Release Notes for 9.3 Maintenance Releases

This document describes the changes, fixed issues, and known issues provided in the maintenance releases of the Citrix® NetScaler®, Citrix® NetScaler® SDX, and Citrix® Access Gateway® software.

Note: This document is also available in the Maintenance Releases section on Citrix eDocs. For the release notes of the first 9.3 release, see Release Notes.

Build 58.5

Release version: Citrix® NetScaler®, version 9.3 build 58.5

Replaces build: None

Release date: August 2012

Readme version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM

  • Issue ID 0307258: When you create a AAA-TM profile by using the configuration utility, it sets persistency for the profile to zero (0), instead of deriving the persistency values from the global persistency settings. You can verify this issue by typing the following command at the NetScaler command line:

    show tm sessionaction <profileName>

    You can fix the persistency settings for any AAA-TM profile that is affected by this issue by typing the following command at the NetScaler command line:

    set tm sessionAction <profileName> -persistentCookie ENABLED -persistentCookieValidity <positive_integer>

    For <positive_integer>, substitute the number of minutes that the persistency cookie is to remain valid. Then, use the 'show tm sessionaction' command to verify your changes.

  • Issue ID 0313931: On a NetScaler appliance that has AAA-TM enabled, if a user takes more than four minutes to finish authenticating and the AAA session expires, the user is unable to authenticate. When the user clicks the 'click here' link to return to the logon page, instead of being redirected to the logon page, the user is redirected to the 'Expired Session' page repeatedly.
  • Issue ID 0314561: On a NetScaler appliance with AAA-TM enabled and single sign-on (SSO) configured, if a user who uses the Google Chrome browser takes more than four minutes to authenticate and the session expires, the browser displays a blank page instead of the Session Expired page.
  • Issue ID 0322445: On a NetScaler appliance that has AAA-TM enabled and a load balancing virtual server configured to support 401 basic authentication, if a user sends a GET request that does not contain a Host header, the NetScaler appliance crashes.

Access Gateway

  • Issue ID 0308733: If you configure Access Gateway with additional appliances in which global server load balancing (GSLB) is enabled, when users log on with the Access Gateway Plug-in, occasionally the connection times out, a time-out error appears, such as 'Your Citrix Access Gateway session timed-out and you are not connected,' and the session disconnects.
  • Issue ID 0319607: If an authentication server and Access Gateway reside in the same domain, the appliance may fail.
  • Issue ID 0319901: If you enable Integrated Caching and Web Interface on NetScaler on an Access Gateway appliance, and then change the URL for the Web Interface, Access Gateway might fail.
  • Issue ID 0320210: When users connect with the Access Gateway Plug-in on a computer running Windows XP, the Group Policy Object is not applied.
  • Issue ID 0320493: If your authentication policies include the rules REQ.SSL.CLIENT.CERT.EXISTS and REQ.SSL.CLIENT.CERT.NOTEXISTS, and users log on with a smart card, the following might occur:
    • If smart card authentication fails, users are redirected to the Web Interface and prompted again for the smart card credentials.
    • If users do not enter smart card credentials, they are redirected to the Web Interface and prompted for their user name and password in order to authenticate with RADIUS.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

Application Firewall

  • Issue ID 0299876: You can now specify a type of either LITERAL or PCRE for any SQL keywords or special strings that you add to a signatures rule. You can use PCRE regular expressions in any keywords or special strings that are assigned a type of PCRE. Built-in and existing user-created SQL keywords and special strings are assigned the LITERAL type, but you can change the type assigned to any user-created keywords or special strings.
  • Issue ID 0303169: On a NetScaler appliance with the application firewall enabled, if a user sends a request with a large number of query parameters that contain SQL special strings without associated SQL keywords, a spike in CPU usage can result. The CPU spike can cause the application firewall to become unresponsive to subsequent requests, blocking user access to protected web sites and web services.
  • Issue ID 0319787: On a NetScaler appliance with the application firewall feature enabled, the comment stripping feature does not correctly parse web pages that have an HTML comment that is terminated with two hyphens, a space, two more hyphens, and a greater-than symbol (-- -->). In other words, you cannot have a string consisting of two hyphens and a space immediately preceding the usual comment termination string (-->). If you do, the comment stripping feature does not detect the final two hyphens and greater-than symbol as a comment terminator. The comment stripping feature therefore strips all content that follows the missed comment terminator.
  • Issue ID 0325339: On a NetScaler appliance with the Application Firewall enabled, if a protected web site sets a cookie longer than 735 bytes, the Cross-Site Request Forgery (CSRF) check is violated. If blocking is enabled for the CSRF check, the response is blocked.
  • Issue ID 0329539 (nCore): On a NetScaler appliance with the application firewall enabled, occasionally the NetScaler appliance crashes when retrieving a page from a protected web site that sets one or more cookies.
  • Issue ID 0331112 (nCore): In the NetScaler 9.3 58.2.nc build, when applying the HTML or XML SQL Injection check the application firewall does not transform special strings even when Transformation is enabled. This issue was fixed in build 58.4.nc.

Configuration Utility

  • Issue ID 0308459: In the Enable/disable service group member view, the Enable and Disable buttons are inactive when the state of a service group member is one of the following: 'GOING OUT OF SERVICE', 'DOWN WHEN GOING OUT OF SERVICE' or 'GOING OUT OF SERVICE (graceful)'.
  • Issue ID 0323197: An HTTP monitor with extended respCode range cannot be configured through the configuration utility. If it is configured through the CLI, an error occurs when it is viewed in the configuration utility.
  • Issue ID 0328781: On a NetScaler appliance with the Application Firewall enabled, if an administrator uses the configuration utility to open a specific load balancing virtual server, and then clicks 'Configure Application Firewall', the configuration utility might display the following error message: Error creating view.

Integrated Caching

  • Issue ID 0322506 (nCore): When you upgrade the NetScaler appliance from NetScaler release 9.1 to 9.3, the number of objects being cached is reduced because of architectural changes.

Load Balancing

  • Issue ID 0286525: NetScaler Classic builds become unresponsive under the following set of conditions:
    • A service that is being monitored by the appliance does not receive traffic for 248 days.
    • The state of the service is UP at least once after the 248-day period.
    • During the termination of a TCP connection used for monitoring the service, when the appliance sends the server a FIN packet, the server either does not respond or responds with an RST packet.
  • Issue ID 0314738: If you issue the 'force HA sync -force' command when HA synchronization is disabled on both nodes, the services on the secondary node are marked as DOWN. The services remain in that state until after a failover.

    When a failover occurs, the failover of some services might be delayed by a few seconds while monitors learn the actual states of those services. Until the monitors learn and correct the states, new connections to those services might be rejected. Consequently, you might also observe a brief period of outage following a failover.

Monitoring

  • Issue ID 0320571: The state of a service is shown as UP even when the service is down. Consequently, the NetScaler appliance continues to forward requests to that service, and clients do not receive responses to their requests.

NetScaler SDX Appliance

  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 0303515: You can now install the NetScaler SDX supplemental packs from the Management Service without manually opening an ssh connection to XenServer. To install this pack, on the configuration tab, in the navigation pane, expand Management Service, and then click XenServer Files. In the details pane, click 'Supplemental Packs'. You can upload the supplemental pack to the SDX appliance and also download it to create a backup on your client.
  • Issue ID 0326655: If you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt your data contents.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.
  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.
  • Issue ID 0327984: You can now apply a hotfix for XenServer from the Management Service. On the Configuration tab, expand Management Service, and then click XenServer Files. In the details pane, click Hotfixes, and then click Upload. After uploading the hotfix to the appliance, click Apply. If an error occurs in the process of applying the hotfix, an error message displays the cause of the problem.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in release 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt.method=2

    Perform a warm reboot for the above change to take effect.

Networking

  • Issue ID 0260803: In an HA configuration, a ping to the NSIP of the secondary node fails because configurations are cleared frequently when they are synchronized to the secondary node. This synchronization was in turn triggered by repeated saving of configurations on the primary node.
  • Issue ID 0312412: The command sh ip ospf <1-65535> database, in the VTYSH command prompt, displays the database for all the OSPF processes instead of just for the process id specified.
  • Issue ID 0318668: A virtual server of type ANY drops the IPv6 ECHO reply if the ECHO request didn't pass through the appliance and the related IPv6 to IPv4 mapping is not present in appliance.
  • Issue ID 0319744: When an NS CLI login session times out, typing exit at the NS CLI prompt does not disconnect the session.
  • Issue ID 0321868: BGP does not advertise default route to the peer, with default-originate flag, if the state of a learnt default route toggles.
  • Issue ID 0324432: The NetScaler appliance forwards (L3 mode) certain response packets with IP header checksum value 0xFFFF, which is an invalid value according to RFC 1624. As a result, the router drops these packets.
  • Issue ID 0330118: OSPF maximum age link-state advertisements (LSAs) are not removed from the NetScaler appliance because the maximum age walker processes are suspended indefinitely.
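
Background for Issue ID 0324432, as an added example that is not Citrix code: RFC 1624 shows that the older incremental checksum update from RFC 1141 can yield 0xFFFF where a full recomputation yields 0x0000. The sketch below reproduces that with a constructed header and a TTL decrement and classifies a captured header accordingly. The release note does not say how the appliance produced the value, so the TTL scenario and all field values here are assumptions.

```python
import struct


def fold(total: int) -> int:
    """Add carries back into the low 16 bits (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(data: bytes) -> int:
    """One's complement sum of the 16-bit big-endian words in data."""
    return fold(sum(word for (word,) in struct.iter_unpack("!H", data)))


def full_checksum(header: bytes) -> int:
    """RFC 1071 checksum, computed with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_sum(zeroed) & 0xFFFF


def update_rfc1141(hc: int, m: int, m_new: int) -> int:
    """HC' = HC + m + ~m' (RFC 1624 Eqn. 2); can produce 0xFFFF."""
    return fold(hc + m + (~m_new & 0xFFFF))


def update_rfc1624(hc: int, m: int, m_new: int) -> int:
    """HC' = ~(~HC + ~m + m') (RFC 1624 Eqn. 3); the corrected update."""
    return ~fold((~hc & 0xFFFF) + (~m & 0xFFFF) + m_new) & 0xFFFF


def build_header(ttl: int, checksum: int) -> bytes:
    """Constructed 20-byte IPv4 header: 10.0.0.1 -> 10.0.0.2, TCP, ID 0x66A2.

    The ID is chosen so that, at TTL 64, the other words sum to 0xFFFF
    and the correct checksum is therefore 0x0000.
    """
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0x0054, 0x66A2, 0,
                       ttl, 6, checksum,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def classify(header: bytes) -> str:
    """Strict check: compare the stored checksum with a full recomputation."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = header[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    expected = full_checksum(header)
    if stored == expected:
        return "valid"
    if stored == 0xFFFF and expected == 0x0000:
        return "negative-zero"   # the 0xFFFF case RFC 1624 describes
    return "corrupt"


def lenient_verify(header: bytes) -> bool:
    """Receiver-style check: sum every word, checksum included."""
    return ones_sum(header) == 0xFFFF


if __name__ == "__main__":
    before = build_header(65, 0)
    hc = full_checksum(before)                      # checksum at TTL 65
    old_word, new_word = 0x4106, 0x4006             # TTL/protocol word
    bad = update_rfc1141(hc, old_word, new_word)
    good = update_rfc1624(hc, old_word, new_word)
    print(f"before={hc:#06x} rfc1141={bad:#06x} rfc1624={good:#06x}")
    for stored in (bad, good):
        pkt = build_header(64, stored)
        print(f"{stored:#06x}: strict={classify(pkt)} "
              f"lenient={lenient_verify(pkt)}")
```

A receiver that sums the whole header accepts both values, while one that recomputes and compares rejects 0xFFFF, which is consistent with only some routers dropping the packets.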

Policies

  • Issue ID 92149/0251246: Binding policies that have HTTP-related actions to TCP bindpoints results in the NetScaler appliance becoming unresponsive at runtime.

SNMP

  • Issue ID 0309930: The SNMP OID for 'vsvrCurSslVpnUsers' is getting counter values only from core 0.

System

  • Issue ID 0271783: If you configure an RNAT rule and enable the TCP proxy option for RNAT, the NetScaler appliance functions as a proxy for internal clients and maintains separate client-side and server-side connections. In certain scenarios, this behavior might result in a service type mismatch between the client-side and server-side connections, and the appliance might reboot with a core dump.
  • Issue IDs 0292272 and 0319417 (Classic): NetScaler resets the client and server-side connections if it receives a response with long headers (more than 16 packets) on a server-side connection after receiving a normal response on the same connection.
  • Issue ID 0300116: In a high availability configuration, when AAA keys are not synchronized to the secondary node and an appliance failover happens, the new primary node becomes unresponsive. This happens when the NSC_TASS and NSC_TMAS cookies have the same values and an improper session lookup happens.
  • Issue ID 0302004: For load balancing virtual servers that have SOURCEIP persistence configured, client IP header insertion might fail for HTTP CONNECT requests sent to that virtual server.
  • Issue ID 0306237: If the number of dynamic services running on the NetScaler appliance exceeds 64k, any service that is created cannot be accessed, even after the number of services is less than 64k.
  • Issue ID 0306660 (nCore): In certain cases, idle connections are not flushed and continue to consume system resources. As a result, the NetScaler appliance stops processing new requests.
  • Issue ID 0328271: The output of the mem stats or stat system -detail command is not the same as the output displayed by the conmsg mem stats command.
  • Issue ID 0330336 (nCore): IPv6 addresses might occasionally be captured in the audit log, even though IPv6 addresses are not configured.

Web Interface

  • Issue ID 0322207: In a high availability setup, delays in Apache Tomcat start-up might prevent the propagation of web interface configurations to the secondary appliance. As a result, the web interface configurations are not available when the secondary appliance becomes primary and the 'Web Interface not installed' error is displayed.

XML

  • Issue ID 0304314: SOAP requests that do not conform to a WSDL are not handled properly by the XML validation module, which can cause the NetScaler appliance to hang or crash.

Known Issues and Workarounds

Access Gateway

  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting 'Windows 7 Mobile Broadband' in the Telstra Connection Manager 'Options' dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on by using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84787/0245136: When you issue the command 'sh vpn vserver' on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says 'Error. Not a privileged user.' Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    • Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    • Bind the Outlook Web Outlook regular expression to this profile.
    • Bind the profile so that it assumes the highest priority.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires. However, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning 'Published resource shortcuts are currently disabled.' Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message 'Invalid username or password. Please try again.' This issue does not occur if users log on to Windows XP.
  • Issue ID 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, Access Gateway fails.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either the intranet or to external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain, by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects. When users log off, however, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the 'Log on' option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon and then, depending on the version of Receiver they are using, click 'About' or 'Preferences' from the Receiver menu and 'Plug-in Status' or 'Advanced' from the Receiver panel. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the Inventory key, configure the following REG_SZ values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as 'Password'.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as REG_SZ:

      • VPNPrompt3. Provide the value as 'Passcode'.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user. NOTE: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL: http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html Alternatively, a description of the Wizard can be found in the PDF-based documentation, in the Configuration chapter.
  • Issue ID 0316200: After upgrading to NetScaler 9.3, build 58x, the built-in AppFW profiles are not visible in the NetScaler configuration utility or listed in the ns.conf file.
  • Issue ID 0318595: On a SharePoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the cloud bridge, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the 'show configstatus' command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

Configuration Utility

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

DataStream

  • Issue ID 83862/0244449 (nCore and nCore VPX): In this release, the DataStream feature does not support IPv6 addresses.
  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Domain Name System

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996/0243703: MYSQL monitors show the service state as UP even when no subnet IP (SNIP) address or mapped IP (MIP) address is configured. This is expected behavior, because MYSQL monitors use the NetScaler IP (NSIP) address to send their probes.
  • Issue ID 86096/0246139: When you configure the WI-EXTENDED monitor, provide a value for sitepath that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
  • Issue ID 0309954: The NetScaler appliance fails in the following scenario:
    1. You create a remote GSLB service whose public IP address is the same as the public IP address of a local GSLB service.
    2. You bind monitors to the GSLB services, and then bind the GSLB services to a GSLB virtual server.
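
For the servicegroup member name change in Issue ID 90271/0249597, one way to make a monitoring or audit script accept both formats (an added example, not Citrix code). It splits the pre-9.3 form from the right, because a service group name may itself contain underscores, and treats a '?' as the marker of the 9.3 form. The sample names, the port range check, and the function names are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    group: str
    host: str   # IP address, or a server name in the 9.3 format
    port: int
    fmt: str    # "pre-9.3" (underscore) or "9.3" (question mark)


def _port(text: str) -> int:
    # Assumption: the port field is a decimal number in 1..65535.
    if not (text.isascii() and text.isdigit()) or not 0 < int(text) <= 65535:
        raise ValueError(f"bad port field: {text!r}")
    return int(text)


def parse_member(name: str) -> Member:
    """Parse a servicegroup member name in either format."""
    if "?" in name:
        # 9.3: <servicegroup name>?<IP address | server name>?<port>
        parts = name.split("?")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            raise ValueError(f"malformed 9.3 member name: {name!r}")
        group, host, port = parts
        return Member(group, host, _port(port), "9.3")

    # Pre-9.3: <service group name>_<IP address>_<port>
    # Split from the right so underscores in the group name survive.
    parts = name.rsplit("_", 2)
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"malformed pre-9.3 member name: {name!r}")
    group, host, port = parts
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"not an IP address in pre-9.3 name: {host!r}") from None
    return Member(group, host, _port(port), "pre-9.3")


def legacy_split(name: str) -> tuple:
    """What an underscore-based script does; shown to expose the failure."""
    group, host, port = name.rsplit("_", 2)
    return group, host, port


def parse_all(names):
    """Return (parsed members, [(name, error text)]) without aborting."""
    parsed, rejected = [], []
    for name in names:
        try:
            parsed.append(parse_member(name))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return parsed, rejected


# Constructed sample names, not taken from a real appliance.
SAMPLE_NAMES = [
    "web_sg_prod_10.0.0.5_80",     # pre-9.3, underscores in the group name
    "web_sg?10.0.0.5?443",         # 9.3 with an IP address
    "web_sg?app_server_1?8080",    # 9.3 with a server name
    "web_sg_app01_80",             # pre-9.3 shape but no IP address: rejected
]

if __name__ == "__main__":
    members, errors = parse_all(SAMPLE_NAMES)
    for member in members:
        print(member)
    for name, error in errors:
        print(f"rejected {name!r}: {error}")
    # The underscore-only approach returns wrong fields without any error:
    print(legacy_split("web_sg?app_server_1?8080"))
```

The last line shows why the old parsing needs replacing rather than patching: on a 9.3 name that contains underscores it returns three plausible-looking but wrong fields.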

NetScaler SDX Appliance

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 91605/0250759: If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

NetScaler SDX Appliance and NetScaler VPX Appliance

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance.
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch
  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Policies

  • Issue ID 0291975: The SYS.VSERVER('<vserver_name>').THROUGHPUT expression returns an incorrect throughput value.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message (“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”) appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=1

    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=0

    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

Web Interface

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type 'any' in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to 'skip'.

    Workaround: Replace the 'any' type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The 'any' type is rarely used.)

XML API

  • Issue ID 80170/0241429: The syntax of the 'unset servicegroup' command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the 'unset servicegroup' command.

Build 57.5

Release version: Citrix® NetScaler®, version 9.3 build 57.5

Replaces build: None

Release date: June 2012

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM

  • Issue ID 89201/0248704: AAA-TM now supports NTLMv2 signon and sessions for single sign-on (SSO).
  • Issue ID 93823/0257671: TACACS has been modified to log only successfully executed TACACS commands to the NetScaler log. This change prevents the logs from showing TACACS commands that were entered by users who were not authorized to execute them.

Access Gateway

  • Issue ID 93317/0257227: If you try to end a user session by using the configuration utility or the command line, the session remains connected. When using the command line, the command returns a status stating "success" even though the session remains connected.
  • Issue ID 0282907: When you configure an intranet application for proxy and the users' Web browser is configured with a proxy auto configuration (PAC) file, when users log on with the Access Gateway Plug-in and try to access an internal network resource, proxy authentication fails. Users cannot access any resources through Access Gateway.
  • Issue ID 0289662: When users log on with the Access Gateway Plug-in and try to make a Voice over Internet Protocol (VoIP) call to a mobile phone by using the Cisco Unified Personal Communicator application, the call does not connect.
  • Issue ID 0299406: If you configure a policy to restrict access to certain files, when users log on with clientless access and try to access the file, Access Gateway fails.
  • Issue ID 0306349: In a high availability configuration, if you configure an intranet IP address for a group, when users connect with the Access Gateway Plug-in, if failover occurs, the intranet IP address is no longer assigned to the session. As a consequence, users may not be able to connect to some internal resources. You must remove the IP address from the group and then configure the intranet IP address in a session profile bound globally.
  • Issue ID 0310124: If you configure a responder policy based on location criteria bound to the Access Gateway virtual server, when users log on through Receiver for Android 3.1 on a mobile device and connect through the virtual server, the policy does not work on Android versions earlier than 3.0. As a consequence, users may experience a connection delay.

Application Firewall

  • Issue ID 87741/0247559: The HTML SQL Injection check transformation feature does not detect double-byte backslash (\) or single quote (') characters as special characters, and so neither transforms those characters nor blocks the request that contains them.
  • Issue ID 0284784: When a web site sends a MIME-encoded web form to a user with the MIME boundary enclosed in double quotations, and the user returns the web form as a POST request, the application firewall resets the connection with a reset code of 9845.
  • Issue IDs 0298529 and 0306658: On a NetScaler nCore build with the application firewall feature enabled, certain scripts caused an internal state to be set to NULL when the feature expected a different setting, causing the application firewall to crash.
  • Issue ID 0300383 (Classic): On a NetScaler classic build that has the application firewall learning feature enabled, under heavy load the configuration utility can become unavailable and the NetScaler can freeze or hang.
  • Issue ID 0307082: When the NetScaler appliance sends an HTTP/1.0 100-Continue response on behalf of a protected web server, it now also sets the TCP Push flag in the response packet. This change resolves certain performance issues that might have been encountered when enabling the application firewall for some XML-based web services.

Configuration Utility

  • Issue ID 0314258: When you modify any PBR rule from the configuration utility, the NetScaler appliance changes the APPLIED status of the PBR to NOTAPPLIED.

Load Balancing

  • Issue ID 75554/0237564: The maximum number of custom location entries supported has increased from 50 to 500. To enable the Static Proximity method, either configure the NetScaler appliance to use an existing static proximity database populated through a location file or add custom entries to the static proximity database.
  • Issue ID 0287324: You can now use the gslbautosync configuration command to save the remote and master node configurations. The local site configurations are saved before synchronization begins, and remote site configurations are saved after the synchronization.
  • Issue ID 0299390: Upgrading a high availability (HA) setup from NS9.3 B52.3 or an older build to NS9.3.55.1 corrupts the WionNS configuration. To resolve this issue, the automatic synchronization of HA configuration is disabled. You must manually apply configuration between HA nodes.
  • Issue ID 0305045: An incorrect port number is passed to the WI-Extended monitor, causing an error. This problem is resolved, and correct port information is passed to the WI-Extended monitor.
  • Issue ID 0308757: Content switching did not work if the CS vserver was configured with the TCP service type and a wildcard port, because of a NetScaler synchronization handling issue. This problem is now resolved.
  • Issue ID 0309304: When binding a domain based member to a service group, the debugging message "Oh binding a svc grp with DBS" is logged in the /var/nslog/newnslog file.

NetScaler SDX Appliance

  • Issue ID 94071/0257902: You can now configure a Simple Network Management Protocol (SNMP) agent on the Citrix NetScaler SDX appliance to generate asynchronous events, which are called traps.
  • Issue IDs 0278369 and 0284146: You can now configure a tagged VLAN, without configuring an NSVLAN, at the time of provisioning a NetScaler instance.
  • Issue ID 0287133: All HTTP and HTTPS communication between the Management Service and a NetScaler VPX Instance is now through a persistent session. A session ID is associated with each VPX instance and all HTTP and HTTPS communication between the Management Service and the instance uses this session ID.
  • Issue ID 0303527: With XenServer version 6.0 and later, HTTP communication between the Management Service and XenServer is now over a persistent session. All HTTP communication between the Management Service and XenServer uses one session ID. For earlier versions of XenServer, basic authentication (user name and password) is used.
  • Issue ID 0313155: NTP synchronization might fail if you add a new NTP server by using the Management Service user interface because the default contents of the ntp.conf file are not flushed.

Networking

  • Issue ID 0243105: When there are ECMP routes for a prefix, for every new route addition or deletion, the NetScaler appliance withdraws all the UP routes and adds them back again to its routing table. This results in a period of time when there are no routes to the prefix.
  • Issue ID 94268/0258087: In a high availability configuration, after failover, the configurations related to various dynamic routing protocols are not properly synced to the secondary node if the save config command is issued when the sync is in progress.
  • Issue ID 0305420: If the NetScaler appliance receives traffic that hits a virtual server of type ANY, the TTL value is set to 255 only for the first packet of that traffic; for the remaining packets belonging to the same session, the TTL value remains unchanged. This applies even to fragmented packets: the TTL value is set to 255 only for the first fragment of the packet and is unchanged for the remaining fragments.

Platform

  • Issue ID 58738/0223235: After a NetScaler appliance starts, the LCD displays the following information:
    • NS<platform number> on appliances running the classic version. For example, NS7000.
    • NSMPX-<model number> on MPX appliances. For example, NS-MPX15500.
    • "NetScaler" on VPX and SDX appliances.
  • Issue ID 76010/0237960: The 10G SFP+ transceiver is now hot-swappable on the NetScaler appliances that use the ixgbe (ix) interface.
    The following platforms support 10G SFP+ transceivers:
    • MPX 9700/10500/12500/15500 10G and 10G FIPS
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17500/19500/21500
    • MPX 17550/19550/20550/21550

Policy

  • Issue ID 0291975: The expression SYS.VSERVER("<vserver_name>").THROUGHPUT returns an incorrect throughput value.
  • Issue ID 0311268: You cannot add a rule of the form "HTTP.REQ/RES.BODY(<num>).CONTAINS(<string2>)" if <string2> is longer than <string1>, where <string1> is the string in an already configured policy expression "HTTP.REQ/RES.BODY(<num>).CONTAINS(<string1>)".

    For example, the second command below might not succeed if the rule in cs_example is being evaluated for some request at that time.

    -> add cs policy cs_example -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIs12")'

    -> add cs policy cs_example_break -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIsBIG15")'

SSL

  • Issue ID 0301726 (Classic): If OCSP is configured on a NetScaler appliance using a Broadcom SSL chip, multiple handshake messages that are received in a single record cause the SSL handshake to fail.
  • Issue ID 0316577: The SSL crypto card instrumentation is enhanced to provide more information on error status during initialization and at runtime.

System

  • Issue ID 0260531: When using HTTP pipelining in SSL offloading, and when Client-side Keep Alive is enabled on the client, the advertised window increases after every transaction, resulting in a huge advertised window.
  • Issue ID 0270163: When the NetScaler appliance runs processes such as gzip, the usage of the management CPU increases. Hence, high CPU usage alerts may get generated even though the packet engines are not actively processing packets.
  • Issue ID 0285015: Request buffers larger than 24KB lead to a buffer overflow and result in the web log module not working.
  • Issue ID 0311601: When client keep-alive is enabled, there are TCP retransmissions due to sudden shrinking of the window.

Known Issues and Workarounds

AAA-TM

  • Issue ID 0307258: When you create a AAA-TM profile by using the configuration utility, the configuration utility displays the global persistency settings as the settings that it assigned to the profile. However, instead of actually deriving the persistency values from the global persistency settings, it sets persistency for the profile to zero (0). You can verify this issue by typing the following command at the NetScaler command line:

    show tm sessionaction <profileName>

    You can fix the persistency settings for any AAA-TM profile that is affected by this issue by typing the following command at the NetScaler command line:

    set tm sessionAction <profileName> -persistentCookie ENABLED -persistentCookieValidity <positive_integer>

    For <positive_integer>, substitute the number of minutes that the persistency cookie is to remain valid. Then, use the "show tm sessionaction" command to verify your changes.

Access Gateway

  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects. When users log off, however, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either the intranet or to external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain, by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on by using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    • Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    • Bind the Outlook Web Access regular expression to this profile.
    • Bind the profile so that it assumes the highest priority.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires. However, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user.
    Note: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0316200: The default built-in AppFW profiles are not available in the ns.conf file even though they are available on the system. You can verify the presence of these profiles by executing the 'show appfw profile' command.
  • Issue ID 0318595: On a SharePoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

Configuration Utility

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

  • Issue ID 0308459: In the Enable/disable service group member view, the Enable and Disable buttons are inactive when the state of a service group member is one of the following: "GOING OUT OF SERVICE", "DOWN WHEN GOING OUT OF SERVICE", or "GOING OUT OF SERVICE (graceful)".

DataStream

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.
  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Domain Name System

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: While configuring the WI-EXTENDED monitor, provide a value for sitepath that does not end with a '/'. For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
  • Issue ID 0309954: When you add a remote GSLB service with the same public IP address as the local GSLB service and bind monitors to the GSLB services, binding these services to the GSLB vserver causes it to become unavailable.
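
The delimiter change described in Issue ID 90271/0249597 can be absorbed by a script that accepts both name formats. The following is an added example, not Citrix code: the function and type names are hypothetical, the sample names are constructed, and it assumes that service group names never contain '?' and that the middle field of a pre-9.3 name is always an IP address.

```python
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    group: str    # service group name (may itself contain underscores)
    server: str   # IP address, or server name in the 9.3 format
    port: int
    fmt: str      # "9.3" or "pre-9.3": which format the name was in


def parse_member_name(name: str) -> Member:
    """Parse a service group member name in either documented format.

    9.3 and later:  <servicegroup name>?<IP address | server name>?<port>
    earlier:        <service group name>_<IP address>_<port>
    Raises ValueError on anything that does not fit one of the two.
    """
    if "?" in name:
        parts = name.split("?")
        fmt = "9.3"
    else:
        # Split from the right: the group name may contain underscores,
        # but an IP address and a port cannot.
        parts = name.rsplit("_", 2)
        fmt = "pre-9.3"
    if len(parts) != 3:
        raise ValueError(f"unrecognized member name: {name!r}")

    group, server, port_text = parts
    if not group or not server:
        raise ValueError(f"empty field in member name: {name!r}")
    if fmt == "pre-9.3":
        # Assumption: the older format only ever carried an IP address.
        ipaddress.ip_address(server)  # raises ValueError if not an address
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"non-numeric port in member name: {name!r}")
    port = int(port_text)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in member name: {name!r}")
    return Member(group, server, port, fmt)


def naive_underscore_fields(name: str) -> list:
    """What a script written for the old format does: split on every '_'."""
    return name.split("_")


# Constructed sample names, one per case the release note describes.
SAMPLES = [
    "web_sg_10.1.1.5_80",        # pre-9.3 format, underscore in group name
    "web_sg?10.1.1.5?80",        # 9.3 format, member bound by IP address
    "web_sg?app_server1?8080",   # 9.3 format, member bound by server name
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", parse_member_name(sample))
        print("  underscore-only split:", naive_underscore_fields(sample))
```
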

NetScaler SDX Appliance

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 91605/0250759: If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0326655: When you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt the data contents. To check if migration is in progress, at the Management Service shell prompt, type:

    ps -ax | grep svm_migration

    If you see some processes running, then migration is in progress and you must not restart the Management Service.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.

    Workaround: First, upgrade the Management Service from build 48.6 to build 55.6, and then upgrade it from build 55.6 to build 56.5 or 57.5.

  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.

NetScaler SDX Appliance and NetScaler VPX Appliance

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance.

    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message--“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=1

    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=0

    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

Web Interface

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContent attribute was set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)
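
A pre-import check for the schema limitations listed in this section, as an added example that is not Citrix code: it flags the 'unique', 'redefine' and 'any' constructs and documents whose root is not an XML Schema 'schema' element. The function name lint_schema, the finding format, and both sample documents are constructed for illustration.

```python
"""Pre-import lint for XML schemas destined for the application firewall.

Added example; the names and sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructs named in the known issues of this section.
NOTES = {
    "unique": "xs:unique is not supported (Issue ID 82058/0242928)",
    "redefine": "xs:redefine is not supported (Issue ID 82059/0242929)",
    "any": "xs:any content is not validated (Issue ID 82069/0242939)",
}

# Constructed sample: a schema that uses all three constructs.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:redefine schemaLocation="base.xsd"/>
  <xs:element name="order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="id" type="xs:int"/>
        <xs:any namespace="##other" processContents="strict" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
    <xs:unique name="uniqueId">
      <xs:selector xpath="id"/>
      <xs:field xpath="."/>
    </xs:unique>
  </xs:element>
</xs:schema>"""

# Constructed sample: an XHTML page mistakenly queued for import as a schema.
SAMPLE_XHTML = """<html xmlns="http://www.w3.org/1999/xhtml">
  <head><title>not a schema</title></head><body/>
</html>"""


def _split(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def _step(elem):
    """One path step: the local name plus the 'name' attribute, if any."""
    local = _split(elem.tag)[1]
    name = elem.get("name")
    return f"{local}[{name}]" if name else local


def lint_schema(xsd_text):
    """Return (kind, location, note) findings for one schema document."""
    try:
        root = ET.fromstring(xsd_text)
    except ET.ParseError as exc:
        return [("malformed", "document", f"not well-formed XML: {exc}")]

    if _split(root.tag) != (XSD_NS, "schema"):
        return [("not-a-schema", _split(root.tag)[1],
                 "root element is not xs:schema; do not import as a schema")]

    findings = []

    def walk(elem, path):
        here = path + [_step(elem)]
        ns, local = _split(elem.tag)
        if ns == XSD_NS and local in NOTES:
            note = NOTES[local]
            if local == "any":
                # XSD defaults processContents to "strict"; report what the
                # schema author asked for so the gap is visible in review.
                declared = elem.get("processContents", "strict")
                note += f"; schema declares processContents={declared!r}"
            findings.append((local, "/".join(here), note))
        for child in elem:
            walk(child, here)

    walk(root, [])
    return findings


if __name__ == "__main__":
    for label, doc in (("sample.xsd", SAMPLE_XSD), ("page.xhtml", SAMPLE_XHTML)):
        for kind, where, note in lint_schema(doc):
            print(f"{label}: {kind} at {where}: {note}")
```

Each 'any' finding marks a part of the message that needs an explicit element definition, as the workaround describes, before the XML Message Validation check can be relied on for it.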

XML API

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 56.5

Release version: Citrix® NetScaler® release 9.3 build 56.5

Replaces build: None

Release date: May 2012

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM Issues

  • Issue ID 84299/0244785: If the user does not try to log on for over two minutes once the AAA-TM logon page is displayed, the NetScaler appliance displays a "500 internal server error" message and does not redirect the user to the load balancing page.

Access Gateway Issues

  • Issue ID 90334/0249654: If users log on to Access Gateway by using a Web browser, log off and then subsequently log on by using the Access Gateway logon dialog box over a port other than port 443, such as port 444, the logon fails.
  • Issue IDs 90726/0249979, 0268032, 0283223, 0299327, 0299916, and 0301952: If you configure client certificate-based expressions for preauthentication or post-authentication scans and if users log on with a client certificate on an nCore Access Gateway model MPX 7500 or higher, the scan fails and users cannot log on. This issue does not occur with a classic build or on the MPX 5500.
  • Issue ID 91072/0250267: When users log on with the Access Gateway Plug-in and then switch wireless networks without logging off, users cannot access the local area network (LAN) until they log off and then log on again with the Access Gateway Plug-in.
  • Issue IDs 0267012 and 0274134: This fix addresses a memory stability issue in an underlying component of Access Gateway.
  • Issue ID 0270872: If you configure LDAP authentication and users take more than 30 seconds to enter their credentials when logging on with the Access Gateway Plug-in or through Citrix Receiver on a mobile device, the logon dialog box times out and users have to reconnect.
  • Issue ID 0274306: When users log on with the Access Gateway Plug-in, if you unbind a session policy for a user group with connections to a server running XenApp, the connection fails.
  • Issue ID 0274400: When users connect with the Access Gateway Plug-in for Java on a Mac computer running OS X Versions 10.6 or 10.7, the plug-in fails and a blank window appears.
  • Issue ID 0284135: When users log on with the Access Gateway Plug-in and if the Access Gateway appliance FQDN is in the proxy bypass list, Access Gateway disregards the proxy setting. When the plug-in attempts to connect to Access Gateway through the proxy, the connection fails.
  • Issue ID 0286000: If users log on with clientless access, create a folder within a shared folder in the Access Interface, and then refresh the page, a replica folder appears on the File Transfer page.
  • Issue ID 0289686: If users connect with the Access Gateway Plug-in for Mac and then log off from the Web Interface, if users log on again within five minutes, the connection fails. This only occurs if you enable ICA proxy in Access Gateway.
  • Issue ID 0290220: When users log on to Access Gateway with the Access Gateway Plug-in for Mac OS X, the home page is slow to appear or does not appear in the Web browser.
  • Issue ID 0300221: When users log on to an nCore Access Gateway model MPX 7500 or higher, if there is high memory usage, the Access Gateway might fail. This issue does not occur with a classic build or on the MPX 5500.
  • Issue ID 0301557: If users connect with the Access Gateway Plug-in and two network adapters have active connections on the user device, DNS resolution does not occur and users cannot access internal resources. If users disable one network adapter, users can then access internal resources.
  • Issue IDs 0301799 and 0305241: Access Gateway might not release all user sessions, which results in maximum usage of the licenses. When this occurs, users cannot log on and you must restart Access Gateway.
  • Issue IDs 0302268 and 0303490: After the preauthentication scan passes and users log on, if an internal processing error occurs, Access Gateway fails.
  • Issue ID 0302490: If users log on with Receiver for Chromebook through Access Gateway, when users log off, Access Gateway does not release the session. Users must close the Web browser to log on again.
  • Issue IDs 0303081 and 0303265: If servers in the internal network return a UDP packet with zero length, Access Gateway fails.

AppExpert Issues

  • Issue IDs 0283171 and 0303178: If you have an expression that contains any of the following objects, and evaluate that expression in the expression evaluator, the NetScaler appliance may hang or crash.
    • SIGNED32_STRING
    • UNSIGNED16_STRING
    • SIGNED16_STRING
    • UNSIGNED8_STRING
    • SIGNED8_STRING
    • WEEKDAY_STRING_SHORT
    • WEEKDAY_STRING

AppFlow Issues

  • Issue ID 0301461 (nCore): If you enable the clientTrafficOnly parameter when the AppFlow feature is enabled, the NetScaler appliance fails. By default, the clientTrafficOnly parameter is disabled.
  • Issue ID 0302578 (nCore): If you enable AppFlow when the NetScaler device is in transparent mode, or when the load balancing virtual servers use wildcards for the IP address and port to dynamically learn the backend services, the NetScaler device fails.

Application Firewall Issues

  • Issue ID 0260631: If changes are made to the application firewall signature configuration during periods of heavy traffic and active processing of requests and responses, the NetScaler appliance might crash.
  • Issue ID 0285286: After upgrading the NetScaler appliance from NS 9.3 (build 50.3) to NS 9.3 (build 54.4), the application firewall logs begin to record abnormal SQL injection and cross-site scripting errors. These errors do not cause connections to be blocked even when blocking is enabled for the HTML SQL Injection and HTML Cross-Site Scripting features.
  • Issue ID 0287556: In an HA pair that has both the application firewall and the integrated caching features enabled, both the primary and the secondary nodes occasionally restart. This is due to improper processing of cookies with null or empty values.
  • Issue IDs 0290886 and 0267238: On NetScaler appliances that have both the application firewall and the integrated caching features enabled, memory utilization increases quickly and remains high.
  • Issue ID 0291620 (Classic): After upgrading from NetScaler 9.2 to NetScaler 9.3x, the getsystemuser() call returns only the first user, regardless of any other user accounts that had been created on the NetScaler appliance.

Configuration Utility Issues

  • Issue ID 0269789 (nCore and nCore VPX): The "stat service" command incorrectly displays the interface information along with the service statistics.
  • Issue ID 0300003: The 'View Events' dialog box of the 'Diagnostics' page of the Configuration Utility hangs after you click 'Run' for a selected newnslog file.
  • Issue ID 0300376: If you create an SSL service from an existing service by modifying parameters, such as the IP address and port, and also click the Advanced tab to set or check the values of advanced parameters, the service is not created until you change the value of the clear text port parameter on the Advanced tab. The service is created if you do not click the Advanced tab.

Content Switching Issues

  • Issue IDs 0290387, 0290393, and 0290396: If the name of a target load balancing virtual server in a content switching policy label is 32 characters or longer, when you open the policy label in the configuration utility, the dialog box displays a corrupted and truncated form of the load balancing virtual server’s name.

DataStream Issues

  • Issue ID 0303980 (nCore and nCore VPX): A monitor of type MSSQL fails if you replace the existing query with a shorter query.

Domain Name System Issues

  • Issue IDs 0251644, 0272407, 0284605, and 0292227: The NetScaler appliance fails under the following sequence of events:
    1. You configure a DNS zone on the appliance. The appliance is to function as a proxy server for the zone.
    2. You do not configure a name server record or Start of Authority record for the zone. However, you add one or more DNS records for a domain name that belongs to the zone.
    3. A client attempts to resolve the domain name, but the record type for which the client sends the query does not exist on the appliance.

Global Server Load Balancing Issues

  • Issue ID 93051/0252048 (nCore and nCore VPX): When a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Integrated Caching Issues

  • Issue ID 0275965: The "show running config" or the "show cache contentgroup" command causes the NetScaler command line interface to fail if more than 32 policies refer to the same content group and the size of the thirty-second policy name is more than 32 characters.

Load Balancing Issues

  • Issue IDs 0269379 and 0285447 (nCore and nCore VPX): When you use the configuration utility or the "unset lb vserver" command to disassociate a backup virtual server from a primary virtual server, the NetScaler appliance does not record the dissociation event for up to one hour. Within this period, you can inadvertently create a loop condition by setting the former backup virtual server as the primary virtual server and the former primary virtual server as the backup virtual server. The appliance then displays both virtual servers as being a backup of the other.
  • Issue ID 0284733 (nCore and nCore VPX): Events that are related to the states of monitors are not logged if they are generated by NetScaler packet processing engines other than NSPPE-00.
  • Issue ID 0288565: Each monitoring probe that is generated by the nsmysql.pl script results in a memory leak that, over a period of time, prevents the NetScaler appliance from allocating memory to the script. As a result, services might be marked as being up even when the probes fail.
  • Issue ID 0288771: The NetScaler appliance fails if you use the "unset lb vserver" command with a virtual server that is not a load balancing virtual server.

NetScaler SDX Appliance Issues

  • Issue ID 86597/0246578: Internet Explorer version 9.0 does not load the Configuration tab.
  • Issue ID 87916/0247683: You can now configure your NetScaler SDX appliance to synchronize its local clock with a Network Time Protocol (NTP) server. As a result, the clock on the SDX appliance has the same date and time settings as the other servers on your network. The clock synchronization configuration does not change if the appliance is restarted, upgraded, or downgraded. However, the configuration does not get propagated to the secondary NetScaler instance in a high availability setup. For more information, see "Configuring Clock Synchronization" in the "Managing and Monitoring the NetScaler SDX Appliance" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 90586/0249864: Logging on to the Management Service user interface fails after 25 days.
  • Issue ID 92189/0251275: The progress status is now displayed after you provision or modify a NetScaler instance.
  • Issue ID 92857/0251875: On your NetScaler SDX appliance, the backup policy runs a backup at 00:30 A.M. every day, but you can create a backup file at any time if, for example, you want to immediately back up changes to the configuration. You can use the backup file to restore the configuration data on the appliance. You can restore the configuration data of the XenServer, Management Service, and all of the NetScaler instances. Alternatively, you can restore only the NetScaler instances or selected NetScaler instances. For more information, see "Backing Up and Restoring the Configuration Data of the SDX Appliance" in the "Configuring the Management Service" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0271764: You can now reset the NetScaler SDX appliance to the factory default. Performing a factory reset terminates all current client sessions with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks. When you are ready to restore the appliance, import the backup files by using the Management Service. For more information, see "Performing a Factory Reset" in the "Configuring the Management Service" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0271765: You can now upgrade to a later version of the XenServer software on your NetScaler SDX appliance to enable and disable functionality of some features, such as VLAN filtering. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software. For more information, see "Upgrading the XenServer Software" in the "Configuring the Management Service" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0271766: Logging on to the Management Service on your NetScaler SDX appliance gives you direct access to the NetScaler instances that are provisioned on the appliance, if you upgrade the Management Service and the NetScaler instances to this build. If you log on to the Management Service by using your user credentials, you do not have to provide the user credentials again for logging on to an instance. By default, the timeout value is set to 30 minutes and the configuration tab is opened in a new browser window. For more information, see "Single Sign-On to the Management Service and the NetScaler Instances" in the "Introduction" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0275111: You can now replace the default certificate that is shipped with the NetScaler SDX appliance with your own certificate. Installing an SSL certificate terminates all current client connections with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks. For more information, see "Installing an SSL Certificate on the SDX Appliance" in the "Managing and Monitoring the NetScaler SDX Appliance" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0286008: If you provision a NetScaler VPX instance with 2048MB of memory (the default) and later increase the memory to 17408MB (17GB), the instance might fail to start up correctly, and attempts to log on to the instance fail.
  • Issue ID 0288265: A networkconfig utility has been added to simplify initial configuration of the NetScaler SDX appliance through the serial console. For more information, see the Citrix NetScaler SDX Quick Start Guide for the related hardware platform.
  • Issue ID 0289151: If you provision a NetScaler VPX instance with approximately 12288MB (12GB) of memory and then upgrade the instance, the upgrade operation fails and the following error message appears: ERROR: NetScaler on nCore VPX requires minimum 2 Gigabytes and 2 CPUs to start.
  • Issue ID 0298456: Provisioning and modifying a NetScaler instance on the NetScaler SDX appliance is now made simple with the addition of two new wizards: the Provision NetScaler Wizard and the Modify NetScaler Wizard.
  • Issue ID 0275498: Initial configuration of the Management Service is now made simple with the addition of a Setup Wizard. You can configure the network settings, such as XenServer IP address, Management Service IP address, Netmask, and gateway, system settings, such as http or https access and time zone, and change the default password by using this wizard. To launch the wizard, in the navigation pane, click System. In the details pane, click Setup Wizard.

Networking Issues

  • Issue ID 0277939: Each route learned or unlearned through a dynamic routing protocol is treated as a configuration change. This resulted in dumping of absolute records, which in turn resulted in high CPU usage.
  • Issue ID 0300820: When the NetScaler appliance receives an unpredicted flow of SYNs, it blocks the connect system calls used by the OSPF daemon. This causes a delay in sending out the hello packets, resulting in adjacency failure.
  • Issue ID 0302613: When an OSPF connection times out, the NetScaler appliance removes and reapplies the router configuration. This causes an adjacency flap, which momentarily drops all the advertised routes.

Platform Issues

  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.
  • Issue ID 0274708 (nCore): A script is now available to update the old firmware (2CV102HD) on a running MPX 17500/19500/21500 platform that is using INTEL X25 series Solid-State Drives (SSDs) (SSDSA2M160G2GN) to the new firmware (2CV102M3). For more information, see http://support.citrix.com/article/CTX133342.

Reporting Issues

  • Issue IDs 0284006 and 0299274: When accessing the Reporting page from the configuration utility, there are some memory corruption issues while accessing load balancing virtual server specific data.

System Issues

  • Issue ID 0250343: You can now specify a time-out value for inactive CLI sessions for a system user. If a user's CLI session is idle for a time that exceeds the time-out value, the NetScaler appliance terminates the connection. The timeout can be defined in a user’s configuration, in a user-group configuration, and in the global configuration. The time-out for inactive CLI sessions for a user is determined by the following order of precedence:
    • Time-out value as defined in the user's configuration.
    • Time-out value as defined in the group configuration for the user’s group.
    • Time-out value as defined in the system global configuration.
  • Issue ID 0260531: When using HTTP pipelining in SSL offloading, and when Client-side Keep Alive is enabled on the client, the advertised window increases after every transaction, resulting in a huge advertised window.
  • Issue ID 0270951: The Russian government adopted a law to cancel Daylight Saving Time (DST). As a result, the NetScaler appliance is not reflecting the correct local time.
  • Issue ID 0272484: In a High Availability configuration with Connection Mirroring enabled on a virtual server, the secondary node fails when a connection to this virtual server, on the primary node, is blocked for an event (either external event or for data completion event) and the virtual server receives a FIN packet for this connection.
  • Issue ID 0278806 (nCore): If a 10G ixgbe interface is reset, the hardware controller RX logic might write to the data area of a NetScaler packet buffer (NSB) after it has been returned to the NSB free pool. This can result in NSB corruption. An interface reset can be triggered by an event, such as changing the flow control settings with the "set interface" command.
  • Issue ID 0283768: The client continues to send request packets to the NetScaler despite the NetScaler sending a FIN packet to the client and closing the connection at the NetScaler end. These new packets are dropped by the NetScaler.
  • Issue IDs 0286329 and 0289033: In rare cases, the NetScaler appliance fails when some pages are recovered from the free queue before the page table scan is complete.
  • Issue IDs 0290271, 0292429, and 0298435 (nCore): If a 1G e1k interface is reset, the hardware controller RX logic might write to the data area of a NetScaler packet buffer (NSB) after it has been returned to the NSB free pool. This can result in NSB corruption. An interface reset can be triggered by an event, such as changing the flow control settings by using the "set interface" command.

Known Issues and Workarounds

Access Gateway Issues

  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 0278218: If you enable encryption for endpoint analysis scans and configure preauthentication and post-authentication policies, the preauthentication scan completes successfully and the post-authentication scan fails.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.
  • Issue ID 0306349: In a high availability configuration, if you configure an intranet IP address for a group, when users connect with the Access Gateway Plug-in, if failover occurs, the intranet IP address is no longer assigned to the session. As a consequence, users may not be able to connect to some internal resources. You must remove the IP address from the group and then configure the intranet IP address in a session profile bound globally.

ACL Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert Issues

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user. NOTE: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall Issues

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

Configuration Utility Issues

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.
  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Integrated Caching Issues

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing Issues

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
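
A parser that accepts both member-name formats described in Issue ID 90271/0249597, as an added example (not Citrix code). The sample names are constructed, and the code assumes that '?' never occurs inside a group or server name and that the port field is numeric.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class Member(NamedTuple):
    group: str
    server: str  # IP address; in the 9.3 format it may be a server name instead
    port: int
    fmt: str     # "9.3" for the '?' delimiter, "pre-9.3" for the '_' delimiter


def parse_member(name: str) -> Member:
    """Split one service group member name into group, server and port.

    Raises ValueError for anything that fits neither format, so a caller
    never acts on a half-parsed name.
    """
    # Assumption: '?' never occurs inside a group or server name, so its
    # presence identifies the 9.3 format.
    delim, fmt = ("?", "9.3") if "?" in name else ("_", "pre-9.3")

    # Split from the right: the group name itself may contain underscores.
    parts = name.rsplit(delim, 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"unrecognised member name: {name!r}")
    group, server, port_text = parts

    if fmt == "pre-9.3":
        # The old format carries only an IP address in the middle field.
        ipaddress.ip_address(server)  # raises ValueError if not an address

    # Assumption: the port field is a decimal port number.
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"invalid port in member name: {name!r}")
    if not 0 < int(port_text) <= 65535:
        raise ValueError(f"port out of range in member name: {name!r}")
    return Member(group, server, int(port_text), fmt)


def parse_members(names: Iterable[str]) -> Tuple[List[Member], List[str]]:
    """Parse many names; return (parsed, rejected) instead of dropping bad input."""
    parsed, rejected = [], []
    for name in names:
        try:
            parsed.append(parse_member(name.strip()))
        except ValueError:
            rejected.append(name)
    return parsed, rejected


# Constructed sample names, one per case the parser has to handle.
SAMPLE_NAMES = [
    "web_sg_10.102.29.10_80",  # pre-9.3, underscore inside the group name
    "web_sg?10.102.29.10?80",  # 9.3, member identified by IP address
    "web_sg?app_srv_1?8443",   # 9.3, member identified by server name
    "web_sg?10.102.29.10",     # malformed: port field missing
]

if __name__ == "__main__":
    ok, bad = parse_members(SAMPLE_NAMES)
    for member in ok:
        print(member)
    print("rejected:", bad)
```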

NetScaler SDX Appliance Issues

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 91605/0250759: If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0326655: When you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt the data contents. To check if migration is in progress, at the Management Service shell prompt, type:
    "ps -ax | grep svm_migration"
    If you see some processes running, then migration is in progress and you must not restart the Management Service.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.

    Workaround: First, upgrade the Management Service from build 48.6 to build 55.6, and then upgrade it from build 55.6 to build 56.5 or 57.5.

  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.

NetScaler SDX Appliance and NetScaler VPX Appliance Issues

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance Issues

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking Issues

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform Issues

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot." However, the correct message--"ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate"-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=1
    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=0
    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.
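
A pre-upgrade check for the condition in Issue ID 94133/0257961, as an added example (not Citrix code): it scans ns.conf text for load balancing or content switching virtual servers whose IP address and port match an audit syslog or nslog action. The sample configuration is constructed, and the assumed line shapes are `add lb|cs vserver <name> <type> <IP> <port>` and `add audit syslogAction|nslogAction <name> <serverIP> [-serverPort <port>]`.

```python
import shlex
from typing import List, NamedTuple

# Constructed sample configuration (not from a real appliance).
SAMPLE_NS_CONF = """\
add lb vserver web_vip HTTP 10.102.29.50 80 -persistenceType NONE
add lb vserver log_vip UDP 10.102.29.60 514
add cs vserver "cs main" HTTP 10.102.29.70 80
add audit syslogAction sys_act 10.102.29.60 -serverPort 514 -logLevel ALL
add audit nslogAction ns_act 10.102.29.70 -serverPort 80 -logLevel ALL
add audit syslogAction sys_other 10.102.29.99 -logLevel ERROR
"""


class Collision(NamedTuple):
    vserver: str
    service_type: str     # reported so the protocol can be compared by hand
    action: str
    ip: str
    port_confirmed: bool  # False when the action line sets no -serverPort


def _tokens(line: str) -> List[str]:
    """Tokenise one config line, honouring quoted names; skip broken quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return []


def find_collisions(conf_text: str) -> List[Collision]:
    """Return every virtual server that shares an address with an audit action."""
    vservers = []  # (name, service type, ip, port)
    actions = []   # (name, ip, port or None)
    for line in conf_text.splitlines():
        tok = _tokens(line)
        low = [t.lower() for t in tok]  # compare keywords case-insensitively
        if len(tok) < 5 or low[0] != "add":
            continue
        if low[1] in ("lb", "cs") and low[2] == "vserver":
            # Only entries that carry a positional IP address and port.
            if len(tok) >= 7 and not tok[5].startswith("-"):
                vservers.append((tok[3], tok[4], tok[5], tok[6]))
        elif low[1] == "audit" and low[2] in ("syslogaction", "nslogaction"):
            port = None
            if "-serverport" in low[5:-1]:
                port = tok[low.index("-serverport", 5) + 1]
            actions.append((tok[3], tok[4], port))

    hits = []
    for a_name, a_ip, a_port in actions:
        for v_name, v_type, v_ip, v_port in vservers:
            # With no explicit port on the action, match on IP alone and
            # mark the hit as unconfirmed for manual review.
            if v_ip == a_ip and a_port in (None, v_port):
                hits.append(
                    Collision(v_name, v_type, a_name, a_ip, a_port is not None)
                )
    return hits


if __name__ == "__main__":
    for hit in find_collisions(SAMPLE_NS_CONF):
        state = "same port" if hit.port_confirmed else "port not set on action"
        print(f"{hit.vserver} ({hit.service_type}) shares {hit.ip} "
              f"with audit action {hit.action}: {state}")
```

Any virtual server the check reports can be handled with the numbered workaround above before the upgrade, so that it is not deleted silently.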

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 55.6

Release version: Citrix® NetScaler® release 9.3 build 55.6

Replaces build: None

Release date: February 2012

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Issues

  • Issue IDs 0275806 and 0268577: If a NetScaler appliance has AAA-TM enabled and configured, and a protected web server has 401 basic authentication enabled, a user who connects to that web server by using either the Google Chrome or the Apple Safari web browser does not receive a logon page. Instead, the user receives a message saying that the user is not authorized to access the web server. The cause is that, when issuing a basic authentication challenge, the NetScaler appliance marks the realm as null.
  • Issue ID 0277648: After logging on to a VPN through AAA-TM and then accessing a Microsoft SharePoint server, a user may experience intermittent difficulty with opening a document. A document might not open at all, or it might open in read-only mode when edit access was requested. A repeated attempt to access the document might succeed or might encounter one of the same problems. The underlying issue is a flaw in the authentication procedure.
  • Issue IDs 0288077 and 0288260 (nCore): On a NetScaler appliance with AAA-TM enabled and configured, when a user logon attempt fails, the NSC_VPNERR cookie and error page are not set.

Access Gateway Issues

  • Issue ID 0270127: If you enable ICA Proxy and users access the Web Interface on a virtual server with cookie persistence enabled, cookie persistence does not work. When users access the Web Interface, an error will appear and users will be prompted to close their browser window and log on again.
  • Issue ID 0275322: If you enable ICA Proxy and configure single sign-on to the Web Interface, when users log on with the Access Gateway Plug-in and try to open a published application from the Web Interface, the application fails to open.
  • Issue IDs 82472/0243236 and 0286505: When the RADIUS authentication server issues a challenge response, authentication might fail. Users need to log on again.
  • Issue IDs 86743/0246694 and 0270956: When you deploy Access Gateway in a high availability pair, Access Gateway might send the same session twice to the secondary appliance, which causes the secondary Access Gateway to fail.
  • Issue ID 91459/0250621: When users log on with the Access Gateway Plug-in for Java and then try to access Web resources through a proxy server, users can download the plug-in, but they cannot establish a connection, or else they can log on, but cannot access the resource and the connection eventually fails.
  • Issue ID 92793/0251817: If you install additional Universal licenses on Access Gateway VPX, in addition to the 10 licenses you receive with Access Gateway, the appliance might not recognize the additional licenses. After the 10 Universal licenses are used, further logon attempts by users fail.
  • Issue ID 93346/0257257: If Access Gateway detects a Layered Service Provider (LSP) when users attempt to establish a connection to the appliance, the number of available tunnels is reduced from 128 to 32.
  • Issue ID 0261028: If you configure Access Gateway in a double-hop deployment and monitor the Secure Ticket Authority (STA), if there is an SSL handshake failure and low memory on Access Gateway, the appliance intermittently fails.
  • Issue ID 0268666: Access Gateway user and administrator connections fail. Users cannot establish a connection by using the Access Gateway Plug-in and administrators cannot connect to the configuration utility.
  • Issue ID 0269947: If you change the rule in an endpoint analysis expression that is in a bound policy, endpoint analysis might fail and users may not be able to log on.
  • Issue ID 0271533: If you configure a custom logon page, when users log on with Internet Explorer 9, the text on the page is illegible when the custom page contains transparent images. User devices need to be in compatibility mode to display the logon page correctly.
  • Issue IDs 0277876 and 0287096: When Access Gateway receives UDP network traffic, occasionally initialization does not occur on the receiving core. When this occurs, Access Gateway fails.
  • Issue ID 0283038: If you configure reverse network address translation (NAT) and Access Gateway, when users connect to Access Gateway, the appliance might fail and then fail over to the secondary Access Gateway in a high availability pair.
  • Issue ID 0283557: If users upgrade Java Runtime Environment (JRE) to a version later than 1.6.0_27 and then log on through Access Gateway, attempts to open a published application or XenDesktop fail.
  • Issue ID 0284167: If you do not enable split tunneling, when users log on with the Access Gateway Plug-in by using Internet Explorer, the Use a proxy server for your LAN check box clears and users cannot access internal network resources. When users log off from the plug-in, the Use a proxy server for your LAN check box is selected again, but it clears when users log on with the plug-in.

AppFlow Issues

  • Issue ID 0270379 (nCore): When the AppFlow feature is enabled on a NetScaler appliance, the appliance might fail if it receives an invalid HTTP request header.

Application Firewall Issues

  • Issue ID 0273621: On a Citrix Access Gateway with the application firewall enabled and configured, clients who connect by way of the FQDN are unable to log on through the Web Interface on NetScaler (WIonNS) module. When clients connect to the Access Gateway by way of the IP address, however, they are able to log on through WIonNS. When this occurs, the customer must disable the application firewall feature to permit logons through WIonNS to function correctly.

Application Firewall/Signatures Issues

  • Issue IDs 92794/0251818 and 0262085 (Classic and nCore): On NetScaler appliances that have the application firewall enabled, after an upgrade from the 9.3 version of NetScaler classic to the 9.3 version of NetScaler nCore firmware, an existing signatures file may not function properly. If that occurs, you can correct the problem by creating a new application firewall profile and policy and binding them to the signatures file.

Configuration Utility Issues

  • Issue ID 0271501: The Configure Backend Services dialog box, which you use to configure services for an AppExpert application, does not include the Service Groups tab.
  • Issue ID 0273951: If you use the configuration utility to enable or disable an SSL parameter (such as DH param, Ephemeral RSA, Session Reuse, Cipher Redirect, SSLv2 Redirect, or protocol) on a AAA virtual server, the change is not reflected in the Command Line Interface (CLI).

Connection Failover Issues

  • Issue IDs 0274489 and 90146/0249489 (nCore): In a high availability pair, if the Use Source IP (USIP) option is enabled on an FTP service, the connection information associated with each data channel of the FTP service is not synchronized to the secondary appliance. The issue occurs only with active-mode FTP connections. It causes FTP transactions to fail after a failover event.

Content Switching Issues

  • Issue ID 0285831: Content switching policies that contain virtual-server based expressions (expressions that begin with the SYS.VSERVER("<vserver-name>") prefix) cannot be bound to virtual servers of type MSSQL and MYSQL.

DataStream Issues

  • Issue ID 0284217 (nCore): When two different monitors of MSSQL_ECV type are used at the same time, they can both incorrectly indicate the service to be down.

Domain Name System Issues

  • Issue IDs 0269616 and 0269631 (nCore and nCore VPX): The NetScaler appliance might fail when attempting to access memory that is associated with the processing of a DNS response. The cause is improper clean-up of memory after a memory failure condition that occurs when the response is being processed.
  • Issue IDs 0276412 and 0285276 (nCore and nCore VPX): The NetScaler appliance fails under the following sequence of events:
    • As part of a DNS response, a name server for which the appliance is configured as a DNS proxy server sends the appliance a Start of Authority (SOA) record that belongs to a root server. The appliance caches the SOA record. A name server (NS) record for that root server is also available on the appliance. The root server’s NS record is considered an authenticated record.
    • The appliance receives a CNAME query for a domain name that cannot be resolved. The appliance caches the resulting NXDOMAIN response (a negative response).
    • The appliance receives an ANY query for the domain for which the negative response was received and cached.
    • With the authenticated name server record and cached SOA record, the appliance behaves as though it is authoritative for the queried domain, processes the ANY query, and attempts to populate the record that was created for the negative response.
  • Issue ID 0267498 (nCore and nCore VPX): The NetScaler appliance might fail under the following set of conditions:
    • A client sends a load balancing virtual server of type DNS_TCP a request that cannot be served from the DNS cache on the appliance. The appliance is configured as a DNS proxy server for the requested domain.
    • Before the appliance responds to the DNS request, the virtual server receives a second DNS request on the same client connection. The second request has the TCP FIN flag set and can be served from the DNS cache.

Integrated Caching Issues

  • Issue ID 0283931: The man page for the "set cache parameter" command contains some commented sentences.
  • Issue ID 92551/0251603: If, during validation of an expired cache object with the server, the client sends a reset request or the server responds with no data, the object goes into an error state. All requests for that object are then treated as cache misses until the object is flushed.

Load Balancing Issues

  • Issue ID 0276581: When a NetScaler appliance is configured to provide SSL, load balancing, and AAA-TM services for Microsoft Outlook for Web Access (OWA) servers, an Apple iPhone or iPad user who tries to do ActiveSync with the Microsoft Exchange server may receive a 403 Access Forbidden error.
  • Issue ID 93335/0257245 (nCore and nCore VPX): Remote Desktop Protocol (RDP) connections established by clients time out under the following set of conditions:
    • The Terminal Services Gateway servers that allow the RDP connections to be made to the computers are load balanced by a virtual server on the NetScaler appliance.
    • The version of the TPKT protocol being used for communication is any version other than Version 3.
  • Issue ID 0262924 (nCore and nCore VPX): The NetScaler appliance fails under the following sequence of events:
    • A processor core receives a core-to-core message for deleting a rate limiting session that it owns.
    • The core performs a lookup for the session entry but the session entry does not exist on the core (a rare occurrence).
  • Issue IDs 88470/0248130, 0263522, and 0276411 (nCore): The NetScaler appliance might fail when performing URL redirection under low memory conditions.
  • Issue ID 0264879: When the load balancing feature is disabled, a load balancing virtual server is shown as being down when all the services bound to the virtual server are up, and as being up when all the services bound to it are down.
  • Issue ID 0272688 (nCore and nCore VPX): The NetScaler appliance fails when processing the persistence rule if the rule is based on responses and the configured load balancing method is the token method. However, the issue is rare and occurs when the appliance is processing HTTP and non-HTTP traffic simultaneously.

Monitoring Issues

  • Issue ID 0282876 (nCore and nCore VPX): Address Resolution Protocol (ARP) monitors do not update the Layer 2 parameters in the server information on non-master cores.

NetScaler SDX Appliance Issues

  • Issue ID 0274939: If only a 10/x interface or a 1/x interface is assigned to a NetScaler VPX instance, and the state of that interface is changed from UP to DOWN and then back to UP, the instance is not accessible through the NSIP address.
  • Issue ID 0275607: In certain cases, if only a 1/x interface is assigned to a NetScaler VPX instance, the instance is unresponsive after it is started.

NetScaler VPX Appliance Issues

  • Issue ID 94472/0258273: Tagged VLAN support is now available on NetScaler VPX virtual appliances hosted on XenServer. With this enhancement, if you configure tagged VLANs on a port on the switch but do NOT configure any VLANs on the XenServer interface attached to that port, the VLAN tags are passed through to the VPX instance and you can use the tagged VLAN configuration on the virtual appliance.

Networking Issues

  • Issue ID 0268589: In certain cases, routes are not updated because OSPF threads that are responsible for calculating the shortest path are not scheduled.
  • Issue ID 0273671: If a PBR-rule based connection is established on the NetScaler appliance and the rule is later removed, the appliance may fail.
  • Issue ID 0258993: If you create an RNAT rule with an extended ACL as the condition, and the name of the ACL is an IP address (for example, 10.102.29.10), the appliance interprets the ACL as an IP address instead of as an ACL. When you display the RNAT records, the NetScaler appliance restarts.

Platform Issues

  • Issue ID 91160/0250344 (nCore): The NIC error counter is incremented for dropped packets in addition to NIC errors.

Policies Issues

  • Issue ID 0273159: The NetScaler appliance may reboot continuously because of a Responder policy evaluation error when a client sends an invalid HTTP request to a protected web site.
  • Issue ID 0287356: If you remove a classic expression that is referenced by an advanced expression from a NetScaler configuration without first removing the advanced expression, the NetScaler appliance may crash. If this occurs on the primary NetScaler appliance in a high availability (HA) configuration, upon failover the secondary NetScaler appliance also crashes. To work around this issue, simply remove any advanced expressions first, and then remove classic expressions.

Rate Limiting Issues

  • Issue ID 0273618: The NetScaler appliance fails when it temporarily blocks the evaluation of rate limiting selectors. Deep body parsing and HTTP callout evaluation are examples of processes during which the appliance temporarily blocks evaluation.

SSL Issues

  • Issue ID 0269568: The NetScaler appliance fails if the clear config command is issued to remove a custom cipher group that is bound to the internal services on the appliance.
  • Issue ID 0278362: The following new SNMP alarms are added to indicate the rate of 1024, 2048, and 4096-bit key operations during SSL transactions and the number of current SSL sessions in use:
    • 1024KEY-EXCHANGE-RATE
    • 2048KEY-EXCHANGE-RATE
    • 4096KEY-EXCHANGE-RATE
    • SSL-CUR-SESSION-INUSE

System Issues

  • Issue ID 0262914: The maximum segment size (MSS) is incorrectly updated if you use the "set service" command to change any parameter of an existing service.
  • Issue IDs 0274650, 0270995, and 0273066: When HTTP connection multiplexing on a virtual server is OFF, the NetScaler opens a new connection for every request instead of reusing the last-used connection. The new connection results in failure of features, such as NTLM authentication protocol, that require persistent connections with the servers.
  • Issue ID 0274822 (nCore and nCore VPX): When utilization of the management CPU returns to the configured normal threshold value after an SNMP trap for high CPU utilization (cpuUtilization) has been sent, the corresponding normal trap (cpuUtilizationNormal) is sent three times.
  • Issue ID 0285827 (Classic): In certain cases, if you save the core while compression is enabled in the nssavecore.sh file, the operation fails.
  • Issue IDs 79837/0241190, 88223/0247937, 81193/0242275, and 86655/0246624: NetScaler does not handle some cases in which the response is received before the complete request is forwarded to the server.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 81165/0242252: In the Access Gateway configuration utility, you can bind a server running the STA with the same IP address or fully qualified domain name (FQDN) twice.
  • Issue ID 0285111: If you configure ICA Proxy when users log on with the Access Gateway Plug-in and you close all sessions by using the command line, the sessions do not close.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection.
      For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, then when the time-out period expires, a session time-out message appears on the user device; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Access Control Lists Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Application Firewall Issues

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the show configstatus command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.

Domain Name System Issues

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must specify a value for sitepath that does not end with a '/'. For example: add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
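
An added example (not Citrix code) of a parser that application scripts could use to accept both member-name formats described in Issue ID 90271/0249597. The `Member` type, the sample names, and the assumption that the port field is a decimal number are constructed for illustration.

```python
"""Parse NetScaler servicegroup member names in both formats (added example)."""
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    servicegroup: str
    server: str   # IP address, or a server name in the 9.3 format
    port: int
    fmt: str      # "9.3" ('?' delimiter) or "pre-9.3" ('_' delimiter)


def _parse_port(text: str) -> int:
    # Assumption: the port field is a decimal number in the range 0-65535.
    if not (text.isascii() and text.isdigit()) or int(text) > 65535:
        raise ValueError(f"invalid port field: {text!r}")
    return int(text)


def parse_member_name(name: str) -> Member:
    """Return the fields of a servicegroup member name.

    pre-9.3: <service group name>_<IP address>_<port>
    9.3:     <servicegroup name>?<IP address | server name>?<port>
    """
    # A '?' anywhere in the name marks the 9.3 format; check it first so that
    # underscores inside a 9.3 name are never treated as field separators.
    if "?" in name:
        delimiter, fmt = "?", "9.3"
    else:
        delimiter, fmt = "_", "pre-9.3"

    # Split from the right and only twice: the service group name (and, in
    # the 9.3 format, the server name) may itself contain underscores, so a
    # plain split('_') returns a variable number of fields.
    parts = name.rsplit(delimiter, 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a servicegroup member name: {name!r}")
    group, server, port_text = parts

    if fmt == "pre-9.3":
        # The older format only carries an IP address in the middle field.
        try:
            ipaddress.ip_address(server)
        except ValueError:
            raise ValueError(f"expected an IP address, got {server!r}") from None

    return Member(group, server, _parse_port(port_text), fmt)


if __name__ == "__main__":
    # Constructed sample names, not taken from a real appliance.
    samples = [
        "web_farm_10.0.0.5_80",        # pre-9.3, underscore in group name
        "web_farm?10.0.0.5?80",        # 9.3, member bound by IP address
        "web_farm?app_srv_01?8080",    # 9.3, member bound by server name
        "web_farm?10.0.0.5",           # malformed: port field missing
    ]
    for sample in samples:
        try:
            print(sample, "->", parse_member_name(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Rejecting names that do not fit either format, rather than guessing at the fields, keeps a script from silently acting on the wrong server or port after an upgrade.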

NetScaler SDX Appliance Issues

  • Issue ID 0262505 (nCore): When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 86597/0246578 (nCore): Internet Explorer version 9.0 does not load the Configuration tab.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 0265006 (nCore): Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 88515/0248159 (nCore): Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194 (nCore): When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91605/0250759 (nCore): If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

NetScaler SDX Appliance and NetScaler VPX Appliance Issues

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance Issues

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, when there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.
  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

Networking Issues

  • Issue ID 0271154 (Classic, nCore, and VPX): The man pages for the commands add ns ip, set ns ip, add ns ip6, and set ns ip6 display an incorrect default value for the ospfArea parameter.

Platform Issues

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance--ipmi0: KCS error: 01 ipmi0: KCS: Reply address mismatch.

  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type: openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot." However, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate", appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_47.5 to 9.3_51.5.
    Workaround: Do the following:
    1. Remove the audit policy and action
    2. Add the deleted virtual server
    3. Add the audit policy and action
    4. Save the configuration
  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files being imported as XMLSchema. These invalid XMLSchemas are rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContent attribute was set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 54.4

Release version: Citrix® NetScaler® release 9.3 build 54.4

Replaces build: None

Release date: December 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM Issues

  • Issue ID 93854/0257700: When AAA is in use, and a user who has not already authenticated accesses a URL that contains encoded spaces (%20), after authentication AAA replaces the encoded spaces with the plus (+) character before it attempts to access the URL. When it attempts to redirect to the modified URL, the web server returns a 404 error.

Access Gateway Issues

  • Issue ID 93631/0257509: Access Gateway supports client interception by using Intranet Applications. You can configure up to 128 intranet applications in Access Gateway. The previous limit was 32 intranet applications.
  • Issue ID 91875/0251005: When users log on to Access Gateway, if there is a delay sending the authentication response, authentication and Access Gateway might fail.
  • Issue IDs 93657/0257518 and 93716/0257574: When users attempt to log on two times, Access Gateway detects an active session and starts to initiate the transfer logon process. However, Access Gateway fails to remove the original session and transfer logon fails. If users try to transfer logon again, the logon page appears.
  • Issue ID 94181/0258005: If UDP packets from the user device arrive at Access Gateway as multiple packets, Access Gateway truncates the UDP packet if all the truncated fragments fit in one packet and then are sent from the appliance.
  • Issue ID 0266865: Access Gateway does not update the MAC address cache for XenApp or XenDesktop when the MAC address of the server changes. User connections fail and you must restart Access Gateway.
  • Issue ID 0271589: If you upgrade Access Gateway from Version 9.3 build 51.5 to build 53.5, when users log on successfully with the Access Gateway Plug-in on an iPad, an "Access Gateway unexpected response" error appears.

AppFlow Issues

  • Issue ID 0274236 (nCore and nCore VPX): When the AppFlow feature is enabled, more memory than the allocated size of the buffer may be released. This may result in memory corruption and packet engine failure.

Application Firewall Issues

  • Issue ID 0264504: In some circumstances when a large number of Application Firewall sessions are active, the NetScaler watchdog process can stall and abort the packet engine, causing a system restart.
  • Issue ID 0269994: After upgrading a NetScaler appliance that has the Application Firewall enabled and configured from version 9.0 of the NetScaler OS to version 9.3, if the deny URL feature is configured and deny URLs are enabled, memory usage increases significantly and continues to increase over time as denied URLs are accessed.
  • Issue ID 0271427: When a user attempts to connect to an Application Firewall-protected web site using an Apple iPhone, the connection fails with an error.

Cloud Bridge Issues

  • Issue ID 90206/0249539 (Classic): The IKE process causes a loop, as a result of which 100 percent CPU usage is observed.

Configuration Utility Issues

  • Issue ID 0269486: In a high availability configuration, the configuration utility does not display the configured route monitors on the NetScaler appliances. Also, when a route monitor is configured to monitor a default route, the configuration utility displays the secondary node's IP address as 0.0.0.0.

Content Switching Issues

  • Issue ID 0264772 (nCore and nCore VPX): The NetScaler appliance does not increment the hit counters that are displayed for content switching policy bindings in the output of the "show cs vserver <name>" command, even though it increments the counters for the total number of policy hits in the output of the "show cs policy [<policyName>]" command. The issue occurs with URL-based policies when the “caseSensitive” option for the content switching virtual server is set to “OFF.”

DataStream Issues

  • Issue ID 90389/0249698 (nCore and nCore VPX): The MSSQL-ECV monitor uses the default MS SQL protocol version, TDS 7.0, even if you set a different MS SQL protocol version for the monitor.

EdgeSight Monitoring Issues

  • Issue ID 0266622 (Classic and nCore): Injection of EdgeSight for NetScaler measurement scripts into the response occurs only if the HTTP content-type header is text/html.

Global Server Load Balancing Issues

  • Issue ID 92365/0251432: When a GSLB virtual server that is configured with the static proximity method receives requests that alternately match a separate subset of bound GSLB services, the NetScaler appliance fails to serve each request the GSLB service IP addresses, from the respective subset, in round-robin order. For example, if the GSLB virtual server receives a request R1 that matches services S1, S2, and S3 and a request R2 that matches services S4, S5, and S6, in the order R1, R2, R1, R2, the NetScaler appliance fails to serve R1 the IP addresses of S1, S2, and S3 and R2 the IP addresses of S4, S5, and S6, in round-robin order.

Integrated Caching Issues

  • Issue ID 93435/0257335: If a request for an object arrives as the object expires (at the time specified by the "absExpiry" parameter), the "pollEveryTime" parameter for that object is set to YES. Future requests for the object are sent to the origin server.

Load Balancing Issues

  • Issue ID 69918/0233211: Unlike in earlier releases, when you use the “sync gslb config” command or its alias, the “sync config” command, the NetScaler appliance displays a warning that the synchronization of GSLB sites can result in loss of configuration on remote sites, and prompts you to confirm that you want to synchronize the sites. The prompt helps prevent unintentional synchronization that might result from accidental use of the command.

NetScaler SDX Appliance Issues

  • Issue ID 0261672: You can download the Management Service build and documentation files, SSL keys and certificates, XVA images, NetScaler instance build and documentation files, and licenses to a local computer as a backup. You can also directly download the technical support file to your local computer and then send it to Citrix support. Earlier you had to use FTP to download these files.
  • Issue ID 0268115 (nCore): You cannot change an interface on a NetScaler VPX instance if you have not selected any of the management interfaces (0/1 and 0/2) when provisioning the instance.
    Note: Make sure that the NSVLAN is configured correctly. In case of an incorrect configuration, the instance is not reachable.
  • Issue ID 0269055: You can now save the settings of all the NetScaler instances provisioned on the SDX appliance before performing a factory reset. You can use the saved information to reprovision the instances after the reset. For more information, see the SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0267383 (nCore): You cannot remove a configured NSVLAN by using “Modify NetScaler Instance” in the management Service VM user interface.

Networking Issues

  • Issue ID 0263530 (nCore and nCore VPX): The NetScaler appliance fails when it processes IPv6 UDP packets for which the appliance has not allocated memory for NAT entry.

SNMP Issues

  • Issue ID 93916/0257759: For an SNMP query, the NetScaler appliance returns the value of the SNMP objects svcAvgTransactionTime and svcGrpMemberAvgTransactionTime, in picoseconds.
  • Issue ID 0260021 (nCore and nCore VPX): The NetScaler appliance returns a different value for the SNMP object ‘sslSessionsPerSec’ than the value of the corresponding ‘SSL sessions (Rate)’ counter displayed on the Monitoring page.

SSL Issues

  • Issue ID 92246/0251327 (Classic): In rare cases, on the NetScaler 12000 appliance, if the combination of a NetScaler response and maximum transmission unit (MTU) is such that the data in the last TCP packet is 8 bytes or less, decryption of data using DES/AES ciphers fails.

System Issues

  • Issue ID 89581/0249017: The NetScaler appliance fails due to the internal traffic accessing the buffer.
  • Issue ID 90580/0249858: Log records are not generated for the "reboot" command.
  • Issue ID 0259201: In rare cases, the appliance restarts when the process monitoring daemon does not recognize the short heartbeat messages from clients.
  • Issue ID 0263699: The NetScaler appliance does not process invalid requests that are sent after a connection close.
  • Issue ID 88149/0247876: The NetScaler appliance is unable to detect that the httpd process has restarted after the process fails. This causes the NetScaler appliance to intermittently drop SYN packets destined to the NSIP, MIP, or SNIP address on the appliance.
  • Issue ID 93475/0257369: When a data structure used for tracking NAT information was freed, a field related to the netbridge configuration was not zeroed out. If the same data structure was then reused for a server-side connection, the appliance tried to send data on a bridge that was not configured, so the packet was not sent.
  • Issue ID 93586/0257469: The NetScaler appliance forwards Keep Alive probes, from the server, to a client even when the client has advertised a zero window. This causes the client to reset the connection.
  • Issue ID 93826/0257673: HTTP requests may acknowledge previous responses, which causes packet reordering. The NetScaler appliance fails when any configured L7 feature, for example a rewrite policy, processes these packets.
  • Issue IDs 94442/0258246 and 93593/0257475: When the device name length exceeds 256 characters, the stored length is truncated. However, the NetScaler appliance allocates more memory to store the device name and, when releasing the memory, releases less than the extended amount. This leads to a memory leak.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 92054/0251163: If you enable multi-stream connection policy settings in either XenApp 6.5 for Windows Server 2008 R2 or XenDesktop 5.5 and you install the Access Gateway Plug-in by using an MSI package, Access Gateway does not establish multi-stream connections to the resource, although XenApp and XenDesktop launch on the user device in a single stream.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      1. Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      2. Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      3. Contact the manufacturer for other devices.
  • Issue ID 89427/0248893: If users connect with the Access Gateway Plug-in by using an airtel 3G device and the Repeater Plug-in accelerates VPN traffic after establishing the VPN connection, and users put the user device in standby or hibernate, then when users resume the device, the Access Gateway Plug-in fails to reestablish the connection. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, then when the time-out period expires, a session time-out message appears on the user device; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

ACL Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Application Firewall Issues

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.

Domain Name System Issues

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, specify a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session cookie based persistence.

NetScaler SDX Appliance Issues

  • Issue ID 265006 (nCore): Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0262505 (nCore): When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 86597/0246578 (nCore): Internet Explorer version 9.0 does not load the Configuration tab.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 88515/0248159 (nCore): Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194 (nCore): When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91605/0250759 (nCore): If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0274939: If only a 10/x interface or a 1/x interface is assigned to a NetScaler VPX instance, and the state of that interface is changed from UP to DOWN and then UP again, the instance is not accessible through the NSIP address.

    Workaround: Assign a 0/x interface to the VPX instance.

  • Issue ID 0275607: In certain cases, if only a 1/x interface is assigned to a NetScaler VPX instance, the instance is unresponsive after it is started.

    Workaround: Assign a 0/x interface to the VPX instance.

NetScaler VPX Appliance Issues

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features, such as compression and GSLB, stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, when there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

Networking Issues

  • Issue ID 0271154 (Classic, nCore, and nCore VPX): The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the parameter 'ospfArea'.

Platform Issues

  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.
    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message--“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files being imported as XMLSchema. These invalid XMLSchemas are rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 53.5

Release version: Citrix® NetScaler® release 9.3 build 53.5

Replaces build: None

Release date: November 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM Issues

  • Issue IDs 93635/0257512, 0263061, and 0263473: The NetScaler appliance fails in the following scenario:
    1. A user uses invalid credentials to log on to a AAA-TM authentication virtual server, and then sends the virtual server a second request.
    2. The user’s browser reuses the TCP connection for the second request.

Access Gateway Issues

  • Issue ID 91344/0250516: The multi-stream ICA feature allows you to partition multiple ICA streams in the same session. With multi-stream ICA, you can partition a single TCP connection into multiple streams based on different types of traffic that are typical for session reliability.
  • Issue ID 91453/0250615: Occasionally, when users log on with the Access Gateway Plug-in, and a Web browser sends a resources.js request that contains a session cookie (NSC_AAAC), Access Gateway proxies the request to the server and returns an HTTP 404 Not Found error. Unnecessarily, the user receives an NTLM authentication message prompting them to enter credentials.
  • Issue ID 92124/0251222: If you configure bookmarks on Access Gateway as a reverse proxy and users do not connect with clientless access, Access Gateway might fail.
  • Issue ID 93384/0257288: You can create a session or preauthentication policy to check for REG_MULTI_NZ and REG_BINARY registry types on the user device.
  • Issue ID 94534/0258329: When you configure two appliances as a high availability pair and create a session policy with a name longer than 31 characters, if the primary appliance becomes unavailable while users are logged on with the Access Gateway Plug-in, failover to the secondary appliance does not occur and the connection fails.

AppFlow Issues

  • Issue IDs 94685/0258921 and 0264518 (nCore and nCore VPX): The NetScaler appliance may crash if you try to delete an AppFlow policy or action while traffic affected by the policy or action is flowing through the appliance.

Application Firewall Issues

  • Issue ID 83695/0244305: On nCore systems with the application firewall enabled, the following counters may show incorrect values:
    • (CLI) Opening client connections
    • (CLI) Established client connections
    • (GUI) Opening connections
    • (GUI) Established connections
    • (GUI) Active Server connections
  • Issue ID 92641/0251685 (nCore and nCore VPX): The amount of memory available to the Application Firewall is much lower than the amount of memory available to the NetScaler appliance.
  • Issue ID 93940/0257771: When both AAA SSO and the Application Firewall are enabled on the NetScaler appliance, and an advanced Application Firewall profile is bound to global or a bind point, the appliance sends incorrect HTTP POST requests to the web server, breaking web server functionality.

Cache Redirection Issues

  • Issue ID 92791/0251815: The NetScaler appliance fails in the following scenario:
    1. A cache redirection virtual server is configured with a listen policy, RNAT is configured, and TCP proxy is enabled for RNAT (by using the "set rnatparam -tcpproxy ENABLED" command).
    2. A client sends the appliance a request meant for the origin server. The request satisfies the RNAT criteria but does not match the listen policy that is configured for the cache redirection virtual server.
    3. Another client sends the appliance a request for the same origin server and, this time, the request matches the listen policy that is configured for the cache redirection virtual server.

Command Line Interface Issues

  • Issue ID 92966/0251975: If you are using the Perl package Net::SSH::Perl, the NetScaler appliance may not allow new connections after the limit for maximum number of connections has been reached, even if some users have logged out. Make sure that your Perl script has the following line:
    $ssh->login("$user", "$password", 1);
    instead of:
    $ssh->login("$user", "$password");

Configuration Utility Issues

  • Issue ID 82499/0243259: In NetScaler release 9.3, the PHP version has been upgraded from 5.2.6 to 5.3.8.
  • Issue ID 92919/0251932: In the "Select the Template Type" dialog box (AppExpert > Templates > Entity Templates > Add), the option for creating a load balancing virtual server template is not available, and the "SSL Vserver" option is listed more than once.

DataStream Issues

  • Issue ID 92394/0251460 (nCore and nCore VPX): If a client cancels an SQL query before the server responds to a query it sent earlier, load balancing fails for subsequent queries sent by the client. The NetScaler appliance forwards all subsequent queries sent by that client to the same database server.

Content Switching Issues

  • Issue ID 93339/0257249 (nCore and nCore VPX): A content switching virtual server does not serve a client request in the following scenario:
    • Three or more advanced policies that use the "MATCHES_LOCATION(<location>)" function are bound to the content switching virtual server.
    • The source IP address of the request does not match any location in the location database.

Integrated Caching Issues

  • Issue ID 94009/0257849: The NetScaler appliance fails if the maximum response size (maxResSize) of a single object in the integrated cache exceeds 100 MB.
  • Issue ID 94708/0258932: The NetScaler appliance does not retransmit data for a 304 Not Modified cache hit when the RTO (round trip timeout) is hit.

Load Balancing Issues

  • Issue ID 92390/0251455: Data transfer might stop after a failover in the following scenario: Stateful connection failover is enabled on the load balancing virtual server that is managing the connection, and the failover was immediately preceded by a burst of traffic.
  • Issue ID 87201/0247100 (Classic and nCore): If a load balancing virtual server for TCP services has stateful connection failover enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred.

NetScaler SDX Appliance Issues

  • Issue ID 92664/0251706 (nCore): You can now perform the following actions:
    • Provision a NetScaler VPX instance on a subnet that is different from the subnet of the management service VM. Traffic between the management service VM and the NetScaler VPX instance is routed.
    • Specify that only secure communication is allowed between the management service VM and the NetScaler instances.
    • Specify that the SDX appliance can be accessed only over a secure channel (https instead of http).
    • Apply administrative configuration on a NetScaler instance at a later time if the instance is not reachable from the management service VM.
  • Issue ID 0261338 (nCore): If you create a NetScaler IP address from the NetScaler Configuration node in the Configuration tab of the management Service VM user interface, the default IP address created is a subnet IP (SNIP) address and not the mapped IP (MIP) address.

Rewrite Issues

  • Issue ID 92586/0251637: Rewrite policies are not applied to HTTP requests that use the HTTP method CONNECT.
  • Issue ID 92739/0251770: When an HTTP message body is extremely large (2 GB or more), the replace_all, insert_all, insert_before, and insert_after_all rewrite actions cause the NetScaler to crash.

SNMP Issues

  • Issue ID 93003/0252009: A new SNMP OID, sysStatisticsTime (1.3.6.1.4.1.5951.4.1.1.41.17), returns the interval at which various statistical counters are updated.
  • Issue ID 93469/0257366: If a content switching classic policy is rebound to the content switching virtual server, an SNMPWALK operation on the csPolicyHits SNMP object returns an error.

SSL Issues

  • Issue ID 91408/0250575 (nCore VPX): If OCSP check is enabled on a NetScaler VPX appliance, and the appliance receives the client key exchange and client certificate as part of a single record, the SSL handshake fails.
  • Issue IDs 93373/0257280, 0264151, and 0264043 (nCore): If there is a delay between HA health monitoring and SSL card monitoring, HA health monitoring reports that the SSL card is DOWN.

System Issues

  • Issue IDs 89829/0249234 and 93515/0257405: The "diff ns config" CLI command erroneously audits a command more than once and displays the error message "Already audited command" in its output. This issue is observed when the command attribute that is treated as the unique ID for the command occurs in multiple records in the NetScaler database. For example, the host name that you specify in the "add dns nsRec" command is treated as the unique ID for the command when a database record is created. If the "add dns nsRec" command is used to assign multiple IP addresses to a host, the host name can occur in multiple records and, consequently, lead to multiple audits of the "add dns nsRec" command when you use "diff ns config."
    Note: As a result of the changes that were made to resolve this issue, the "mx" parameter, which is required in the "add dns mxRec" and "set dns mxRec" commands, is now also required in the "unset dns mxRec" command. The syntax of the "unset dns mxRec" command has changed as follows:

    Before: unset dns mxRec <domain> -TTL

    After: unset dns mxRec <domain> -mx <string> -TTL

  • Issue ID 92046/0251155: If a NetScaler appliance is unable to determine the link status of an interface and stores an invalid link-status value in the internal database, the appliance fails.
  • Issue ID 94767/0258978: If you use the configuration utility to delete all the configured NTP servers, configurations in one of the startup script files (rc.netscaler) are lost.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 92054/0251163: If you enable multi-stream connection policy settings in either XenApp 6.5 for Windows Server 2008 R2 or XenDesktop 5.5 and you install the Access Gateway Plug-in by using an MSI package, Access Gateway does not establish multi-stream connections to the resource, although XenApp and XenDesktop launch on the user device in a single stream.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    • Disable split tunneling.
    • Configure Access Gateway so user connections do not receive an intranet IP address.
    • Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89427/0248893: If users connect with the Access Gateway Plug-in by using an airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, and users then put the user device in standby or hibernation, the Access Gateway Plug-in fails to reestablish the connection when users resume the device. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, then when the time-out period expires a session time-out message appears on the user device, but the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

ACL Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Application Firewall Issues

  • Issue ID 83089/0243784: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.

Domain Name System Issues

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, specify a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies using Session Directory. You need not explicitly configure persistency on NetScaler. In some situations (where multiple persons use the same user-login credentials), session cookie persistence may not be helpful, and IP-based persistence methods are necessary. Future releases will support IP address based persistency. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.
  • Issue ID 88593/0248222 (nCore): After failover, the "maxclient" setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.

NetScaler SDX Appliance Issues

  • Issue ID 86597/0246578 (nCore): Internet Explorer version 9.0 does not load the Configuration tab.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 88515/0248159 (nCore): Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194 (nCore): When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91605/0250759 (nCore): If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0262505 (nCore): When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 0265006 (nCore): Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0268115 (nCore): You cannot change an interface on a NetScaler VPX instance if you have not selected any of the management interfaces (0/1 and 0/2) when provisioning the instance.

    Workaround: First, add an interface to the NetScaler VPX instance. After the instance restarts, remove the interfaces that are not required.

    Note: Make sure that the NSVLAN is configured correctly. In case of an incorrect configuration, the instance is not reachable.

NetScaler VPX Appliance Issues

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features, such as compression and GSLB, stop working.

    Workaround: Reduce the memory allocated for caching.

Platform Issues

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:

    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot." However, the correct message--"ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate"-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (lb virtual server or cs vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_47.5 to 9.3_51.5.

    Workaround: Do the following:

    1. Remove the audit policy and action
    2. Add the deleted virtual server
    3. Add the audit policy and action
    4. Save the configuration

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files being imported as XMLSchema. These invalid XML schemas are rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058/0242928: The "unique" element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The "redefine" element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContent attribute was set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707/0244316: The Import feature for Schema and WSDL files does not support non-ASCII characters. If a WSDL or Schema file that is being imported contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This change can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 52.3

Release version: Citrix® NetScaler® release 9.3 build 52.3

Replaces build: None

Release date: October 2011

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

Access Gateway Issues

  • Issue ID 86965: If you have single sign-on enabled and users connect to a resource through Access Gateway, Access Gateway occasionally returns a 500 Internal Server Error when the resource does not accept a 0 content length during NTLM authentication.
  • Issue ID 88409: If 16 users are changing their passwords simultaneously, new users cannot log on.
  • Issue ID 91811: If you enable client choices and users can log on with the Access Gateway Plug-in or by using clientless access, when users try to transfer files, an Internal Server Error 29 appears.
  • Issue ID 91285: When two Access Gateway appliances are configured as part of a high availability pair and you configure double-source authentication, occasionally if the primary node fails, the secondary node also fails to accept connections and Access Gateway subsequently fails.

Application Firewall Issues

  • Issue ID 83366: When the application firewall is configured, the NetScaler appliance may fail because of an issue in delivering the learning messages to the "aslearn" daemon.
  • Issue ID 86782: Importing appfw objects such as signatures, htmlerror page, and so on, may fail on first attempt if the import command contains a very long source URL. The command will succeed if executed a second time.
  • Issue ID 91899: The Application Firewall fails when a web page with a significantly large number of unique URLs is processed.

Configuration Utility Issues

  • Issue ID 93321: If, when adding a new TCP profile, you specify a value greater than 128 for the "Maximum Burst Limit" field, the appliance adds a minus symbol (-) before the value.
  • Issue ID 93358 (Classic and nCore): When you install a CA certificate on a NetScaler FIPS appliance by using the configuration utility, FIPS Key Name is not a required parameter.

Domain Name System Issues

  • Issue ID 92383: If a DNS query made by the NetScaler appliance leads to a chain of CNAME responses and one of the intermediate CNAME responses expires before the other responses because it has the least time-to-live (TTL) value, the bailiwick check is not handled correctly during subsequent attempts to resolve the same DNS query. Consequently, subsequent attempts fail intermittently. Additionally, when the appliance is functioning as an end resolver, if the length of the domain name in the query is less than 64 characters and the domain name in an intermediate CNAME response is greater than 64 characters, CNAME references are not handled correctly. Consequently, the appliance fails when you run the "flush dns proxyRecords" command.

Global Server Load Balancing Issues

  • Issue ID 85912: In a large GSLB configuration, if persistence session exchange is enabled between sites and the configuration of GSLB virtual servers is not symmetric across the participating sites, then the NetScaler appliance may fail.
  • Issue ID 87244 (nCore and nCore VPX): A NetScaler appliance running release 9.2 fails under the following sequence of events:
    1. GSLB is configured on the appliance, and it receives a metrics exchange protocol (MEP) connection from another GSLB site that has a lower IP address and is running a NetScaler release earlier than 9.2.
    2. The MEP connection is received by a non-owner core and the state of the MEP connection flaps (goes down and comes back up within an interval of about 10 seconds).
    3. After the MEP connection flaps, the GSLB site running NetScaler 9.2 attempts to share persistence sessions with the GSLB site running the pre-9.2 release.

Integrated Caching Issues

  • Issue ID 90335: The "show cache object" CLI command can corrupt NetScaler memory, causing the appliance to fail.

Load Balancing Issues

  • Issue ID 91869: The counter that indicates the number of connections made to a load balancing virtual server is not incremented correctly when the load balancing virtual server is bound to a content switching virtual server.

Networking Issues

  • Issue ID 87163: If a response packet is dropped during high availability failover, the NetScaler appliance does not block fragmented request packets.
  • Issue ID 91703: On failover, the BGP sessions on the secondary NetScaler in an HA-INC pair are reset. This applies to Classic, nCore, and VPX builds.
  • Issue ID 91886 (nCore and nCore VPX): If the NetScaler appliance receives a monitoring packet that it sent out for monitoring a service, the appliance may fail to send further monitoring probes for the service.
  • Issue ID 92773: The NetScaler appliance fails if a client tries to establish an active FTP session with a server that is reachable through a Link Load Balancing (LLB) route.

NITRO API Issues

  • Issue ID 93938: The data type for the "statechangetimeseconds" field for the lbvserver and csvserver classes is not consistent. The lbvserver class uses the integer data type and the csvserver class uses the date data type.

Platform Issues

  • Issue ID 92406 (Classic and nCore): On the NetScaler MPX 7500/9500 and MPX 9700/10500/12500/15500 appliances with an Intel 1GB interface, the health monitoring system automatically performs a warm restart if the appliance does not respond to health checks. If the appliance continues to be unresponsive, you have to perform a hard reboot.
  • Issue IDs 92435 and 92677 (nCore): In certain rare conditions, access to the BMC device for health check data may fail on the MPX 11500/13500/14500/16500/18500 platform. Consequently, the load on the management CPU significantly escalates and the appliance becomes unresponsive.

Policies Issues

  • Issue ID 92982: The NetScaler appliance fails when the rewrite action "replace_all" is applied to a response that is being generated by a content filter action.

Rewrite Issues

  • Issue ID 88938: The NetScaler appliance may sometimes fail to rewrite HTTP responses that use chunked encoding.
  • Issue ID 92968: If a rewrite policy with the "log" action specified is bound to a TCP virtual server, when the policy matches a connection, the NetScaler appliance fails.

SDX Appliance Issues

  • Issue ID 92408: If the Management Service VM is in an idle state, the database connection sometimes times out internally causing continuous login failures.

SNMP Issues

  • Issue ID 92172: Some types of incorrectly formatted SNMP OID requests may lead to failure of the NetScaler appliance.

System Issues

  • Issue ID 91005: Client and server-side connections for RNAT do not log TCP 4-tuple information, connection duration, and bytes transferred.
  • Issue ID 91561: If you run the shell command showtechsupport to create a collector file, "pciconf -lcv" is also executed. The output of the command appears under <collectorfile>/shell/pciconf-lcv.out.
  • Issue ID 91606 (nCore): When a layout file is used with nCore to run PEs on different CPUs, if a PE ID is greater than the ID of the CPU running the PE, the profiler fails.
  • Issue ID 91693: If there is no URI-QUERY string after the "?" (example: http://search.citrix.com/search?), the client side weblog report must indicate the NULL value by showing "-". However, nothing is recorded in the weblog report.
  • Issue ID 92654: Setting the deprecated "recvbufsize" parameter through the "set ns tcpparam" command throws an "argument deprecated" error in the CLI but still modifies the global tcpprofile nstcp_default_profile.
  • Issue IDs 93094 and 93983: If the nsconfigaudit tool cannot allocate the memory required for comparing large configurations, the tool fails.
  • Issue ID 94674: If a server (lb virtual server or cs vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on reboot.

Web Interface Issues

  • Issue ID 92859 (nCore and nCore VPX): The "Enable access through mobile receiver" option in the Web Interface GUI wizard activates web interface sites for most mobile platforms but is known to work for the following:
    • iPhone Receiver.
    • iPad Receiver.
    • Android Receiver.
    • Blackberry Receiver.
    • Mac Receiver.
    • iPad web browser.
    • Wyse Terminals.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 92054: If you enable multi-stream connection policy settings in either XenApp 6.5 for Windows Server 2008 R2 or XenDesktop 5.5 and you install the Access Gateway Plug-in by using an MSI package, Access Gateway does not establish multi-stream connections to the resource, although XenApp and XenDesktop launch on the user device in a single stream.
  • Issue ID 91832: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175 and 82022: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89427: If users connect with the Access Gateway Plug-in by using an airtel 3G device, the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, and users then put the user device in standby or hibernation, the Access Gateway Plug-in fails to reestablish the connection when users resume the device. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Access regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires; however, the session is not terminated on Access Gateway.
  • Issue ID 86123: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470 and 86787: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Application Firewall Issues

  • Issue ID 83089: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet that has the DF bit unset across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862 (nCore and nCore VPX): In this release, IPv6 addresses are not supported.

Domain Name System Issues

  • Issue ID 93203 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 82872: The setting of maximum requests per connection may be violated when a transaction is going on with the physical server.
  • Issue ID 82929: When a TCP monitor is used for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096: When you configure the WI-EXTENDED monitor, the value of sitepath must not end with a slash (/). For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc

  • Issue ID 87201 (Classic and nCore): On a load balancing virtual server for TCP services on which stateful connection failover is enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred.
  • Issue ID 87407 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory. You need not explicitly configure persistency on the NetScaler. In the next releases, IP address based persistency will be supported. In some situations (where multiple persons use the same user-login credentials), session cookie persistence may not be helpful, and IP-based persistence methods will be necessary. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.
  • Issue ID 88593 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271: The NetScaler appliance internally represents servicegroup members with unique names. Starting with NetScaler release 9.3, the internal naming convention is different because the delimiter used in the servicegroup member name has changed. The earlier format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>. Because of this change, application scripts that parse the servicegroup member name and extract the fields based on the underscore delimiter (_) fail, because the delimiter is now a question mark (?).
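
For scripts affected by the servicegroup member name change in Issue ID 90271 (listed here and in the earlier entry for the same issue), the following added example, which is not Citrix code and not part of the original release notes, parses both the pre-9.3 and the 9.3 format. The names Member, parse_member_name and same_member and the sample member names are constructed for illustration; it assumes that '?' never occurs inside a group or server name and that the port field is a decimal number from 1 to 65535.

```python
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    group: str   # service group name
    server: str  # IP address, or (9.3 format only) a server name
    port: int
    fmt: str     # "9.3" ('?' delimiter) or "legacy" ('_' delimiter)


def parse_port(text: str, raw: str) -> int:
    # Assumption of this example: the port field is a decimal number 1-65535.
    if not (text.isascii() and text.isdigit() and 1 <= int(text) <= 65535):
        raise ValueError(f"bad port {text!r} in member name {raw!r}")
    return int(text)


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def parse_member_name(raw: str) -> Member:
    """Accept <group>?<ip|server>?<port> (9.3) or <group>_<ip>_<port> (earlier)."""
    if "?" in raw:
        # Assumption: '?' never occurs inside a group or server name,
        # so a well-formed 9.3 name has exactly three fields.
        parts = raw.split("?")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            raise ValueError(f"malformed 9.3 member name {raw!r}")
        return Member(parts[0], parts[1], parse_port(parts[2], raw), "9.3")
    # Legacy names: split from the right, because the group name itself
    # may contain underscores. The middle field must be an IP address.
    parts = raw.rsplit("_", 2)
    if len(parts) != 3 or not parts[0] or not is_ip(parts[1]):
        raise ValueError(f"malformed legacy member name {raw!r}")
    return Member(parts[0], parts[1], parse_port(parts[2], raw), "legacy")


def same_member(a: str, b: str) -> bool:
    """True if two names (in either format) identify the same group, server and port."""
    return parse_member_name(a)[:3] == parse_member_name(b)[:3]


if __name__ == "__main__":
    # Constructed sample names, not taken from a real appliance.
    samples = (
        "web_sg_10.0.0.5_80",        # pre-9.3 format
        "web_sg?10.0.0.5?80",        # 9.3 format, IP address member
        "web_sg?app_server_1?8443",  # 9.3 format, server name member
        "web_sg",                    # not a member name at all
    )
    for name in samples:
        try:
            print(name, "->", parse_member_name(name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

Rejecting malformed names with ValueError, rather than returning partial fields, keeps a monitoring or provisioning script from acting on a mis-split group name after an upgrade.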

NetScaler SDX Appliance Issues

  • Issue ID 86597: The "Configuration" tab does not load on Internet Explorer version 9.0.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 88515: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556: While provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters later.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148: When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.

Platform Issues

  • Issue ID 87419 (nCore): When you launch the remote console from the LOM configuration utility on the MPX 11500/13500/14500/16500/18500 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. Note that the appliance may become unresponsive for approximately 60 seconds when you reset the LOM firmware.

    Warning: You should reset the LOM firmware only when one of the following conditions applies:
    • The appliance has just been installed.
    • The appliance is the secondary node in a high availability setup.

  • Issue ID 90018 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting Issues

  • Issue ID 85025 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 80830 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the message, "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot," appears instead of the correct message. However, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate," appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.
  • Issue ID 74279: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.

System Issues

  • Issue ID 84099 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320 (nCore and nCore VPX): The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133: If a server (lb virtual server or cs vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_47.5 to 9.3_51.5.

    Workaround: Do the following:

    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.

Web Interface Issues

  • Issue ID 89052 (nCore and nCore VPX): The response from a Web Interface site, configured in direct mode, may have Java errors.

XML Issues

  • Issue ID 81650: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files that are imported as XMLSchema. These invalid XML schemas are, however, rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707: The import feature for schema and WSDL files does not support non-ASCII characters. If a WSDL or schema file that is being imported contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 51.5

Release version: Citrix® NetScaler® release 9.3 build 51.5

Replaces build: None

Release date: August 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Issues

  • Issue ID 89587 (Classic and nCore): If you use Internet Explorer with the 'Display a notification for every script error' option enabled, when you access a virtual server on which AAA TM is configured, script error windows are displayed.

Access Gateway Issues

  • Issue ID 85276: If Access Gateway does not receive responses from queries sent to servers running the Secure Ticket Authority (STA), a new connection is opened for each STA query. When this occurs, Access Gateway fails.
  • Issue ID 87967: If you configure LDAP authentication on Access Gateway with nested Group Extraction enabled, when users log on with the Access Gateway Plug-in and the connection routes through a virtual IP address, authentication may fail due to a communication failure between Access Gateway and Active Directory.
  • Issue ID 89116: When users log on with the Access Gateway Plug-in on computers running Windows XP and Vista, the Avaya IP Softphone application does not open.
  • Issue ID 89641: If you configure group extraction and groups on the authorization server exceed 16 kilobytes (KB), when users log on they might receive an HTTP 500 Internal server error message.
  • Issue ID 89855: If you create a pre-authentication policy to check for a registry entry and use a large integer value, such as CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Eventlog_RegCheck02').VALUE == 4052471216, user authentication fails.

AppFlow Issues

  • Issue ID 91472 (nCore and nCore VPX): The AppFlow feature is re-enabled on a service when you disable it by using the respective Configure Service dialog box.
  • Issue ID 92796 (nCore and nCore VPX): NetScaler appliance fails when attempting to export L7 AppFlow records to the collector because of an internal issue.

Application Firewall Issues

  • Issue ID 81616: Attempts to upload a 10 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 89103: In some cases with Application Firewall enabled, malformed HTTP requests can cause users to re-login.
  • Issue ID 91607: Some internal counters were being incremented incorrectly. This has been fixed.
  • Issue ID 91695: The Application Firewall (AppFw) does not check for XSS vulnerabilities in HTTP request headers if the attack pattern is percent-encoded. For example, an XSS attack in the Cookie header of a request is not detected when the attack is percent-encoded.
  • Issue ID 91738: When both AppFw and IC are enabled, for requests that match advanced profiles, if the responses are already cached in IC, then client connection may be reset intermittently.
  • Issue ID 92143: Setting "-enableformtagging off" in the "add appfw profile" command worked in 9.2 builds but triggers a false ERROR from 9.3 builds onwards. As a result, any "add appfw profile" command that contained "-enableformtagging off" failed with this ERROR after an upgrade, and such profiles were lost.
  • Issue ID 92297: AppFw runs out of memory when processing HTTP traffic because of a memory leak in the AppFw HTML form processing code.
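
The header check described in Issue ID 91695 above, as an added example (not Citrix code and not part of the original release notes): a matcher that inspects only the raw header value misses a percent-encoded pattern, while one that unwraps a bounded number of encoding layers catches it. The signature regex, the decode limit, and the sample request are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Simplified stand-in for an XSS signature set (assumption, not AppFw's rules).
XSS_PATTERN = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:error|load|click)\s*=", re.IGNORECASE
)
MAX_DECODE_ROUNDS = 3  # bound on nested percent-encoding that will be unwrapped

# Constructed sample request; host, header names and values are illustrative.
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Cookie: theme=dark; note=%3Cscript%3Ealert(1)%3C%2Fscript%3E\r\n"
    "Referer: https://app.example.test/?q=%253Cscript%253E\r\n"
    "X-Trace: %2525253Cscript%2525253E\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return [(name, value)] for the header lines of a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def naive_scan(raw_request):
    """Match signatures against raw header values only (the behaviour at issue)."""
    return [n for n, v in parse_headers(raw_request) if XSS_PATTERN.search(v)]


def scan_value(value, max_rounds=MAX_DECODE_ROUNDS):
    """Check the value at every decoding layer.

    Returns ("match", depth), ("clean", depth) or ("over-encoded", max_rounds),
    where depth is the number of percent-decoding passes applied.
    """
    current = value
    for depth in range(max_rounds + 1):
        if XSS_PATTERN.search(current):
            return ("match", depth)
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return ("clean", depth)
        current = decoded
    # Still changing after max_rounds passes: treat as suspicious, do not pass.
    return ("over-encoded", max_rounds)


def inspect_request(raw_request):
    """Return [(header, verdict, depth)] for every header that is not clean."""
    findings = []
    for name, value in parse_headers(raw_request):
        verdict, depth = scan_value(value)
        if verdict != "clean":
            findings.append((name, verdict, depth))
    return findings


if __name__ == "__main__":
    print("raw-only scan:", naive_scan(SAMPLE_REQUEST))
    for finding in inspect_request(SAMPLE_REQUEST):
        print("normalized scan:", finding)
```

Values that are still changing after the decode limit are reported rather than passed, so deeper nesting cannot be used to get past the bound.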

CloudBridge Issues

  • Issue ID 91805 (nCore and nCore VPX): NetScaler crashes while sending TCP RST to those devices in the cloud, whose connection it manages.

DataStream Issues

  • Issue ID 89076 (nCore and nCore VPX): The "Database Users" subnode in the configuration utility that lets you configure your database user name and password on the NetScaler is now moved under the "System" node. Therefore, to add a database user by using the configuration utility, in the navigation pane, expand "System", and then click "Database Users".
  • Issue ID 89643 (nCore and nCore VPX): If you have a service for SQL Server 2005 bound to a load balancing virtual server of type MS SQL, you cannot connect to the virtual server by using SQL Management Studio 2008.
  • Issue ID 92022 (nCore and nCore VPX): The authentication response from MS SQL Server is not interpreted correctly, thus leading to connection failure.
  • Issue ID 92075 (nCore and nCore VPX): The user name in MS SQL Server is not case sensitive, but NetScaler handles it as case sensitive, thereby causing authentication failure.

High Availability Issues

  • Issue ID 90067 (nCore and nCore VPX): If the name of an RTSP load balancing virtual server has more than 31 characters, the NetScaler appliance might fail.
  • Issue ID 91790: While the configuration synchronization is in progress, if failover process is triggered and the current secondary appliance becomes the primary appliance, the 'clear config' propagates to the new secondary appliance.

Integrated Caching Issues

  • Issue ID 90810: A cache miss occurs when a content-coding value (for example, "gzip" or "compress") in the Accept-Encoding header is accompanied by a quality value (or "qvalue"). Following is an example of an Accept-Encoding header that results in a cache miss:

    Accept-Encoding: gzip;q=1.0
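
The cache miss in Issue ID 90810 comes from treating `gzip;q=1.0` and `gzip` as different values. As an added example (not NetScaler code; the function names and the supported-coding list are assumptions), the sketch below parses the content-codings and their qvalues and derives the cache variant from the coding that would be served rather than from the raw header text.

```python
def parse_accept_encoding(header):
    """Parse an Accept-Encoding value into {coding: qvalue}.

    Coding names are lowercased; a missing qvalue means 1.0; an unparsable
    qvalue is treated as 0.0 (coding not acceptable).
    """
    codings = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0
        codings[name.strip().lower()] = min(max(q, 0.0), 1.0)
    return codings


def cache_variant(header, supported=("gzip", "deflate", "compress")):
    """Return the coding a cache would serve for this request.

    Using this result as the variant key makes "gzip" and "gzip;q=1.0"
    resolve to the same cached object. "identity" means uncompressed.
    """
    codings = parse_accept_encoding(header or "")
    best, best_q = "identity", 0.0
    for name in supported:
        q = codings.get(name, codings.get("*", 0.0))
        if q > best_q:  # earlier entries in `supported` win ties
            best, best_q = name, q
    return best


if __name__ == "__main__":
    # Constructed header values for illustration.
    for value in ("gzip", "gzip;q=1.0", "GZIP ; q=0.8, compress;q=0.8",
                  "gzip;q=0, deflate", ""):
        print(repr(value), "->", cache_variant(value))
```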

Load Balancing Issues

  • Issue ID 90211 (Classic, nCore, and nCore VPX): If USIP is enabled and an HTTP request with CONNECT method comes on an existing connection, connections to LB proxy servers get reset.
  • Issue ID 90423: When using the WI EXTENDED MONITOR for monitoring the Web Interface services, in the response to the GET request, if the 'ASP' string is not sent in the first SET cookie, the monitor failed.
  • Issue IDs 92081, 92140, and 92215 (nCore): In some rare cases, the NetScaler appliance fails.

NetScaler SDX Appliance Issues

  • Issue ID 91335: In certain complex SDX configurations involving LA and HA, one or more 1G interfaces might not begin to receive traffic. A 'reset interface' is then needed to start RX traffic flowing. This is applicable to the e1kvf 1G interfaces only, not the management interfaces.
  • Issue ID 91797: Two options, "Force Shut Down" and "Force Reboot", have been added that let you shut down and restart a NetScaler instance forcefully. You can use these options if normal shut down and/or reboot operations are not working on a particular instance.

Networking Issues

  • Issue ID 85290: The NetScaler appliance might fail if you remove an IP address from the appliance that is in the same subnet on which you have configured a SYSLOG or AUDITLOG server.
  • Issue ID 85794: The NetScaler appliance sends malformed BGP update messages in which the Path attributes length value is not properly set and overwrites the withdrawn routes length. This happens because BGP uses circular buffers for sending messages and there was a minor error during rewinding of the buffer. Therefore, this problem is observed randomly during rewinding.
  • Issue ID 91377: A port leak occurs during passive FTP. This issue was observed when a client initiated a control connection and requested a data connection, but did not come back for the data connection.

Platform Issues

  • Issue ID 91829: Perl scripts using SSLeay do not function as expected if they are running on NetScaler release 9.3 build 50.3 and earlier.

Policies Issues

  • Issue ID 91579: After the configuration is cleared on a standalone NetScaler appliance, the indexes in the built-in pattern set "ctx_file_extensions" are changed to incorrect values. Consequently, built-in cache policies like "ctx_images" and "ctx_web_css" are evaluated incorrectly. In a high availability setup, the issue also occurs in the secondary appliance after configuration synchronization and in both appliances after a failover.
  • Issue ID 91660 (Classic): NetScaler Classic (non-nCore) systems might fail when evaluating the following policy-based entities:
    • An HTTP callout that includes a named expression.
    • A named expression that triggers an HTTP callout.
  • Issue ID 92265: If an encrypted cookie value is truncated in an HTTP request, the NetScaler appliance may fail when attempting to decrypt the value. This applies to rewrite actions that use the ENCRYPT() and DECRYPT() functions and to Application Firewall cookie encryption.

Rewrite Issues

  • Issue ID 87691: If rewrite is enabled, and if a server sends an amount of data that is more than the specified content length or includes data in the response body for responses that should not have a body (such as a 304 response), in some cases, rewrite does not work.

SSL Issues

  • Issue ID 90331 (nCore): On the MPX 9700/10500/12500/15500 10G FIPS appliances in a high availability setup, key management commands such as "add ssl certkey" may fail while accessing the FIPS keys in the FIPS card. This may result in higher CPU utilization and a longer time for the secondary appliance to synchronize commands from the primary appliance.

System Issues

  • Issue ID 92367: The value of allocated memory that is displayed for CONN_POOL in the output of the "nsconmsg -d memstats" command is incorrect. This issue is observed when a large amount of memory is allocated to CONN_POOL on NetScaler appliances that have large memory resources.

VPX Issues

  • Issue ID 90689 (nCore VPX): The NetScaler VPX virtual appliance installed on the Citrix XenServer fails when it receives a frame with a packet size of more than 1514 bytes.
  • Issue ID 92065 (nCore VPX): On a NetScaler VPX appliance, you cannot modify the HAmonitor or the tagall parameter for an interface by using the configuration utility.

Web Interface Issues

  • Issue ID 85473 (nCore and nCore VPX): The show techsupport command is updated to collect the WebInterface.conf files from the NetScaler appliance.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 91832: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 80175 and 82022: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:

    1. Disable split tunneling.

    2. Configure Access Gateway so user connections do not receive an intranet IP address.

    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:

    • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
    • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
    • Contact the manufacturer for other devices.
  • Issue ID 89427: If users connect with the Access Gateway Plug-in by using an airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, when users put the user device in standby or hibernation and then resume the device, the Access Gateway Plug-in fails to reestablish the connection. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:

    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.

    2. Bind the Outlook Web Access regular expression to this profile.

    3. Bind the profile so that it assumes the highest priority.

  • Issue ID 85861: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 85906: When users log on with an earlier version of the Access Gateway Plug-in, users do not receive the upgrade prompt and the user device receives a session ID. However, the session is not established and the Web browser trying to load the file services.html and upgrading the plug-in both fail.
  • Issue ID 86122: If you disable transparent interception and set the force time-out setting, when users log on with the Access Gateway Plug-in for Java, when the time-out period expires, a session time-out message appears on the user device, however the session is not terminated on Access Gateway.
  • Issue ID 86123: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue ID 86470 and 86787: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Application Firewall Issues

  • Issue ID 83089: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 86782: Importing appfw objects such as signatures, htmlerror page, and so on, may fail on first attempt if the import command contains a very long source URL. The command will succeed if executed a second time.
  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850 (nCore and nCore VPX): NetScaler drops TCP packets when the server has to send a full-size packet, that has the DF bit unset, across the cloud bridge. This happens due to bad checksum.

Command Line Interface Issues

  • Issue ID 82908 (nCore and nCore VPX): In certain rare cases, when the NetScaler appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862 (nCore and nCore VPX): In this release, IPv6 addresses are not supported.

Load Balancing Issues

  • Issue ID 82872: The setting of maximum requests per connection may be violated when a transaction is going on with the physical server.
  • Issue ID 82929: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP for making new connections.
  • Issue ID 82996: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096: When configuring the WI-EXTENDED monitor, you must provide a value for sitepath that does not end with a '/'.

    For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc

  • Issue ID 87201 (Classic and nCore): On a load balancing virtual server for TCP services on which stateful connection failover is enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred. 
  • Issue ID 87407 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies using Session Directory. You need not explicitly configure persistency on NetScaler. In the next releases, IP address based persistency will be supported.

    In some situations (where multiple persons use the same user-login credentials), session cookie persistence may not be helpful and IP-based persistence methods will be necessary. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.

  • Issue ID 88593 (nCore): After failover, the 'maxclient' setting on a service is not honored.

NetScaler SDX Appliance Issues

  • Issue ID 88515: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556: While provisioning a NetScaler instance, if you have entered invalid NetScaler settings for the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters later.

    Workaround: To rectify the parameter values, log on to the NetScaler instance through the Xen Console. You also need to rectify the values for this instance in the XenStore.

    After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148: When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.

Platform Issues

  • Issue ID 87419 (nCore): When you launch the remote console from the LOM configuration utility on the MPX 11500/13500/14500/16500/18500 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. Note that the appliance may become unresponsive for approximately 60 seconds when you reset the LOM firmware.

    Warning: You should reset the LOM firmware only when one of the following conditions applies:

    • The appliance has just been installed.
    • The appliance is the secondary node in a high availability setup.
  • Issue ID 90018 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting Issues

  • Issue ID 85025 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 80830 (nCore): When you attempt to delete an SSL certificate key-pair object that is referenced by a Certificate Revocation List (CRL), the message, "ERROR: Configuration possibly inconsistent. Please check with the "show configstatus" command or reboot," is displayed.

    This message is not the intended message. However, on the subsequent attempt to delete the certificate key-pair object, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate," is displayed.

  • Issue ID 81850 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393: DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.
  • Issue ID 74279: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.

System Issues

  • Issue ID 84099 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server on which connection failover is enabled and the load balancing method is the token method.
  • Issue ID 84282: If the global setting for the maximum segment size (MSS) to use for TCP connections is less than 1220, the NetScaler appliance causes an excessive delay in saving the configuration.
  • Issue ID 84320: The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.

Web Interface Issues

  • Issue ID 89052 (nCore and nCore VPX): The response from a Web Interface site, configured in direct mode, may have Java errors.

XML Issues

  • Issue ID 81650: The NetScaler import utility validates XML schemas during import, but it may fail to reject certain XHTML files that are imported as XML schemas. These invalid schemas are rejected, however, if the user tries to use them in a profile configuration (XMLValidation binding).
  • Issue ID 82058: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707: The import feature for schema and WSDL files does not support non-ASCII characters. If a WSDL or schema file that is being imported contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170: The syntax of the unset servicegroup command has been changed to allow unsetting of the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.

Build 50.3

Release version: Citrix® NetScaler® release 9.3 build 50.3

Replaces build: None

Release date: July 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

Access Gateway Issues

  • Issue ID 81781: When users connect to Access Gateway and change an expired password on the challenge response page, users can enter up to 256 characters. If users create a password with more than 31 characters, however, when they log on again, Access Gateway displays a 401 authentication error and logon fails.
  • Issue ID 87050: When users log on with Citrix online plug-ins and you configure Access Gateway in a high availability pair, if the primary appliance fails, occasionally the connection fails and users receive an error message stating that the connection to the appliance is interrupted.
  • Issue ID 90098: If there is a large amount of network traffic through the Access Gateway VPN tunnel and if users access 40,000 or more resources through the tunnel, access to new resources fails.

Application Firewall Issues

  • Issue ID 89103: In some cases with Application Firewall enabled, malformed HTTP requests can cause users to re-login.
  • Issue ID 89417: Relaxation rules for transformation of SQL special characters do not work in some cases.
  • Issue ID 90909: Config sync is triggered every minute, instead of backing off exponentially, when files required by the configuration are missing on the secondary appliance.

Cache Redirection Issues

  • Issue ID 91008: If the cache redirection virtual server receives a request without a slash (/) after the hostname (at the end of a request), the request gets corrupted when it is sent to the destination. When the NetScaler sends the request to the destination, the space between ‘/’ and ‘HTTP/1.1’ is missing.
  • Issue ID 91062: If forward proxy is configured, NetScaler always connects to the physical server using port 443 instead of using the port specified in the client request, and there is a failure in serving the request.

CloudBridge Issues

  • Issue ID 89428 (nCore and nCore VPX): This build supports the NAT implementation of RFC 3947 and 3948 for the cloud bridge peers to communicate properly when any of the peers is behind a NAT device. For more information about configuring a cloud bridge, see the "Cloud Bridge" chapter of the Citrix NetScaler Networking Guide at http://support.citrix.com/article/CTX128671.

Configuration Utility Issues

  • Issue ID 88379: The "NetScaler Management Pack for System Center Operation Manager 2007 (SCOM)" can now be downloaded from the NetScaler GUI Downloads page. The Citrix NetScaler Operation Manager pack provides monitors and rules to monitor the NetScaler systems deployed in your network. The Citrix NetScaler Performance and Resource Optimization (PRO) Management Pack (MP) provides monitors and rules to monitor the health of the virtual servers configured on the managed NetScaler systems and initiate corrective actions using the PRO feature of SCVMM when the virtual servers become unhealthy.

Content Switching Issues

  • Issue ID 89906: The NetScaler appliance does not support content switching based on the parameters of a stored procedure call for database protocols.

DataStream Issues

  • Issue ID 88227 (nCore): The NetScaler appliance does not support the MySQL server version 5.5.7 or later. The NetScaler fails when you log on to the MySQL load balancing virtual server.
  • Issue ID 90228 (nCore and nCore VPX): You can use the following expressions to configure content switching based on remote procedure call (RPC) names or IDs:
    • MSSQL.REQ.RPC.NAME. Returns the name of the procedure that is being called in a remote procedure call (RPC) request. The name is returned as a string.
    • MSSQL.REQ.RPC.IS_PROCID. Returns a Boolean value that indicates whether the remote procedure call (RPC) request contains a process ID or an RPC name. A return value of TRUE indicates that the request contains a process ID and a return value of FALSE indicates that the request contains an RPC name.
    • MSSQL.REQ.RPC.PROCID. Returns the process ID of the remote procedure call (RPC) request as an integer.
  • Issue ID 91217: For MySQL virtual servers, the NetScaler appliance does not correctly handle a query of the format 'SET NAMES 'UTF8'' with the character set name in quotation marks. This causes the further requests on the same connection to fail.

EdgeSight Monitoring Issues

  • Issue ID 90241: When EdgeSight monitoring is enabled on a LB/CS VIP, the user is given options to choose if the responses to the clients from that VIP should be compressed or not. The decision to bind/unbind compression policies to that VIP will be taken accordingly.

Integrated Caching Issues

  • Issue ID 89374 (Classic): If all the three following conditions are met, when the NetScaler appliance receives a request for an object and it attempts to re-validate and serve, NetScaler fails:
    • The content group setting "alwaysEvalPolicies" is set to YES.
    • The response cached in this group has status codes greater than 300.
    • The object is in expired state.

Load Balancing Issues

  • Issue ID 81582: When an SNIP address is configured as an ADNS service and the ADNS server's IP address is later changed, the ADNS count for the old IP address does not get decremented, and an error occurs when you try to remove the old IP address. Example:

    add ip 1.1.1.1 255.255.255.0 [configured as SNIP]

    add service adns 1.1.1.1 adnS 53 [configuring the same IP as ADNS]

    set server 1.1.1.1 -ipaddress 1.1.1.2 [changing the adns server IP to new IP]

    rm ip 1.1.1.1 [Removing old IP returns error]

  • Issue ID 82185 (nCore): In low-traffic scenarios, least connection load balancing becomes uneven, for example, when a service receives only two or three requests per second and takes an average of 800 milliseconds to respond with the first byte. To make the load balancing precise and even in low-traffic scenarios, the following option is provided:

    set lb parameter -consolidatedLConn ( YES | NO )

    By default, the option is set to 'Yes'. Set "consolidatedLConn" to 'No' only if least connection load balancing is uneven in low-traffic scenarios; doing so makes the load balancing even.

  • Issue ID 82571: When a load balancing virtual server and content switching virtual server are configured on the NetScaler appliance, when a server connection terminates, some counters on the load balancing virtual server such as open established connections (OEs) are not decremented until the connection is flushed. This may lead to other side effects like unnecessary spillover.
  • Issue ID 87893: If you set the maxclient value very low, the NetScaler appliance closes connections frequently in spite of reusing them.
  • Issue ID 89697 (nCore): If all the Branch Repeater appliances bound to a load balancing virtual server are DOWN, the NetScaler appliance should bypass the Branch Repeater appliances and send traffic directly to the data center.
  • Issue ID 90426 (nCore and nCore VPX): The MS-SQL ECV monitor may have errors when the expected response is a result set.
  • Issue ID 90917: When you create a load balancing monitor of type MSSQL-ECV, the default expression prefix is now changed from HTTP to MSSQL. When you create a load balancing monitor of type MySQL-ECV, the default expression prefix is now changed from HTTP to MySQL.

NetScaler SDX Appliance Issues

  • Issue ID 90966: When you modify the nsroot user, if the password contains special characters such as $, the password is not correctly updated on the hypervisor and the management VM can no longer communicate with the hypervisor.

Networking Issues

  • Issue ID 88583: When OSPF authentication is in use and the packet size is 512, the authentication digest verification on the NetScaler can go wrong resulting in dropped packets.

NITRO API Issues

  • Issue ID 90781: In getlbvserver, cookieipport information is missing for servicegroup bindings. In lbvserver response structure, servicegroup member information is missing.

Platform Issues

  • Issue ID 88559 (nCore): On the MPX 17500/19500/21500 and MPX 11500/13500/14500/16500/18500 appliances, programming the IP address, default gateway, and netmask from the front panel keypad does not work. Note: You can use the keypad for this purpose only when the appliance has a factory default configuration.
  • Issue ID 91248 (nCore): The following table shows the maximum throughput available on the Citrix NetScaler MPX 11500/13500/14500/16500/18500 appliances.

    Model    Maximum throughput (in Gbps)
    11500    8
    13500    12
    14500    18
    16500    24
    18500    36

SNMP Issues

  • Issue ID 90440: An SNMP request from a manager does not get a response from the NetScaler if an RNAT rule has been configured on the NetScaler for the manager's subnet with a SNIP as natip and that SNIP has dynamic routing enabled on it.

SSL Issues

  • Issue ID 89491: If a policy for client authentication during renegotiation over SSLv3 protocol is configured on the backend server, the NetScaler fails during SSL renegotiation.

System Issues

  • Issue ID 88885 (nCore and nCore VPX): During race conditions between user logins and session timeouts on the NetScaler appliance, if a core-to-core message for logout request handling fails, the core that receives the logout message might not clean up the user session. When a user whose session has not been cleaned up logs on to the appliance again, session duplication occurs on the core and the appliance might fail.
  • Issue ID 89527: The NetScaler appliance fails when a large number of HTTP pipeline POST requests with large content lengths are received over the same client-side connection.
  • Issue ID 89864: When a server does not receive a window update sent by the NetScaler appliance, download latency is observed.
  • Issue ID 89986 (nCore and nCore VPX): If the addition of an IP address failed on one packet engine (PE) and succeeded on the other PEs, the configuration became inconsistent across the PEs on the NetScaler. A recovery mechanism has been added: if the "add ip" command fails on one PE, the command is reverted on all the PEs on which it succeeded.
  • Issue ID 90715 (nCore): If a channel is down or disabled, the "sh channel" command always reports the channel downtime as 0h00m00s; that is, the downtime does not increase. However, the "sh interface" command reports the correct channel downtime.

Web Interface Issues

  • Issue ID 90121 (nCore and nCore VPX): Launching a XenApp application fails on an iPad when using Web Interface on NetScaler through Safari, with the error "Unable to download file". The root cause is that Safari on iPad does not pass the downloaded ICA file to Citrix Receiver correctly, because the file extension is jsp. From 9.3 build 50.1 onwards, this issue is fixed by a rewrite policy, configured in the WI wizard, that changes the file extension to .ica while the ICA file is downloaded.
  • Issue ID 90658 (nCore and nCore VPX): If a VPN virtual server is configured on a port other than 443, single sign-on from Access Gateway to Web Interface fails, and the Web Interface logon remains stuck with a blank page at agesso.jsp when users log on to the Web Interface through Access Gateway. The root cause was an incorrect port configuration in AGEWebServiceURL within WebInterface.conf for the Web Interface site. Also, the DNS record for the Access Gateway VIP was not added correctly. This issue is resolved in 9.3 build 50.x onwards.

XML Issues

  • Issue ID 68633: You cannot set the total import size limit to less than the currently imported object size.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 80175 and 82022: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89427: If users connect with the Access Gateway Plug-in by using an Airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, then when users put the user device in standby or hibernate and later resume it, the Access Gateway Plug-in fails to reestablish the connection. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device, and you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 85861: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 85906: When users log on with an earlier version of the Access Gateway Plug-in, users do not receive the upgrade prompt and the user device receives a session ID. However, the session is not established, and both the Web browser's attempt to load the file services.html and the plug-in upgrade fail.
  • Issue ID 86022: If you configure the user device to enable users to log on only using the Access Gateway Plug-in and then change the plug-in Web address to an unresolvable address, when users try to log on through the logon dialog box, an authentication error appears. Then, if users try to log on using the plug-in, the logon dialog box does not appear and users cannot change the Web address. Users should exit and then restart the plug-in to subsequently change the Web address.
  • Issue ID 86122: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires. However, the session is not terminated on Access Gateway.
  • Issue ID 86123: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue ID 86470 and 86787: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Application Firewall Issues

  • Issue ID 81616: Attempts to upload a 10 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 83089: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 86782: Importing appfw objects, such as signatures and the htmlerror page, may fail on the first attempt if the import command contains a very long source URL. The command succeeds if executed a second time.

CloudBridge Issues

  • Issue ID 91805 (nCore and nCore VPX): NetScaler crashes while sending a TCP RST to devices in the cloud whose connections it manages.
  • Issue ID 91850 (nCore and nCore VPX): NetScaler drops TCP packets when the server has to send a full-size packet that has the DF bit unset across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908: In certain rare cases, when the NetScaler appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862 (nCore, nCore VPX): In this release, IPv6 addresses are not supported.

Integrated Caching Issues

  • Issue ID 81159: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing Issues

  • Issue ID 82872: The setting of maximum requests per connection may be violated when a transaction is going on with the physical server.
  • Issue ID 82929: When using a TCP monitor for MYSQL service, the MySQL server blocks the MIP for making new connections.
  • Issue ID 82996: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096: When you configure the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a '/'.

    For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc

  • Issue ID 87201 (Classic, nCore): On a load balancing virtual server for TCP services on which stateful connection failover is enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred.
  • Issue ID 87407 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies using Session Directory. You need not explicitly configure persistency on NetScaler. In the next releases, IP address based persistency will be supported. In some situations (where multiple persons use the same user logon credentials), session cookie persistence may not be helpful and IP-based persistence methods will be necessary. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.

NetScaler SDX Appliance Issues

  • Issue ID 88515: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556: While provisioning a NetScaler instance, if you have entered invalid NetScaler settings for the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters later.

    Workaround: To rectify the parameter values, log on to the NetScaler instance through the Xen Console. You also need to rectify the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface, without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148: When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91335: In certain complex SDX configurations involving LA and HA, one or more 1G interfaces might not begin to receive traffic. A "reset interface" is then needed to start RX traffic flowing. This applies to the e1kvf 1G interfaces only, not to the management interfaces.

Platform Issues

  • Issue ID 87419 (nCore): When you launch the remote console from the LOM configuration utility on the MPX 11500/13500/14500/16500/18500 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. Note that the appliance may become unresponsive for approximately 60 seconds when you reset the LOM firmware. Warning: You should reset the LOM firmware only when one of the following conditions applies:
    • The appliance has just been installed.
    • The appliance is the secondary node in a high availability setup.
  • Issue ID 90018 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, to release 9.3 build 50.3, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting Issues

  • Issue ID 85025 (nCore, nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830 (nCore): When you attempt to delete an SSL certificate key-pair object that is referenced by a Certificate Revocation List (CRL), the message, "ERROR: Configuration possibly inconsistent. Please check with the "show configstatus" command or reboot," is displayed. This message is not the intended message. However, on the subsequent attempt to delete the certificate key-pair object, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate," is displayed.
  • Issue ID 81850 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

System Issues

  • Issue ID 84099 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server on which connection failover is enabled and the load balancing method is the token method.
  • Issue ID 84282: If the global setting for the maximum segment size (mss) to use for TCP connections is less than 1220, the NetScaler appliance causes excessive delay to save the configuration.
  • Issue ID 84320 (nCore): The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 88593 (nCore): After failover, the maxclient configuration on a service is not honored.

Web Interface Issues

  • Issue ID 89052 (nCore and nCore VPX): The response from a Web Interface site, configured in direct mode, may have Java errors.

XML Issues

  • Issue ID 81650: The NetScaler import utility validates XML schemas during import. However, it may fail to validate certain XHTML files that are imported as XML schemas. These invalid XML schemas are rejected if the user tries to use them in a profile configuration (XMLValidation binding).
  • Issue ID 82058: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707: The import feature for schema and WSDL files does not support non-ASCII characters. If a WSDL or schema file being imported contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.
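
    A pre-import audit for the two schema workarounds above (Issue IDs 82069 and 83707), added here as an example and not Citrix code: it lists the declarations whose content the Application Firewall will not validate and locates the non-ASCII bytes that would cause a partial import. It assumes that type "any" covers both xs:any wildcards and elements typed xs:anyType; the function names and the sample schema are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample schema (not taken from the release notes).
SAMPLE_XSD = """<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="id" type="xs:int"/>
        <xs:element name="note" type="xs:anyType"/>
        <xs:any processContents="lax" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- caf\u00e9 -->
</xs:schema>
""".encode("utf-8")


def audit_schema(xsd_bytes):
    """Return (kind, path, processContents) for each declaration that leaves
    message content unvalidated: xs:any wildcards and xs:anyType elements."""
    prefixes = {}   # prefix -> namespace URI (document-wide; scoping is ignored)
    path = []       # names of the open schema components, outermost first
    findings = []
    events = ("start-ns", "start", "end")
    for event, item in ET.iterparse(io.BytesIO(xsd_bytes), events=events):
        if event == "start-ns":
            prefix, uri = item
            prefixes[prefix] = uri
        elif event == "start":
            local = item.tag.rsplit("}", 1)[-1]
            path.append(item.get("name") or local)
            if not item.tag.startswith("{%s}" % XSD_NS):
                continue
            if local == "any":
                # The XSD default for processContents is "strict"; per Issue
                # 82069 the firewall behaves as if it were "skip" regardless.
                findings.append(("any", "/".join(path),
                                 item.get("processContents", "strict")))
            elif local == "element":
                prefix, _, name = item.get("type", "").rpartition(":")
                if name == "anyType" and prefixes.get(prefix) == XSD_NS:
                    findings.append(("anyType", "/".join(path), None))
        else:  # "end"
            path.pop()
    return findings


def non_ascii_bytes(data):
    """Return (line, column, byte) for every byte above 0x7F (Issue 83707)."""
    hits = []
    for lineno, line in enumerate(data.splitlines(), 1):
        for col, byte in enumerate(line, 1):
            if byte > 0x7F:
                hits.append((lineno, col, byte))
    return hits


if __name__ == "__main__":
    for kind, where, pc in audit_schema(SAMPLE_XSD):
        print("unvalidated content: %s at %s (processContents=%s)" % (kind, where, pc))
    for lineno, col, byte in non_ascii_bytes(SAMPLE_XSD):
        print("non-ASCII byte 0x%02X at line %d, column %d" % (byte, lineno, col))
```

    Each reported path identifies a declaration to replace with definitions of the actual elements, as the workaround for Issue ID 82069 describes.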

XML API Issues

  • Issue ID 80170: The syntax of the unset servicegroup command has been changed to allow unsetting of the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.