Release Notes for 9.3 Maintenance Releases

This document describes the changes, fixed issues, and known issues provided in the maintenance releases of the Citrix® NetScaler®, Citrix® NetScaler® SDX, and Citrix® Access Gateway® software.

Build 63.4

Release version: Citrix NetScaler, version 9.3 build 63.4

Replaces build: None

Release date: July 2013

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler.

Changes and Fixes

AppFlow

  • Issue ID 0388650: NetScaler might fail to respond when AppFlow is enabled on a Content Switching virtual server.

Application Firewall

  • Issue ID 0383140: Relaxation rules for cross-site scripting that have special characters in field names are not honored when the application firewall action is “Transform cross-site scripts.”
  • Issue ID 0389185: When the application firewall and integrated caching features are both enabled, requests for image data types sometimes generate 503 (service unavailable) responses.

Configuration Utility

  • Issue ID 0360163 (nCore and nCore VPX): You cannot configure a GSLB service for which a server is not configured on the NetScaler appliance. The configuration utility displays the message Server must be specified.
  • Issue ID 0363408 (nCore and nCore VPX): When using the Load Balancing Wizard for Citrix XenDesktop to configure load balancing for Citrix XenDesktop, if you specify a wildcard port (*) for a load balancing virtual server, the wizard inserts an asterisk in the name of the virtual server, in the name of the associated service group, and in the name of the monitor. Because the asterisk is an invalid character for an entity name, you cannot perform any operation (such as rename, set, or remove) on those entities.
  • Issue ID 0376543 (nCore and nCore VPX): The View Persistence Sessions dialog box in the NetScaler configuration utility displays negative values for destination port numbers that are greater than 32767.
  • Issue ID 0391762 (nCore): After you save the configuration and reboot a NetScaler appliance, the NetScaler configuration utility displays that the running configuration is not saved even when the configuration has been saved.
  • Issue ID 0393161: When the value of Memory Usage Limit is updated to more than 4095 using the NetScaler Graphical User Interface (GUI), the following error message appears:

    Value entered is out of range.

DataStream

  • Issue ID 0367120 (nCore and nCore VPX): The reference count for 'special queries' (USE/SET) stored on the NetScaler appliance was not incremented correctly. As a result, the appliance freed a 'special query' even though a client connection still referred to it. Later, when a query was received on that client connection and the appliance tried to replay the special queries linked with the connection, it crashed.

Global Server Load Balancing

  • Issue ID 0372920 (nCore and nCore VPX): If the NetScaler appliance has run out of memory, and you create a CNAME-based GSLB service, the appliance fails and dumps core.
  • Issue ID 0378578 (nCore and nCore VPX): If a GSLB configuration includes DNS views and a GSLB virtual server that is configured with the dynamic RTT load balancing method, the NetScaler appliance does not respond with the IP address that is configured for the DNS policies. But, after the appliance stops responding with the configured IP addresses, if you configure persistence for the GSLB virtual server, the issue persists for a while, and then gets resolved automatically.

Load Balancing

  • Issue ID 0335841: An MSSQL monitor works as expected if a rule is applied to a column with NCHAR data type but fails if a rule is applied to a column with CHAR data type.
  • Issue ID 0349955: After you restart the appliance, the domain-based service group is shown as DOWN and the following error message appears:

    "Domain name cannot be resolved".

  • Issue ID 0376173: If two NetScaler appliances in a high-availability configuration have TCPB mode enabled globally, and you create a DNS TCP service, the service might be successfully created on the primary NetScaler appliance but fail on the secondary appliance.
  • Issue ID 0376415: In certain cases, if SSLSESSION persistence is defined on an IPv6 virtual server that is using the SSL_BRIDGE protocol, the appliance performs a core dump and restarts.
  • Issue ID 0385219: You cannot create a load balancing monitor without a load balancing license.
  • Issue ID 0387253: When you create a new load balancing server in the configuration utility, occasionally a series of error messages appears indicating that the Load Balancing feature is not licensed, and you are unable to create the virtual server.
  • Issue ID 0393963: If a packet engine receives a user logon request with a support-session (TASS) cookie from a session that was owned by a different packet engine, the appliance might fail.

NetScaler SDX Appliance

  • Issue ID 0334671: If your password to log on to the Management Service contains a colon (:), you cannot create a VPX instance. With this fix, when you configure a user account on an SDX appliance, a colon is not allowed in the account password.
  • Issue ID 0382221: A backup of the configuration file is created by default. If the configuration file is accidentally deleted, the backup is used when the appliance restarts.
  • Issue ID 0385037: If the /var/mps/policy/mps_policy_backup.xml file is empty or corrupted, the appliance performs a core dump and the Management Service user interface is blank.
  • Issue ID 0352992: The BGP process on the NetScaler appliance may consume high CPU if the advertisement interval is set to zero. In this situation, if a new process that consumes high CPU is started, the BGP process may not send out keepalive messages, resulting in adjacency loss with the neighbor device.

Networking

  • Issue ID 0350486: If you set the speed of an interface to AUTO, and then disable and enable the interface, the interface comes up with a speed of 100 Mbps.
  • Issue ID 0360291: An RNAT rule with an RNAT IP address and a DNS service are configured on the NetScaler appliance. For DNS requests from a client that hit the service and whose source IP address matches the RNAT rule, the NetScaler appliance forwards the requests to the DNS server with the source IP address field set alternately to the RNAT IP address and the SNIP address.
  • Issue ID 0366145: A NetScaler appliance configured for link load balancing and RNAT might fail to establish an active FTP connection from a client to an FTP server.
  • Issue ID 0373673: The NetScaler appliance becomes unresponsive when IPv6 packets match an ACL6 rule that has a range of source and destination IP addresses as a condition.
  • Issue ID 0374885: For ICMP traffic, the RNAT session counter does not decrement but continues to increment.

NITRO

  • Issue ID 0376142: The Statservice response lists some unused counters and the descriptions of the counters need more information.

Platform

  • Issue ID 0344262: 1G copper SFP transceivers are now supported on the ixgbe (ix) interfaces. These transceivers are hot-swappable on this interface. However, fiber SFP transceivers are not supported.

    The following SFP+ and SFP transceivers, and direct access cables, are supported:

    • Intel fiber SFP+: "FTLX8571D3BCV-IT"
    • Intel fiber SFP+: "FTLX8571D3BCV-I3"
    • Finisar fiber SFP+: "FTLX8571D3BCV"
    • Intel fiber SFP+ (LR): "FTLX1471D3BCV-IT"
    • Finisar fiber SFP+ (LR): "FTLX1471D3BCV"
    • Finisar copper SFP: "FCLF-8521-3"
    • Avago copper SFP: "ABCU-5710RZ"
    • Methode DAC cable: "DM-255-100"
    • Methode DAC cable: "DM-255-300"
    • Methode DAC cable: "DM-255-500"
    Note:
    • Only 10G ports support DAC cables.
    • Fiber SFPs are not supported.
  • Issue ID 0360223: In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
  • Issue ID 0371521: On the MPX 8200/8400/8600 appliance, if you execute the ./ns_hw_err.bash script, the appliance might perform a core dump and restart because of the smartctl commands present in the script.
  • Issue ID 0373125: The NetScaler hardware might sometimes report incorrect values for system health counters. The health counters are read over the SMBus, which is prone to reporting wrong or zero values.

Policies

  • Issue ID 0376175: Each of the following typecasts from string (text_t or a subclass of it) simply returns the original value, if the value is not of the correct format for the type it is cast to.
    • typecast_num_t - Should check that it is a proper number (num_at)
    • typecast_unsigned_long_t - Should check that it is a proper unsigned long (unsigned_long_at)
    • typecast_double_t - Should check that it is a proper double (double_at)

SDX

  • Issue ID 0346496: The Management Service utility’s home page does not display critical events for interfaces that are not assigned to any VPX instances.
  • Issue ID 0367664: A XenServer upgrade fails in either of the following circumstances:
    • The 0/2 interface, instead of the 0/1 interface, is configured as the management interface.
    • The IP address used for the XenServer management interface is also assigned to another device.

SSL

  • Issue ID 0392683: In some cases, parsing an incorrectly formatted client certificate might take more than a few seconds. The delay can trigger the monitoring logic to terminate the process and restart the appliance.
  • Issue ID 0373541: If you attempt to remove a certificate-key pair before unbinding it from an OCSP responder, the appliance might fail.
  • Issue ID 0352959: A memory leak is observed if a 1-byte SSL record is processed.
  • Issue ID 0392328: If the case of the domain name provided in the SNI extension from the client and the common name in the server certificate do not match, the SSL handshake fails. Now, the SNI extension check is not case-sensitive.

System

  • Issue ID 0380623 (nCore): The NetScaler appliance cannot generate reports for some counters (for example, average server TTFB).
  • Issue ID 0384153: When selective acknowledgment (SACK) and partial buffering are enabled on the appliance, acknowledgments with incorrect TCP checksum are forwarded to the server.

URL Transformation/XML-API

  • Issue ID 0381778: To prevent loops when transforming a URL, you can no longer remove the priority assigned to an existing transform action. You can change an existing priority, but you cannot remove it entirely. The unset transform action command no longer accepts the -priority parameter, and the unsettransformaction_priority API has been removed from XML-API.

Web Interface

  • Issue ID 0384255: If you access the NetScaler configuration utility by using a hostname instead of an IP address, virtual servers that are assigned to access the Web Interface sites are not displayed.

XML API

  • Issue ID 0242149: The rmlbvserver API throws an error when there is a space character in the name of the load balancing virtual server.
  • Issue ID 0283923: The addrewriteaction API does not include the pattern argument, which is mandatory for actions of type replace_all.

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0378974: On a NetScaler appliance that has AAA-TM enabled and single sign-on (SSO) configured, attempts to upload large files in HTTP POST requests might cause high memory allocation errors.
    Workaround: Disable SSO for web forms that use the HTTP POST method. The following commands disable SSO for these web forms:
    add tm trafficaction disablesso -sso off
    add tm trafficpolicy disablesso "http.req.method.eq(POST)" disablesso
    bind tm global trafficpolicy

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user.
    Note: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file might fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0316200: After upgrading to NetScaler 9.3, build 58x, the built-in AppFW profiles are not visible in the NetScaler configuration utility or listed in the ns.conf file.
  • Issue ID 0318595: On a Sharepoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.
  • Issue ID 0363687: Modifying the configured actions for rules in signature objects that are bound to profiles might cause failover and result in loss of configuration due to failure in command propagation to the secondary node.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL:

    http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html

    Alternatively, a description of the Wizard can be found in the PDF-based documentation, in the Configuration chapter.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the cloud bridge, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the show configstatus command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

Dashboard

  • Issue ID 0346576: The NetScaler graphical user interface (GUI) becomes unresponsive when you try to access the Dashboard tab. The cause might be that the user who is trying to access the GUI does not have permission to execute the show ns version and show ns hardware commands.
    Workaround: Create a command policy that has permissions for the show ns version and show ns hardware commands and then bind it to the user. For example:
    add sys cmdPolicy policy1 ALLOW ((show)\s+ns\s+version|(show)\s+ns\s+hardware)
    bind sys user user1 policy1 1

Domain Name System

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

    Workaround: Change the GSLB method and restart the appliance.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_error, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, the user has to provide the value of the sitepath parameter in such a way that it does not end with a slash (/).
  • Issue ID 88593/0248222 (nCore): After failover, the maxclient setting on a service is not honored.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0318639: If you log on to a NetScaler SDX appliance by using Internet Explorer version 8.0.6001.18702, and try to upgrade the Management Service or a NetScaler VPX instance without providing a documentation file, the following error message appears: “Invalid documentation filename format”.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

Networking

  • Issue ID 0271154: The man pages for the commands add ns ip, set ns ip, add ns ip6, and set ns ip6 display an incorrect default value for the ospfArea parameter.

Platform

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:

    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message--“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”-- appears upon subsequent attempts to delete the certificate-key pair.

System

  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.
  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.

    Workaround: The global setting for MSS must be configured to a value greater than 1212.

  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.

XML API

  • Issue ID 80170/0241429: The syntax of the unset servicegroup command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.
  • Issue ID 0242149: The rmlbvserver API throws an error when there is a space character in the name of the load balancing virtual server.
  • Issue ID 82501/0243262: The data type of the maxforwards argument of the setlbmonitor API is updated from int to unsignedint. This can cause incompatibility of the API.
  • Issue ID 86524/0246517: The data type of the type parameter of the bindcmpglobal_policyEx and unbindcmpglobal_policyEx APIs is changed from rwglobalbindpointEnum to piglobalbindpointEnum. This can cause incompatibility in the API.

Build 62.4

Release version: Citrix NetScaler, version 9.3 build 62.4

Replaces build: None

Release date: April 2013

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler.

Changes and Fixes

Application Firewall

  • Issue ID 0338443: The application firewall cannot use negated (!) literal strings in a fastmatch signature pattern. If you include a negated literal string in a fastmatch-designated pattern in a signatures file, the application firewall displays an error message and does not bind the signatures file to the specified profile.
  • Issue ID 0364099: On a NetScaler appliance that has the application firewall's XML Validation security check enabled, the application firewall might hang during validation.
  • Issue ID 0369529: If an application firewall profile has the HTML cross-site scripting check configured to transform unsafe HTML, the application firewall might transform HTML tags that are listed as permitted tags in the signatures file.

Configuration Utility

  • Issue ID 0349711: In the upgrade wizard, selecting the Automatically reboot check box does not cause the appliance to automatically reboot after the software upgrade.
  • Issue ID 0370284: On the Reporting tab of the NetScaler configuration utility, the CPU vs. Memory Usage and HTTP Requests Rate report does not display the memory usage value.

Domain Name System

  • Issue ID 0292217: The NetScaler appliance functioning as a DNS proxy server and running a GSLB configuration fails under the following sequence of events:
    • The DNS virtual server receives a query for a CNAME record that does not exist on the DNS server. The queried record might or might not be associated with the domain name that is bound to the GSLB virtual server.
    • The DNS server sends a NODATA response for the CNAME record, and the appliance caches that negative response.
    • A load balancing virtual server that is part of the GSLB configuration (it is represented by a GSLB service) receives an HTTP request for the domain name for which the appliance cached the NODATA response.
  • Issue ID 0337088 (nCore and nCore VPX): A NetScaler appliance that is functioning as an end resolver might fail if it does not receive a response to one or more of the DNS queries that it generates.

Load Balancing

  • Issue ID 0340506 (nCore and nCore VPX): A memory leak might occur on one of a pair of NetScaler appliances that are deployed as follows:
    • A RADIUS load balancing virtual server is created on one appliance, and RADIUS services are bound to the virtual server.
    • On the other NetScaler appliance, a service is created to represent the RADIUS load balancing virtual server, and a UDP-ECV monitor is bound to the service. The memory leak occurs on the appliance on which the RADIUS load balancing virtual server is configured.
  • Issue ID 0350241 (nCore and nCore VPX): The NetScaler appliance might fail in the following set of circumstances:
    • A load balancing virtual server has a backup chain consisting of multiple backup virtual servers.
    • One or more of those backup virtual servers are dummy virtual servers (that is, their IP address and port combination is 0.0.0.0:0).
    • You disable a dummy backup virtual server or the service group bound to it, or the state of either the backup virtual server or the service group transitions to DOWN.

Monitoring

  • Issue ID 0363709 (nCore and nCore VPX): If you run the clear ns config command and configuration commands for IPv6 service group members multiple times, alternately and in rapid succession, the NetScaler user interface displays incorrect details for monitors that are bound to IPv6 service group members.
  • Issue ID 0366073 (nCore and nCore VPX): IPv6 monitors of type SMTP fail if a mapped IP address is not consistent across all the processor cores in the NetScaler appliance.

NetScaler SDX Appliance

  • Issue IDs 0329618 and 0330559: If you upgrade a NetScaler SDX appliance from XenServer version 5.6 to XenServer version 6.0 and then try to modify the nsroot password, an error message appears. The error occurs because the nsroot user entry is deleted when you perform the upgrade. Starting from this release, the Management Service creates an entry for nsroot if it does not find an entry in the /etc/passwd file.
  • Issue ID 0357270: If the Management Service fails to correctly apply the admin configuration, specifically the username and password, the entry for the username and password for the VPX instance is deleted from the database. If you try to modify the instance, the username field in the Modify NetScaler Wizard dialog box is blank.

Networking

  • Issue ID 0315773: In an Equal-cost multi-path protocol (ECMP), route selection changes with a change in metric. The NetScaler appliance may become unresponsive when the route information present in the data structure and the currently selected route are different.
  • Issue ID 0353362: For an RNAT rule, the NetScaler appliance performs RNAT processing on packets related to new connections that match the conditions specified in the RNAT rule. However, the appliance does not perform RNAT processing on packets related to existing connections that were established before the RNAT rule was created.
  • Issue ID 0368683: For a recursive BGP route that depends on an IGP route for information, if there is some change in information in the IGP route, the NetScaler appliance does not properly update the BGP routes in its routing table.
  • Issue ID 0369560: If there are two BGP routes for reaching a network device and one of the routes becomes DOWN, the NetScaler appliance does not properly set the next hops while deleting the route from the IP Routing table.
  • Issue ID 0380833: After the NetScaler appliance receives a BGP NOTIFICATION message from a BGP peer because of a connection collision, the appliance may become unresponsive when you run the sh ip BGP neighbor command by using the VTYSH shell.

Platform

  • Issue ID 0380473: On the MPX 21550T platform, the output of the show hardware command displays an incorrect number of SSL cards.

Policy

  • Issue ID 0339824: The NetScaler appliance does not respond when RESET is used as the response side action (resAction) in bidirectional policies (having request side rule).
  • Issue ID 0370770: If an expression was URL encoded, such as in HTTP.REQ.URL, and if this expression was used to look up in a string map by using MAP_STRING(), the appliance can fail or the expression could evaluate to an incorrect value. An example expression is HTTP.REQ.URL.MAP_STRING("myMap").

Rewrite

  • Issue ID 0301481: On a NetScaler appliance that has a response-side rewrite policy configured and bound to a load balancing virtual server, a request sent to the virtual server might trigger a sequence of events that causes the NetScaler appliance to fail.

SSL

  • Issue ID 0275357: The NetScaler appliance fails if you add a certificate revocation list (CRL) that contains a NULL value in the nextUpdate field.
  • Issue ID 0355336: If crypto resources are not available to a packet engine because a number of SSL cards are DOWN, all SSL virtual servers configured on the appliance are marked DOWN. The threshold value for cards going DOWN depends on the number of cores and the number of crypto cards in the appliance.
  • Issue ID 0361974: If the crypto cards take longer to start than do the Access Gateway virtual servers, the virtual servers are marked DOWN.
  • Issue ID 0370650: The NetScaler VPX appliance might fail if both of the following conditions are met:
    1. OCSP is used to check for revoked certificates.
    2. The client sends the client certificate and key in the same record.

System

  • Issue ID 0259891: The NetScaler appliance does not have checks to ensure that it has received the complete information from the audit server. Therefore, when the appliance receives a packet from the audit server, it incorrectly assumes that this is the complete data (the audit server information might have been split across multiple packets). In such cases, the audit logs might not have the correct information.
  • Issue ID 0356430: SNMP traps are not being sent when memory utilization exceeds the threshold limit.
  • Issue ID 0359268 (Classic): The nsconmsg command (which is executed from the shell) does not work when a zipped file is provided for the -K parameter.
  • Issue IDs 0370181, 0370128, and 0326105: The NetScaler appliance fails to respond and then reboots on a race condition between the aggregator and the packet engine.
  • Issue ID 0374221: When an audit policy and a service are bound to the same virtual server, if you are modifying the syslog or nslog action, make sure that the service type, IP address, and port of the action do not match the corresponding parameters of the service.
    Note: The service type for syslog is UDP and for nslog it is TCP.

Web Interface

  • Issue ID 0308398: The application does not load when one of the bound farms that is a valid XenApp farm is down or unavailable (the issue is not observed with an invalid XenApp farm).

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0378974: On a NetScaler appliance that has AAA-TM enabled and single sign-on (SSO) configured, attempts to upload large files in HTTP POST requests might cause high memory allocation errors.
    Workaround: Disable SSO for web forms that use the HTTP POST method. The following commands disable SSO for these web forms:
    add tm trafficaction disablesso -sso off
    add tm trafficpolicy disablesso "http.req.method.eq(POST)" disablesso
    bind tm global trafficpolicy

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user.
    Note: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file might fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL:

    http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html

    Alternatively, a description of the Wizard can be found in the PDF-based documentation, in the Configuration chapter.

  • Issue ID 0318595: On a Sharepoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.
  • Issue ID 0363687: Modifying the configured actions for rules in signature objects that are bound to profiles might cause failover and result in loss of configuration due to failure in command propagation to the secondary node.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the cloud bridge, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the show configstatus command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

Dashboard

  • Issue ID 0346576: The NetScaler graphical user interface (GUI) becomes unresponsive when you try to access the Dashboard tab. This might be because the user who is trying to access the GUI does not have permission to execute the show ns version and show ns hardware commands.
    Workaround: Create a command policy that has permissions for the show ns version and show ns hardware commands and then bind it to the user. For example:
    add sys cmdPolicy policy1 ALLOW ((show)\s+ns\s+version|(show)\s+ns\s+hardware)
    bind sys user user1 policy1 1

Domain Name System

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, the user must provide a value for the sitepath parameter that does not end with a slash (/).
    Example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 88593/0248222 (nCore): After failover, the maxclient setting on a service is not honored.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0318639: If you log on to a NetScaler SDX appliance by using Internet Explorer version 8.0.6001.18702, and try to upgrade the Management Service or a NetScaler VPX instance without providing a documentation file, the following error message appears: “Invalid documentation filename format”.

    Workaround: Use a different browser.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands add ns ip, set ns ip, add ns ip6, and set ns ip6 display an incorrect default value for the ospfArea parameter.

Platform

  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 0360223: In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance.
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch
  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message, “ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”, appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.
    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.

    Workaround: The global setting for MSS must be configured to greater than 1200.

  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.

XML API

  • Issue ID 80170/0241429: The syntax of the unset servicegroup command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.
  • Issue ID 82501/0243262: The data type of the maxforwards argument of the setlbmonitor API is updated from int to unsignedint. This can cause incompatibility of the API.
  • Issue ID 86524/0246517: The data type of the type parameter of the bindcmpglobal_policyEx and unbindcmpglobal_policyEx APIs is changed from rwglobalbindpointEnum to piglobalbindpointEnum. This can cause incompatibility in the API.

Build 61.5

Release version: Citrix® NetScaler®, version 9.3 build 61.5

Replaces build: None

Release date: February 2013

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler.

Changes and Fixes

Access Gateway

Application Firewall

  • Issue ID 0338443: The application firewall cannot use negated (!) literal strings in a fastmatch signature pattern. If you include a negated literal string in a fastmatch-designated pattern in a signatures file, the application firewall displays an error message and does not bind the signatures file to the specified profile.
  • Issue ID 0348647: On a NetScaler appliance that has the application firewall configured, if the client sends a web form with data that contains a plus sign (+), that form field triggers a form field consistency violation. This applies to data that the user types into the form, and to data in hidden fields that was generated by JavaScript or sent to the user from the server.
  • Issue ID 0360302: Signature cookies generated by the application firewall are not sent if the secure flag is enabled for HTTPS connections.

DataStream

  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

High Availability

  • Issue ID 0287765: In a high availability setup, the SNMP traps netScalerConfigChange and netScalerConfigSave are generated on the secondary appliance.

Load Balancing

  • Issue ID 0283803: If you bind a server that has an IPv6 address to a service group, and the IPv6 address includes trailing consecutive zeroes, the NetScaler appliance applies an improper name to the logical entity that it creates to represent the server. Instead of correctly assigning the server’s IPv6 address as the name of the logical entity, the appliance assigns the name as its IP address but with a single colon instead of two for the consecutive zeroes.
  • Issue ID 0287821 (nCore and nCore VPX): The processor cores on the NetScaler appliance exchange persistence-session information by sending core-to-core messages. The maximum length allowed for a token in the persistence-session table is 64 bytes. If rule based persistence is used, any core that receives a request processes the entire token when creating the hash that identifies the persistence session, even if the token identified by the rule is greater than 64 bytes. But when the core shares the persistence session information with another core, it truncates the token to a length of 64 bytes. Sometimes, it also transmits the hash with a value of 0 (zero), prompting the core that receives the message to recalculate the hash value from the token it received. The recalculation, which is based on only the first 64 bytes of the token, causes a discrepancy in hash values between cores, a flood of core-to-core messages, and high CPU usage.
  • Issue ID 0331414 (nCore and nCore VPX): The states and port numbers of load balancing virtual servers and services are not included in log entries in the newnslog file.
  • Issue IDs 0310465 and 0350458 (nCore and nCore VPX): The servicegroupbindings NITRO request (URL: http://<NS_IP>/nitro/v1/config/servicegroupbindings/<servicegroupname>) does not retrieve the names of the load balancing virtual servers to which the service group is bound.
  • Issue ID 0357088: Latency can occur when a NetScaler appliance sends sparse traffic to a Load Balancing virtual server.
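
The hash discrepancy described in Issue ID 0287821 can be reproduced with a toy two-core model. This is an added example, not Citrix code: the hash function (truncated SHA-256), the message layout, the Core class, and the backend name server-1 are assumptions made for illustration; only the 64-byte limit and the hash-sent-as-zero behavior come from the note above. The truncate_before_hash=True mode shows one consistent alternative and is not presented as the vendor's fix.

```python
"""Toy model of the persistence-token hash mismatch in Issue ID 0287821."""
import hashlib

MAX_TOKEN_LEN = 64  # token length limit in the persistence-session table (from the note)
HASH_NOT_SENT = 0   # a hash value of 0 in a message makes the receiver recalculate


def token_hash(token: bytes) -> int:
    """Stand-in 32-bit hash (assumption; not the appliance's hash function)."""
    value = int.from_bytes(hashlib.sha256(token).digest()[:4], "big")
    return value or 1  # keep 0 reserved for HASH_NOT_SENT


class Core:
    """One packet-processing core with its own copy of the persistence table."""

    def __init__(self, name: str, truncate_before_hash: bool):
        self.name = name
        self.truncate_before_hash = truncate_before_hash
        self.sessions = {}  # hash -> (stored token, backend)

    def request_hash(self, token: bytes) -> int:
        """Hash the token extracted from a client request by the persistence rule."""
        if self.truncate_before_hash:
            token = token[:MAX_TOKEN_LEN]
        return token_hash(token)

    def create_session(self, token: bytes, backend: str) -> dict:
        """Record a new session and build the core-to-core message for peers."""
        self.sessions[self.request_hash(token)] = (token[:MAX_TOKEN_LEN], backend)
        # The message always carries the truncated token; here the hash is sent as 0.
        return {"token": token[:MAX_TOKEN_LEN], "hash": HASH_NOT_SENT, "backend": backend}

    def receive(self, message: dict) -> int:
        """Install a peer's session, recalculating the hash when it arrives as 0."""
        key = message["hash"] or token_hash(message["token"])
        self.sessions[key] = (message["token"], message["backend"])
        return key

    def lookup(self, token: bytes):
        """Return the persisted backend for a request token, or None on a miss."""
        entry = self.sessions.get(self.request_hash(token))
        return entry[1] if entry else None


def simulate(token: bytes, truncate_before_hash: bool) -> dict:
    """Create a session on core-0, share it with core-1, then look it up on core-1."""
    owner = Core("core-0", truncate_before_hash)
    peer = Core("core-1", truncate_before_hash)
    message = owner.create_session(token, "server-1")
    peer_hash = peer.receive(message)
    return {
        "owner_hash": owner.request_hash(token),
        "peer_hash": peer_hash,
        "peer_lookup": peer.lookup(token),
    }


if __name__ == "__main__":
    long_token = b"user-" + b"x" * 100  # constructed 105-byte token
    for mode in (False, True):
        print(mode, simulate(long_token, mode))
```

With a token longer than 64 bytes, the peer stores the session under a hash the owner never uses, so every lookup on the peer misses even though the session was shared.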

Monitoring

  • Issue ID 0354059: The Last response field in the output of the show service command should indicate that a probe timed out if the following sequence of events occurs:
    1. The monitor bound to the service fails due to an internal error (for example, an unavailable ARP table entry).
    2. The error condition is corrected.
    3. Probes are successfully sent to the service, but they time out.

    Instead of text indicating that the most recent probe timed out, the content of the Last response field is Internal error: resource unavailable to send probe.

NetScaler SDX Appliance

  • Issue ID 0318968: If you log on to a NetScaler VPX instance and change the password for access to the instance, instead of changing the password from the Management Service, connectivity from the Management Service to the instance is lost. With this release, you can restore connectivity by creating a new profile from the Management Service, assigning it the same password that you specified on the NetScaler VPX instance, and then binding the new profile to the NetScaler VPX instance.

    To create a new administrator profile, log on to the Management Service and, on the Configuration tab, navigate to NetScaler > Admin Profiles. In the details pane, click Add. In the Create NetScaler Admin Profile dialog box, type the new profile name and password. Then navigate to NetScaler > Instances and select the instance to which you want to bind the new profile. Click Modify to open the Modify NetScaler wizard and, from the Admin Profile list, select the new profile. You do not need to restart the instance for this change to take effect.

    You can also lose connectivity to XenServer by changing the password on XenServer instead of from the Management Service. To restore connectivity, you can now change the password for XenServer from the Management Service.

    To change the password, log on to the Management Service and, on the Configuration tab, navigate to System > Users. Select the nsroot user, and then click Modify. In the Modify System User dialog box, type the same password that you specified when you were logged directly on to XenServer.

  • Issue ID 0336831: If you bind a new interface to a NetScaler instance by using the Management Service, the physical-interface to virtual-interface mapping does not change. However, if you modify a NetScaler instance by using the Management Service, and the modification involves disabling a virtual interface, the physical to virtual interface mapping on the instance might change.

Networking

  • Issue ID 0298289: For a configured IP tunnel with MAC-based forwarding (MBF) enabled, an HTTP monitor may fail randomly because wrong MAC addresses are used in the Layer 2 header.
  • Issue ID 0343789: In a high availability configuration, a BGP peer of the secondary node stays in the OPENSENT state.
  • Issue ID 0346654: The NetScaler appliance does not ignore some unsupported capabilities. It might reset BGP connections even when strict-capability-match is not configured on the appliance.
  • Issue ID 0347842: When the NetScaler appliance reestablishes OSPF adjacency with a peer router, latency might delay the Link State (LS) updates sent by the appliance. The delay might cause the peer router to install invalid Link State Advertisements (LSAs) for a short period of time. As a result, traffic arriving during this period encounters a black-hole.

NITRO API

  • Issue ID 0318912: On the NetScaler appliance versions 9.2, 9.3, and 10, incorrect values are returned for cpuusagepcnt and rescpuusagepcnt on the following query: /nitro/v1/stat/system.

Platform

  • Issue ID 0357030: NetScaler release 9.3 build 61.x is supported on the SDX 11500/13500/14500/16500/18500/20500 NEBS platform.

Policies

  • Issue ID 0334472: In some deployments you cannot remove string patterns from string maps.
  • Issue ID 0342589: Existing compression policies cannot be disabled without changing the priority value.

SSL

  • Issue ID 0338757: If you bind a CA or client certificate to a service group and save the configuration, the binding is not saved and is therefore missing when the appliance is restarted.
  • Issue ID 0333936 (Classic and nCore): If an SSL chip fails on the NetScaler MPX platform, the software now attempts to reinitialize the chip and restore its operation.

System

  • Issue ID 0334500: Disk usage is high because the newnslog log files of NetScaler appliance version 9.2 are not automatically cleaned up on upgrade to NetScaler appliance version 9.3. With this fix, when a new newnslog file (for example, newnslog.xx) is created, the corresponding newnslog.xx.gz file, if it exists, is removed.
  • Issue ID 0335155: When USIP is enabled, the NetScaler appliance sends a probe to the server using the client IP address as the source IP address. If the server responds to the probe with a packet that has an incorrect acknowledgement number, the appliance tries to probe the server again using the MIP address instead of the client IP address.
  • Issue ID 0352893: If the NetScaler appliance restarts while executing the save ns config command, a loss of configurations is observed in the ns.conf file.
  • Issue ID 0350189: Some transactions experience latency because of high CPU usage on the 7-second boundary while statistics are synchronized.
  • Issue ID 0356420: A large number of routine system health check messages are continually added to the system log.
  • Issue ID 0358197: SNMP cannot complete within the 5-minute window between polling periods because it sends the request to the aggregator and waits for a response.

Known Issues and Workarounds

ACL

  • Issue ID 0264933: If you do not set the icmpType and icmpCode parameters while running the add acl or add acl6 command, the show acl -format TEXT or show acl6 -format TEXT command displays unexpected values for these parameters. This is a display issue and has no effect on functionality.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user.
    Note: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file might fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL: http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html.

    Alternatively, a description of the Wizard can be found in the PDF-based documentation, in the Configuration chapter.

  • Issue ID 0318595: On a Sharepoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.
  • Issue ID 0363687: Modifying the configured actions for rules in signature objects that are bound to profiles might cause failover and result in loss of configuration due to failure in command propagation to the secondary node.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the CloudBridge tunnel, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the show configstatus command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

Dashboard

  • Issue ID 0346576: The NetScaler graphical user interface (GUI) becomes unresponsive when you try to access the Dashboard tab. This might be because the user who is trying to access the GUI does not have permission to execute the show ns version and show ns hardware commands.
    Workaround: Create a command policy that has permissions for the show ns version and show ns hardware commands and then bind it to the user. For example:
    add sys cmdPolicy policy1 ALLOW ((show)\s+ns\s+version|(show)\s+ns\s+hardware)
    bind sys user user1 policy1 1

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, the user must provide a value for the sitepath parameter that does not end with a slash (/).
    Example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 88593/0248222 (nCore): After failover, the maxclient setting on a service is not honored.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0318639: If you log on to a NetScaler SDX appliance by using Internet Explorer version 8.0.6001.18702, and try to upgrade the Management Service or a NetScaler VPX instance without providing a documentation file, the following error message appears: “Invalid documentation filename format”.

    Workaround: Use a different browser.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands add ns ip, set ns ip, add ns ip6, and set ns ip6 display an incorrect default value for the ospfArea parameter.

Platform

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance.
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch
  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the show configstatus command or reboot.” However, the correct message, “ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”, appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.
    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.

    Workaround: The global setting for MSS must be configured to greater than 1200.

  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).
    Workaround: Initiate steering to CPU1. At the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=1
    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=0
    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.

XML API

  • Issue ID 80170/0241429: The syntax of the unset servicegroup command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.

Build 60.3

Release version: Citrix® NetScaler®, version 9.3 build 60.3

Replaces build: None

Release date: December 2012

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0345220: If a AAA virtual server is configured for two-factor authentication with RADIUS challenge/response in a single sign-on (SSO) environment, with the SSO name extracted from the primary authentication service and the second factor from RADIUS challenge/response, the wrong username may be extracted. This can result in intermittent authentication failures.

Access Gateway

  • Issue ID 0314500: If you log on with the Access Gateway Plug-in and then attempt to log on to the configuration utility by using HTTPS, the connection fails. You must log on to the configuration utility by using HTTP when connected through the Access Gateway Plug-in.
  • Issue ID 0337886: If users select Automatically detect settings in Internet Explorer on a computer running Windows XP, when users log on with the Access Gateway Plug-in and then log off from Access Gateway, the Automatically detect settings check box is not restored to the previously configured setting.
  • Issue ID 0338451: If hundreds of concurrent sessions occur, the generation of a support file takes several hours.
  • Issue ID 0339669: Access Gateway can now handle proxy exception lists in Internet Explorer with character lengths of up to 2064 characters, which equals the maximum character length in Internet Explorer.
  • Issue ID 0346273: If you configure an Access Gateway session policy that denies unauthorized users and has a name longer than 31 characters, and you bind it to a group or to a virtual server, Access Gateway fails over. To fix the error, use a policy name with fewer than 31 characters. The maximum character length for policy names is 127.

AppFlow

  • Issue ID 0320239 (nCore): HTTP method names might be occasionally truncated in the AppFlow records.

Application Firewall

  • Issue ID 0346384: When the Start URL feature is configured to use an HTML error object uploaded to the NetScaler appliance, instead of an error URL, the start URL feature cannot block access to "/", even if you exclude "/" from the start URLs list.

CloudBridge

  • Issue ID 0341895: The state of the IPSEC tunnel becomes DOWN and Security Association (SA) reformation/re-keying does not happen after the Internet Key Exchange (IKE) lifetime expires.

Configuration Utility

  • Issue ID 0336854: When you open a log file in the Syslog messages viewer, all the logs are not displayed when the uncompressed log file size is more than 10MB.
  • Issue ID 0346060: When you access the NetScaler configuration utility from a client environment using JRE 7, in certain configurations, the NetScaler configuration utility displays an "Operation in Progress" message when you open a load balancing virtual server configuration.

Content Switching

  • Issue ID 0315161 (nCore and nCore VPX): A NetScaler appliance fails under the following sequence of events:
    1. You associate an HTTP load balancing virtual server with an HTTP profile and a backup load balancing virtual server of type TCP.
    2. You configure a content switching virtual server to switch requests on the basis of content switching policies, and you set the load balancing virtual server as a target for the content switching virtual server.
    3. The HTTP load balancing virtual server goes down.
    4. When the content switching virtual server receives a request, it happens to select the load balancing virtual server.
    5. Because the HTTP virtual server is down, the content switching virtual server selects the backup load balancing virtual server, which is of type TCP.
    6. The appliance attempts to access the HTTP profile, which cannot be associated with a load balancing virtual server of type TCP.

Global Server Load Balancing

  • Issue ID 0344759: If you attempt to create a CNAME-based GSLB service with a CNAME that is already associated with another service, the NetScaler appliance not only disallows creation of the new service, but also removes the CNAME record for that CNAME. A subsequent attempt to create a GSLB service with that CNAME is successful, and creates a new CNAME record. Therefore, two GSLB services (the previously existing service and the new one) are associated with the same CNAME.

Integrated Caching

  • Issue ID 0337778: When an object gets cached in a content group that has hit selectors or hit parameters set, and the server is slow, Integrated Caching might not function normally. As a result, the NetScaler appliance might fail.
  • Issue ID 0347120: For HTTP callout caching, if a response gets cached in a content group that has the minimum number of hits set to a non-zero value, the show cache object command fails.

Load Balancing

  • Issue ID 0333200: If rule-based persistence is configured for a load balancing virtual server, and the virtual server receives traffic from a content switching virtual server, the load balancing virtual server’s persistence sessions expire at the end of the configured timeout period, even if new requests arrive before session expiry.
  • Issue ID 0345300 (nCore and nCore VPX): If a UDP connection that is being managed by a load balancing virtual server of type UDP, SIP_UDP, DNS, RADIUS, or ANY is blocked pending a decision on persistence, and the associated protocol control block is freed before all the NetScaler buffers that reference the protocol control block are processed, the appliance might fail.

NetScaler SDX Appliance

  • Issue ID 0329597: In certain cases, the status of a storage disk present in the SDX appliance might appear as “Missing” in the Management Service user interface under Monitoring > System Health > Storage > Disk node.

Networking

  • Issue ID 0288356: With MAC-Based Forwarding (MBF) enabled, new connections to a server fail through a Virtual IP (VIP) address, if the server is configured to reach over the newly added Subnet IP (SNIP) addresses that are bound to a Layer 3 (L3) VLAN.
  • Issue ID 0336886: When a VIP with OSPF LSA TYPE-1 exists on the NetScaler appliance, any new VIPs configured with TYPE-5 are saved as TYPE-1.

NITRO API

  • Issue ID 0257279: You can now view the virtual servers to which a specified service is bound. The REST URL for this is http://<nsip>/nitro/v1/config/svcbindings/svcname.

Policies

  • Issue ID 0291487: NetScaler appliances that are running version 9.2 build 52.1 or later and have a large number (in the hundreds) of policy bindings can experience performance issues on 'save ns config' and 'show config' operations. This can lead to interruption in services.

SSL

  • Issue ID 0344323: An attempt to add a CA certificate fails if the modulus value of the public key is not a multiple of 512 bits.
  • Issue ID 0353680: The add ssl certkey command fails if the private key file does not have a newline at the end of the file.

System

  • Issue ID 0241964: The SNMP engine ID does not get saved to the ns.conf file after the configurations are saved. Hence the engine ID is not retained across reboots. Also, the default SNMP engine ID is not displayed on issuing the show snmp engineid command.
  • Issue ID 0301065: When using the HTTP monitor, the NetScaler appliance might send SYN packets from a port on which an earlier session was not closed by the server. The server then responds with a bad syn ack response, which causes the NetScaler appliance to send a RST to the server.
  • Issue ID 0308095: In some cases, an internal service fails to bind to port 3010, and the failure causes the NetScaler appliance to restart itself.
  • Issue ID 0330336 (nCore): IPv6 addresses might occasionally be captured in the audit log, even though IPv6 addresses are not configured.
  • Issue ID 0352893: If the NetScaler appliance restarts while executing the save ns config command, a loss of configurations is observed in the ns.conf file.

Known Issues and Workarounds

Access Gateway

  • Issue IDs 80175/0241433 and 82022/242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 0242252: In the Access Gateway configuration utility, you can bind a server running the STA with the same IP address or fully qualified domain name (FQDN) two times.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on by using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84787/0245136: When you issue the command sh vpn vserver on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    • Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    • Bind the Outlook Web Access regular expression to this profile.
    • Bind the profile so that it assumes the highest priority.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, Access Gateway fails.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either the intranet or to external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, when users log on with the Access Gateway Plug-in for Java and the time-out period expires, a session time-out message appears on the user device; however, the session is not closed on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain, by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects. When users log off, however, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the Log on option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon and then, depending on the version of Receiver they are using, click About or Preferences from the Receiver menu and Plug-in Status or Advanced from the Receiver panel. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the Inventory key, configure the following REG_SZ values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as '*Password'.
        Note: To mask the password, enter an asterisk (*) before the word.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as REG_SZ:

      • VPNPrompt3. Provide the value as '*Passcode'.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.
  • Issue ID 0311708: If you configure LDAP and RADIUS authentication using RADIUS shared secrets, the configuration may remain stable for several weeks, but eventually, the RADIUS authentication may fail even if users enter the PIN correctly. When users log on, instead of offering a challenge in which the user must enter the shared secret, a message appears stating that authentication fails. As a workaround, you can change the IP address of the DNS server to redirect users to another site, while you restart the appliance, or you can enable users to log on through a virtual server that requires LDAP authentication only.
  • Issue ID 0332348: When you configure a post-authentication policy to check for a registry key or value on a user device, the scan fails each time the scan is run even if the user device meets the requirements of the policy.
  • Issue ID 0332373: In a high availability configuration, if failover occurs, the session is removed from the appliance that becomes secondary. If failover occurs again, the session is closed.

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user. NOTE: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file might fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL: http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html. Alternatively, a description of the Wizard can be found in the PDF-based documentation, in the Configuration chapter.
  • Issue ID 0318595: On a SharePoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the cloud bridge, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the show configstatus command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

DataStream

  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, the user has to provide the value of the sitepath parameter in such a way that it does not end with a slash (/).
    Example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 88593/0248222 (nCore): After failover, the maxclient setting on a service is not honored.
  • Issue ID 0309954: A GSLB virtual server becomes unavailable if you use the same IP address as the public IP address for both a local and a remote GSLB service, bind monitors to the services, and then bind the services to the virtual server.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands add ns ip, set ns ip, add ns ip6, and set ns ip6 display an incorrect default value for the ospfArea parameter.

Platform

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message--“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.
    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out
  • Issue ID 0338757: If you bind a CA or client certificate to a service group and save the configuration, the binding is not saved and is therefore missing when the appliance is restarted.

    Workaround: After the appliance restarts, rebind the certificate to the service group, or use services instead of a service group.

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance might fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance might fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).
    Workaround: Initiate steering to CPU1. At the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=1
    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=0
    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

Web Interface

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.

XML API

  • Issue ID 80170/0241429: The syntax of the unset servicegroup command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.

Build 59.5

Release version: Citrix® NetScaler®, version 9.3 build 59.5

Replaces build: None

Release date: October 2012

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes

Nitro API

  • Issue ID 89377/0248847: You can now specify the attributes that you want to view, by specifying the required attributes in the URL. For example, you can view the name and service type for all load balancing virtual servers by using the URL <nsip_address>/nitro/v1/config/lbvserver?attrs=name,servicetype.

SSL

  • Issue ID 74374/0236585: You can now load a certificate bundle containing one server certificate, up to nine intermediate certificates, and optionally, a server key. Separate steps for loading and linking the certificates are no longer required.

Bug Fixes

AAA Application Traffic

  • Issue ID 0319434: If 401 basic authentication is enabled on a load balancing virtual server, and authentication fails either due to invalid credentials or a Kerberos authentication failure, the NetScaler packet engine might crash.
  • Issue ID 0341787/344661: AAA-TM does not remove authorization headers from requests, so even if single sign-on (SSO) is configured, the user cannot use it to sign on to protected applications.

Access Gateway

  • Issue ID 289686: If users connect with the Access Gateway Plug-in for Mac and then log off from the Web Interface, if users log on again within five minutes, the connection fails. This only occurs if you enable ICA proxy in Access Gateway.
  • Issue ID 0326413: If you configure a pre-authentication policy by using the command-line interface, and you use an exceedingly large number of characters (900, for example) in the name, when you view the policy in the configuration utility, the policy fails to open and a Java exception error occurs. The policy works, however.
  • Issue ID 0329603: When you configure Access Gateway to use a proxy server for network resources and to assign an intranet IP address to a user session, Access Gateway fails.
  • Issue ID 0329621: If you configure an endpoint policy and bind the policy to a virtual server, the preauthentication policy does not work as expected. Users with devices that meet the requirements may not be able to log on to Access Gateway.
  • Issue ID 0329917: If you configure address pools, when users log on with the Access Gateway Plug-in and the connection routes through a virtual IP address, if you configure a load balancing virtual server or a content switching virtual server on NetScaler, occasionally, Access Gateway fails.
  • Issue ID 0330636: When users log on with the Access Gateway Plug-in on an nCore Access Gateway appliance, occasionally when server-initiated connections occur, depending on the core through which the traffic is passed, the user device may fail.
  • Issue ID 0331288: When split tunneling is OFF, when users try to connect with an Access Gateway Plug-in, occasionally host routes added by the plug-in may block communication between the Internet IP address and the Domain Name Server. Users may experience network connectivity issues, such as the inability to access file shares on the network.
  • Issue ID 0332483: If you have a VLAN configuration on the NetScaler appliance, when users log on with the Access Gateway Plug-in, occasionally service-initiated connections to the user device fail.
  • Issue ID 0337609: When you integrate Access Gateway with a SharePoint site, after users log on successfully, when they open a Microsoft Office document, the session ends and the logon page appears.
  • Issue ID 0336091: When users log on with the Access Gateway Plug-in and they successfully establish a connection, and then users start a Remote Desktop Protocol (RDP) connection, the Access Gateway Plug-in resets the connection multiple times before users receive a stable connection to the RDP server.
  • Issue ID 0336576: If you configure an endpoint analysis scan with a client security expression for any scan type, such as requiring Notepad to be running on the user device, endpoint analysis does not work as expected.
  • Issue ID 0336499: When users log on to Access Gateway by using Citrix Receiver and then log off by using the Receiver icon in the taskbar, the computer loses network access. To restore network access, users must either disable and then enable their network interface or restart their computer. To avoid the issue, users can log off from the Access Interface home page.
  • Issue ID 0338220: If you configure client certificate-based expressions for preauthentication or post-authentication scans, when users try to log on to Access Gateway, occasionally, the scan fails. To avoid the issue, you can use the classic or MPX 5500 platforms.
  • Issue ID 0340122: After users upgrade to Access Gateway 10, build 70.7, if you have a high availability configuration that includes an FTP server, when users log on with the Access Gateway Plug-in and initiate an FTP session, occasionally Access Gateway fails on both primary and secondary appliances while the FTP connection is active.

Application Firewall

  • Issue ID 0257168: The application firewall might trigger a false positive for a field consistency violation if submitted form data contains unnamed field(s), because some browsers do not send unnamed field(s) back to the server.
  • Issue ID 0306242/0248379: In rare cases, the internal data maintained by the application firewall might change incorrectly, causing the NetScaler appliance to restart.
  • Issue ID 0329401: On a NetScaler appliance that has the application firewall enabled and both cookie transformation and encryption on, secure memory usage increases slowly and continuously until the NetScaler appliance starts to drop connections. To work around this issue, you can reboot the NetScaler appliance regularly.
  • Issue ID 0330642/0331885: On a NetScaler appliance with both the application firewall and Integrated Caching features enabled, the NetScaler appliance might experience occasional resets when its memory fills up. The cause is a small memory leak.
  • Issue ID 0331112/0330298 (nCore): In the NetScaler 9.3 58.2.nc build, when applying the HTML or XML SQL Injection check, the application firewall does not transform special strings even when Transformation is enabled. This issue was fixed in build 58.4.nc.
  • Issue ID 0331872: The NetScaler appliance now supports decoding of overlong UTF-8 characters.
  • Issue ID 0333332: When signatures that work on the POST body are enabled, a large POST request may cause an HA failover during literal pattern matching.
  • Issue ID 0335102: On a NetScaler appliance that has the application firewall enabled, adding a large number of signature objects can cause high CPU loads.

Configuration Utility

  • Issue ID 93754/0257608: When you view the configuration difference between files, the corrective commands generated for bind or unbind commands of load balancing and content switching virtual servers might not be accurate in some cases.
  • Issue ID 0305248: In the Reporting tool, when users try to generate a 'system entities statistics' report for load balancing virtual servers, the load balancing virtual servers configured on the appliance might be displayed as being inactive. Users cannot choose the virtual server to view the statistics.
  • Issue ID 0310203: In the Reporting tool, when users try to generate a custom report for load balancing virtual servers, the virtual servers might be displayed as being inactive. Users cannot choose the virtual server to view the statistics.
  • Issue ID 0327492: If a user attempts to access the Web Interface through the load balancing virtual server, the attempt fails if "enable access via mobile receivers" is enabled at global level and also on the individual load balancing virtual server, because the rewrite policies are also bound at both global level and vserver level.
  • Issue ID 0328747: In the Reporting tool, when users try to generate a 'system entities statistics' report for GSLB domains, the GSLB domain names configured on the appliance might not be displayed in the entities list.
  • Issue ID 0329547 (nCore): In some cases, the value to which you set the prefetchPeriodMilliSec parameter for a cache content group might not be saved in the nsconfig file.
  • Issue ID 0333814: When users configure a port on the audit server, the configuration utility displays the port number as a negative integer if the port number is greater than 32767.
  • Issue ID 0339085: When you navigate to Network > Routes > Basic to view the basic route details, the 'Gateway/Owned IP/Name' column in the table does not display the name of the load balancing virtual server for LLB routes.

Cloud Bridge

  • Issue ID 0313629 (nCore and nCore VPX): When the NetScaler system time is modified, either by the Network Time Protocol Daemon (NTPD) or by other external factors, to a time earlier than the boot time, the iked process might start consuming 100% of CPU resources.

DataStream

  • Issue ID 0323442 (nCore and nCore VPX): The DataStream feature does not support dynamic stored procedures. Consequently, dynamic stored procedures fail if they use the sp_prepexec and sp_prepare stored procedures.

Domain Name System

  • Issue ID 0318199: If core memory is not available when the NetScaler appliance is processing an RRSIG record received in a response, the appliance fails.

Global Server Load Balancing

  • Issue ID 0299642: If static proximity is configured as the primary GSLB method, and it returns multiple GSLB services, the NetScaler appliance implements round robin load balancing on those services, regardless of which GSLB method is configured as the backup method. Additionally, the appliance does not consider any weights that might be configured for those GSLB services.
  • Issue ID 0308555 (nCore, nCore VPX): In certain scenarios, if the primary and backup GSLB methods are static proximity and dynamic RTT, respectively, requests for domain name resolution are not processed correctly. As a result, the appliance can fail.
  • Issue ID 0326364/0315417 (nCore and nCore VPX): Even though a GSLB virtual server is configured with the static proximity method, and some requests match a DNS policy whose action uses a DNS view to restrict matching requests to only a subset of the bound services, the NetScaler appliance uses the round robin method to load balance requests across all of the GSLB services that are bound to the GSLB virtual server. The issue can occur if the locations that correspond to the source IP addresses in the DNS requests are not found in the location database.

Load Balancing

  • Issue ID 0309954: A GSLB virtual server becomes unavailable if you use the same IP address as the public IP address for both a local and a remote GSLB service, bind monitors to the services, and then bind the services to the virtual server.
  • Issue ID 0312844 (nCore, nCore VPX): The NetScaler appliance might fail when it is rate limiting DNS or SIP traffic associated with a sessionless load balancing virtual server.
  • Issue ID 0331329/0341782 (nCore): If you rename a domain name server on which a service group is configured, and later perform an SNMP walk on the service group member full name, the NetScaler appliance fails.
  • Issue ID 0338196 (nCore, nCore VPX): The NetScaler appliance might fail during active-mode FTP transactions.

NetScaler SDX Appliance

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 0331900: If you try to upload a file larger than 300 MB to the NetScaler SDX appliance, the upload fails.
  • Issue ID 0332313: 100 percent CPU usage is observed when the Management Service takes the daily backup.
  • Issue ID 0334340: If you upgrade the Management Service on which a NetScaler instance with a description longer than 32 characters is provisioned, the instance is not migrated, and therefore, complete data related to the instance is not available in the database. Later, if you delete this instance and provision a new instance with the same IP address, the operation fails.

Networking

  • Issue ID 0322026: In an L2 DSR configuration, packets arriving on the loopback interface are dropped even when the traffic rate on the interface is low.
  • Issue ID 0334312: During a warm restart of the NetScaler appliance, a daemon might fail to start. After not receiving heartbeats from the daemon, the Pitboss process restarts the appliance.
  • Issue ID 0336136: If a NetScaler appliance acting as a DHCP relay agent receives DHCP Discover traffic that is not from a Layer 3 VLAN, the appliance might disconnect from the default gateway and remain disconnected for some time.

Platform

  • Issue ID 0269952 (nCore): In rare cases, after you start a NetScaler appliance, the appliance might fail or the console might not respond because of a deadlock in the 10G ixgbe or e1k driver.
  • Issue ID 0321989: NetScaler release 9.3 build 59.x is supported on the new MPX 5550/5650 platform.

Policies

  • Issue ID 0291975: The SYS.VSERVER("<vserver_name>").THROUGHPUT expression returns an incorrect throughput value.
  • Issue ID 0336384: When you create an advanced expression, ClientSecurityMessage is unexpectedly added when you save the configuration. Therefore, when the appliance is rebooted, these advanced expressions are not executed and are lost.

Responder

  • Issue ID 0324200 (nCore): On a NetScaler appliance with the responder feature configured to redirect requests from authenticated members of a particular group to a custom web page, the redirections sometimes fail. The reason is that, when the responder feature is invoked before the AAA session is completely established (as is the case when a user selects a choice after initial logon), the user’s AAA session is not transferred from one core to the other. Responder therefore fails to identify the user as a member of the targeted group.
  • Issue ID 0330133: On a NetScaler appliance with the responder feature enabled and a respondWith response configured, if a user sends a request with a large Content-Length header, the NetScaler appliance might appear to hang. The cause of the apparent hang is that the NetScaler appliance expects a request of the specified Content-Length, and waits for the rest of the request before responding to it.

Rewrite

  • Issue ID 0301481: On a NetScaler appliance that has a response-side rewrite policy configured and bound to a load balancing virtual server, a request sent to the virtual server might trigger a sequence of events that causes the NetScaler appliance to fail.

SSL

  • Issue ID 0236585: You can now load a certificate bundle containing one server certificate, up to nine intermediate certificates, and optionally, a server key. Separate steps for loading and linking the certificates are no longer required.
  • Issue ID 0302532: The NetScaler appliance fails if all of the following conditions are met:
    • A certificate revocation list (CRL) is present and linked with a CA certificate, and the CA certificate is continuously updated.
    • The CRL is uploaded by using HTTP, and auto refresh is enabled on the CRL.
    • Client authentication is enabled. Therefore, the client is verified for every GET request.
  • Issue ID 0318672: In rare cases, a warm restart can cause the NetScaler appliance to fail or perform a core dump.

System

  • Issue ID 0250872 (nCore): In extremely rare circumstances, if the NetScaler management CPU becomes unresponsive due to internal causes, the NetScaler packet engines might also become unresponsive after waiting for replies from the management CPU. In that event, the NetScaler appliance can become unresponsive or fail.
  • Issue ID 0277102: When you execute the show events command, the NetScaler appliance might fail if the number of events to be displayed is more than 2^31.
  • Issue ID 0325718 (nCore): The amount of memory allocated to a packet engine can be retrieved by using the show ns stat command (value of InUseMemory) or by SNMP polling (value of resMemUsage). The InUseMemory and resMemUsage values for the same packet engine did not match, because different methods were used to calculate the allocated memory. This mismatch is now resolved, and both methods return the correct value.
  • Issue ID 0332251: You can now configure LACP from within a NetScaler VPX instance hosted on a NetScaler SDX appliance. Make sure that the interfaces that are part of the channel are not shared with other instances, and a dedicated channel is configured for an instance.
  • Issue ID 0333385: A hash collision might put the NetScaler aggregator into a recursive loop, causing the aggregator to fail. The NetScaler appliance might also fail, because of the aggregator failure.

Web Interface

  • Issue ID 0306731: If the Rewrite feature is not enabled, the Enable access through receiver client option for a Web Interface (WI) site does not work. This is because the functionality of the option depends on some rewrite policies on the appliance.

Known Issues and Workarounds

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Access Gateway

  • Issue ID 80175/0241433 and 82022/242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 0242252: In the Access Gateway configuration utility, you can bind a server running the STA with the same IP address or fully qualified domain name (FQDN) two times.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the Log on option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon and then, depending on the version of Receiver they are using, click About or Preferences from the Receiver menu and Plug-in Status or Advanced from the Receiver panel. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the Inventory key, configure the following REG_SZ values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as '*Password'.
        Note: To mask the password, enter an asterisk (*) before the word.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as REG_SZ:

      • VPNPrompt3. Provide the value as '*Passcode'.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects. When users log off, however, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either the intranet or to external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain, by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, Access Gateway fails.
  • Issue ID 83492/0244134: When users log on by using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    • Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    • Bind the Outlook Web Access regular expression to this profile.
    • Bind the profile so that it assumes the highest priority.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires; however, the session is not closed on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue ID 86470/0246469 and 86787/246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.
  • Issue ID 0311708: If you configure LDAP and RADIUS authentication using RADIUS shared secrets, the configuration may remain stable for several weeks, but eventually, the RADIUS authentication may fail even if users enter the PIN correctly. When users log on, instead of offering a challenge in which the user must enter the shared secret, a message appears stating that authentication fails. As a workaround, you can change the IP address of the DNS server to redirect users to another site, while you restart the appliance, or you can enable users to log on through a virtual server that requires LDAP authentication only.
  • Issue ID 0332348: When you configure a post-authentication policy to check for a registry key or value on a user device, the scan fails each time the scan is run even if the user device meets the requirements of the policy.
  • Issue ID 0332373: In a high availability configuration, if failover occurs, the session is removed from the appliance that becomes secondary. If failover occurs again, the session is closed.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user.
    Note: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file might fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0318595: On a SharePoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL: http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html. Alternatively, a description of the wizard can be found in the PDF-based documentation, in the Configuration chapter.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the cloud bridge, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the 'show configstatus' command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

DataStream

  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection might be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:

    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message, “ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”, appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out
  • Issue ID 0338757: If you bind a CA or client certificate to a service group and save the configuration, the binding is not saved and is therefore missing when the appliance is restarted.

    Workaround: After the appliance restarts, rebind the certificate to the service group, or use services instead of a service group.

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance might fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance might fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49. Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=1

    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=0

    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.

XML API

  • Issue ID 80170/0241429: The syntax of the 'unset servicegroup' command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the 'unset servicegroup' command.

Build 58.5

Release version: Citrix® NetScaler®, version 9.3 build 58.5

Replaces build: None

Release date: August 2012

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0307258: When you create a AAA-TM profile by using the configuration utility, it sets persistency for the profile to zero (0), instead of deriving the persistency values from the global persistency settings. You can verify this issue by typing the following command at the NetScaler command line:

    show tm sessionaction <profileName>

    You can fix the persistency settings for any AAA-TM profile that is affected by this issue by typing the following command at the NetScaler command line:

    set tm sessionAction <profileName> -persistentCookie ENABLED -persistentCookieValidity <positive_integer>

    For <positive_integer>, substitute the number of minutes that the persistency cookie is to remain valid. Then, use the 'show tm sessionaction' command to verify your changes.

  • Issue ID 0313931: On a NetScaler appliance that has AAA-TM enabled, if a user takes more than four minutes to finish authenticating and the AAA session expires, the user is unable to authenticate. When the user clicks the 'click here' link to return to the logon page, instead of being redirected to the logon page, the user is redirected to the 'Expired Session' page repeatedly.
  • Issue ID 0314561: On a NetScaler appliance with AAA-TM enabled and single sign-on (SSO) configured, if a user who uses the Google Chrome browser takes more than four minutes to authenticate and the session expires, the browser displays a blank page instead of the Session Expired page.
  • Issue ID 0322445: On a NetScaler appliance that has AAA-TM enabled and a load balancing virtual server configured to support 401 basic authentication, if a user sends a GET request that does not contain a Host header, the NetScaler appliance crashes.

Access Gateway

  • Issue ID 0308733: If you configure Access Gateway with additional appliances in which global server load balancing (GSLB) is enabled, when users log on with the Access Gateway Plug-in, occasionally the connection times out, a time-out error appears, such as 'Your Citrix Access Gateway session timed-out and you are not connected,' and the session disconnects.
  • Issue ID 0319607: If an authentication server and Access Gateway reside in the same domain, the appliance may fail.
  • Issue ID 0319901: If you enable Integrated Caching and Web Interface on NetScaler on an Access Gateway appliance, and then change the URL for the Web Interface, Access Gateway might fail.
  • Issue ID 0320210: When users connect with the Access Gateway Plug-in on a computer running Windows XP, the Group Policy Object is not applied.
  • Issue ID 0320493: If your authentication policies include the rules REQ.SSL.CLIENT.CERT.EXISTS and REQ.SSL.CLIENT.CERT.NOTEXISTS, and users log on with a smart card, the following might occur:
    • If smart card authentication fails, users are redirected to the Web Interface and prompted again for the smart card credentials.
    • If users do not enter smart card credentials, they are redirected to the Web Interface and prompted for their user name and password in order to authenticate with RADIUS.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

Application Firewall

  • Issue ID 0299876: You can now specify a type of either LITERAL or PCRE for any SQL keywords or special strings that you add to a signatures rule. You can use PCRE regular expressions in any keywords or special strings that are assigned a type of PCRE. Built-in and existing user-created SQL keywords and special strings are assigned the LITERAL type, but you can change the type assigned to any user-created keywords or special strings.
  • Issue ID 0303169: On a NetScaler appliance with the application firewall enabled, if a user sends a request with a large number of query parameters that contain SQL special strings without associated SQL keywords, a spike in CPU usage can result. The CPU spike can cause the application firewall to become unresponsive to subsequent requests, blocking user access to protected web sites and web services.
  • Issue ID 0319787: On a NetScaler appliance with the application firewall feature enabled, the comment stripping feature does not correctly parse web pages that have an HTML comment that is terminated with two hyphens, a space, two more hyphens, and a greater-than symbol (-- -->). In other words, you cannot have a string consisting of two hyphens and a space immediately preceding the usual comment termination string (-->). If you do, the comment stripping feature does not detect the final two hyphens and greater-than symbol as a comment terminator. The comment stripping feature therefore strips all content that follows the missed comment terminator.
  • Issue ID 0325339: On a NetScaler appliance with the application firewall enabled, if a protected web site sets a cookie longer than 735 bytes, the Cross-Site Request Forgery (CSRF) check is violated. If blocking is enabled for the CSRF check, the response is blocked.
  • Issue ID 0329539 (nCore): On a NetScaler appliance with the application firewall enabled, occasionally the NetScaler appliance crashes when retrieving a page from a protected web site that sets one or more cookies.
  • Issue ID 0331112 (nCore): In the NetScaler 9.3 58.2.nc build, when applying the HTML or XML SQL Injection check the application firewall does not transform special strings even when Transformation is enabled. This issue was fixed in build 58.4.nc.

Configuration Utility

  • Issue ID 0308459: In the Enable/disable service group member view, the Enable and Disable buttons are inactive when the state of a service group member is one of the following: 'GOING OUT OF SERVICE', 'DOWN WHEN GOING OUT OF SERVICE', or 'GOING OUT OF SERVICE (graceful)'.
  • Issue ID 0314769: When the certificate used to sign the JAR files expires, the application's digital signature cannot be verified. An error is displayed when the user tries to access the NetScaler GUI.
  • Issue ID 0323197: An HTTP monitor with extended respCode range cannot be configured through the configuration utility. If it is configured through the CLI, an error occurs when it is viewed in the configuration utility.
  • Issue ID 0328781: On a NetScaler appliance with the application firewall enabled, if an administrator uses the configuration utility to open a specific load balancing virtual server, and then clicks 'Configure application firewall', the configuration utility might display the following error message: Error creating view.

Integrated Caching

  • Issue ID 0322506 (nCore): When you upgrade the NetScaler appliance from NetScaler release 9.1 to 9.3, the number of objects being cached is reduced because of architectural changes.

Load Balancing

  • Issue ID 0286525 (Classic): NetScaler Classic builds become unresponsive under the following set of conditions:
    • A service that is being monitored by the appliance does not receive traffic for 248 days.
    • The state of the service is UP at least once after the 248-day period.
    • During the termination of a TCP connection used for monitoring the service, when the appliance sends the server a FIN packet, the server either does not respond or responds with an RST packet.
  • Issue ID 0314738: If you issue the 'force HA sync -force' command when HA synchronization is disabled on both nodes, the services on the secondary node are marked as DOWN. The services remain in that state until after a failover.

    When a failover occurs, the failover of some services might be delayed by a few seconds while monitors learn the actual states of those services. Until the monitors learn and correct the states, new connections to those services might be rejected. Consequently, you might also observe a brief period of outage following a failover.

Monitoring

  • Issue ID 0320571: The state of a service is shown as UP even when the service is down. Consequently, the NetScaler appliance continues to forward requests to that service, and clients do not receive responses to their requests.

NetScaler SDX Appliance

  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 0303515: You can now install the NetScaler SDX supplemental packs from the Management Service without manually opening an ssh connection to XenServer. To install this pack, on the configuration tab, in the navigation pane, expand Management Service, and then click XenServer Files. In the details pane, click 'Supplemental Packs'. You can upload the supplemental pack to the SDX appliance and also download it to create a backup on your client.
  • Issue ID 0326655: If you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt your data contents.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.
  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.
  • Issue ID 0327984: You can now apply a hotfix for XenServer from the Management Service. On the Configuration tab, expand Management Service, and then click XenServer Files. In the details pane, click Hotfixes, and then click Upload. After uploading the hotfix to the appliance, click Apply. If an error occurs in the process of applying the hotfix, an error message displays the cause of the problem.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in release 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect.

Networking

  • Issue ID 0260803: In an HA configuration, a ping to the NSIP of the secondary node fails because of the frequent clearing of configurations that is triggered by synchronization of configurations to the secondary node. This synchronization is in turn triggered by repeated saving of configurations on the primary node.
  • Issue ID 0312412: The command sh ip ospf <1-65535> database, at the VTYSH command prompt, displays the database for all the OSPF processes instead of just for the specified process ID.
  • Issue ID 0318668: A virtual server of type ANY drops the IPv6 ECHO reply if the ECHO request did not pass through the appliance and the related IPv6-to-IPv4 mapping is not present on the appliance.
  • Issue ID 0319744: When an NS CLI login session times out, typing exit at the NS CLI prompt does not disconnect the session.
  • Issue ID 0321868: BGP does not advertise the default route to the peer, with the default-originate flag, if the state of a learnt default route toggles.
  • Issue ID 0324432: The NetScaler appliance forwards (in L3 mode) certain response packets with an IP header checksum value of 0xFFFF, which is an invalid value according to RFC 1624. As a result, the router drops these packets.
  • Issue ID 0330118: OSPF maximum age link-state advertisements (LSAs) are not removed from the NetScaler appliance because the maximum age walker process is suspended indefinitely.
  • Issue IDs 0303966 and 0318380: In a high availability configuration in INC mode, the GSLB site IP address is not synchronized with the secondary node.
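Issue ID 0324432 turns on why 0xFFFF is never a valid IPv4 header checksum. The following Python sketch is an added example, not Citrix code, and the release note does not say how the appliance arrived at the value; it uses the figures from RFC 1624's worked example to show that the older incremental update (RFC 1141, Eqn. 2) can yield 0xFFFF where a full recomputation and RFC 1624's Eqn. 3 yield 0x0000, and why a device that recomputes and compares drops such a packet. All function names are illustrative.

```python
"""Incremental IPv4 header checksum update: RFC 1141 (Eqn. 2) vs RFC 1624 (Eqn. 3)."""

MASK = 0xFFFF


def oc_add(a: int, b: int) -> int:
    """Add two 16-bit words in one's complement (end-around carry)."""
    s = a + b
    return (s & MASK) + (s >> 16)


def oc_not(x: int) -> int:
    """16-bit one's complement."""
    return ~x & MASK


def full_checksum(words):
    """Checksum computed from scratch over the header words (checksum field excluded)."""
    total = 0
    for w in words:
        total = oc_add(total, w)
    return oc_not(total)


def update_eqn2(hc: int, m_old: int, m_new: int) -> int:
    """RFC 1141 style update: HC' = HC + m + ~m'. Can produce 0xFFFF."""
    return oc_add(oc_add(hc, m_old), oc_not(m_new))


def update_eqn3(hc: int, m_old: int, m_new: int) -> int:
    """RFC 1624 Eqn. 3: HC' = ~(~HC + ~m + m'). Matches full recomputation."""
    return oc_not(oc_add(oc_add(oc_not(hc), oc_not(m_old)), m_new))


def accepts_by_sum(words, hc: int) -> bool:
    """Receiver that sums every word including the checksum and expects all ones."""
    total = hc
    for w in words:
        total = oc_add(total, w)
    return total == MASK


def accepts_by_recompute(words, hc: int) -> bool:
    """Receiver that recomputes the checksum and compares it with the field."""
    return full_checksum(words) == hc


def demo():
    # Values from the RFC 1624 worked example: the one's complement sum of the
    # unchanged header words is 0xCD7A, and one 16-bit field changes
    # from 0x5555 to 0x3285.
    rest, m_old, m_new = 0xCD7A, 0x5555, 0x3285
    hc = full_checksum([rest, m_old])
    after = [rest, m_new]
    results = {}
    for name, update in (("eqn2", update_eqn2), ("eqn3", update_eqn3)):
        new_hc = update(hc, m_old, m_new)
        results[name] = (
            new_hc,
            accepts_by_sum(after, new_hc),
            accepts_by_recompute(after, new_hc),
        )
    return hc, results


if __name__ == "__main__":
    original, outcome = demo()
    print(f"original checksum: {original:#06x}")
    for name, (value, by_sum, by_recompute) in outcome.items():
        print(f"{name}: {value:#06x} sum-check={by_sum} recompute-check={by_recompute}")
```

A header's one's complement sum is 0x0000 only if every word is zero, which a real IPv4 header never is, so a correctly computed checksum field cannot be 0xFFFF. Seeing that value on the wire is therefore a reliable indicator of a faulty checksum update somewhere upstream.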

Policies

  • Issue ID 92149/0251246: Binding policies that have HTTP-related actions to TCP bind points results in the NetScaler appliance becoming unresponsive at runtime.

SNMP

  • Issue ID 0309930: The SNMP OID for 'vsvrCurSslVpnUsers' gets counter values only from core 0.

System

  • Issue ID 0271783: If you configure an RNAT rule and enable the TCP proxy option for RNAT, the NetScaler appliance functions as a proxy for internal clients and maintains separate client-side and server-side connections. In certain scenarios, this behavior might result in a service type mismatch between the client-side and server-side connections, and the appliance might reboot with a core dump.
  • Issue IDs 0292272 and 0319417 (Classic): NetScaler resets the client and server-side connections if it receives a response with long headers (more than 16 packets) on a server-side connection after receiving a normal response on the same connection.
  • Issue ID 0300116: In a high availability configuration, when AAA keys are not synchronized to the secondary node and an appliance failover happens, the new primary node becomes unresponsive. This happens when the NSC_TASS and NSC_TMAS cookies have the same values and an improper session lookup occurs.
  • Issue ID 0302004: For load balancing virtual servers that have SOURCEIP persistence configured, client IP header insertion might fail for HTTP CONNECT requests sent to that virtual server.
  • Issue ID 0306237: If the number of dynamic services running on the NetScaler appliance exceeds 64k, any service that is created cannot be accessed, even after the number of services falls below 64k.
  • Issue ID 0306660 (nCore): You can now use the set ns tcpparam connFlushIfNoMem <connFlushIfNoMem> command on a NetScaler appliance to close existing connections if memory is not available for a new connection. When using this command, you must specify the type of connection to be closed. By default, this feature is disabled on the appliance.
  • Issue ID 0328271: The output of the mem stats or stat system -detail command is not the same as the output displayed by the conmsg mem stats command.
  • Issue ID 0330336 (nCore): IPv6 addresses might occasionally be captured in the audit log, even though IPv6 addresses are not configured.

Web Interface

  • Issue ID 0322207: In a high availability setup, delays in Apache Tomcat start-up might prevent the propagation of web interface configurations to the secondary appliance. As a result, the web interface configurations are not available when the secondary appliance becomes primary and the 'Web Interface not installed' error is displayed.

XML

  • Issue ID 0304314: SOAP requests that do not conform to a WSDL are not handled properly by the XML validation module, which can cause the NetScaler appliance to hang or crash.

Known Issues and Workarounds

Access Gateway

  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting 'Windows 7 Mobile Broadband' in the Telstra Connection Manager 'Options' dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on by using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84787/0245136: When you issue the command 'sh vpn vserver' on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says 'Error. Not a privileged user.' Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    • Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    • Bind the Outlook Web Access regular expression to this profile.
    • Bind the profile so that it assumes the highest priority.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires. However, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning 'Published resource shortcuts are currently disabled.' Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message 'Invalid username or password. Please try again.' This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, Access Gateway fails.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either the intranet or to external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain, by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects. When users log off, however, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the Log on option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon and then, depending on the version of Receiver they are using, click About or Preferences from the Receiver menu and Plug-in Status or Advanced from the Receiver panel. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the Inventory key, configure the following REG_SZ values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as '*Password'.
        Note: To mask the password, enter an asterisk (*) before the word.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as REG_SZ:

      • VPNPrompt3. Provide the value as '*Passcode'.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user. NOTE: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0284677: The online help for the application firewall wizard points to placeholders. If you need help with the wizard, consult the following URL: http://support.citrix.com/proddocs/topic/netscaler-application-firewall-93/appfw-config-wizard-tsk.html Alternatively, a description of the Wizard can be found in the PDF-based documentation, in the Configuration chapter.
  • Issue ID 0318595: On a SharePoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send, across the cloud bridge, a full-size packet in which the DF bit is unset. The cause is a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the 'show configstatus' command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

DataStream

  • Issue ID 83862/0244449 (nCore and nCore VPX): In this release, the DataStream feature does not support IPv6 addresses.
  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 82996/0243703: MYSQL monitors show the service state as UP even when no subnet IP (SNIP) address or mapped IP (MIP) address is configured. This is expected behavior, because MYSQL monitors use the NetScaler IP (NSIP) address to send their probes.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a slash (/). For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
  • Issue ID 0309954: The NetScaler appliance fails in the following scenario:
    1. You create a remote GSLB service whose public IP address is the same as the public IP address of a local GSLB service.
    2. You bind monitors to the GSLB services, and then bind the GSLB services to a GSLB virtual server.
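Issue ID 90271/0249597 above breaks any script that splits service group member names on the underscore. The following Python parser is an added example, not Citrix code; it accepts both formats quoted in that entry, and its function and field names are illustrative. It splits the legacy form from the right because a service group name can itself contain underscores, and it rejects anything that does not yield exactly three valid fields rather than returning shifted values.

```python
"""Parse NetScaler service group member names in the pre-9.3 and 9.3 formats."""
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    group: str
    host: str   # IP address, or a server name in the 9.3 format
    port: int
    fmt: str    # "new" (? delimiter) or "legacy" (_ delimiter)


def _parse_port(text: str) -> int:
    if not (text.isascii() and text.isdigit()) or int(text) > 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def parse_member(name: str) -> Member:
    """Return the fields of a member name, or raise ValueError."""
    if "?" in name:
        # 9.3 format: <servicegroup name>?<IP address | server name>?<port>
        parts = name.split("?")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            raise ValueError(f"malformed member name: {name!r}")
        group, host, port = parts
        return Member(group, host, _parse_port(port), "new")

    # Pre-9.3 format: <service group name>_<IP address>_<port>
    # Split from the right so underscores inside the group name survive.
    parts = name.rsplit("_", 2)
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"malformed member name: {name!r}")
    group, host, port = parts
    ipaddress.ip_address(host)  # legacy format carries an IP address only
    return Member(group, host, _parse_port(port), "legacy")


def naive_underscore_split(name: str):
    """The pattern the release note says now fails; kept for comparison."""
    return name.split("_")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real configuration.
    samples = [
        "web_sg_10.0.0.5_80",      # legacy
        "web_sg?10.0.0.5?80",      # 9.3, IP address
        "app_sg?backend_01?8443",  # 9.3, server name containing an underscore
    ]
    for s in samples:
        print(s, "->", parse_member(s), "| naive:", naive_underscore_split(s))
```

On the third sample the naive split returns three fields ("app", "sg?backend", "01?8443"), so a script that only checks the field count continues with a wrong group, host and port.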

NetScaler SDX Appliance

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 91605/0250759: If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

NetScaler SDX Appliance and NetScaler VPX Appliance

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance.
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch
  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Policies

  • Issue ID 0291975: The SYS.VSERVER('<vserver_name>').THROUGHPUT expression returns an incorrect throughput value.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message--“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type: openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=1

    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:

    sysctl netscaler.ticks_on_cpu1=0

    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

Web Interface

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type 'any' in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to 'skip'.

    Workaround: Replace the 'any' type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The 'any' type is rarely used.)

XML API

  • Issue ID 80170/0241429: The syntax of the 'unset servicegroup' command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the 'unset servicegroup' command.

Build 57.5

Release version: Citrix® NetScaler®, version 9.3 build 57.5

Replaces build: None

Release date: June 2012

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM

  • Issue ID 89201/0248704: AAA-TM now supports NTLMv2 signon and sessions for single sign-on (SSO).
  • Issue ID 93823/0257671: TACACS has been modified to log only successfully executed TACACS commands to the NetScaler log. This change prevents the logs from showing TACACS commands that were entered by users who were not authorized to execute them.

Access Gateway

  • Issue ID 93317/0257227: If you try to end a user session by using the configuration utility or the command line, the session remains connected. When using the command line, the command returns a status stating "success" even though the session remains connected.
  • Issue ID 0282907: When you configure an intranet application for proxy and the users' Web browser is configured with a proxy auto configuration (PAC) file, when users log on with the Access Gateway Plug-in and try to access an internal network resource, proxy authentication fails. Users cannot access any resources through Access Gateway.
  • Issue ID 0289662: When users log on with the Access Gateway Plug-in and try to make a Voice over Internet Protocol (VoIP) call to a mobile phone by using the Cisco Unified Personal Communicator application, the call does not connect.
  • Issue ID 0299406: If you configure a policy to restrict access to certain files, when users log on with clientless access and try to access the file, Access Gateway fails.
  • Issue ID 0306349: In a high availability configuration, if you configure an intranet IP address for a group, when users connect with the Access Gateway Plug-in, if failover occurs, the intranet IP address is no longer assigned to the session. As a consequence, users may not be able to connect to some internal resources. You must remove the IP address from the group and then configure the intranet IP address in a session profile bound globally.
  • Issue ID 0310124: If you configure a responder policy based on location criteria bound to the Access Gateway virtual server, when users log on through Receiver for Android 3.1 on a mobile device and connect through the virtual server, the policy does not work on Android versions earlier than 3.0. As a consequence, users may experience a connection delay.

Application Firewall

  • Issue ID 87741/0247559: The HTML SQL Injection check transformation feature does not detect double-byte backslash (\) or single quote (') characters as special characters, and so neither transforms those characters nor blocks the request that contains them.
  • Issue ID 0284784: When a web site sends a MIME-encoded web form to a user with the MIME boundary enclosed in double quotations, and the user returns the web form as a POST request, the application firewall resets the connection with a reset code of 9845.
  • Issue IDs 0298529 and 0306658: On a NetScaler nCore build with the application firewall feature enabled, certain scripts caused an internal state to be set to NULL when the feature expected a different setting, causing the application firewall to crash.
  • Issue ID 0300383 (Classic): On a NetScaler classic build that has the application firewall learning feature enabled, under heavy load the configuration utility can become unavailable and the NetScaler can freeze or hang.
  • Issue ID 0307082: When the NetScaler appliance sends an HTTP/1.0 100-Continue response on behalf of a protected web server, it now also sets the TCP Push flag in the response packet. This change resolves certain performance issues that might have been encountered when enabling the application firewall for some XML-based web services.

Configuration Utility

  • Issue ID 0314258: When you modify any PBR rule from the configuration utility, the NetScaler appliance changes the APPLIED status of the PBR to NOTAPPLIED.

Load Balancing

  • Issue ID 75554/0237564: The maximum number of custom location entries supported has increased from 50 to 500. To enable the Static Proximity method, either configure the NetScaler appliance to use an existing static proximity database populated through a location file or add custom entries to the static proximity database.
  • Issue ID 0287324: You can now use the gslbautosync configuration command to save the remote and master node configurations. The local site configurations are saved before synchronization begins, and remote site configurations are saved after the synchronization.
  • Issue ID 0299390: Upgrading a high availability (HA) setup from NS9.3 B52.3 or an older build to NS9.3.55.1 corrupts the WionNS configuration. To resolve this issue, the automatic synchronization of HA configuration is disabled. You must manually apply configuration between HA nodes.
  • Issue ID 0305045: An incorrect port number is passed to the WI-Extended monitor, causing an error. This problem is resolved, and correct port information is passed to the WI-Extended monitor.
  • Issue ID 0308757: Content Switching was not working if the CS vserver was configured with the TCP service type and a wildcard port, because of a NetScaler synchronization handling issue. This problem is now resolved.
  • Issue ID 0309304: When binding a domain-based member to a service group, the debugging message "Oh binding a svc grp with DBS" is logged in the /var/nslog/newnslog file.

NetScaler SDX Appliance

  • Issue ID 94071/0257902: You can now configure a Simple Network Management Protocol (SNMP) agent on the Citrix NetScaler SDX appliance to generate asynchronous events, which are called traps.
  • Issue IDs 0278369 and 0284146: You can now configure a tagged VLAN, without configuring an NSVLAN, at the time of provisioning a NetScaler instance.
  • Issue ID 0287133: All HTTP and HTTPS communication between the Management Service and a NetScaler VPX Instance is now through a persistent session. A session ID is associated with each VPX instance and all HTTP and HTTPS communication between the Management Service and the instance uses this session ID.
  • Issue ID 0303527: With XenServer version 6.0 and later, HTTP communication between the Management Service and XenServer is now over a persistent session. All HTTP communication between the Management Service and XenServer uses one session ID. For earlier versions of XenServer, basic authentication (user name and password) is used.
  • Issue ID 0313155: NTP synchronization might fail if you add a new NTP server by using the Management Service user interface because the default contents of the ntp.conf file are not flushed.

Networking

  • Issue ID 0243105: When there are ECMP routes for a prefix, for every new route addition or deletion, the NetScaler appliance withdraws all the UP routes and adds them back again to its routing table. This results in a period of time when there are no routes to the prefix.
  • Issue ID 94268/0258087: In a high availability configuration, after failover, the configurations related to various dynamic routing protocols are not properly synced to the secondary node if the save config command is issued when the sync is in progress.
  • Issue ID 0305420: If the NetScaler appliance receives traffic that hits a virtual server of type ANY, the TTL value is set to 255 only for the first packet of that traffic; for the remaining packets belonging to the same session, the TTL value remains the same. This applies even to fragmented packets: the TTL value is set to 255 only for the first fragment of the packet, and for the remaining fragments the TTL value is unchanged.

Platform

  • Issue ID 58738/0223235: After a NetScaler appliance starts, the LCD displays the following information:
    • NS<platform number> on appliances running the classic version. For example, NS7000.
    • NSMPX-<model number> on MPX appliances. For example, NS-MPX15500.
    • "NetScaler" on VPX and SDX appliances.
  • Issue ID 76010/0237960: The 10G SFP+ transceiver is now hot-swappable on the NetScaler appliances that use the ixgbe (ix) interface.
    The following platforms support 10G SFP+ transceivers:
    • MPX 9700/10500/12500/15500 10G and 10G FIPS
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17500/19500/21500
    • MPX 17550/19550/20550/21550

Policy

  • Issue ID 0291975: The expression SYS.VSERVER("<vserver_name>").THROUGHPUT returns an incorrect throughput value.
  • Issue ID 0311268: You cannot add a rule of the form "HTTP.REQ/RES.BODY(<num>).CONTAINS(<string2>)" if <string2> is longer than <string1>, where <string1> is the string in an already configured policy expression "HTTP.REQ/RES.BODY(<num>).CONTAINS(<string1>)".

    For example, the second command below might not succeed if the rule in cs_example is still being evaluated for some request.

    -> add cs policy cs_example -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIs12")'

    -> add cs policy cs_example_break -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIsBIG15")'

SSL

  • Issue ID 0301726 (Classic): If OCSP is configured on a NetScaler appliance using a Broadcom SSL chip, multiple handshake messages that are received in a single record cause the SSL handshake to fail.
  • Issue ID 0316577: The SSL crypto card instrumentation is enhanced to provide more information on error status during initialization and at runtime.

System

  • Issue ID 0260531: When using HTTP pipelining in SSL offloading, and when Client-side Keep Alive is enabled on the client, the advertised window increases after every transaction, resulting in a huge advertised window.
  • Issue ID 0270163: When the NetScaler appliance runs processes such as gzip, the usage of the management CPU increases. Hence, high CPU usage alerts may get generated even though the packet engines are not actively processing packets.
  • Issue ID 0285015: Request buffers larger than 24KB lead to a buffer overflow and result in the web log module not working.
  • Issue ID 0311601: When client keep-alive is enabled, there are TCP retransmissions due to sudden shrinking of the window.

Known Issues and Workarounds

AAA-TM

  • Issue ID 0307258: When you create a AAA-TM profile by using the configuration utility, the configuration utility displays the global persistency settings as the settings that it assigned to the profile. However, instead of actually deriving the persistency values from the global persistency settings, it sets persistency for the profile to zero (0). You can verify this issue by typing the following command at the NetScaler command line:

    show tm sessionaction <profileName>

    You can fix the persistency settings for any AAA-TM profile that is affected by this issue by typing the following command at the NetScaler command line:

    set tm sessionAction <profileName> -persistentCookie ENABLED -persistentCookieValidity <positive_integer>

    For <positive_integer>, substitute the number of minutes that the persistency cookie is to remain valid. Then, use the "show tm sessionaction" command to verify your changes.

Access Gateway

  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects. When users log off, however, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either the intranet or to external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain, by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on by using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    • Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    • Bind the Outlook Web Outlook regular expression to this profile.
    • Bind the profile so that it assumes the highest priority.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, when users log on with the Access Gateway Plug-in for Java and the time-out period expires, a session time-out message appears on the user device; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

ACL

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different than for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user.
    Note: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the policy manager. A link is located on the main Application Firewall pane.

Application Firewall

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 0318595: On a SharePoint 2010 server that is protected by the application firewall, drop-down menus that are used to access documents do not open. When the user attempts to open a menu, a JavaScript progress indicator is displayed on the right side of the page, but no menu is displayed. For more information, see http://support.citrix.com/article/CTX132945.

CloudBridge

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

Configuration Utility

  • Issue ID 0308459: In the Enable/disable service group member view, the Enable and Disable buttons are inactive when the state of a service group member is one of the following: "GOING OUT OF SERVICE", "DOWN WHEN GOING OUT OF SERVICE", or "GOING OUT OF SERVICE (graceful)".

DataStream

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.
  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Integrated Caching

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must specify a sitepath value that does not end with a '/'. For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc

  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
  • Issue ID 0309954: When you add a remote GSLB service with the same public IP address as the local GSLB service and bind monitors to the GSLB services, binding these services to the GSLB vserver causes it to become unavailable.

NetScaler SDX Appliance

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 91605/0250759: If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: “NO DATA TO CHART”.
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0326655: When you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt the data contents. To check if migration is in progress, at the Management Service shell prompt, type:
    "ps -ax | grep svm_migration"
    If you see some processes running, then migration is in progress and you must not restart the Management Service.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.

    Workaround: First, upgrade the Management Service from build 48.6 to build 55.6, and then upgrade it from build 55.6 to build 56.5 or 57.5.

  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.

NetScaler SDX Appliance and NetScaler VPX Appliance

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance.
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Reporting

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message, “ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”, appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

        openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:

        sysctl netscaler.ticks_on_cpu1=1

    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:

        sysctl netscaler.ticks_on_cpu1=0

    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

Web Interface

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)
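
As an added example (not Citrix code and not part of the original release notes), the Python script below scans a schema before import and lists the constructs that issues 82058, 82059, and 82069 above describe as unsupported or unvalidated. It assumes the "any" in issue 82069 refers to the xs:any wildcard; the sample schema and all function names are constructed for illustration.

```python
"""Flag XSD constructs that the release notes above list as unsupported or unvalidated."""
import sys
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"

# XSD construct -> (issue ID, effect), both taken from the known issues above.
FLAGGED = {
    "any": ("82069/0242939", "contents not validated (handled as processContents=skip)"),
    "unique": ("82058/0242928", "'unique' element not supported"),
    "redefine": ("82059/0242929", "'redefine' element not supported"),
}

# Constructed sample schema, not taken from any product or from the page.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="id" type="xs:int"/>
        <xs:element name="extensions">
          <xs:complexType>
            <xs:sequence>
              <xs:any processContents="strict" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
    <xs:unique name="uniqueId">
      <xs:selector xpath="item"/>
      <xs:field xpath="@sku"/>
    </xs:unique>
  </xs:element>
</xs:schema>
"""


def _split(tag):
    """Turn ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _walk(node, path, findings):
    """Depth-first walk that records every flagged construct with its location."""
    for child in node:
        ns, local = _split(child.tag)
        name = child.get("name") or child.get("ref")
        child_path = "%s/%s%s" % (path, local, "[%s]" % name if name else "")
        if ns == XSD_NS and local in FLAGGED:
            issue, effect = FLAGGED[local]
            finding = {"construct": local, "path": child_path,
                       "issue": issue, "effect": effect, "gap": True}
            if local == "any":
                # The XSD default for processContents is "strict".
                declared = child.get("processContents", "strict")
                finding["declared_processContents"] = declared
                # No gap when the schema author already asked for "skip".
                finding["gap"] = declared != "skip"
            findings.append(finding)
        _walk(child, child_path, findings)


def audit_schema(xsd):
    """Return findings (list of dicts, document order) for one schema given as str or bytes."""
    # ElementTree does not fetch external entities or follow schemaLocation.
    root = ET.fromstring(xsd)
    if _split(root.tag) != (XSD_NS, "schema"):
        # Also catches the XHTML-imported-as-schema case from issue 81650/0242628.
        raise ValueError("root element is %r, not xs:schema" % root.tag)
    findings = []
    _walk(root, "/schema", findings)
    return findings


def main(argv):
    """Audit the files named on the command line, or the constructed sample if none."""
    sources = []
    for path in argv[1:]:
        with open(path, "rb") as fh:
            sources.append((path, fh.read()))
    if not sources:
        sources = [("<constructed sample>", SAMPLE_XSD)]
    exit_code = 0
    for label, data in sources:
        try:
            findings = audit_schema(data)
        except (ET.ParseError, ValueError) as exc:
            print("%s: rejected: %s" % (label, exc))
            exit_code = 2
            continue
        for f in findings:
            mark = "REVIEW" if f["gap"] else "info"
            print("%s: [%s] %s (issue %s): %s" % (label, mark, f["path"], f["issue"], f["effect"]))
            if f["gap"]:
                exit_code = max(exit_code, 1)
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A finding marked REVIEW on an xs:any element means the schema declares strict or lax processing that, per issue 82069, is not enforced, so those elements are candidates for the explicit definitions the workaround calls for.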

XML API

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 56.5

Release version: Citrix® NetScaler® release 9.3 build 56.5

Replaces build: None

Release date: May 2012

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM Issues

  • Issue ID 84299/0244785: If the user does not try to log on for over two minutes after the AAA-TM logon page is displayed, the NetScaler appliance displays a "500 internal server error" message and does not redirect the user to the load balancing page.

Access Gateway Issues

  • Issue ID 90334/0249654: If users log on to Access Gateway by using a Web browser, log off, and then log on by using the Access Gateway logon dialog box over a port other than port 443, such as port 444, the logon fails.
  • Issue IDs 90726/0249979, 0268032, 0283223, 0299327, 0299916, and 0301952: If you configure client certificate-based expressions for preauthentication or post-authentication scans and if users log on with a client certificate on an nCore Access Gateway model MPX 7500 or higher, the scan fails and users cannot log on. This issue does not occur with a classic build or on the MPX 5500.
  • Issue ID 91072/0250267: When users log on with the Access Gateway Plug-in and then switch wireless networks without logging off, users cannot access the local area network (LAN) until they log off and then log on again with the Access Gateway Plug-in.
  • Issue IDs 0267012 and 0274134: This fix addresses a memory stability issue in an underlying component of Access Gateway.
  • Issue ID 0270872: If you configure LDAP authentication and users take more than 30 seconds to enter their credentials when logging on with the Access Gateway Plug-in or through Citrix Receiver on a mobile device, the logon dialog box times out and users have to reconnect.
  • Issue ID 0274306: When users log on with the Access Gateway Plug-in, if you unbind a session policy for a user group with connections to a server running XenApp, the connection fails.
  • Issue ID 0274400: When users connect with the Access Gateway Plug-in for Java on a Mac computer running OS X Versions 10.6 or 10.7, the plug-in fails and a blank window appears.
  • Issue ID 0284135: When users log on with the Access Gateway Plug-in and if the Access Gateway appliance FQDN is in the proxy bypass list, Access Gateway disregards the proxy setting. When the plug-in attempts to connect to Access Gateway through the proxy, the connection fails.
  • Issue ID 0286000: If users log on with clientless access, create a folder within a shared folder in the Access Interface, and then refresh the page, a replica folder appears on the File Transfer page.
  • Issue ID 0289686: If users connect with the Access Gateway Plug-in for Mac, log off from the Web Interface, and then log on again within five minutes, the connection fails. This only occurs if you enable ICA proxy in Access Gateway.
  • Issue ID 0290220: When users log on to Access Gateway with the Access Gateway Plug-in for Mac OS X, the home page is slow to appear or does not appear in the Web browser.
  • Issue ID 0300221: When users log on to an nCore Access Gateway model MPX 7500 or higher, if there is high memory usage, the Access Gateway might fail. This issue does not occur with a classic build or on the MPX 5500.
  • Issue ID 0301557: If users connect with the Access Gateway Plug-in and two network adapters have active connections on the user device, DNS resolution does not occur and users cannot access internal resources. If users disable one network adapter, users can then access internal resources.
  • Issue IDs 0301799 and 0305241: Access Gateway might not release all user sessions, which results in maximum usage of the licenses. When this occurs, users cannot log on and you must restart Access Gateway.
  • Issue IDs 0302268 and 0303490: After the preauthentication scan passes and users log on, if an internal processing error occurs, Access Gateway fails.
  • Issue ID 0302490: If users log on with Receiver for Chromebook through Access Gateway, when users log off, Access Gateway does not release the session. Users must close the Web browser to log on again.
  • Issue IDs 0303081 and 0303265: If servers in the internal network return a UDP packet with zero length, Access Gateway fails.

AppExpert Issues

  • Issue IDs 0283171 and 0303178: If you have an expression that contains any of the following objects, and evaluate that expression in the expression evaluator, the NetScaler appliance may hang or crash.
    • SIGNED32_STRING
    • UNSIGNED16_STRING
    • SIGNED16_STRING
    • UNSIGNED8_STRING
    • SIGNED8_STRING
    • WEEKDAY_STRING_SHORT
    • WEEKDAY_STRING

AppFlow Issues

  • Issue ID 0301461 (nCore): If you enable the clientTrafficOnly parameter when the AppFlow feature is enabled, the NetScaler appliance fails. By default, the clientTrafficOnly parameter is disabled.
  • Issue ID 0302578 (nCore): If you enable AppFlow when the NetScaler device is in transparent mode, or when the load balancing virtual servers use wildcards for the IP address and port to dynamically learn the backend services, the NetScaler device fails.

Application Firewall Issues

  • Issue ID 0260631: If changes are made to the application firewall signature configuration during periods of heavy traffic and active processing of requests and responses, the NetScaler appliance might crash.
  • Issue ID 0285286: After upgrading the NetScaler appliance from NS 9.3 (build 50.3) to NS 9.3 (build 54.4), the application firewall logs begin to record abnormal SQL injection and cross-site scripting errors. These errors do not cause connections to be blocked even when blocking is enabled for the HTML SQL Injection and HTML Cross-Site Scripting features.
  • Issue ID 0287556: In an HA pair that has both the application firewall and the integrated caching features enabled, both the primary and the secondary nodes occasionally restart. This is due to improper processing of cookies with null or empty values.
  • Issue IDs 0290886 and 0267238: On NetScaler appliances that have both the application firewall and the integrated caching features enabled, memory utilization increases quickly and remains high.
  • Issue ID 0291620 (Classic): After upgrading from NetScaler 9.2 to NetScaler 9.3x, the getsystemuser() call returns only the first user, regardless of any other user accounts that had been created on the NetScaler appliance.

Configuration Utility Issues

  • Issue ID 0269789 (nCore and nCore VPX): The "stat service" command incorrectly displays the interface information along with the service statistics.
  • Issue ID 0300003: The 'View Events' dialog box of the 'Diagnostics' page of the Configuration Utility hangs after you click 'Run' for a selected newnslog file.
  • Issue ID 0300376: If you create an SSL service from an existing service by modifying parameters, such as the IP address and port, and also click the Advanced tab to set or check the values of advanced parameters, the service is not created until you change the value of the clear text port parameter on the Advanced tab. The service is created if you do not click the Advanced tab.

Content Switching Issues

  • Issue IDs 0290387, 0290393, and 0290396: If the name of a target load balancing virtual server in a content switching policy label is 32 characters or longer, when you open the policy label in the configuration utility, the dialog box displays a corrupted and truncated form of the load balancing virtual server’s name.

DataStream Issues

  • Issue ID 0303980 (nCore and nCore VPX): A monitor of type MSSQL fails if you replace the existing query with a shorter query.

Domain Name System Issues

  • Issue IDs 0251644, 0272407, 0284605, and 0292227: The NetScaler appliance fails under the following sequence of events:
    1. You configure a DNS zone on the appliance. The appliance is to function as a proxy server for the zone.
    2. You do not configure a name server record or Start of Authority record for the zone. However, you add one or more DNS records for a domain name that belongs to the zone.
    3. A client attempts to resolve the domain name, but the record type for which the client sends the query does not exist on the appliance.

Global Server Load Balancing Issues

  • Issue ID 93051/0252048 (nCore and nCore VPX): When a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Integrated Caching Issues

  • Issue ID 0275965: The "show running config" or the "show cache contentgroup" command causes the NetScaler command line interface to fail if more than 32 policies refer to the same content group and the size of the thirty-second policy name is more than 32 characters.

Load Balancing Issues

  • Issue IDs 0269379 and 0285447 (nCore and nCore VPX): When you use the configuration utility or the "unset lb vserver" command to disassociate a backup virtual server from a primary virtual server, the NetScaler appliance does not record the dissociation event for up to one hour. Within this period, you can inadvertently create a loop condition by setting the former backup virtual server as the primary virtual server and the former primary virtual server as the backup virtual server. The appliance then displays both virtual servers as being a backup of the other.
  • Issue ID 0284733 (nCore and nCore VPX): Events that are related to the states of monitors are not logged if they are generated by NetScaler packet processing engines other than NSPPE-00.
  • Issue ID 0288565: Each monitoring probe that is generated by the nsmysql.pl script results in a memory leak that, over a period of time, prevents the NetScaler appliance from allocating memory to the script. As a result, services might be marked as being up even when the probes fail.
  • Issue ID 0288771: The NetScaler appliance fails if you use the "unset lb vserver" command with a virtual server that is not a load balancing virtual server.

NetScaler SDX Appliance Issues

  • Issue ID 86597/0246578: Internet Explorer version 9.0 does not load the Configuration tab.
  • Issue ID 87916/0247683: You can now configure your NetScaler SDX appliance to synchronize its local clock with a Network Time Protocol (NTP) server. As a result, the clock on the SDX appliance has the same date and time settings as the other servers on your network. The clock synchronization configuration does not change if the appliance is restarted, upgraded, or downgraded. However, the configuration does not get propagated to the secondary NetScaler instance in a high availability setup. For more information, see "Configuring Clock Synchronization" in the "Managing and Monitoring the NetScaler SDX Appliance" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 90586/0249864: Logging on to the Management Service user interface fails after 25 days.
  • Issue ID 92189/0251275: The progress status is now displayed after you provision or modify a NetScaler instance.
  • Issue ID 92857/0251875: On your NetScaler SDX appliance, the backup policy runs a backup at 00:30 A.M. every day, but you can create a backup file at any time if, for example, you want to immediately back up changes to the configuration. You can use the backup file to restore the configuration data on the appliance. You can restore the configuration data of the XenServer, Management Service, and all of the NetScaler instances. Alternatively, you can restore only the NetScaler instances or selected NetScaler instances. For more information, see "Backing Up and Restoring the Configuration Data of the SDX Appliance" in the "Configuring the Management Service" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0271764: You can now reset the NetScaler SDX appliance to the factory default. Performing a factory reset terminates all current client sessions with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks. When you are ready to restore the appliance, import the backup files by using the Management Service. For more information, see "Performing a Factory Reset" in the "Configuring the Management Service" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0271765: You can now upgrade to a later version of the XenServer software on your NetScaler SDX appliance to enable and disable functionality of some features, such as VLAN filtering. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software. For more information, see "Upgrading the XenServer Software" in the "Configuring the Management Service" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0271766: Logging on to the Management Service on your NetScaler SDX appliance gives you direct access to the NetScaler instances that are provisioned on the appliance, if you upgrade the Management Service and the NetScaler instances to this build. If you log on to the Management Service by using your user credentials, you do not have to provide the user credentials again for logging on to an instance. By default, the timeout value is set to 30 minutes and the configuration tab is opened in a new browser window. For more information, see "Single Sign-On to the Management Service and the NetScaler Instances" in the "Introduction" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0275111: You can now replace the default certificate that is shipped with the NetScaler SDX appliance with your own certificate. Installing an SSL certificate terminates all current client connections with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks. For more information, see "Installing an SSL Certificate on the SDX Appliance" in the "Managing and Monitoring the NetScaler SDX Appliance" chapter of the Citrix NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0286008: If you provision a NetScaler VPX instance with 2048MB of memory (the default) and later increase the memory to 17408MB (17GB), the instance might fail to start up correctly, and attempts to log on to the instance fail.
  • Issue ID 0288265: A networkconfig utility has been added to simplify initial configuration of the NetScaler SDX appliance through the serial console. For more information, see the Citrix NetScaler SDX Quick Start Guide for the related hardware platform.
  • Issue ID 0289151: If you provision a NetScaler VPX instance with approximately 12288MB (12GB) of memory and then upgrade the instance, the upgrade operation fails and the following error message appears: ERROR: NetScaler on nCore VPX requires minimum 2 Gigabytes and 2 CPUs to start.
  • Issue ID 0298456: Provisioning and modifying a NetScaler instance on the NetScaler SDX appliance is now made simple with the addition of two new wizards: the Provision NetScaler Wizard and the Modify NetScaler Wizard.
  • Issue ID 0275498: Initial configuration of the Management Service is now made simple with the addition of a Setup Wizard. By using this wizard, you can configure the network settings (such as XenServer IP address, Management Service IP address, netmask, and gateway) and the system settings (such as HTTP or HTTPS access and time zone), and change the default password. To launch the wizard, in the navigation pane, click System. In the details pane, click Setup Wizard.

Networking Issues

  • Issue ID 0277939: Each route learned or unlearned through a dynamic routing protocol is treated as a configuration change. This resulted in dumping of absolute records, which in turn resulted in high CPU usage.
  • Issue ID 0300820: When the NetScaler appliance receives an unpredicted flow of SYNs, it blocks the connect system calls used by the OSPF daemon. This delays the sending of hello packets, resulting in adjacency failure.
  • Issue ID 0302613: When an OSPF connection times out, the NetScaler appliance removes and reapplies the router configuration. This causes an adjacency flap, which momentarily drops all the advertised routes.

Platform Issues

  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.
  • Issue ID 0274708 (nCore): A script is now available to update the old firmware (2CV102HD) on a running MPX 17500/19500/21500 platform that is using INTEL X25 series Solid-State Drives (SSDs) (SSDSA2M160G2GN) to the new firmware (2CV102M3). For more information, see http://support.citrix.com/article/CTX133342.

Reporting Issues

  • Issue IDs 0284006 and 0299274: When accessing the Reporting page from the configuration utility, there are some memory corruption issues while accessing load balancing virtual server specific data.

System Issues

  • Issue ID 0250343: You can now specify a time-out value for inactive CLI sessions for a system user. If a user's CLI session is idle for a time that exceeds the time-out value, the NetScaler appliance terminates the connection. The timeout can be defined in a user’s configuration, in a user-group configuration, and in the global configuration. The time-out for inactive CLI sessions for a user is determined by the following order of precedence:
    • Time-out value as defined in the user's configuration.
    • Time-out value as defined in the group configuration for the user’s group.
    • Time-out value as defined in the system global configuration.
  • Issue ID 0260531: When using HTTP pipelining in SSL offloading, and when Client-side Keep Alive is enabled on the client, the advertised window increases after every transaction, resulting in a huge advertised window.
  • Issue ID 0270951: The Russian government adopted a law to cancel Daylight Saving Time (DST). As a result, the NetScaler appliance is not reflecting the correct local time.
  • Issue ID 0272484: In a High Availability configuration with Connection Mirroring enabled on a virtual server, the secondary node fails when a connection to this virtual server, on the primary node, is blocked for an event (either external event or for data completion event) and the virtual server receives a FIN packet for this connection.
  • Issue ID 0278806 (nCore): If a 10G ixgbe interface is reset, the hardware controller RX logic might write to the data area of a NetScaler packet buffer (NSB) after it has been returned to the NSB free pool. This can result in NSB corruption. An interface reset can be triggered by an event, such as changing the flow control settings with the "set interface" command.
  • Issue ID 0283768: The client continues to send request packets to the NetScaler despite the NetScaler sending a FIN packet to the client and closing the connection at the NetScaler end. These new packets are dropped by the NetScaler.
  • Issue IDs 0286329 and 0289033: In rare cases, the NetScaler appliance fails when some pages are recovered from the free queue before the page table scan is complete.
  • Issue IDs 0290271, 0292429, and 0298435 (nCore): If a 1G e1k interface is reset, the hardware controller RX logic might write to the data area of a NetScaler packet buffer (NSB) after it has been returned to the NSB free pool. This can result in NSB corruption. An interface reset can be triggered by an event, such as changing the flow control settings by using the "set interface" command.

Known Issues and Workarounds

Access Gateway Issues

  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 85861/0245969: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, then when the time-out period expires, a session time-out message appears on the user device; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows by using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on by using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 0278218: If you enable encryption for endpoint analysis scans and configure preauthentication and post-authentication policies, the preauthentication scan completes successfully and the post-authentication scan fails.
  • Issue ID 0289001: If you configure multiple post-authentication expressions with cascading priorities, Access Gateway might fail and then restart.
  • Issue ID 0301790: If you add sites from Citrix Presentation Server 4.5 and XenApp 6.5 to the same Web Interface site, when users log on with Internet Explorer 9 and then log off from the Web Interface, the session does not close completely. An error message appears stating that some resources are still active.
  • Issue ID 0306349: In a high availability configuration, if you configure an intranet IP address for a group, when users connect with the Access Gateway Plug-in, if failover occurs, the intranet IP address is no longer assigned to the session. As a consequence, users may not be able to connect to some internal resources. You must remove the IP address from the group and then configure the intranet IP address in a session profile bound globally.

ACL Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

AppExpert Issues

  • Issue ID 0270708: The process of configuring the application firewall for an application unit (appunit) is different from the process for other features, such as responder and rewrite. Instead of the Policy Manager, the Application Firewall wizard is invoked. The wizard prompts the user to configure the security check settings directly. It then creates a profile and policy from that information, and binds the policy to the appunit in the background, without displaying either the policy or the profile to the user. NOTE: You cannot associate multiple policies with an application unit by using the wizard. To do so, use the Policy Manager. A link is located on the main Application Firewall pane.

Application Firewall Issues

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.
  • Issue ID 0287492: Some international characters resemble one or more ASCII alphabetic characters. If a client request contains such international characters, when forwarding the request to a database server, the NetScaler appliance replaces the international characters with the ASCII alphabetic characters that they resemble.

Integrated Caching Issues

  • Issue ID 81159/0242246: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing Issues

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must specify a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
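
A script that must read member names from appliances on both sides of the format change in Issue ID 90271/0249597 can accept either form. The following is an added example, not Citrix code: the names Member and parse_member_name and the sample member names are constructed, and it assumes that service group names may contain underscores and that '?' never occurs inside a name.

```python
"""Parse NetScaler servicegroup member names in the pre-9.3 and 9.3 formats."""
import re
from typing import Iterable, List, NamedTuple, Tuple


class Member(NamedTuple):
    servicegroup: str
    server: str  # IP address (either format) or server name (9.3 format)
    port: int
    fmt: str     # "9.3" = '?'-delimited, "pre-9.3" = '_'-delimited


class MemberNameError(ValueError):
    """Raised when a member name matches neither documented format."""


_PORT_RE = re.compile(r"[0-9]{1,5}")


def _parse_port(text: str, raw: str) -> int:
    # ASCII digits only, and within the TCP/UDP port range.
    if not _PORT_RE.fullmatch(text) or int(text) > 65535:
        raise MemberNameError(f"bad port {text!r} in {raw!r}")
    return int(text)


def parse_member_name(raw: str) -> Member:
    """Return the fields of a member name, detecting the format by delimiter."""
    if "?" in raw:
        # 9.3 format: <servicegroup name>?<IP address | server name>?<port>
        # Underscores inside the group or server name are ordinary characters.
        parts = raw.split("?")
        fmt = "9.3"
    else:
        # Pre-9.3 format: <service group name>_<IP address>_<port>
        # Split from the right so underscores in the group name survive
        # (assumption: group names may contain underscores).
        parts = raw.rsplit("_", 2)
        fmt = "pre-9.3"
    if len(parts) != 3 or not parts[0] or not parts[1]:
        raise MemberNameError(f"unrecognized member name {raw!r}")
    group, server, port = parts
    return Member(group, server, _parse_port(port, raw), fmt)


def parse_all(names: Iterable[str]) -> Tuple[List[Member], List[str]]:
    """Parse every name; return (parsed members, names that were rejected)."""
    good: List[Member] = []
    bad: List[str] = []
    for name in names:
        try:
            good.append(parse_member_name(name))
        except MemberNameError:
            bad.append(name)
    return good, bad


# Constructed sample names, not taken from a real appliance.
SAMPLES = [
    "sg_web_10.102.29.10_80",     # pre-9.3, group name contains '_'
    "sg_web?10.102.29.10?80",     # 9.3, IP address member
    "sg_web?app_server_1?8080",   # 9.3, server name contains '_'
    "sg_web?10.102.29.10",        # malformed: port field missing
    "sgweb_10.102.29.10_99999",   # malformed: port out of range
]

if __name__ == "__main__":
    members, rejected = parse_all(SAMPLES)
    for m in members:
        print(m)
    print("rejected:", rejected)
```

Rejected names are returned rather than silently skipped, so a monitoring script can flag a format it does not understand instead of reporting wrong member data.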

NetScaler SDX Appliance Issues

  • Issue ID 0262505: When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 0265006: Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 88515/0248159: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 91605/0250759: If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0326655: When you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt the data contents. To check if migration is in progress, at the Management Service shell prompt, type:
    "ps -ax | grep svm_migration"
    If you see some processes running, then migration is in progress and you must not restart the Management Service.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.

    Workaround: First, upgrade the Management Service from build 48.6 to build 55.6, and then upgrade it from build 55.6 to build 56.5 or 57.5.

  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.

NetScaler SDX Appliance and NetScaler VPX Appliance Issues

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance Issues

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, if there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

    Workaround: Defragment the disk. For consistent virtual hard disk (VHD) performance, change a dynamic disk to a static disk.

Networking Issues

  • Issue ID 0271154: The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the 'ospfArea' parameter.

Platform Issues

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following incorrect message appears: "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot." However, the correct message ("ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate") appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type: openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 0263852 (nCore): If you configure link aggregation on the 10G interfaces by using the link aggregation control protocol (LACP), the LA interface might flap (go down and come back up).

    Workaround: Initiate steering to CPU1. At the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=1
    To change the interrupt steering option back to CPU0 (the default), at the shell prompt, type:
    sysctl netscaler.ticks_on_cpu1=0
    To make the workaround persistent, add the first command to the initialization script /nsconfig/rc.netscaler or its equivalent.

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The application firewall import feature validates XML schemas when importing them, but it might not validate certain XHTML files if they are imported as XML schemas. An invalid XHTML file appears in the list of imported XML schemas, but it is rejected if the user attempts to configure the XML Message Validation check to use the invalid file as the XML schema for validation.
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 55.6

Release version: Citrix® NetScaler® release 9.3 build 55.6

Replaces build: None

Release date: February 2012

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Issues

  • Issue IDs 0275806 and 0268577: If a NetScaler appliance has AAA-TM enabled and configured, and a protected web server has 401 basic authentication enabled, a user who connects to that web server by using either the Google Chrome or the Apple Safari web browser does not receive a logon page. Instead, the user receives a message saying that the user is not authorized to access the web server. The cause is that, when issuing a basic authentication challenge, the NetScaler appliance marks the realm as null.
  • Issue ID 0277648: After logging on to a VPN through AAA-TM and then accessing a Microsoft SharePoint server, a user may experience intermittent difficulty with opening a document. A document might not open at all, or it might open in read-only mode when edit access was requested. A repeated attempt to access the document might succeed or might encounter one of the same problems. The underlying issue is a flaw in the authentication procedure.
  • Issue IDs 0288077 and 0288260 (nCore): On a NetScaler appliance with AAA-TM enabled and configured, when a user logon attempt fails, the NSC_VPNERR cookie and error page are not set.

Access Gateway Issues

  • Issue ID 0270127: If you enable ICA Proxy and users access the Web Interface on a virtual server with cookie persistence enabled, cookie persistence does not work. When users access the Web Interface, an error will appear and users will be prompted to close their browser window and log on again.
  • Issue ID 0275322: If you enable ICA Proxy and configure single sign-on to the Web Interface, when users log on with the Access Gateway Plug-in and try to open a published application from the Web Interface, the application fails to open.
  • Issue IDs 82472/0243236 and 0286505: When the RADIUS authentication server issues a challenge response, authentication might fail. Users need to log on again.
  • Issue IDs 86743/0246694 and 0270956: When you deploy Access Gateway in a high availability pair, Access Gateway might send the same session twice to the secondary appliance, which causes the secondary Access Gateway to fail.
  • Issue ID 91459/0250621: When users log on with the Access Gateway Plug-in for Java and then try to access Web resources through a proxy server, users can download the plug-in, but they cannot establish a connection, or else they can log on, but cannot access the resource and the connection eventually fails.
  • Issue ID 92793/0251817: If you install additional Universal licenses on Access Gateway VPX, in addition to the 10 licenses you receive with Access Gateway, the appliance might not recognize the additional licenses. After the 10 Universal licenses are used, further logon attempts by users fail.
  • Issue ID 93346/0257257: If Access Gateway detects a Layered Service Provider (LSP) when users attempt to establish a connection to the appliance, the number of available tunnels is reduced from 128 to 32.
  • Issue ID 0261028: If you configure Access Gateway in a double-hop deployment and monitor the Secure Ticket Authority (STA), if there is an SSL handshake failure and low memory on Access Gateway, the appliance intermittently fails.
  • Issue ID 0268666: Access Gateway user and administrator connections fail. Users cannot establish a connection by using the Access Gateway Plug-in and administrators cannot connect to the configuration utility.
  • Issue ID 0269947: If you change the rule in an endpoint analysis expression that is in a bound policy, endpoint analysis might fail and users may not be able to log on.
  • Issue ID 0271533: If you configure a custom logon page, when users log on with Internet Explorer 9, the text on the page is illegible when the custom page contains transparent images. User devices need to be in compatibility mode to display the logon page correctly.
  • Issue IDs 0277876 and 0287096: When Access Gateway receives UDP network traffic, occasionally initialization does not occur on the receiving core. When this occurs, Access Gateway fails.
  • Issue ID 0283038: If you configure reverse network address translation (NAT) and Access Gateway, when users connect to Access Gateway, the appliance might fail and then fail over to the secondary Access Gateway in a high availability pair.
  • Issue ID 0283557: If users upgrade Java Runtime Environment (JRE) to a version later than 1.6.0_27 and then log on through Access Gateway, attempts to open a published application or XenDesktop fail.
  • Issue ID 0284167: If you do not enable split tunneling, when users log on with the Access Gateway Plug-in by using Internet Explorer, the Use a proxy server for your LAN check box clears and users cannot access internal network resources. When users log off from the plug-in, the Use a proxy server for your LAN check box is selected again, but it clears when users log on with the plug-in.

AppFlow Issues

  • Issue ID 0270379 (nCore): When the AppFlow feature is enabled on a NetScaler appliance, the appliance might fail if it receives an invalid HTTP request header.

Application Firewall Issues

  • Issue ID 0273621: On a Citrix Access Gateway with the application firewall enabled and configured, clients who connect by way of the FQDN are unable to log on through the Web Interface on NetScaler (WIonNS) module. When clients connect to the Access Gateway by way of the IP address, however, they are able to log on through WIonNS. When this occurs, the customer must disable the application firewall feature to permit logons through WIonNS to function correctly.

Application Firewall/Signatures Issues

  • Issue IDs 92794/0251818 and 0262085 (Classic and nCore): On NetScaler appliances that have the application firewall enabled, after an upgrade from the 9.3 version of NetScaler classic to the 9.3 version of NetScaler nCore firmware, an existing signatures file may not function properly. If that occurs, you can correct the problem by creating a new application firewall profile and policy and binding them to the signatures file.

Configuration Utility Issues

  • Issue ID 0271501: The Configure Backend Services dialog box, which you use to configure services for an AppExpert application, does not include the Service Groups tab.
  • Issue ID 0273951: If you use the configuration utility to enable or disable an SSL parameter (such as DH param, Ephemeral RSA, Session Reuse, Cipher Redirect, SSLv2 Redirect, or protocol) on a AAA virtual server, the change is not reflected in the Command Line Interface (CLI).

Connection Failover Issues

  • Issue IDs 0274489 and 90146/0249489 (nCore): In a high availability pair, if the Use Source IP (USIP) option is enabled on an FTP service, the connection information associated with each data channel of the FTP service is not synchronized to the secondary appliance. The issue occurs only with active-mode FTP connections. It causes FTP transactions to fail after a failover event.

Content Switching Issues

  • Issue ID 0285831: Content switching policies that contain virtual-server based expressions (expressions that begin with the SYS.VSERVER("<vserver-name>") prefix) cannot be bound to virtual servers of type MSSQL and MYSQL.

DataStream Issues

  • Issue ID 0284217 (nCore): When two different monitors of MSSQL_ECV type are used at the same time, they can both incorrectly indicate the service to be down.

Domain Name System Issues

  • Issue IDs 0269616 and 0269631 (nCore and nCore VPX): The NetScaler appliance might fail when attempting to access memory that is associated with the processing of a DNS response. The cause is improper clean-up of memory after a memory failure condition that occurs when the response is being processed.
  • Issue IDs 0276412 and 0285276 (nCore and nCore VPX): The NetScaler appliance fails under the following sequence of events:
    • As part of a DNS response, a name server for which the appliance is configured as a DNS proxy server sends the appliance a Start of Authority (SOA) record that belongs to a root server. The appliance caches the SOA record. A name server (NS) record for that root server is also available on the appliance. The root server’s NS record is considered an authenticated record.
    • The appliance receives a CNAME query for a domain name that cannot be resolved. The appliance caches the resulting NXDOMAIN response (a negative response).
    • The appliance receives an ANY query for the domain for which the negative response was received and cached.
    • With the authenticated name server record and cached SOA record, the appliance behaves as though it is authoritative for the queried domain, processes the ANY query, and attempts to populate the record that was created for the negative response.
  • Issue ID 0267498 (nCore and nCore VPX): The NetScaler appliance might fail under the following set of conditions:
    • A client sends a load balancing virtual server of type DNS_TCP a request that cannot be served from the DNS cache on the appliance. The appliance is configured as a DNS proxy server for the requested domain.
    • Before the appliance responds to the DNS request, the virtual server receives a second DNS request on the same client connection. The second request has the TCP FIN flag set and can be served from the DNS cache.

Integrated Caching Issues

  • Issue ID 0283931: The man page for the "set cache parameter" command contains some commented sentences.
  • Issue ID 92551/0251603: If, during validation of an expired cache object with the server, the client sends a reset request or the server responds with no data, the object goes into an error state. All requests for that object are then treated as cache misses until the object is flushed.

Load Balancing Issues

  • Issue ID 0276581: When a NetScaler appliance is configured to provide SSL, load balancing, and AAA-TM services for Microsoft Outlook for Web Access (OWA) servers, an Apple iPhone or iPad user who tries to do ActiveSync with the Microsoft Exchange server may receive a 403 Access Forbidden error.
  • Issue ID 93335/0257245 (nCore and nCore VPX): Remote Desktop Protocol (RDP) connections established by clients time out under the following set of conditions:
    • The Terminal Services Gateway servers that allow the RDP connections to be made to the computers are load balanced by a virtual server on the NetScaler appliance.
    • The version of the TPKT protocol being used for communication is any version other than Version 3.
  • Issue ID 0262924 (nCore and nCore VPX): The NetScaler appliance fails under the following sequence of events:
    • A processor core receives a core-to-core message for deleting a rate limiting session that it owns.
    • The core performs a lookup for the session entry but the session entry does not exist on the core (a rare occurrence).
  • Issue IDs 88470/0248130, 0263522, and 0276411 (nCore): The NetScaler appliance might fail when performing URL redirection under low memory conditions.
  • Issue ID 0264879: When the load balancing feature is disabled, a load balancing virtual server is shown as being down when all the services bound to the virtual server are up, and as being up when all the services bound to it are down.
  • Issue ID 0272688 (nCore and nCore VPX): The NetScaler appliance fails when processing the persistence rule if the rule is based on responses and the configured load balancing method is the token method. However, the issue is rare and occurs when the appliance is processing HTTP and non-HTTP traffic simultaneously.

Monitoring Issues

  • Issue ID 0282876 (nCore and nCore VPX): Address Resolution Protocol (ARP) monitors do not update the Layer 2 parameters in the server information on non-master cores.

NetScaler SDX Appliance Issues

  • Issue ID 0274939: If only a 10/x interface or a 1/x interface is assigned to a NetScaler VPX instance, and the state of that interface is changed from UP to DOWN and then back to UP, the instance is not accessible through the NSIP address.
  • Issue ID 0275607: In certain cases, if only a 1/x interface is assigned to a NetScaler VPX instance, the instance is unresponsive after it is started.

NetScaler VPX Appliance Issues

  • Issue ID 94472/0258273: Tagged VLAN support is now available on NetScaler VPX virtual appliances hosted on XenServer. With this enhancement, if you configure tagged VLANs on a port on the switch but do NOT configure any VLANs on the XenServer interface attached to that port, the VLAN tags are passed through to the VPX instance and you can use the tagged VLAN configuration on the virtual appliance.

Networking Issues

  • Issue ID 0268589: In certain cases, routes are not updated because OSPF threads that are responsible for calculating the shortest path are not scheduled.
  • Issue ID 0273671: If a PBR-rule based connection is established on the NetScaler appliance and the rule is later removed, the appliance may fail.
  • Issue ID 0258993: If you create an RNAT rule with an extended ACL as the condition, and the name of the ACL is an IP address (for example, 10.102.29.10), the appliance interprets the ACL as an IP address instead of as an ACL. When you display the RNAT records, the NetScaler appliance restarts.

Platform Issues

  • Issue ID 91160/0250344 (nCore): The NIC error counter is incremented for dropped packets in addition to NIC errors.

Policies Issues

  • Issue ID 0273159: The NetScaler appliance may reboot continuously because of a Responder policy evaluation error when a client sends an invalid HTTP request to a protected web site.
  • Issue ID 0287356: If you remove a classic expression that is referenced by an advanced expression from a NetScaler configuration without first removing the advanced expression, the NetScaler appliance may crash. If this occurs on the primary NetScaler appliance in a high availability (HA) configuration, upon failover the secondary NetScaler appliance also crashes. To work around this issue, simply remove any advanced expressions first, and then remove classic expressions.

Rate Limiting Issues

  • Issue ID 0273618: The NetScaler appliance fails when it temporarily blocks the evaluation of rate limiting selectors. Deep body parsing and HTTP callout evaluation are examples of processes during which the appliance temporarily blocks evaluation.

SSL Issues

  • Issue ID 0269568: The NetScaler appliance fails if the clear config command is issued to remove a custom cipher group that is bound to the internal services on the appliance.
  • Issue ID 0278362: The following new SNMP alarms have been added to indicate the rate of 1024-bit, 2048-bit, and 4096-bit key operations during SSL transactions and the number of current SSL sessions in use:
    • 1024KEY-EXCHANGE-RATE
    • 2048KEY-EXCHANGE-RATE
    • 4096KEY-EXCHANGE-RATE
    • SSL-CUR-SESSION-INUSE

System Issues

  • Issue ID 0262914: The maximum segment size (MSS) is incorrectly updated if you use the "set service" command to change any parameter of an existing service.
  • Issue IDs 0274650, 0270995, and 0273066: When HTTP connection multiplexing on a virtual server is OFF, the NetScaler opens a new connection for every request instead of reusing the last-used connection. The new connection results in failure of features, such as the NTLM authentication protocol, that require persistent connections with the servers.
  • Issue ID 0274822 (nCore and nCore VPX): When utilization of the management CPU returns to the configured normal threshold value after an SNMP trap for high CPU utilization (cpuUtilization) has been sent, the corresponding normal trap (cpuUtilizationNormal) is sent three times.
  • Issue ID 0285827 (Classic): In certain cases, if you save the core while compression is enabled in the nssavecore.sh file, the operation fails.
  • Issue IDs 79837/0241190, 88223/0247937, 81193/0242275, and 86655/0246624: NetScaler does not handle some cases in which the response is received before the complete request is forwarded to the server.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 81165/0242252: In the Access Gateway configuration utility, you can bind a server running the STA with the same IP address or fully qualified domain name (FQDN) twice.
  • Issue ID 0285111: If you configure ICA Proxy when users log on with the Access Gateway Plug-in and you close all sessions by using the command line, the sessions do not close.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection.
      For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Access Control Lists Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Application Firewall Issues

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the show configstatus command and reconfigure the appliance under low traffic conditions or during a maintenance period. If that does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.

Domain Name System Issues

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 86096/0246139: When you configure the WI-EXTENDED monitor, you must specify a sitepath value that does not end with a slash (/). For example: add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session-cookie based persistence.
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
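The format change described in Issue ID 90271/0249597, as an added example (not Citrix code): a parser that accepts both the pre-9.3 and the 9.3 member-name formats, so a monitoring script keeps working across an upgrade. The names Member and parse_member_name and the sample member names are hypothetical, and the code assumes that a service group name never contains a question mark and that the port field is numeric.

```python
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    group: str
    host: str   # IP address, or a server name in the 9.3 format
    port: int
    fmt: str    # "9.3" or "legacy"


def _port(text: str) -> int:
    """Validate the port field and return it as an integer."""
    if not (text.isascii() and text.isdigit()) or int(text) > 65535:
        raise ValueError(f"bad port field: {text!r}")
    return int(text)


def parse_member_name(name: str) -> Member:
    """Parse a servicegroup member name in either format.

    9.3 format:    <servicegroup name>?<IP address | server name>?<port>
    legacy format: <service group name>_<IP address>_<port>
    """
    if "?" in name:
        # Split from the right so only the last two delimiters count.
        parts = name.rsplit("?", 2)
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed 9.3 member name: {name!r}")
        group, host, port = parts
        return Member(group, host, _port(port), "9.3")

    # Legacy names: a group name may itself contain underscores, so a plain
    # split("_") miscounts fields. Take the last two fields from the right.
    parts = name.rsplit("_", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed legacy member name: {name!r}")
    group, host, port = parts
    try:
        # The legacy format only ever carried an IP address in this field.
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"legacy member name without IP address: {name!r}") from None
    return Member(group, host, _port(port), "legacy")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real appliance.
    for sample in ("web_farm?10.0.0.5?80",
                   "web_farm?app_srv_01?8080",
                   "web_farm_10.0.0.5_80"):
        print(parse_member_name(sample))
```

A script that still splits on the underscore returns wrong fields for the second sample, because the server name in the 9.3 format can contain underscores.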

NetScaler SDX Appliance Issues

  • Issue ID 0262505 (nCore): When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 86597/0246578 (nCore): Internet Explorer version 9.0 does not load the Configuration tab.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 0265006 (nCore): Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 88515/0248159 (nCore): Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194 (nCore): When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91605/0250759 (nCore): If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

NetScaler SDX Appliance and NetScaler VPX Appliance Issues

  • Issue IDs 0274497 and 0274498: Layer 2 (L2) mode, link aggregation control protocol (LACP), and virtual MAC addresses (VMACs) are not supported on the NetScaler SDX appliance or the NetScaler VPX virtual appliance.

NetScaler VPX Appliance Issues

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, when there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.
  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX (virtual) appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features (such as compression and GSLB) stop working.

    Workaround: Reduce the memory allocated for caching.

Networking Issues

  • Issue ID 0271154 (Classic, nCore, and VPX): The man pages for the commands add ns ip, set ns ip, add ns ip6, and set ns ip6 display an incorrect default value for the ospfArea parameter.

Platform Issues

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance--ipmi0: KCS error: 01 ipmi0: KCS: Reply address mismatch.

  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type: openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot." However, the correct message--"ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate"-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_47.5 to 9.3_51.5.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.
  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files being imported as XMLSchema. These invalid XMLSchemas are rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 54.4

Release version: Citrix® NetScaler® release 9.3 build 54.4

Replaces build: None

Release date: December 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM Issues

  • Issue ID 93854/0257700: When AAA is in use, and a user who has not already authenticated accesses a URL that contains encoded spaces (%20), after authentication AAA replaces the encoded spaces with the plus (+) character before it attempts to access the URL. When it attempts to redirect to the modified URL, the web server returns a 404 error.

Access Gateway Issues

  • Issue ID 93631/0257509: Access Gateway supports client interception by using Intranet Applications. You can configure up to 128 intranet applications in Access Gateway. The previous limit was 32 intranet applications.
  • Issue ID 91875/0251005: When users log on to Access Gateway, if there is a delay sending the authentication response, authentication and Access Gateway might fail.
  • Issue IDs 93657/0257518 and 93716/0257574: When users attempt to log on two times, Access Gateway detects an active session and starts to initiate the transfer logon process. However, Access Gateway fails to remove the original session and transfer logon fails. If users try to transfer logon again, the logon page appears.
  • Issue ID 94181/0258005: If UDP packets from the user device arrive at Access Gateway as multiple packets, Access Gateway truncates the UDP packet if all the truncated fragments fit in one packet and then are sent from the appliance.
  • Issue ID 0266865: Access Gateway does not update the MAC address cache for XenApp or XenDesktop when the MAC address of the server changes. User connections fail and you must restart Access Gateway.
  • Issue ID 0271589: If you upgrade Access Gateway from Version 9.3 build 51.5 to build 53.5, when users log on successfully with the Access Gateway Plug-in on an iPad, an "Access Gateway unexpected response" error appears.

AppFlow Issues

  • Issue ID 0274236 (nCore and nCore VPX): When the AppFlow feature is enabled, more memory than the allocated size of the buffer may be released. This may result in memory corruption and packet engine failure.

Application Firewall Issues

  • Issue ID 0264504: In some circumstances when a large number of application firewall sessions are active, the NetScaler watchdog process can stall and abort the packet engine, causing a system restart.
  • Issue ID 0269994: After upgrading a NetScaler appliance that has the application firewall enabled and configured from version 9.0 of the NetScaler OS to version 9.3, if the deny URL feature is configured and deny URLs are enabled, memory usage increases significantly and continues to increase over time as denied URLs are accessed.
  • Issue ID 0271427: When a user attempts to connect to an Application Firewall-protected web site using an Apple iPhone, the connection fails with an error.

Cloud Bridge Issues

  • Issue ID 90206/0249539 (Classic): The IKE process causes a loop, which results in 100 percent CPU usage.

Configuration Utility Issues

  • Issue ID 0269486: In a high availability configuration, the configuration utility does not display the configured route monitors on the NetScaler appliances. Also, when a route monitor is configured to monitor a default route, the configuration utility displays the secondary node's IP address as 0.0.0.0.

Content Switching Issues

  • Issue ID 0264772 (nCore and nCore VPX): The NetScaler appliance does not increment the hit counters that are displayed for content switching policy bindings in the output of the "show cs vserver <name>" command, even though it increments the counters for the total number of policy hits in the output of the "show cs policy [<policyName>]" command. The issue occurs with URL-based policies when the “caseSensitive” option for the content switching virtual server is set to “OFF.”

DataStream Issues

  • Issue ID 90389/0249698 (nCore and nCore VPX): The MSSQL-ECV monitor uses the default MS SQL protocol version, TDS 7.0, even if you set a different MS SQL protocol version for the monitor.

EdgeSight Monitoring Issues

  • Issue ID 0266622 (Classic and nCore): Injection of EdgeSight for NetScaler measurement scripts into the response occurs only if the HTTP content-type header is text/html.

Global Server Load Balancing Issues

  • Issue ID 92365/0251432: When a GSLB virtual server that is configured with the static proximity method receives requests that alternately match a separate subset of bound GSLB services, the NetScaler appliance fails to serve each request the GSLB service IP addresses, from the respective subset, in round-robin order. For example, if the GSLB virtual server receives a request R1 that matches services S1, S2, and S3 and a request R2 that matches services S4, S5, and S6, in the order R1, R2, R1, R2, the NetScaler appliance fails to serve R1 the IP addresses of S1, S2, and S3 and R2 the IP addresses of S4, S5, and S6, in round-robin order.

Integrated Caching Issues

  • Issue ID 93435/0257335: If a request for an object arrives as the object expires (at the time specified by the "absExpiry" parameter), the "pollEveryTime" parameter for that object is set to YES. Future requests for the object are sent to the origin server.

Load Balancing Issues

  • Issue ID 69918/0233211: Unlike in earlier releases, when you use the “sync gslb config” command or its alias, the “sync config” command, the NetScaler appliance displays a warning that the synchronization of GSLB sites can result in loss of configuration on remote sites, and prompts you to confirm that you want to synchronize the sites. The prompt helps prevent unintentional synchronization that might result from accidental use of the command.

NetScaler SDX Appliance Issues

  • Issue ID 0261672: You can download the Management Service build and documentation files, SSL keys and certificates, XVA images, NetScaler instance build and documentation files, and licenses to a local computer as a backup. You can also directly download the technical support file to your local computer and then send it to Citrix support. Earlier you had to use FTP to download these files.
  • Issue ID 0268115 (nCore): You cannot change an interface on a NetScaler VPX instance if you have not selected any of the management interfaces (0/1 and 0/2) when provisioning the instance.
    Note: Make sure that the NSVLAN is configured correctly. In case of an incorrect configuration, the instance is not reachable.
  • Issue ID 0269055: You can now save the settings of all the NetScaler instances provisioned on the SDX appliance before performing a factory reset. You can use the saved information to reprovision the instances after the reset. For more information, see the SDX Administration Guide at http://support.citrix.com/article/CTX129335.
  • Issue ID 0267383 (nCore): You cannot remove a configured NSVLAN by using “Modify NetScaler Instance” in the management Service VM user interface.

Networking Issues

  • Issue ID 0263530 (nCore and nCore VPX): The NetScaler appliance fails when it processes IPv6 UDP packets for which the appliance has not allocated memory for a NAT entry.

SNMP Issues

  • Issue ID 93916/0257759: For an SNMP query, the NetScaler appliance returns the value of the SNMP objects svcAvgTransactionTime and svcGrpMemberAvgTransactionTime, in picoseconds.
  • Issue ID 0260021 (nCore and nCore VPX): The NetScaler appliance returns a different value for the SNMP object ‘sslSessionsPerSec’ than the value of the corresponding ‘SSL sessions (Rate)’ counter displayed on the Monitoring page.

SSL Issues

  • Issue ID 92246/0251327 (Classic): In rare cases, on the NetScaler 12000 appliance, if the combination of a NetScaler response and maximum transmission unit (MTU) is such that the data in the last TCP packet is 8 bytes or less, decryption of data using DES/AES ciphers fails.

System Issues

  • Issue ID 89581/0249017: The NetScaler appliance fails due to the internal traffic accessing the buffer.
  • Issue ID 90580/0249858: Log records are not generated for the "reboot" command.
  • Issue ID 0259201: In rare cases, the appliance restarts when the process monitoring daemon does not recognize the short heartbeat messages from clients.
  • Issue ID 0263699: The NetScaler appliance does not process invalid requests that are sent after a connection close.
  • Issue ID 88149/0247876: The NetScaler appliance does not detect that the httpd process has restarted after the process fails. This causes the NetScaler appliance to intermittently drop SYN packets destined to the NSIP, MIP, or SNIP address on the appliance.
  • Issue ID 93475/0257369: When a data structure used for tracking NAT information was freed, a field related to the netbridge configuration was not zeroed out. If the same data structure was then reused for a server-side connection, the appliance tried to send data on a bridge that was not configured, so the packet was not sent.
  • Issue ID 93586/0257469: The NetScaler appliance forwards Keep Alive probes, from the server, to a client even when the client has advertised a zero window. This causes the client to reset the connection.
  • Issue ID 93826/0257673: HTTP requests may acknowledge previous responses, which causes packet reordering. The NetScaler appliance fails when any configured L7 feature, for example a rewrite policy, processes these packets.
  • Issue IDs 94442/0258246 and 93593/0257475: When the device name length exceeds 256 characters, the stored length is truncated. However, the NetScaler appliance allocates more memory to store the device name and, when releasing the memory, releases less memory than it allocated. This leads to a memory leak.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 92054/0251163: If you enable multi-stream connection policy settings in either XenApp 6.5 for Windows Server 2008 R2 or XenDesktop 5.5 and you install the Access Gateway Plug-in by using an MSI package, Access Gateway does not establish multi-stream connections to the resource, although XenApp and XenDesktop launch on the user device in a single stream.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      1. Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      2. Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      3. Contact the manufacturer for other devices.
  • Issue ID 89427/0248893: If users connect with the Access Gateway Plug-in by using an airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, and users put the user device in standby or hibernate, the Access Gateway Plug-in fails to reestablish the connection when users resume the device. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

ACL Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Application Firewall Issues

  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.

Domain Name System Issues

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 88593/0248222 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.
  • Issue ID 87407/0247289 (nCore and nCore VPX): For an RDP virtual server, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory, so you need not explicitly configure persistence. Currently, IP address based persistence is not supported, and you cannot disable the implicit session cookie based persistence.

NetScaler SDX Appliance Issues

  • Issue ID 265006 (nCore): Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0262505 (nCore): When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 86597/0246578 (nCore): Internet Explorer version 9.0 does not load the Configuration tab.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 88515/0248159 (nCore): Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194 (nCore): When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91605/0250759 (nCore): If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0274939: If only a 10/x interface or a 1/x interface is assigned to a NetScaler VPX instance, and the state of that interface is changed from UP to DOWN and then UP again, the instance is not accessible through the NSIP address.

    Workaround: Assign a 0/x interface to the VPX instance.

  • Issue ID 0275607: In certain cases, if only a 1/x interface is assigned to a NetScaler VPX instance, the instance is unresponsive after it is started.

    Workaround: Assign a 0/x interface to the VPX instance.

NetScaler VPX Appliance Issues

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features, such as compression and GSLB, stop working.

    Workaround: Reduce the memory allocated for caching.

  • Issue ID 94487/0258286: On the Microsoft Hyper-V platform, when there are fragmentation issues on dynamic virtual disks, the NetScaler VPX appliance sends HTTP 5xx responses to requests.

Networking Issues

  • Issue ID 0271154 (Classic, nCore, and nCore VPX): The man pages for the commands 'add ns ip', 'set ns ip', 'add ns ip6', and 'set ns ip6' display an incorrect default value for the parameter 'ospfArea'.

Platform Issues

  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.
  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:
    ipmi0: KCS error: 01
    ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.
    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:
    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: “ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot.” However, the correct message--“ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate”-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if a failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (load balancing virtual server or content switching vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_49 or a prior build to a build later than 9.3_49.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files being imported as XML schemas. These invalid XML schemas are rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058/0242928: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 53.6

Release version: Citrix® NetScaler® release 9.3 build 53.6

Replaces build: None

Release date: November 2011

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA-TM Issues

  • Issue IDs 93635/0257512, 0263061, and 0263473: The NetScaler appliance fails in the following scenario:
    1. A user uses invalid credentials to log on to a AAA-TM authentication virtual server, and then sends the virtual server a second request.
    2. The user’s browser reuses the TCP connection for the second request.

Access Gateway Issues

  • Issue ID 91344/0250516: The multi-stream ICA feature allows you to partition multiple ICA streams in the same session. With multi-stream ICA, you can partition a single TCP connection into multiple streams based on different types of traffic that are typical for session reliability.
  • Issue ID 91453/0250615: Occasionally, when users log on with the Access Gateway Plug-in, and a Web browser sends a resources.js request that contains a session cookie (NSC_AAAC), Access Gateway proxies the request to the server and returns an HTTP 404 Not Found error. Unnecessarily, the user receives an NTLM authentication message prompting them to enter credentials.
  • Issue ID 92124/0251222: If you configure bookmarks on Access Gateway as a reverse proxy and users do not connect with clientless access, Access Gateway might fail.
  • Issue ID 93384/0257288: You can create a session or preauthentication policy to check for REG_MULTI_NZ and REG_BINARY registry types on the user device.
  • Issue ID 94534/0258329: When you configure two appliances as a high availability pair, if you create a session policy with a name longer than 31 characters, when users are logged on with the Access Gateway Plug-in, if the primary appliance becomes unavailable, failover to the secondary appliance does not occur and the connection fails.

AppFlow Issues

  • Issue IDs 94685/0258921 and 0264518 (nCore and nCore VPX): The NetScaler appliance may crash if you try to delete an AppFlow policy or action while traffic affected by the policy or action is flowing through the appliance.

Application Firewall Issues

  • Issue ID 83695/0244305: On nCore systems with the application firewall enabled, the following counters may show incorrect values:
    • (CLI) Opening client connections
    • (CLI) Established client connections
    • (GUI) Opening connections
    • (GUI) Established connections
    • (GUI) Active Server connections
  • Issue ID 92641/0251685 (nCore and nCore VPX): The amount of memory available to the application firewall is much lower than the amount of memory available to the NetScaler appliance.
  • Issue ID 93940/0257771: When both AAA SSO and the Application Firewall are enabled on the NetScaler appliance, and an advanced Application Firewall profile is bound to global or a bind point, the appliance sends incorrect HTTP POST requests to the web server, breaking web server functionality.

Cache Redirection Issues

  • Issue ID 92791/0251815: The NetScaler appliance fails in the following scenario:
    1. A cache redirection virtual server is configured with a listen policy, RNAT is configured, and TCP proxy is enabled for RNAT (by using the "set rnatparam -tcpproxy ENABLED" command).
    2. A client sends the appliance a request meant for the origin server. The request satisfies the RNAT criteria but does not match the listen policy that is configured for the cache redirection virtual server.
    3. Another client sends the appliance a request for the same origin server and, this time, the request matches the listen policy that is configured for the cache redirection virtual server.

Command Line Interface Issues

  • Issue ID 92966/0251975: If you are using the Perl package Net::SSH::Perl, the NetScaler appliance may not allow new connections after the limit for maximum number of connections has been reached, even if some users have logged out. Make sure that your Perl script has the following line:
    $ssh->login("$user", "$password", 1);
    instead of:
    $ssh->login("$user", "$password");

Configuration Utility Issues

  • Issue ID 82499/0243259: In NetScaler release 9.3, the PHP version has been upgraded from 5.2.6 to 5.3.8.
  • Issue ID 92919/0251932: In the "Select the Template Type" dialog box (AppExpert > Templates > Entity Templates > Add), the option for creating a load balancing virtual server template is not available, and the "SSL Vserver" option is listed more than once.

DataStream Issues

  • Issue ID 92394/0251460 (nCore and nCore VPX): If a client cancels an SQL query before the server responds to a query it sent earlier, load balancing fails for subsequent queries sent by the client. The NetScaler appliance forwards all subsequent queries sent by that client to the same database server.

Content Switching Issues

  • Issue ID 93339/0257249 (nCore and nCore VPX): A content switching virtual server does not serve a client request in the following scenario:
    • Three or more advanced policies that use the "MATCHES_LOCATION(<location>)" function are bound to the content switching virtual server.
    • The source IP address of the request does not match any location in the location database.

Integrated Caching Issues

  • Issue ID 94009/0257849: The NetScaler appliance fails if the maximum response size (maxResSize) of a single object in the integrated cache exceeds 100 MB.
  • Issue ID 94708/0258932: The NetScaler appliance does not retransmit data for a 304 Not modified cache hit when RTO (round trip timeout) is hit.

Load Balancing Issues

  • Issue ID 92390/0251455: Data transfer might stop after a failover in the following scenario: Stateful connection failover is enabled on the load balancing virtual server that is managing the connection, and the failover was immediately preceded by a burst of traffic.
  • Issue ID 87201/0247100 (Classic and nCore): If a load balancing virtual server for TCP services has stateful connection failover enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred.

NetScaler SDX Appliance Issues

  • Issue ID 92664/0251706 (nCore): You can now perform the following actions:
    • Provision a NetScaler VPX instance on a subnet that is different from the subnet of the management service VM. Traffic between the management service VM and the NetScaler VPX instance is routed.
    • Specify that only secure communication is allowed between the management service VM and the NetScaler instances.
    • Specify that the SDX appliance can be accessed only over a secure channel (https instead of http).
    • Apply administrative configuration on a NetScaler instance at a later time if the instance is not reachable from the management service VM.
  • Issue ID 0261338 (nCore): If you create a NetScaler IP address from the NetScaler Configuration node in the Configuration tab of the management Service VM user interface, the default IP address created is a subnet IP (SNIP) address and not the mapped IP (MIP) address.

Rewrite Issues

  • Issue ID 92586/0251637: Rewrite policies are not applied to HTTP requests that use the HTTP method CONNECT.
  • Issue ID 92739/0251770: When an HTTP message body is extremely large (2 GB or more), the replace_all, insert_all, insert_before, and insert_after_all rewrite actions cause the NetScaler to crash.

SNMP Issues

  • Issue ID 93003/0252009: A new SNMP OID, sysStatisticsTime (1.3.6.1.4.1.5951.4.1.1.41.17), returns the interval at which various statistical counters are updated.
  • Issue ID 93469/0257366: If a content switching classic policy is rebound to the content switching virtual server, an SNMPWALK operation on the csPolicyHits SNMP object returns an error.

SSL Issues

  • Issue ID 91408/0250575 (nCore VPX): If OCSP check is enabled on a NetScaler VPX appliance, and the appliance receives the client key exchange and client certificate as part of a single record, the SSL handshake fails.
  • Issue IDs 93373/0257280, 0264151, and 0264043 (nCore): If there is a delay between HA health monitoring and SSL card monitoring, HA health monitoring reports that the SSL card is DOWN.

System Issues

  • Issue IDs 89829/0249234 and 93515/0257405: The "diff ns config" CLI command erroneously audits a command more than once and displays the error message "Already audited command" in its output. This issue is observed when the command attribute that is treated as the unique ID for the command occurs in multiple records in the NetScaler database. For example, the host name that you specify in the "add dns nsRec" command is treated as the unique ID for the command when a database record is created. If the "add dns nsRec" command is used to assign multiple IP addresses to a host, the host name can occur in multiple records and, consequently, lead to multiple audits of the "add dns nsRec" command when you use "diff ns config."
    Note: As a result of the changes that were made to resolve this issue, the "mx" parameter, which is required in the "add dns mxRec" and "set dns mxRec" commands, is now also required in the "unset dns mxRec" command. The syntax of the "unset dns mxRec" command has changed as follows:

    Before: unset dns mxRec <domain> -TTL

    After: unset dns mxRec <domain> -mx <string> -TTL

  • Issue ID 92046/0251155: If a NetScaler appliance is unable to determine the link status of an interface and stores an invalid link-status value in the internal database, the appliance fails.
  • Issue ID 94767/0258978: If you use the configuration utility to delete all the configured NTP servers, configurations in one of the startup script files (rc.netscaler) are lost.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 92054/0251163: If you enable multi-stream connection policy settings in either XenApp 6.5 for Windows Server 2008 R2 or XenDesktop 5.5 and you install the Access Gateway Plug-in by using an MSI package, Access Gateway does not establish multi-stream connections to the resource, although XenApp and XenDesktop launch on the user device in a single stream.
  • Issue ID 91832/0250964: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175/0241433 and 82022/0242906: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    • Disable split tunneling.
    • Configure Access Gateway so user connections do not receive an intranet IP address.
    • Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89427/0248893: If users connect with the Access Gateway Plug-in by using an airtel 3G device and the Repeater Plug-in accelerates VPN traffic after establishing the VPN connection, then when users put the user device in standby or hibernation and later resume the device, the Access Gateway Plug-in fails to reestablish the connection. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439/0248898: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791/0249202: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675/0249937: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787/0245136: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986/0245297: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268/0247968: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494/0242522: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492/0244134: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819/0244412: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894/0245227: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915/0245243: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122/0246165: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, then when the time-out period expires, a session time-out message appears on the user device; however, the session is not terminated on Access Gateway.
  • Issue ID 86123/0246166: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323/0246328: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470/0246469 and 86787/0246736: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471/0246473: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722/0246679: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

ACL Issues

  • Issue ID 0264933: The NetScaler appliance does not display the correct default values for the icmpType and icmpCode parameters of an extended ACL or ACL6.

Application Firewall Issues

  • Issue ID 83089/0243784: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules accessible in documentation or white papers for users to review.
  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850/0250982 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet, whose DF bit is unset, across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908/0243626 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862/0244449 (nCore and nCore VPX): This release does not support IPv6 addresses.

Domain Name System Issues

  • Issue ID 93203/0257123 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 82872/0243593: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929/0243645: If a TCP monitor is assigned to a MYSQL service, the MySQL server prevents the MIP address from making new connections.
    Note: This is a known issue with MySQL. It can be mitigated by setting a high value for max_connect_errors, as described in the article at http://bugs.mysql.com/file.php?id=5184.
  • Issue ID 82996/0243703: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096/0246139: When configuring the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a '/'. For example:
    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87407/0247289 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies using Session Directory. You need not explicitly configure persistence on the NetScaler. In some situations (where multiple persons use the same user logon credentials), session cookie persistence may not be helpful, and IP-based persistence methods are necessary. Future releases will support IP address based persistence. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.
  • Issue ID 88593/0248222 (nCore): After failover, the "maxclient" setting on a service is not honored.
  • Issue ID 90271/0249597: Application scripts that parse the servicegroup member name, and use the underscore delimiter (_) to identify fields to be extracted, fail, because the delimiter is now a question mark (?). In NetScaler releases earlier than 9.3, the format is <service group name>_<IP address>_<port>. The new format is <servicegroup name>?<IP address | server name>?<port>.

NetScaler SDX Appliance Issues

  • Issue ID 86597/0246578 (nCore): Internet Explorer version 9.0 does not load the Configuration tab.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 88515/0248159 (nCore): Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556/0248194 (nCore): When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148/0248663 (nCore): When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91605/0250759 (nCore): If the dashboard page on the management service virtual machine is open for more than 4 days, the browser (Internet Explorer 8.0) might report high memory usage.

    Workaround: In the browser, refresh or minimize the page to release the memory.

  • Issue ID 0262505 (nCore): When viewing the built-in or custom reports in the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: "NO DATA TO CHART".
  • Issue ID 0265006 (nCore): Tx flow control on the interfaces of a NetScaler VPX instance can cause packets to be dropped instead of transmitted.

    Workaround: Turn off the Tx flow control globally on the interfaces from the Management Service VM user interface. On the Configuration tab, in the navigation pane, click System, and then click Interfaces.

  • Issue ID 0268115 (nCore): You cannot change an interface on a NetScaler VPX instance if you have not selected any of the management interfaces (0/1 and 0/2) when provisioning the instance.

    Workaround: First, add an interface to the NetScaler VPX instance. After the instance restarts, remove the interfaces that are not required.

    Note: Make sure that the NSVLAN is configured correctly. In case of an incorrect configuration, the instance is not reachable.

NetScaler VPX Appliance Issues

  • Issue ID 88057/0247795: If you allocate more than 200MB for caching on a VPX appliance with 2GB RAM or allocate more than 800MB on a VPX appliance with 4GB RAM, memory-intensive features, such as compression and GSLB, stop working.

    Workaround: Reduce the memory allocated for caching.

Platform Issues

  • Issue ID 87419/0247297 (nCore): When you start the remote console from the LOM configuration utility on a NetScaler MPX 11500/13500/14500/16500/18500/20500 or MPX 17550/19550/20550/21550 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. The following error messages might appear on the console during LOM reset, because the LOM module does not respond to the appliance:

      ipmi0: KCS error: 01
      ipmi0: KCS: Reply address mismatch

  • Issue ID 90018/0249389 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.
  • Issue ID 94198/0258025: If a member interface is removed from an LA channel, the LA channel might show negative statistics in the next statistics collection cycle.
  • Issue ID 0262488 (nCore): On the MPX and SDX 11500/13500/14500/16500/18500/20500 and MPX and SDX 17550/19550/20550/21550 appliances, the network cable does not lock properly into the port and is easy to pull out.

Reporting Issues

  • Issue ID 85025/0245335 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830/0241961 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the following, incorrect message appears: "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot." However, the correct message--"ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate"-- appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850/0242774 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393/0245605: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.

System Issues

  • Issue ID 84099/0244639 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282/0244774: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320/0244792 (nCore and nCore VPX): The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133/0257961: If a server (lb virtual server or cs vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_47.5 to 9.3_51.5.

    Workaround: Do the following:

    1. Remove the audit policy and action
    2. Add the deleted virtual server
    3. Add the audit policy and action
    4. Save the configuration

Web Interface Issues

  • Issue ID 89052/0248592 (nCore and nCore VPX): The response from a Web Interface site that is configured in direct mode may have Java errors.

XML Issues

  • Issue ID 81650/0242628: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files being imported as XMLSchema. These invalid XML schemas are rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058/0242928: The "unique" element in the XML schema is currently not supported.
  • Issue ID 82059/0242929: The "redefine" element in the XML schema is currently not supported.
  • Issue ID 82069/0242939: When the Application Firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute was set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707/0244316: The Import feature for Schema and WSDL files does not support non-ASCII characters. If a WSDL or schema file being imported contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170/0241429: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This change can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 52.3

Release version: Citrix® NetScaler® release 9.3 build 52.3

Replaces build: None

Release date: October 2011

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

Access Gateway Issues

  • Issue ID 86965: If single sign-on is enabled and users connect to a resource through Access Gateway, Access Gateway occasionally returns a 500 Internal Server Error when the resource does not accept a 0 content length during NTLM authentication.
  • Issue ID 88409: If 16 users are changing their passwords simultaneously, new users cannot log on.
  • Issue ID 91811: If you enable client choices and users can log on with the Access Gateway Plug-in or by using clientless access, when users try to transfer files, an Internal Server Error 29 appears.
  • Issue ID 91285: When two Access Gateway appliances are configured as part of a high availability pair and you configure double-source authentication, occasionally if the primary node fails, the secondary node also fails to accept connections and Access Gateway subsequently fails.

Application Firewall Issues

  • Issue ID 83366: When the application firewall is configured, the NetScaler appliance may fail because of an issue in delivering the learning messages to the "aslearn" daemon.
  • Issue ID 86782: Importing appfw objects such as signatures, htmlerror page, and so on, may fail on first attempt if the import command contains a very long source URL. The command will succeed if executed a second time.
  • Issue ID 91899: The application firewall fails when a web page with a significantly large number of unique URLs is processed.

Configuration Utility Issues

  • Issue ID 93321: If, when adding a new TCP profile, you specify a value greater than 128 for the "Maximum Burst Limit" field, the appliance adds a minus symbol (-) before the value.
  • Issue ID 93358 (Classic and nCore): When you install a CA certificate on a NetScaler FIPS appliance by using the configuration utility, FIPS Key Name is not a required parameter.

Domain Name System Issues

  • Issue ID 92383: If a DNS query made by the NetScaler appliance leads to a chain of CNAME responses and one of the intermediate CNAME responses expires before the other responses because it has the least time-to-live (TTL) value, the bailiwick check is not handled correctly during subsequent attempts to resolve the same DNS query. Consequently, subsequent attempts fail intermittently. Additionally, when the appliance is functioning as an end resolver, if the length of the domain name in the query is less than 64 characters and the domain name in an intermediate CNAME response is greater than 64 characters, CNAME references are not handled correctly. Consequently, the appliance fails when you run the "flush dns proxyRecords" command.

Global Server Load Balancing Issues

  • Issue ID 85912: In a large GSLB configuration, if persistence session exchange is enabled between sites and the configuration of GSLB virtual servers is not symmetric across the participating sites, then the NetScaler appliance may fail.
  • Issue ID 87244 (nCore and nCore VPX): A NetScaler appliance running release 9.2 fails under the following sequence of events:
    1. GSLB is configured on the appliance, and it receives a metrics exchange protocol (MEP) connection from another GSLB site that has a lower IP address and is running a NetScaler release earlier than 9.2.
    2. The MEP connection is received by a non-owner core and the state of the MEP connection flaps (goes down and comes back up within an interval of about 10 seconds).
    3. After the MEP connection flaps, the GSLB site running NetScaler 9.2 attempts to share persistence sessions with the GSLB site running the pre-9.2 release.

Integrated Caching Issues

  • Issue ID 90335: The "show cache object" CLI command can corrupt NetScaler memory, causing the appliance to fail.

Load Balancing Issues

  • Issue ID 91869: The counter that indicates the number of connections made to a load balancing virtual server is not incremented correctly when the load balancing virtual server is bound to a content switching virtual server.

Networking Issues

  • Issue ID 87163: If a response packet is dropped during high availability failover, the NetScaler appliance does not block fragmented request packets.
  • Issue ID 91703: On failover, the BGP sessions on the secondary NetScaler in an HA-INC pair are reset. This applies to Classic, nCore, and VPX builds.
  • Issue ID 91886 (nCore and nCore VPX): If the NetScaler appliance receives a monitoring packet that it sent out for monitoring a service, the appliance may fail to send further monitoring probes for the service.
  • Issue ID 92773: The NetScaler appliance fails if a client tries to establish an active FTP session with a server that is reachable through a Link Load Balancing (LLB) route.

NITRO API Issues

  • Issue ID 93938: The data type for the "statechangetimeseconds" field for the lbvserver and csvserver classes is not consistent. The lbvserver class uses the integer data type and the csvserver class uses the date data type.

Platform Issues

  • Issue ID 92406 (Classic and nCore): On the NetScaler MPX 7500/9500 and MPX 9700/10500/12500/15500 appliances with an Intel 1GB interface, the health monitoring system automatically performs a warm restart if the appliance does not respond to health checks. If the appliance continues to be unresponsive, you have to perform a hard reboot.
  • Issue IDs 92435 and 92677 (nCore): In certain rare conditions, access to the BMC device for health check data may fail on the MPX 11500/13500/14500/16500/18500 platform. Consequently, the load on the management CPU significantly escalates and the appliance becomes unresponsive.

Policies Issues

  • Issue ID 92982: The NetScaler appliance fails when the rewrite action "replace_all" is applied to a response that is being generated by a content filter action.

Rewrite Issues

  • Issue ID 88938: The NetScaler appliance may sometimes fail to rewrite HTTP responses that use chunked encoding.
  • Issue ID 92968: If a rewrite policy with the "log" action specified is bound to a TCP virtual server, when the policy matches a connection, the NetScaler appliance fails.

SDX Appliance Issues

  • Issue ID 92408: If the Management Service VM is in an idle state, the database connection sometimes times out internally causing continuous login failures.

SNMP Issues

  • Issue ID 92172: Some types of incorrectly formatted SNMP OID requests may lead to failure of the NetScaler appliance.

System Issues

  • Issue ID 91005: Client and server-side connections for RNAT do not log TCP 4-tuple information, connection duration, and bytes transferred.
  • Issue ID 91561: If you run the shell command showtechsupport to create a collector file, "pciconf -lcv" is also executed. The output of the command appears under <collectorfile>/shell/pciconf-lcv.out.
  • Issue ID 91606 (nCore): When a layout file is used with nCore to run PEs on different CPUs, if a PE ID is greater than the ID of the CPU running the PE, the profiler fails.
  • Issue ID 91693: If there is no URI-QUERY string after the "?" (example: http://search.citrix.com/search?), the client side weblog report must indicate the NULL value by showing "-". However, nothing is recorded in the weblog report.
  • Issue ID 92654: Setting the deprecated "recvbufsize" parameter through the "set ns tcpparam" command throws an "argument deprecated" error in the CLI but still modifies the global tcpprofile nstcp_default_profile.
  • Issue IDs 93094 and 93983: If the nsconfigaudit tool cannot allocate the memory required for comparing large configurations, the tool fails.
  • Issue ID 94674: If a server (lb virtual server or cs vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on reboot.

Web Interface Issues

  • Issue ID 92859 (nCore and nCore VPX): The "Enable access through mobile receiver" option in the Web Interface GUI wizard activates web interface sites for most mobile platforms but is known to work for the following:
    • iPhone Receiver.
    • iPad Receiver.
    • Android Receiver.
    • Blackberry Receiver.
    • Mac Receiver.
    • iPad web browser.
    • Wyse Terminals.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 92054: If you enable multi-stream connection policy settings in either XenApp 6.5 for Windows Server 2008 R2 or XenDesktop 5.5 and you install the Access Gateway Plug-in by using an MSI package, Access Gateway does not establish multi-stream connections to the resource, although XenApp and XenDesktop launch on the user device in a single stream.
  • Issue ID 91832: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue IDs 80175 and 82022: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89427: If users connect with the Access Gateway Plug-in by using an Airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, the Access Gateway Plug-in fails to reestablish the connection when users resume the user device from standby or hibernation. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Outlook regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 86122: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires, but the session is not terminated on Access Gateway.
  • Issue ID 86123: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue IDs 86470 and 86787: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Application Firewall Issues

  • Issue ID 83089: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850 (nCore and nCore VPX): The NetScaler appliance drops TCP packets when the server has to send a full-size packet that has the DF bit unset across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908 (nCore): In certain rare cases, if the NetScaler MPX appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862 (nCore and nCore VPX): In this release, IPv6 addresses are not supported.

Domain Name System Issues

  • Issue ID 93203 (nCore): A DNS policy that is bound to a GSLB service is not evaluated if the GSLB method is set to dynamic round trip time (RTT).

Load Balancing Issues

  • Issue ID 82872: The setting for maximum requests per connection may be violated during a transaction with the physical server.
  • Issue ID 82929: When a TCP monitor is used for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096: When configuring the WI-EXTENDED monitor, specify a sitepath value that does not end with a '/'. For example: add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc
  • Issue ID 87201 (Classic and nCore): On a load balancing virtual server for TCP services on which stateful connection failover is enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred.
  • Issue ID 87407 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies by using Session Directory. You need not explicitly configure persistence on the NetScaler. In the next releases, IP address based persistence will be supported. In some situations (where multiple persons use the same user-login credentials), session cookie persistence may not be helpful and IP-based persistence methods will be necessary. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.
  • Issue ID 88593 (nCore): After failover, the 'maxclient' setting on a service is not honored.
  • Issue ID 90271: The NetScaler appliance internally represents the servicegroup members with unique names. From the NetScaler release 9.3, the internal naming convention changed because the delimiters used in the servicegroup member name are changed. The earlier format is: <service group name>_<IP address>_<port>. The new format is: <servicegroup name>?<IP address | server name>?<port>. Because of this change, application scripts that parse the servicegroup member name and extract the fields based on the delimiter "underscore" ("_"), will fail because the delimiter is now changed to "question mark" ("?").
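
A parser that accepts both servicegroup member name formats described under Issue ID 90271 (in this build's list and in the earlier one), so that a script keeps working across the upgrade. This is an added example, not Citrix code; the sample names are constructed, and it assumes that group and server names may contain underscores and that the port is numeric.

```python
import ipaddress
from typing import NamedTuple


class Member(NamedTuple):
    servicegroup: str
    server: str   # IP address, or (9.3 format only) a server name
    port: int
    fmt: str      # "9.3" or "pre-9.3"


def _port(text: str) -> int:
    # Assumption: the port field is a decimal number in the range 0-65535.
    if not (text.isascii() and text.isdigit()) or int(text) > 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def parse_member(name: str) -> Member:
    """Split a servicegroup member name into its three fields."""
    if "?" in name:
        # 9.3 format: <servicegroup name>?<IP address | server name>?<port>
        parts = name.split("?")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed 9.3 member name {name!r}")
        group, server, port = parts
        return Member(group, server, _port(port), "9.3")

    # Pre-9.3 format: <service group name>_<IP address>_<port>.
    # The group name may itself contain underscores, so split from the right.
    parts = name.rsplit("_", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed pre-9.3 member name {name!r}")
    group, server, port = parts
    try:
        ipaddress.ip_address(server)  # this format carries an IP address only
    except ValueError:
        raise ValueError(f"not an IP address in {name!r}: {server!r}") from None
    return Member(group, server, _port(port), "pre-9.3")


# Constructed sample names (not taken from a real appliance).
SAMPLES = [
    "sg_web_prod_10.0.0.5_80",        # pre-9.3
    "sg_web_prod?10.0.0.5?80",        # 9.3, member identified by IP address
    "sg_web_prod?app_server_1?8443",  # 9.3, member identified by server name
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", parse_member(sample))
    # What a script that splits on "_" sees for a 9.3 name:
    print(SAMPLES[2].split("_"))
```

Rejecting malformed names with an exception, rather than returning partial fields, keeps a monitoring or provisioning script from silently acting on the wrong server or port.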

NetScaler SDX Appliance Issues

  • Issue ID 86597: The "Configuration" tab does not load on Internet Explorer version 9.0.

    Workaround: Run Internet Explorer version 9.0 in compatibility mode.

  • Issue ID 88515: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556: While provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters later.

    Workaround: To correct the parameter values, log on to the NetScaler instance through the Xen Console. You also need to correct the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148: When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.

Platform Issues

  • Issue ID 87419 (nCore): When you launch the remote console from the LOM configuration utility on the MPX 11500/13500/14500/16500/18500 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. Note that the appliance may become unresponsive for approximately 60 seconds when you reset the LOM firmware. Warning: You should reset the LOM firmware only when one of the following conditions applies:
    • The appliance has just been installed.
    • The appliance is the secondary node in a high availability setup.
  • Issue ID 90018 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting Issues

  • Issue ID 85025 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 80830 (nCore): If you attempt to delete an SSL certificate-key pair that is referenced by a certificate revocation list (CRL), the message, "ERROR: Configuration possibly inconsistent. Please check with the 'show configstatus' command or reboot," appears instead of the correct message. However, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate," appears upon subsequent attempts to delete the certificate-key pair.
  • Issue ID 81850 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type: openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393: A DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.
  • Issue ID 74279: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.

System Issues

  • Issue ID 84099 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server that uses the token method for load balancing and has connection failover enabled.
  • Issue ID 84282: A global setting of less than 1220 for the maximum segment size (MSS) to use for TCP connections causes an excessive delay in saving the configuration.
  • Issue ID 84320 (nCore and nCore VPX): The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 94133: If a server (lb virtual server or cs vserver) is configured with the same IP address, port, and protocol as the server configured in the audit syslog or nslog action, the configured virtual server will be deleted on upgrading from 9.3_47.5 to 9.3_51.5.
    Workaround: Do the following:
    1. Remove the audit policy and action.
    2. Add the deleted virtual server.
    3. Add the audit policy and action.
    4. Save the configuration.

Web Interface Issues

  • Issue ID 89052 (nCore and nCore VPX): The response from a Web Interface site, configured in direct mode, may have Java errors.

XML Issues

  • Issue ID 81650: The NetScaler import utility validates XML schemas during import, but it may fail to validate certain XHTML files that are imported as XMLSchema. These invalid XML schemas are, however, rejected if the user tries to use them in profile configuration (XMLValidation binding).
  • Issue ID 82058: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707: The import feature for schema and WSDL files does not support non-ASCII characters. If an imported WSDL or schema file contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170: The syntax of the "unset servicegroup" command has been changed to allow unsetting the parameters of the service group members. This can cause XML API incompatibility with respect to the "unset servicegroup" command.

Build 51.5

Release version: Citrix® NetScaler® release 9.3 build 51.5

Replaces build: None

Release date: August 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Issues

  • Issue ID 89587 (Classic and nCore): If you use Internet Explorer with the 'Display a notification for every script error' option enabled, when you access a virtual server on which AAA TM is configured, script error windows are displayed.

Access Gateway Issues

  • Issue ID 85276: If Access Gateway does not receive responses from queries sent to servers running the Secure Ticket Authority (STA), a new connection is opened for each STA query. When this occurs, Access Gateway fails.
  • Issue ID 87967: If you configure LDAP authentication on Access Gateway with nested Group Extraction enabled, when users log on with the Access Gateway Plug-in and the connection routes through a virtual IP address, authentication may fail due to a communication failure between Access Gateway and Active Directory.
  • Issue ID 89116: When users log on with the Access Gateway Plug-in on computers running Windows XP and Vista, the Avaya IP Softphone application does not open.
  • Issue ID 89641: If you configure group extraction and groups on the authorization server exceed 16 kilobytes (KB), when users log on they might receive an HTTP 500 Internal server error message.
  • Issue ID 89855: If you create a pre-authentication policy to check for a registry entry and use a large integer value, such as CLIENT.REG('HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Eventlog_RegCheck02').VALUE == 4052471216, user authentication fails.

AppFlow Issues

  • Issue ID 91472 (nCore and nCore VPX): The AppFlow feature is re-enabled on a service when you disable it by using the respective Configure Service dialog box.
  • Issue ID 92796 (nCore and nCore VPX): NetScaler appliance fails when attempting to export L7 AppFlow records to the collector because of an internal issue.

Application Firewall Issues

  • Issue ID 81616: Attempts to upload a 10 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 89103: In some cases with application firewall enabled, malformed HTTP requests can cause users to re-login.
  • Issue ID 91607: Some internal counters were being incremented incorrectly. This has been fixed.
  • Issue ID 91695: The application firewall (AppFw) does not check for XSS vulnerabilities in HTTP request headers if the attack pattern is percent-encoded. A customer observed that an XSS attack in the Cookie header of a request is not detected because the attack is percent-encoded.
  • Issue ID 91738: When both AppFw and integrated caching (IC) are enabled, for requests that match advanced profiles, if the responses are already cached in IC, the client connection may be reset intermittently.
  • Issue ID 92143: Setting "-enableformtagging off" in the "add appfw profile" command worked in 9.2 builds but triggers a false ERROR from 9.3 builds onward. As a result, any "add appfw profile" command that contained "-enableformtagging off" failed with this ERROR after an upgrade, and the affected profiles were lost.
  • Issue ID 92297: AppFw runs out of memory when processing HTTP traffic. The cause is a memory leak in the AppFw HTML form processing code.
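
The gap described in Issue ID 91695, shown as an added example that is not Citrix code and does not reproduce the application firewall's signature set: a header scanner that matches raw values misses a percent-encoded pattern, and catches it once values are decoded first. The pattern list, function names, decode limit, and sample headers are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Illustrative patterns only (assumption); a production signature set is far larger.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"<[^>]*\bon\w+\s*=", re.IGNORECASE),
]

# Assumed bound on nested decoding so a crafted value cannot force unbounded work.
MAX_DECODE_ROUNDS = 3


def percent_decode(value, max_rounds=MAX_DECODE_ROUNDS):
    """Decode %XX escapes repeatedly until the value stops changing.

    Returns (decoded_value, rounds_used, limit_hit). Malformed escapes such
    as "%zz" are left untouched by unquote(), so they never raise.
    """
    current, rounds = value, 0
    while rounds < max_rounds:
        decoded = unquote(current, errors="replace")
        if decoded == current:
            return current, rounds, False
        current, rounds = decoded, rounds + 1
    # Still decodable after the limit: report the nesting itself as suspicious.
    return current, rounds, unquote(current, errors="replace") != current


def looks_like_xss(text):
    """True if any illustrative pattern matches the text."""
    return any(p.search(text) for p in XSS_PATTERNS)


def scan_headers(headers, decode=True):
    """Return (header_name, reason, decode_rounds) for each suspicious header.

    decode=False models the behavior in the issue: patterns are matched
    against the raw header value, so encoded input passes unnoticed.
    """
    findings = []
    for name, value in headers:
        if not decode:
            if looks_like_xss(value):
                findings.append((name, "xss-pattern", 0))
            continue
        decoded, rounds, limit_hit = percent_decode(value)
        if looks_like_xss(decoded):
            findings.append((name, "xss-pattern", rounds))
        elif limit_hit:
            findings.append((name, "encoding-depth-exceeded", rounds))
    return findings


# Constructed sample request headers (not captured traffic).
SAMPLE_REQUEST_HEADERS = [
    ("User-Agent", "Mozilla/5.0 (constructed sample)"),
    ("Cookie", "session=abc123; theme=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("Referer", "https://example.test/%253Cscript%253E"),
    ("X-Deep", "%2525253Cscript%2525253E"),
    ("X-Note", "100%zz plain text"),
]

if __name__ == "__main__":
    print("raw match:    ", scan_headers(SAMPLE_REQUEST_HEADERS, decode=False))
    print("decoded match:", scan_headers(SAMPLE_REQUEST_HEADERS, decode=True))
```
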

CloudBridge Issues

  • Issue ID 91805 (nCore and nCore VPX): The NetScaler appliance crashes while sending a TCP RST to devices in the cloud whose connections it manages.

DataStream Issues

  • Issue ID 89076 (nCore and nCore VPX): The "Database Users" subnode in the configuration utility that lets you configure your database user name and password on the NetScaler is now moved under the "System" node. Therefore, to add a database user by using the configuration utility, in the navigation pane, expand "System", and then click "Database Users".
  • Issue ID 89643 (nCore and nCore VPX): If you have a service for SQL Server 2005 bound to a load balancing virtual server of type MS SQL, you cannot connect to the virtual server by using SQL Management Studio 2008.
  • Issue ID 92022 (nCore and nCore VPX): The authentication response from MS SQL Server is not interpreted correctly, thus leading to connection failure.
  • Issue ID 92075 (nCore and nCore VPX): The user name in MS SQL Server is not case sensitive, but the NetScaler handles it as case sensitive, which causes authentication failure.

High Availability Issues

  • Issue ID 90067 (nCore and nCore VPX): If the name of an RTSP load balancing virtual server has more than 31 characters, the NetScaler appliance might fail.
  • Issue ID 91790: While configuration synchronization is in progress, if the failover process is triggered and the current secondary appliance becomes the primary appliance, the 'clear config' propagates to the new secondary appliance.

Integrated Caching Issues

  • Issue ID 90810: A cache miss occurs when a content-coding value (for example, "gzip" or "compress") in the Accept-Encoding header is accompanied by a quality value (or "qvalue"). Following is an example of an Accept-Encoding header that results in a cache miss:

    Accept-Encoding: gzip;q=1.0

Load Balancing Issues

  • Issue ID 90211 (Classic, nCore, and nCore VPX): If USIP is enabled and an HTTP request with CONNECT method comes on an existing connection, connections to LB proxy servers get reset.
  • Issue ID 90423: When using the WI EXTENDED MONITOR for monitoring the Web Interface services, in the response to the GET request, if the 'ASP' string is not sent in the first SET cookie, the monitor failed.
  • Issue IDs 92081, 92140, and 92215 (nCore): In some rare cases, the NetScaler appliance fails.

NetScaler SDX Appliance Issues

  • Issue ID 91335: In certain complex SDX configurations involving LA and HA, one or more 1G interfaces might not begin to receive traffic. A 'reset interface' is then needed to start RX traffic flowing. This is applicable to the e1kvf 1G interfaces only, not the management interfaces.
  • Issue ID 91797: Two options, "Force Shut Down" and "Force Reboot", have been added that let you shut down and restart a NetScaler instance forcefully. You can use these options if normal shut down and/or reboot operations are not working on a particular instance.

Networking Issues

  • Issue ID 85290: The NetScaler appliance might fail if you remove an IP address from the appliance that is in the same subnet on which you have configured a SYSLOG or AUDITLOG server.
  • Issue ID 85794: The NetScaler appliance sends malformed BGP update messages in which the Path attributes length value is not properly set and overwrites the withdrawn routes length. This happens because BGP uses circular buffers for sending messages and there was a minor error during rewinding of the buffer. Therefore, this problem is randomly observed during rewinding.
  • Issue ID 91377: Ports leak during passive FTP. This issue was observed when a client initiated a control connection and requested a data connection but did not come back for the data connection.

Platform Issues

  • Issue ID 91829: Perl scripts using SSLeay do not function as expected if they are running on NetScaler release 9.3 build 50.3 and earlier.

Policies Issues

  • Issue ID 91579: After the configuration is cleared on a standalone NetScaler appliance, the indexes in the built-in pattern set "ctx_file_extensions" are changed to incorrect values. Consequently, built-in cache policies like "ctx_images" and "ctx_web_css" are evaluated incorrectly. In a high availability setup, the issue also occurs in the secondary appliance after configuration synchronization and in both appliances after a failover.
  • Issue ID 91660 (Classic): NetScaler Classic (non-nCore) systems might fail when evaluating the following policy-based entities:
    • An HTTP callout that includes a named expression.
    • A named expression that triggers an HTTP callout.
  • Issue ID 92265: If an encrypted cookie value is truncated in an HTTP request, the NetScaler appliance may fail when attempting to decrypt the value. This applies to rewrite actions that use the ENCRYPT() and DECRYPT() functions and to Application Firewall cookie encryption.

Rewrite Issues

  • Issue ID 87691: If rewrite is enabled, and if a server sends an amount of data that is more than the specified content length or includes data in the response body for responses that should not have a body (such as a 304 response), in some cases, rewrite does not work.

SSL Issues

  • Issue ID 90331 (nCore): On the MPX 9700/10500/12500/15500 10G FIPS appliances in a high availability setup, key management commands such as "add ssl certkey" may fail while accessing the FIPS keys in the FIPS card. This may result in higher CPU utilization and a longer time for the secondary appliance to synchronize commands from the primary appliance.

System Issues

  • Issue ID 92367: The value of allocated memory that is displayed for CONN_POOL in the output of the "nsconmsg -d memstats" command is incorrect. This issue is observed when a large amount of memory is allocated to CONN_POOL on NetScaler appliances that have large memory resources.

VPX Issues

  • Issue ID 90689 (nCore VPX): The NetScaler VPX virtual appliance installed on the Citrix XenServer fails when it receives a frame with a packet size of more than 1514 bytes.
  • Issue ID 92065 (nCore VPX): On a NetScaler VPX appliance, you cannot modify the HAmonitor or the tagall parameter for an interface by using the configuration utility.

Web Interface Issues

  • Issue ID 85473 (nCore and nCore VPX): The show techsupport command is updated to collect the WebInterface.conf files from the NetScaler appliance.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 91832: If users log on with the Access Gateway Plug-in and then put the user device into hibernation, when the device resumes from a different network, the Access Gateway Plug-in reconnects, but when users log off, the default route might be deleted. Users can restart their device to obtain the network route.
  • Issue ID 80175 and 82022: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:

    1. Disable split tunneling.

    2. Configure Access Gateway so user connections do not receive an intranet IP address.

    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:

    • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
    • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
    • Contact the manufacturer for other devices.
  • Issue ID 89427: If users connect with the Access Gateway Plug-in by using an airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, when users put the user device in standby or hibernation and then resume the device, the Access Gateway Plug-in fails to reestablish the connection. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:

    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.

    2. Bind the Outlook Web Outlook regular expression to this profile.

    3. Bind the profile so that it assumes the highest priority.

  • Issue ID 85861: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 85906: When users log on with an earlier version of the Access Gateway Plug-in, users do not receive the upgrade prompt and the user device receives a session ID. However, the session is not established, and both the Web browser's attempt to load the file services.html and the plug-in upgrade fail.
  • Issue ID 86122: If you disable transparent interception and set the force time-out setting, when users log on with the Access Gateway Plug-in for Java and the time-out period expires, a session time-out message appears on the user device; however, the session is not terminated on Access Gateway.
  • Issue ID 86123: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue ID 86470 and 86787: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Application Firewall Issues

  • Issue ID 83089: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 86782: Importing appfw objects such as signatures, htmlerror page, and so on, may fail on first attempt if the import command contains a very long source URL. The command will succeed if executed a second time.
  • Issue ID 0259458: Attempts to upload a 30 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.

CloudBridge Issues

  • Issue ID 91850 (nCore and nCore VPX): The NetScaler drops TCP packets when the server has to send a full-size packet that has the DF bit unset across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908 (nCore and nCore VPX): In certain rare cases, when the NetScaler appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862 (nCore and nCore VPX): In this release, IPv6 addresses are not supported.

Load Balancing Issues

  • Issue ID 82872: The setting of maximum requests per connection may be violated when a transaction is going on with the physical server.
  • Issue ID 82929: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096: When configuring the WI-EXTENDED monitor, the user must provide a value for sitepath that does not end with a '/'.

    For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc

  • Issue ID 87201 (Classic and nCore): On a load balancing virtual server for TCP services on which stateful connection failover is enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred. 
  • Issue ID 87407 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies using Session Directory. You need not explicitly configure persistency on NetScaler. In the next releases, IP address based persistency will be supported.

    In some situations (where multiple persons use the same user-login credentials), session cookie persistence may not be helpful and IP-based persistence methods will be necessary. In some other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.

  • Issue ID 88593 (nCore): After failover, the 'maxclient' setting on a service is not honored.

NetScaler SDX Appliance Issues

  • Issue ID 88515: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556: While provisioning a NetScaler instance, if you have entered invalid NetScaler settings for the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters later.

    Workaround: To rectify the parameter values, log on to the NetScaler instance through the Xen Console. You also need to rectify the values for this instance in the XenStore.

    After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface without selecting any specific instance by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148: When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.

Platform Issues

  • Issue ID 87419 (nCore): When you launch the remote console from the LOM configuration utility on the MPX 11500/13500/14500/16500/18500 appliance, remote keyboard redirection does not work.

    Workaround: Reset the LOM firmware. Note that the appliance may become unresponsive for approximately 60 seconds when you reset the LOM firmware.

    Warning: You should reset the LOM firmware only when one of the following conditions applies:

    • The appliance has just been installed.
    • The appliance is the secondary node in a high availability setup.
  • Issue ID 90018 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting Issues

  • Issue ID 85025 (nCore and nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 80830 (nCore): When you attempt to delete an SSL certificate key-pair object that is referenced by a Certificate Revocation List (CRL), the message, "ERROR: Configuration possibly inconsistent. Please check with the "show configstatus" command or reboot," is displayed.

    This message is not the intended message. However, on the subsequent attempt to delete the certificate key-pair object, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate," is displayed.

  • Issue ID 81850 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

  • Issue ID 85393: DSA certificate signed with the SHA-2 algorithm is not supported in the client authentication process.
  • Issue ID 74279: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.

System Issues

  • Issue ID 84099 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server on which connection failover is enabled and the load balancing method is the token method.
  • Issue ID 84282: If the global setting for the maximum segment size (MSS) to use for TCP connections is less than 1220, the NetScaler appliance causes an excessive delay in saving the configuration.
  • Issue ID 84320: The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.

Web Interface Issues

  • Issue ID 89052 (nCore and nCore VPX): The response from a Web Interface site, configured in direct mode, may have Java errors.

XML Issues

  • Issue ID 81650: The NetScaler import utility validates XML schemas during import. However, it may fail to validate certain XHTML files when they are imported as XMLSchema. These invalid XML schemas are nevertheless rejected if the user tries to use them in a profile configuration (XMLValidation binding).
  • Issue ID 82058: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707: The import feature for schema and WSDL files does not support non-ASCII characters. If an imported WSDL or schema file contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170: The syntax of the unset servicegroup command has been changed to allow unsetting of the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.

Build 50.3

Release version: Citrix® NetScaler® release 9.3 build 50.3

Replaces build: None

Release date: July 2011

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (Classic, nCore, and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

Access Gateway Issues

  • Issue ID 81781: When users connect to Access Gateway and change an expired password on the challenge response page, users can enter up to 256 characters. If users create a password with more than 31 characters, however, when they log on again, Access Gateway displays a 401 authentication error and logon fails.
  • Issue ID 87050: When users log on with Citrix online plug-ins and you configure Access Gateway in a high availability pair, if the primary appliance fails, occasionally the connection fails and users receive an error message stating that the connection to the appliance is interrupted.
  • Issue ID 90098: If there is a large amount of network traffic through the Access Gateway VPN tunnel and if users access 40,000 or more resources through the tunnel, access to new resources fails.

Application Firewall Issues

  • Issue ID 89103: In some cases with application firewall enabled, malformed HTTP requests can cause users to re-login.
  • Issue ID 89417: Relaxation rules for transformation of SQL special characters do not work in some cases.
  • Issue ID 90909: Config sync is triggered every minute instead of exponentially backing off when files required by the configuration are missing on the secondary appliance.

Cache Redirection Issues

  • Issue ID 91008: If the cache redirection virtual server receives a request without a slash (/) after the hostname (at the end of a request), the request gets corrupted when it is sent to the destination. When the NetScaler sends the request to the destination, the space between ‘/’ and ‘HTTP/1.1’ is missing.
  • Issue ID 91062: If forward proxy is configured, NetScaler always connects to the physical server using port 443 instead of using the port specified in the client request, and there is a failure in serving the request.

CloudBridge Issues

  • Issue ID 89428 (nCore and nCore VPX): This build supports the NAT implementation of RFC 3947 and 3948 so that cloud bridge peers can communicate properly when any of the peers is behind a NAT device. For more information about configuring a cloud bridge, see the "Cloud Bridge" chapter of the Citrix NetScaler Networking Guide at http://support.citrix.com/article/CTX128671.

Configuration Utility Issues

  • Issue ID 88379: The "NetScaler Management Pack for System Center Operation Manager 2007 (SCOM)" can now be downloaded from the NetScaler GUI Downloads page. The Citrix NetScaler Operation Manager pack provides monitors and rules to monitor the NetScaler systems deployed in your network. The Citrix NetScaler Performance and Resource Optimization (PRO) Management Pack (MP) provides monitors and rules to monitor the health of the virtual servers configured on the managed NetScaler systems and initiate corrective actions using the PRO feature of SCVMM when the virtual servers become unhealthy.

Content Switching Issues

  • Issue ID 89906: The NetScaler appliance does not support content switching based on the parameters of a stored procedure call for database protocols.

DataStream Issues

  • Issue ID 88227 (nCore): The NetScaler appliance does not support the MySQL server version 5.5.7 or later. The NetScaler fails when you log on to the MySQL load balancing virtual server.
  • Issue ID 90228 (nCore and nCore VPX): You can use the following expressions to configure content switching based on remote procedure call (RPC) names or IDs:
    • MSSQL.REQ.RPC.NAME. Returns the name of the procedure that is being called in a remote procedure call (RPC) request. The name is returned as a string.
    • MSSQL.REQ.RPC.IS_PROCID. Returns a Boolean value that indicates whether the remote procedure call (RPC) request contains a process ID or an RPC name. A return value of TRUE indicates that the request contains a process ID and a return value of FALSE indicates that the request contains an RPC name.
    • MSSQL.REQ.RPC.PROCID. Returns the process ID of the remote procedure call (RPC) request as an integer.
  • Issue ID 91217: For MySQL virtual servers, the NetScaler appliance does not correctly handle a query of the format 'SET NAMES 'UTF8'' with the character set name in quotation marks. This causes the further requests on the same connection to fail.

EdgeSight Monitoring Issues

  • Issue ID 90241: When EdgeSight monitoring is enabled on a LB/CS VIP, the user is given options to choose if the responses to the clients from that VIP should be compressed or not. The decision to bind/unbind compression policies to that VIP will be taken accordingly.

Integrated Caching Issues

  • Issue ID 89374 (Classic): If all three of the following conditions are met, the NetScaler appliance fails when it receives a request for an object and attempts to revalidate and serve it:
    • The content group setting "alwaysEvalPolicies" is set to YES.
    • The response cached in this group has status codes greater than 300.
    • The object is in expired state.

Load Balancing Issues

  • Issue ID 81582: When an SNIP address is configured as an ADNS service and the ADNS server's IP address is later changed, the ADNS count for the old IP address is not decremented, and an error occurs when you try to remove the old IP address. Example:

    add ip 1.1.1.1 255.255.255.0 [configured as SNIP]

    add service adns 1.1.1.1 adnS 53 [configuring the same IP as ADNS]

    set server 1.1.1.1 -ipaddress 1.1.1.2 [changing the adns server IP to new IP]

    rm ip 1.1.1.1 [Removing old IP returns error]

  • Issue ID 82185 (nCore): In low-traffic scenarios, least connection load balancing becomes uneven, for example, when a service receives only two or three requests per second and takes an average of 800 milliseconds to respond with the first byte. To make load balancing precise and even in such scenarios, the following option is provided:

    set lb parameter -consolidatedLConn ( YES | NO )

    By default, the option is set to YES. Set consolidatedLConn to NO only if least connection load balancing is uneven in low-traffic scenarios.

  • Issue ID 82571: When a load balancing virtual server and a content switching virtual server are configured on the NetScaler appliance and a server connection terminates, some counters on the load balancing virtual server, such as open established connections (OEs), are not decremented until the connection is flushed. This may lead to side effects such as unnecessary spillover.
  • Issue ID 87893: If you set the maxclient value very low, the NetScaler appliance closes connections frequently instead of reusing them.
  • Issue ID 89697 (nCore): If all the Branch Repeater appliances bound to a load balancing virtual server are DOWN, the NetScaler appliance should bypass the Branch Repeater appliances and send traffic directly to the data center.
  • Issue ID 90426 (nCore and nCore VPX): The MS-SQL ECV monitor may have errors when the expected response is a result set.
  • Issue ID 90917: When you create a load balancing monitor of type MSSQL-ECV, the default expression prefix is now changed from HTTP to MSSQL. When you create a load balancing monitor of type MySQL-ECV, the default expression prefix is now changed from HTTP to MySQL.

NetScaler SDX Appliance Issues

  • Issue ID 90966: When you modify the nsroot user, if the password contains special characters such as $, the password is not updated correctly on the hypervisor and the management VM can no longer communicate with the hypervisor.

Networking Issues

  • Issue ID 88583: When OSPF authentication is in use and the packet size is 512, the authentication digest verification on the NetScaler can fail, resulting in dropped packets.

NITRO API Issues

  • Issue ID 90781: In getlbvserver, cookieipport information is missing for servicegroup bindings. In the lbvserver response structure, servicegroup member information is missing.

Platform Issues

  • Issue ID 88559 (nCore): On the MPX 17500/19500/21500 and MPX 11500/13500/14500/16500/18500 appliances, programming the IP address, default gateway, and netmask from the front panel keypad does not work. Note: You can use the keypad for this purpose only when the appliance has a factory default configuration.
  • Issue ID 91248 (nCore): The following table shows the maximum throughput available on the Citrix NetScaler MPX 11500/13500/14500/16500/18500 appliances.

    Model    Maximum throughput (in Gbps)
    11500    8
    13500    12
    14500    18
    16500    24
    18500    36

SNMP Issues

  • Issue ID 90440: An SNMP request from a manager does not get a response from the NetScaler if an RNAT rule has been configured on the NetScaler for the manager's subnet with a SNIP as natip and that SNIP has dynamic routing enabled on it.

SSL Issues

  • Issue ID 89491: If a policy for client authentication during renegotiation over the SSLv3 protocol is configured on the backend server, the NetScaler fails during SSL renegotiation.

System Issues

  • Issue ID 88885 (nCore and nCore VPX): During race conditions between user logins and session timeouts on the NetScaler appliance, if a core-to-core message for logout request handling fails, the core that receives the logout message might not clean up the user session. When a user whose session has not been cleaned up logs on to the appliance again, session duplication occurs on the core and the appliance might fail.
  • Issue ID 89527: The NetScaler appliance fails when a large number of pipelined HTTP POST requests with large content lengths are received over the same client-side connection.
  • Issue ID 89864: When a server does not receive a window update sent by the NetScaler appliance, download latency is observed.
  • Issue ID 89986 (nCore and nCore VPX): If adding an IP address on the NetScaler failed on one packet engine (PE) and succeeded on the other PEs, the configuration became inconsistent across the PEs. A recovery mechanism has been added: if the "add ip" command fails on one PE, the command is reverted on all the PEs on which it succeeded.
  • Issue ID 90715 (nCore): If the channel is DOWN or disabled, the sh channel command always reports the channel downtime as 0h00m00s; that is, the downtime does not increase. However, the sh interface command reports the correct channel downtime.

Web Interface Issues

  • Issue ID 90121 (nCore and nCore VPX): Launching a XenApp application fails on an iPad when using Web Interface on NetScaler through Safari, with the error "Unable to download file". The root cause is that Safari on the iPad does not pass the downloaded ICA file to Citrix Receiver correctly because the file extension is jsp. From 9.3 build 50.1 onwards, this issue is fixed by a rewrite policy, configured in the WI wizard, that changes the file extension to .ica when the ICA file is downloaded.
  • Issue ID 90658 (nCore and nCore VPX): If a VPN vserver is configured on a port other than 443, single sign-on from Access Gateway to Web Interface fails, and the Web Interface login remains stuck on a blank page at agesso.jsp when users log on to the Web Interface through Access Gateway. The root cause was an incorrect port configuration in AGEWebServiceURL within WebInterface.conf for the Web Interface site. Also, the DNS record for the Access Gateway VIP was not added correctly. This issue is resolved in 9.3 build 50.x onwards.

XML Issues

  • Issue ID 68633: You cannot set the total import size limit to less than the currently imported object size.

Known Issues and Workarounds

Access Gateway Issues

  • Issue ID 80175 and 82022: If you enable split tunneling, split DNS, and assign an intranet IP address on Access Gateway, when users log on with the Access Gateway Plug-in using a mobile broadband wireless device that uses the Sierra driver (for example, Telstra Compass or AT&T USBConnect) on a Windows 7 computer, Domain Name Service (DNS) resolution fails and the home page fails to open. You can use one of the following options to resolve the issue:
    1. Disable split tunneling.
    2. Configure Access Gateway so user connections do not receive an intranet IP address.
    3. Configure the wireless device to use an Ethernet connection instead of a mobile broadband connection. For example:
      • Disable the setting Windows 7 Mobile Broadband in the Telstra Connection Manager Options dialog box.
      • Install Sierra Wireless Watcher (6.0.2849) if users connect with an AT&T USBConnect 881 network card. This installs an Ethernet adapter instead of the mobile broadband adapter.
      • Contact the manufacturer for other devices.
  • Issue ID 89427: If users connect with the Access Gateway Plug-in by using an Airtel 3G device and the Repeater Plug-in accelerates VPN traffic after the VPN connection is established, the Access Gateway Plug-in fails to reestablish the connection when users resume the device from standby or hibernation. When users disable acceleration with the Repeater Plug-in, restoration of the VPN connection is successful. Users can then enable acceleration with the Repeater Plug-in.
  • Issue ID 89439: If users connect with the Access Gateway Plug-in and a T-Mobile 3G device and if you enable split tunneling and assign an intranet IP address to users on Access Gateway, users cannot connect to either intranet or external resources. To allow users to connect to both internal and external resources, disable split tunneling.
  • Issue ID 89791: If users log on with a Windows-based computer that is not part of a domain by using a 3G network adapter and the Access Gateway Plug-in for Windows, requests that use the host name fail. In this instance, use the fully qualified domain name (FQDN) instead of the host name.
  • Issue ID 90675: If users log on with the Access Gateway Plug-in for Windows and then access a CIFS share by using the Run dialog box, when users navigate to a folder in the share and attempt to copy a file to another file share, users receive an error message and the attempt fails.
  • Issue ID 84787: When you issue the command "sh vpn vserver" on Access Gateway, the number of current ICA connections does not appear when Access Gateway is in Basic mode.
  • Issue ID 84986: If users log on with clientless access and attempt to open an external Web site (such as http://www.google.com) from the Email tab in the Access Interface, users might receive the Access Gateway logon page instead of the external Web site.
  • Issue ID 88268: If users attempt to open a large Microsoft Word file from a Distributed File Share (DFS) hosted on Windows Server 2008 64-bit, the Access Gateway fails.
  • Issue ID 81494: If users access a Distributed File Share on a computer running Windows Server 2008 64-bit, a blank folder appears in the directory path.
  • Issue ID 83492: When users log on using clientless access, a JavaScript error might appear when the logon page opens.
  • Issue ID 83819: If you configure a load balancing virtual server and the destination port is 21, when users log on with the Access Gateway Plug-in, logon is successful but data connections do not go through. When you configure a load balancing virtual server, do not use port 21.
  • Issue ID 84894: When users log off from the Access Gateway Plug-in and then clear the cache in Internet Explorer and Firefox, users might receive an error message that says "Error. Not a privileged user." Access Gateway records an HTTP/1.1 403 Access Forbidden error message in the logs.
  • Issue ID 84915: If users attempt to open and edit a Microsoft Office file from Outlook Web Access, users might receive an error and the file takes a long time to open. To allow users to edit files from Outlook Web Access, do the following:
    1. Create a clientless access Outlook Web Access Profile and enable persistent cookies.
    2. Bind the Outlook Web Access regular expression to this profile.
    3. Bind the profile so that it assumes the highest priority.
  • Issue ID 85861: If you enable ICA Proxy on Access Gateway, when users log on and attempt to open a virtual application, the connection to the Web Interface through Access Gateway times out and closes.
  • Issue ID 85906: When users log on with an earlier version of the Access Gateway Plug-in, users do not receive the upgrade prompt and the user device receives a session ID. However, the session is not established, and both the Web browser's attempt to load the file services.html and the plug-in upgrade fail.
  • Issue ID 86022: If you configure the user device to enable users to log on only using the Access Gateway Plug-in and then change the plug-in Web address to an unresolvable address, when users try to log on through the logon dialog box, an authentication error appears. Then, if users try to log on using the plug-in, the logon dialog box does not appear and users cannot change the Web address. Users should exit and then restart the plug-in to subsequently change the Web address.
  • Issue ID 86122: If you disable transparent interception and set the force time-out setting, and users log on with the Access Gateway Plug-in for Java, a session time-out message appears on the user device when the time-out period expires, but the session is not terminated on Access Gateway.
  • Issue ID 86123: If users log on with clientless access in the Firefox Web browser, when users click a link for a virtual application, the tab closes and the application does not start. If users right-click the virtual application and attempt to open it in a new window, the Web Interface appears and users receive the warning "Published resource shortcuts are currently disabled." Users can open the virtual application in Internet Explorer.
  • Issue ID 86323: If you configure single sign-on with Windows and configure the user name with special characters, when users log on to Windows 7 Professional, single sign-on fails. Users receive the error message "Invalid username or password. Please try again." This issue does not occur if users log on to Windows XP.
  • Issue ID 86470 and 86787: When users log on with the Access Gateway Plug-in for Windows using Internet Explorer 9, a delay may occur in establishing the connection. The Access Interface, or a custom home page, might take a long time to appear when users log on using Internet Explorer 9.
  • Issue ID 86471: When users log on with the Access Gateway Plug-in by using a Web browser, users might see a delay during logon.
  • Issue ID 86722: When users log on with clientless access using Internet Explorer 9 and connect to SharePoint 2007, some images might not appear correctly.

Application Firewall Issues

  • Issue ID 81616: Attempts to upload a 10 MB or larger file may fail when Cross-Site Scripting (XSS) and SQL Injection checks are enabled.
  • Issue ID 83089: Users can view the default signature rules in the configuration utility, but it would be useful to have a comprehensive list of all the rules available in documentation or white papers for users to review.
  • Issue ID 86782: Importing appfw objects, such as signatures and the htmlerror page, may fail on the first attempt if the import command contains a very long source URL. The command succeeds if executed a second time.

CloudBridge Issues

  • Issue ID 91805 (nCore and nCore VPX): The NetScaler crashes while sending a TCP RST to devices in the cloud whose connections it manages.
  • Issue ID 91850 (nCore and nCore VPX): The NetScaler drops TCP packets when the server has to send a full-size packet with the DF bit unset across the cloud bridge. This happens because of a bad checksum.

Command Line Interface Issues

  • Issue ID 82908: In certain rare cases, when the NetScaler appliance is subject to conditions of heavy SSL-related traffic, CLI commands fail and report a configuration inconsistency error.

    Workaround: Check for configuration inconsistency by using the "show configstatus" command and reconfigure the appliance under low traffic conditions or during a maintenance period. If this does not resolve the issue, restart the appliance.

DataStream Issues

  • Issue ID 83862 (nCore, nCore VPX): In this release, IPv6 addresses are not supported.

Integrated Caching Issues

  • Issue ID 81159: When the NetScaler appliance receives a single byte-range request, if the starting position of the range is beyond 9 megabytes, the appliance sends the client a full response with a status code of 200 OK instead of a partial response.

Load Balancing Issues

  • Issue ID 82872: The setting of maximum requests per connection may be violated when a transaction is going on with the physical server.
  • Issue ID 82929: When using a TCP monitor for a MYSQL service, the MySQL server blocks the MIP from making new connections.
  • Issue ID 82996: The MYSQL monitor shows the service state as UP when no SNIP or MIP is configured.
  • Issue ID 86096: When configuring the WI-EXTENDED monitor, you must provide a sitepath value that does not end with a '/'.

    For example:

    add monitor wi CITRIX-WI-EXTENDED -sitepath "/Citrix/DesktopWeb" -username aaa -password bbb -domain ccc

  • Issue ID 87201 (Classic, nCore): On a load balancing virtual server for TCP services on which stateful connection failover is enabled, an established connection may be broken if a failover occurs more than once while a large amount of data is being transferred.
  • Issue ID 87407 (nCore and nCore VPX): When an RDP service is configured, the NetScaler appliance automatically maintains persistence through session cookies using Session Directory. You need not explicitly configure persistence on the NetScaler. In the next releases, IP address based persistence will be supported. In some situations (where multiple persons use the same user-login credentials), session cookie persistence may not be helpful and IP-based persistence methods will be necessary. In other situations, load balancing of the RDP services without persistence may be necessary. That is, each new connection to an RDP virtual server needs to be load balanced irrespective of a user's disconnected session existing on a terminal server.

NetScaler SDX Appliance Issues

  • Issue ID 88515: Client authentication is enabled by default in the Management Service VM. Consequently, HTTPS connections fail when you access the Management Service VM user interface from the Apple Safari browser.
  • Issue ID 88556: While provisioning a NetScaler instance, if you have entered invalid NetScaler settings for the IP address, Netmask, or Gateway parameters, you cannot modify the values for these parameters later.

    Workaround: To rectify the parameter values, log on to the NetScaler instance through the Xen Console. You also need to rectify the values for this instance in the XenStore. After correcting the values in both places, rediscover the NetScaler instances from the Management Service VM user interface, without selecting any specific instance, by clicking Rediscovery in the NetScaler Instance pane.

  • Issue ID 89148: When you attempt to shut down the SDX appliance from the Management Service VM user interface, the appliance restarts instead of shutting down.
  • Issue ID 91335: In certain complex SDX configurations involving LA and HA, one or more 1G interfaces might not begin to receive traffic. A "reset interface" is then needed to start RX traffic flowing. This applies to the e1kvf 1G interfaces only, not the management interfaces.

Platform Issues

  • Issue ID 87419 (nCore): When you launch the remote console from the LOM configuration utility on the MPX 11500/13500/14500/16500/18500 appliance, remote keyboard redirection does not work.
    Workaround: Reset the LOM firmware. Note that the appliance may become unresponsive for approximately 60 seconds when you reset the LOM firmware. Warning: You should reset the LOM firmware only when one of the following conditions applies:
    • The appliance has just been installed.
    • The appliance is the secondary node in a high availability setup.
  • Issue ID 90018 (nCore): When you upgrade any MPX appliance, except MPX 15000/17000, to release 9.3 build 50.3, restart the appliance, and then apply the default configuration, the 1G interfaces are reset.

Reporting Issues

  • Issue ID 85025 (nCore, nCore VPX): Reporting charts do not support plotting of counters per packet engine.

SSL Issues

  • Issue ID 74279: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 80830 (nCore): When you attempt to delete an SSL certificate key-pair object that is referenced by a Certificate Revocation List (CRL), the message, "ERROR: Configuration possibly inconsistent. Please check with the "show configstatus" command or reboot," is displayed. This message is not the intended message. However, on the subsequent attempt to delete the certificate key-pair object, the correct message, "ERROR: Certificate is referenced by a CRL, OCSP responder, virtual server, service, or another certificate," is displayed.
  • Issue ID 81850 (nCore): You cannot import an external, encrypted FIPS key directly to an MPX 9700/10500/12500/15500 10G FIPS appliance.

    Workaround: First, decrypt the key, and then import it. To decrypt the key, at the shell prompt, type:

    openssl rsa -in <EncryptedKey.key> > DecryptedKey.out

System Issues

  • Issue ID 84099 (nCore): The NetScaler appliance may fail if traffic reaches a load balancing virtual server on which connection failover is enabled and the load balancing method is the token method.
  • Issue ID 84282: If the global setting for the maximum segment size (mss) to use for TCP connections is less than 1220, the NetScaler appliance takes an excessively long time to save the configuration.
  • Issue ID 84320 (nCore): The NetScaler appliance may fail if failover happens while high availability (HA) synchronization is in progress.
  • Issue ID 88593 (nCore): After failover, the maxclient configuration on a service is not honored.

Web Interface Issues

  • Issue ID 89052 (nCore and nCore VPX): The response from a Web Interface site, configured in direct mode, may have Java errors.

XML Issues

  • Issue ID 81650: The NetScaler import utility validates XML schemas during import. However, it may fail to validate certain XHTML files that are imported as XML schemas. These invalid XML schemas are rejected, though, if the user tries to use them in a profile configuration (XMLValidation binding).
  • Issue ID 82058: The 'unique' element in the XML schema is currently not supported.
  • Issue ID 82059: The 'redefine' element in the XML schema is currently not supported.
  • Issue ID 82069: When the application firewall validates XML messages, it does not validate the contents of elements that are defined as type "any" in the applicable XML schema. Specifically, it treats these elements as if the processContents attribute were set to "skip".

    Workaround: Replace the "any" type definitions in the XML schemas with definitions of the actual elements that occur in the XML message. (The "any" type is rarely used.)

  • Issue ID 83707: The import feature for schema and WSDL files does not support non-ASCII characters. If a WSDL or schema file being imported contains non-ASCII characters, the result is a partial import.

    Workaround: Convert XML schema or WSDL files to ASCII before importing them.

XML API Issues

  • Issue ID 80170: The syntax of the unset servicegroup command has been changed to allow unsetting of the parameters of the service group members. This can cause XML API incompatibility with respect to the unset servicegroup command.