- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 12.1-55.276 replaces Build 12.1-55.265.
- Citrix Secure Access agent (formerly known as Citrix Gateway plug-in for Windows) build 126.96.36.199 and later contains the fix for https://support.citrix.com/article/CTX341455. The Citrix Secure Access agent build 188.8.131.52 is included in the Citrix ADC build 12.1-55.276.
VMware ESX 7.0 update 1c support on Citrix ADC VPX instance
The Citrix ADC VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).[ NSHELP-26444 ]
Support to ignore the common name if subject alternate name (SAN) is present in SSL certificateThe Citrix ADC appliance now conforms to the RFC specification related to common name in a certificate as defined in https://tools.ietf.org/html/rfc6125%23section-6.4.4. A new parameter ndcppComplianceCertCheck is added.
When the appliance acts as a client (back-end connection), the common name is ignored during certificate verification if both of the following conditions are met:
- ndcppComplianceCertCheck parameter is set to YES (Default is NO).
- SAN is present in the certificate.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html.[ NSSSL-597 ]
Any of the following Citrix ADC upgrade operations might cause login failure for local system user accounts:
- from Citrix ADC 13.0-83.x build to Citrix ADC 13.1-4.x build
- from Citrix ADC 12.1-63.x build to Citrix ADC 13.1-4.x build
- from Citrix ADC 12.1-63.x build to Citrix ADC 13.0-82.x build
This issue is observed only for those local system user accounts that meet any of the following conditions:
- user password was changed for the local system account on the Citrix ADC build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
- the local system user account was added on the Citrix ADC build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
The system root administrator can reset the password for the local system user accounts facing the login failure issue.[ NSCONFIG-5650 ]
Changing default RPC node passwordsIn HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.[ NSCONFIG-2224 ]
Authentication, authorization, and auditing
Log in to Citrix Gateway endpoints using full URL bookmarked on user's machine browser fails, if the endpoint appliances have RelayStateRule expression configured in the samlAction command.
For example, if you try to login using the bookmarked full URL like https://citrixgateway.com/citrix/storeweb on your browser and try to login, the login fails.[ NSHELP-28098 ]
A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.[ NSHELP-21406 ]
- A Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain) and the users are in parent domain and services are in the child domain.[ NSHELP-20910 ]
In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.[ NSHELP-20181 ]
- In rare cases, there might be memory leak issues when handling authentication, authorization, and auditing sessions.[ NSHELP-19703 ]
The authentication from Citrix Workspace app fails when Citrix ADC is configured with SAML authentication and relayStateRule. The browser based login is not impacted.[ NSAUTH-10517 ]
In some cases, the Citrix ADC appliance crashes if any expired Authentication, authorization, and auditing session exists during the configuration clean-up.[ NSAUTH-7767, NSHELP-24764 ]
Citrix ADC management access is restricted through the console if a user is locked.[ NSAUTH-2821, NSAUTH-1885 ]
In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.[ NSHELP-28856 ]
- When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.[ NSHELP-21624 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.[ CGOP-16792 ]
Citrix Web App Firewall
If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.[ NSWAF-8668 ]
- A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.[ NSHELP-21283 ]
- A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.[ NSHELP-21220 ]
If you modify the checksum of the kernel provided by Citrix and then install the kernel, you might observe one of the following issues:
[ NSHELP-27420 ]
- The installns command completes. After the appliance restarts, it reports that the kernel installation could not be completed and the booting process halts. You must then load a different kernel to bring up the box.
- The installns command detects the mismatch and stops installation. An error message appears.
The Citrix ADC VPX appliance crashes on Azure while initializing a NIC resource. The crash leads to a kernel dump on the boot up process. This issue occurs when there is a delay in response to certain messages that the driver needs to send to the backend hypervisor as part of the initialization process. This delay is observed in the Mellanox Connectx3 and Connectx4 platforms. The fix is to increase the timeout value so that the driver waits for a longer duration to receive the response.[ NSHELP-21034, NSHELP-22206 ]
- In some cases, the following appliances might crash while running SSL traffic:
[ NSSSL-7606 ]
- MPX 59xx
- MPX/SDX 89xx
- MPX/SDX MPX 26xxx
- MPX/SDX 26xxx-50S
- MPX/SDX 26xxx-100G
- MPX/SDX 15xxx-50G
On MPX 8900 and MPX 15000 FIPS certified appliances, running ECDHE traffic can cause a memory leak.
[ NSHELP-30744 ]
A Citrix ADC appliance might dump core if the following conditions are met:
[ NSHELP-26114 ]
- Appliance is low on memory.
- DTLS is enabled.
- DEBUG level log is enabled.
A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.[ NSHELP-24560 ]
A Citrix ADC appliance might crash if the following conditions are met:
[ NSHELP-22934 ]
- A certificate-key pair is added with the expiry monitor option enabled.
- The certificate date is earlier than 01/01/1970.
The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.[ NSBASE-11747 ]
In a high availability setup, a Citrix ADC appliance might crash during a system user authentication process, if the following condition is met:
[ NSHELP-27066 ]
- The password hash computation takes more time to miss five heartbeats.