Release Notes for Citrix ADC 12.1-55.304 Build
Notes
- This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
- Build 12.1-55.304 replaces Build 12.1-55.302.
- This build also includes fixes for the following issues that existed in the previous Citrix ADC 12.1 release build: NSHELP-21991.
- Build 12.1-55.302 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX584986.
- Build 12.1-55.302 replaces Build 12.1-55.300.
What's New
Platform
Synchronize timer behavior in FreeBSD 11.4 and FreeBSD 8.4
The kernel clock and timer events in FreeBSD 11.4 are made to behave like those in FreeBSD 8.4, to improve the stability of the Citrix ADC VPX platform.
[ NSPLAT-26973 ]
FIPS is displayed in the output
The output of the `show version` command on an MPX appliance now shows FIPS if the underlying appliance is using a FIPS build.
For example,
>show version
Citrix ADC NS13.1: Build 37.106.nc, Date: Jan 23 2023, 01:34:26 (64-bit) (NS13.1-FIPS)
Done
[ NSPLAT-25763 ]
SSL
Changes to command output
The output of the "show fipsStatus" command on a VPX FIPS appliance shows additional information, such as the control plane and data plane cryptographic library version.
> sh fipsstatus
FipsStatus: System is operating in FIPS mode
Citrix ADC Cryptographic Module v1.0
Citrix ADC Control Plane Cryptographic Library v1.0
Citrix ADC Data Plane Cryptographic Library v1.0
Done
[ NSSSL-12374 ]
Validating the Basic Constraint during certificate verification
During certificate verification, the appliance now validates that the Basic Constraints extension of a CA certificate is set to CA:TRUE if "ndcppComplianceCertCheck" is set to YES in the "set ssl parameter" command.
[ NSSSL-12107 ]
Validating the X.509 extension during certificate verification
The following validations now happen during certificate verification if the "ndcppComplianceCertCheck" is set to YES in the "set ssl parameter" command:
- When the Citrix ADC appliance acts as a client, the Extended Key Usage X.509 extension in the server certificate must include the server authentication (serverAuth) purpose.
- When the Citrix ADC appliance acts as a server, the Extended Key Usage X.509 extension in the client certificate must include the client authentication (clientAuth) purpose.
[ NSSSL-12092 ]
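The two ndcppComplianceCertCheck rules above (NSSSL-12107: Basic Constraints CA:TRUE on issuer certificates; NSSSL-12092: serverAuth or clientAuth in the peer's Extended Key Usage depending on the appliance's role) written out as explicit checks. This is an added example in Go, not Citrix code, and it does not reproduce the appliance's verifier. It issues its own constructed test certificates with the standard library (the names "Constructed Root CA", "vip.example.test" and "user@example.test" are made up) and runs both checks against them, including the two ways an issuer fails the first rule: no Basic Constraints extension at all, and an extension with cA=FALSE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckBasicConstraints applies the CA rule: a certificate used as an issuer
// must carry a Basic Constraints extension with cA set to TRUE.
func CheckBasicConstraints(ca *x509.Certificate) error {
	if !ca.BasicConstraintsValid {
		return fmt.Errorf("CA certificate has no Basic Constraints extension")
	}
	if !ca.IsCA {
		return fmt.Errorf("CA certificate has Basic Constraints but cA is not TRUE")
	}
	return nil
}

// CheckExtendedKeyUsage applies the EKU rule: the peer certificate must list
// serverAuth when the appliance acts as client, clientAuth when it acts as server.
func CheckExtendedKeyUsage(peer *x509.Certificate, want x509.ExtKeyUsage) error {
	for _, eku := range peer.ExtKeyUsage {
		if eku == want {
			return nil
		}
	}
	return fmt.Errorf("peer certificate Extended Key Usage lacks required purpose (%d)", want)
}

var serial int64 // constructed, increasing serial numbers for the test certificates

// newTemplate builds a constructed template: a CA gets Basic Constraints
// cA=TRUE, a leaf carries no Basic Constraints extension at all.
func newTemplate(cn string, isCA bool, ekus []x509.ExtKeyUsage) *x509.Certificate {
	serial++
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: ku, ExtKeyUsage: ekus,
	}
}

// issue signs tmpl under parent with parentKey, or self-signs when parent is
// nil. It panics on failure because it only builds constructed test data.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenarios issues a constructed CA and leaves and returns each check's
// verdict keyed by scenario name (nil means the check passed).
func Scenarios() map[string]error {
	out := map[string]error{}
	ca, caKey := issue(newTemplate("Constructed Root CA", true, nil), nil, nil)
	out["ca-cA-true"] = CheckBasicConstraints(ca) // passes
	srv, _ := issue(newTemplate("vip.example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), ca, caKey)
	out["server-cert-as-client"] = CheckExtendedKeyUsage(srv, x509.ExtKeyUsageServerAuth) // passes
	out["server-cert-as-server"] = CheckExtendedKeyUsage(srv, x509.ExtKeyUsageClientAuth) // fails: no clientAuth
	cli, _ := issue(newTemplate("user@example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), ca, caKey)
	out["client-cert-as-server"] = CheckExtendedKeyUsage(cli, x509.ExtKeyUsageClientAuth) // passes
	noBC, _ := issue(newTemplate("No Basic Constraints", false, nil), nil, nil)
	out["ca-without-basic-constraints"] = CheckBasicConstraints(noBC) // fails
	tmpl := newTemplate("cA FALSE", false, nil)
	tmpl.BasicConstraintsValid = true // extension present, but cA=FALSE
	bcFalse, _ := issue(tmpl, nil, nil)
	out["ca-cA-false"] = CheckBasicConstraints(bcFalse) // fails
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Go's own x509.Certificate.Verify enforces both rules during chain building; the explicit functions here exist so that each rule, and the exact certificate shape that violates it, can be seen in isolation.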
System
Limit the number of HTTP/2 RESET frames received on a connection in a minute
You can now limit the number of HTTP/2 RST_STREAM frames received on an HTTP/2 connection in a minute. If the number of RST_STREAM frames exceeds the configured limit, Citrix ADC silently drops the packets on that connection.
With this enhancement, you can mitigate the HTTP/2 DoS attack in which an attacker opens several HTTP/2 streams and immediately cancels them by sending RST_STREAM frames.
For more information, see HTTP/2 DoS mitigation.
[ NSBASE-18564 ]
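The per-connection RST_STREAM budget described above, as an added example in Go that is not Citrix code and does not reproduce the appliance's implementation. It reads the type octet from raw HTTP/2 frame headers, counts RST_STREAM frames per connection over a one-minute window driven by an injectable clock, and once the budget is exceeded drops the rest of that connection's frames until the minute rolls over. Dropping every further frame on the connection for the remainder of the window is this example's reading of "drops the packets on that connection" and is an assumption; the client address, the fixed clock and the replayed open-and-cancel frame sequence are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	frameHeaderLen     = 9 // 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
	frameTypeHeaders   = 0x1
	frameTypeRstStream = 0x3
	window             = time.Minute
)

// buildFrame constructs a frame (header plus payload) for the simulation.
func buildFrame(ftype byte, streamID uint32, payload []byte) []byte {
	f := make([]byte, frameHeaderLen, frameHeaderLen+len(payload))
	f[0], f[1], f[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	f[3], f[4] = ftype, 0 // type, flags
	binary.BigEndian.PutUint32(f[5:], streamID&0x7fffffff) // reserved bit cleared
	return append(f, payload...)
}

type connState struct {
	windowStart time.Time
	resets      int
	dropping    bool
}

// ResetLimiter enforces a per-connection budget of RST_STREAM frames per minute.
// Once the budget is exceeded, every further frame on that connection is dropped
// until the minute rolls over (an assumption about the exact drop behaviour).
type ResetLimiter struct {
	limit int
	now   func() time.Time // injectable clock so the window can be driven in tests
	conns map[string]*connState
}

func NewResetLimiter(limit int, now func() time.Time) *ResetLimiter {
	return &ResetLimiter{limit: limit, now: now, conns: map[string]*connState{}}
}

// Observe accounts one inbound frame on connID and reports whether to drop it.
func (l *ResetLimiter) Observe(connID string, frame []byte) (bool, error) {
	if len(frame) < frameHeaderLen {
		return false, errors.New("short HTTP/2 frame header")
	}
	t := frame[3] // frame type octet
	now := l.now()
	st, ok := l.conns[connID]
	if !ok {
		st = &connState{windowStart: now}
		l.conns[connID] = st
	}
	if now.Sub(st.windowStart) >= window { // new minute: reset the budget
		st.windowStart, st.resets, st.dropping = now, 0, false
	}
	if t == frameTypeRstStream {
		st.resets++
		if st.resets > l.limit {
			st.dropping = true
		}
	}
	return st.dropping, nil
}

// Simulate replays the open-and-cancel pattern on one connection: each stream
// is opened with HEADERS and immediately cancelled with RST_STREAM(CANCEL). It
// returns how many frames passed or were dropped, and whether a frame sent
// after the window rolled over was still dropped.
func Simulate(limit, streams int) (passed, dropped int, droppedAfterWindow bool, err error) {
	clock := time.Unix(1700000000, 0) // constructed fixed clock
	lim := NewResetLimiter(limit, func() time.Time { return clock })
	const conn = "198.51.100.7:51234" // constructed client address
	for i := 0; i < streams; i++ {
		sid := uint32(2*i + 1) // client-initiated streams use odd ids
		frames := [][]byte{
			buildFrame(frameTypeHeaders, sid, nil),
			buildFrame(frameTypeRstStream, sid, []byte{0, 0, 0, 0x8}), // error code CANCEL
		}
		for _, f := range frames {
			drop, e := lim.Observe(conn, f)
			if e != nil {
				return 0, 0, false, e
			}
			if drop {
				dropped++
			} else {
				passed++
			}
		}
	}
	clock = clock.Add(window + time.Second)
	droppedAfterWindow, err = lim.Observe(conn, buildFrame(frameTypeHeaders, uint32(2*streams+1), nil))
	return passed, dropped, droppedAfterWindow, err
}

func main() { fmt.Println(Simulate(10, 20)) }
```

With a budget of 10 and 20 cancelled streams, the first ten RST_STREAM frames and the HEADERS that precede them pass (21 frames); the eleventh reset trips the limit and the remaining 19 frames are dropped, while a frame arriving after the minute has elapsed passes again. Budgets are keyed per connection, so one abusive client does not affect others.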
User Interface
The download of any core files that are present on the "Diagnostic" page ("System > Diagnostic") of the Citrix ADC GUI might fail with an error.
[ NSHELP-33644 ]
Fixed Issues
Analytics Infrastructure
The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.
[ NSANINFRA-104, NSBASE-11749, NSBASE-11750 ]
Authentication, authorization, and auditing
After an upgrade, users cannot access the Cavium chip-based Citrix ADC FIPS appliances when the UDP transport-based RADIUS authentication method is used.
[ NSHELP-33200 ]
Logging in to Citrix Gateway endpoints using a full URL bookmarked in the user's browser fails if the endpoint appliances have a RelayStateRule expression configured in the samlAction command.
For example, if you try to log in from a bookmarked full URL such as https://citrixgateway.com/citrix/storeweb in your browser, the login fails.
[ NSHELP-28098 ]
A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.
[ NSHELP-21406 ]
Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domains) where the users are in the parent domain and the services are in the child domain.
[ NSHELP-20910 ]
In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.
[ NSHELP-20181 ]
In rare cases, there might be memory leak issues when handling authentication, authorization, and auditing sessions.
[ NSHELP-19703 ]
Authentication from the Citrix Workspace app fails when Citrix ADC is configured with SAML authentication and a relayStateRule. Browser-based login is not affected.
[ NSAUTH-10517 ]
In some cases, the Citrix ADC appliance crashes if any expired Authentication, authorization, and auditing session exists during the configuration clean-up.
[ NSAUTH-7767, NSHELP-24764 ]
Citrix ADC management access through the console is restricted if the user account is locked.
[ NSAUTH-2821, NSAUTH-1885 ]
Citrix Gateway
In a Citrix Gateway high availability setup, the secondary node might crash during core-to-core communication.
[ NSHELP-21991, NSHELP-23681, NSCXLCM-747, NSCXLCM-3879 ]
The Citrix Gateway logon page becomes unresponsive if RfWebUI-based custom themes or nFactor with custom themes are used.
[ NSHELP-21763 ]
The Citrix Gateway appliance might crash if there are multiple cores and Intranet IP address is enabled with the RfWebUI theme.
[ NSHELP-21722 ]
When the syslog server is configured over TCP, some logs are intermittently not sent to the syslog server.
[ NSHELP-21624 ]
Citrix Web App Firewall
If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.
[ NSWAF-8668 ]
The Citrix ADC appliance might crash because of a timeout issue when adding a violation record to a long list of records.
[ NSHELP-25507 ]
A Citrix ADC appliance might crash if a Web App Firewall profile uses the APPFW_DROP and APPFW_RESET policy actions.
[ NSHELP-21283 ]
A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.
[ NSHELP-21220 ]
Miscellaneous
In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
[ NSHELP-28856 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.
[ GOPHDX-1620 ]
Platform
If you modify the checksum of the kernel provided by Citrix and then install the kernel, you might observe one of the following issues:
- The installns command completes. After the appliance restarts, it reports that the kernel installation could not be completed and the booting process halts. You must then load a different kernel to bring up the box.
- The installns command detects the mismatch and stops installation. An error message appears.
[ NSHELP-27420 ]
The Citrix ADC VPX appliance crashes on Azure while initializing a NIC resource. The crash leads to a kernel dump during the boot process. This issue occurs when there is a delay in the response to certain messages that the driver must send to the backend hypervisor as part of the initialization process. This delay is observed on the Mellanox ConnectX-3 and ConnectX-4 platforms. The fix increases the timeout value so that the driver waits longer for the response.
[ NSHELP-21034, NSHELP-22206 ]
SSL
In some cases, the following appliances might crash while running SSL traffic:
- MPX 59xx
- MPX/SDX 89xx
- MPX/SDX 26xxx
- MPX/SDX 26xxx-50S
- MPX/SDX 26xxx-100G
- MPX/SDX 15xxx-50G
[ NSSSL-7606 ]
On MPX 8900 and MPX 15000 FIPS-certified appliances, running ECDHE traffic can cause a memory leak.
[ NSHELP-30744 ]
A Citrix ADC appliance might dump core if the following conditions are met:
- Appliance is low on memory.
- DTLS is enabled.
- DEBUG level log is enabled.
[ NSHELP-26114 ]
A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.
[ NSHELP-24560 ]
A Citrix ADC appliance might crash if the following conditions are met:
- A certificate-key pair is added with the expiry monitor option enabled.
- The certificate date is earlier than 01/01/1970.
[ NSHELP-22934 ]
User Interface
When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.
[ NSHELP-34187 ]
In a high availability setup, a Citrix ADC appliance might crash during a system user authentication process if the following condition is met:
- The password hash computation takes long enough that five heartbeats are missed.
Note: The system user (nsroot) password must be updated after upgrading the Citrix ADC appliance to the fixed build.
[ NSHELP-27066 ]