Release Notes for Citrix ADC 12.1-55.307 Build

This release notes document describes the enhancements and changes, and the fixed and known issues, that exist for the Citrix ADC release Build 12.1-55.307.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 12.1-55.307 replaces Build 12.1-55.304.
  • This build also includes fixes for the following issues that existed in the previous Citrix ADC 12.1 release build: NSPLAT-29640 and NSHELP-36761.
  • Build 12.1-55.304 replaces Build 12.1-55.302.
  • This build also includes fixes for the following issues that existed in the previous Citrix ADC 12.1 release build: NSHELP-21991.
  • Build 12.1-55.302 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX584986.
  • Build 12.1-55.302 replaces Build 12.1-55.300.

What's New

The enhancements and changes that are available in Build 12.1-55.307.

Authentication, authorization, and auditing

  • RADIUS authentication support on FIPS certified appliances

    On the FIPS platform, RADIUS authentication is now supported over Transport Layer Security (TLS).
    Previously, RADIUS authentication was supported only over UDP. As a result, RADIUS authentication was not available in FIPS environments, because FIPS allows only the TLS protocol. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-radius-for-tls.html

    [ NSAUTH-10906 ]

Platform

  • Support for OpenSSH version 9.x

    The OpenSSH version on Citrix ADC is now upgraded from 8.x to 9.x.

    [ NSPLAT-29640 ]
  • VMware ESX 7.0 update 1c support on Citrix ADC VPX instance

    The Citrix ADC VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).

    [ NSHELP-26444 ]

SSL

  • Support to ignore the common name if a subject alternative name (SAN) is present in the SSL certificate

    The Citrix ADC appliance now conforms to the certificate identity-matching rules for the common name defined in RFC 6125, section 6.4.4 (https://tools.ietf.org/html/rfc6125#section-6.4.4). A new parameter, ndcppComplianceCertCheck, is added.
    When the appliance acts as a client (back-end connection), the common name is ignored during certificate verification if both of the following conditions are met:
    • The ndcppComplianceCertCheck parameter is set to YES (the default is NO).
    • A SAN is present in the certificate.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html.

    [ NSSSL-597 ]
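    The following Python snippet is an added illustration, not Citrix code, of the identity check that the ndcppComplianceCertCheck parameter turns on for back-end connections: with the flag set, a certificate that carries SAN dNSName entries is matched on those entries only and its common name is ignored (RFC 6125, section 6.4.4), while a certificate without a SAN still falls back to the common name. Certificates are modelled as small dicts built inline; the "legacy" behaviour with the flag off (accepting a match in either SAN or CN) and the wildcard rules in match_dns_id are this example's assumptions, not statements from the release note.

```python
# Added example (not Citrix code): models the RFC 6125 section 6.4.4 identity
# check that ndcppComplianceCertCheck switches on for back-end connections.
# Certificates are plain dicts constructed inline; a real client would take
# the CN and SAN entries from a parsed X.509 certificate instead.


def match_dns_id(pattern: str, hostname: str) -> bool:
    """Compare one DNS identifier against the reference name (RFC 6125 6.4.3).

    Matching is case-insensitive. A wildcard is honoured only when it is the
    entire leftmost label and at least two more labels follow, so
    '*.example.com' matches 'www.example.com' but not 'a.b.example.com'
    or 'example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_server_identity(cert: dict, hostname: str, ndcpp_compliance: bool) -> bool:
    """Decide whether `cert` is acceptable for `hostname`.

    cert is a constructed dict: {"cn": str | None, "san_dns": list[str]}.
    ndcpp_compliance models ndcppComplianceCertCheck=YES:
      - SAN present -> only SAN dNSName entries are consulted, CN is ignored
      - SAN absent  -> fall back to the CN
    With the flag off (the default, NO) this example assumes the legacy
    behaviour of accepting a match in either the SAN or the CN.
    """
    san = cert.get("san_dns") or []
    cn = cert.get("cn")
    san_ok = any(match_dns_id(name, hostname) for name in san)
    cn_ok = cn is not None and match_dns_id(cn, hostname)
    if ndcpp_compliance:
        return san_ok if san else cn_ok
    return san_ok or cn_ok


# Constructed sample certificates (not real data): the first has a SAN whose
# entries do not cover the CN, which is exactly the case the new parameter changes.
CERT_WITH_SAN = {
    "cn": "legacy.example.com",
    "san_dns": ["api.example.com", "*.apps.example.com"],
}
CERT_CN_ONLY = {"cn": "legacy.example.com", "san_dns": []}

if __name__ == "__main__":
    for flag in (False, True):
        state = "YES" if flag else "NO"
        print(f"ndcppComplianceCertCheck={state}: legacy.example.com accepted ->",
              verify_server_identity(CERT_WITH_SAN, "legacy.example.com", flag))
```

    Run as a script, the check against CERT_WITH_SAN for legacy.example.com succeeds with the flag off and fails with it on, which is the behaviour change to expect on back-end connections after setting the parameter to YES: a back-end certificate that relies on its CN alone while also carrying a SAN will stop verifying.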

System

  • New parameter added in HTTP profile

    A new parameter, passProtocolUpgrade, is added to the HTTP profile to prevent protocol-upgrade attacks on the back-end servers. Depending on the state of this parameter, the Upgrade header is either passed in the request sent to the back-end server or deleted before the request is sent.

    • If the passProtocolUpgrade parameter is enabled, the Upgrade header is passed to the back end. The server can accept the upgrade request and indicate this in its response.
    • If the parameter is disabled, the Upgrade header is deleted and the rest of the request is sent to the back end.

    The passProtocolUpgrade parameter is added to the following profiles:

    • nshttp_default_profile: ENABLED by default
    • nshttp_default_strict_validation: DISABLED by default
    • nshttp_default_internal_apps: DISABLED by default
    • nshttp_default_http_quic_profile: ENABLED by default

    Citrix recommends disabling this parameter. For more details, see the Citrix ADC Secure Deployment Guide.

    [ NSBASE-17423 ]
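    The following Python snippet is an added illustration, not Citrix code, of what the two states of passProtocolUpgrade mean for a request on its way to the back end: ENABLED forwards the headers untouched, DISABLED strips the Upgrade header. The sample request is constructed inline. Removing the "upgrade" token from the Connection header as well is this example's own choice to keep the forwarded request consistent with RFC 7230; the release note only states that the Upgrade header is deleted.

```python
# Added example (not Citrix code): models the effect of passProtocolUpgrade
# on a request's header list before it is forwarded to a back-end server.
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample request (WebSocket handshake) as (name, value) pairs.
SAMPLE_REQUEST: List[Header] = [
    ("Host", "app.example.internal"),
    ("Connection", "keep-alive, Upgrade"),
    ("Upgrade", "websocket"),
    ("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ=="),
    ("Sec-WebSocket-Version", "13"),
]


def filter_upgrade(headers: List[Header], pass_protocol_upgrade: bool) -> List[Header]:
    """Return the headers that would be forwarded to the back end.

    pass_protocol_upgrade=True  models ENABLED: headers are forwarded untouched.
    pass_protocol_upgrade=False models DISABLED: the Upgrade header is removed.
      This example additionally drops the 'upgrade' token from Connection
      (RFC 7230 section 6.7 requires Upgrade to be listed there); that extra
      step is an assumption of this example, not something the note states.
    """
    if pass_protocol_upgrade:
        return list(headers)
    forwarded: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "upgrade":
            continue
        if lname == "connection":
            tokens = [t.strip() for t in value.split(",")]
            tokens = [t for t in tokens if t and t.lower() != "upgrade"]
            if not tokens:
                # Connection listed only 'Upgrade'; nothing is left to send.
                continue
            value = ", ".join(tokens)
        forwarded.append((name, value))
    return forwarded


def requests_upgrade(headers: List[Header]) -> bool:
    """True if the request still asks the back end to switch protocols."""
    return any(name.lower() == "upgrade" for name, _ in headers)


if __name__ == "__main__":
    for enabled in (True, False):
        state = "ENABLED" if enabled else "DISABLED"
        out = filter_upgrade(SAMPLE_REQUEST, enabled)
        print(f"passProtocolUpgrade {state}: forwards Upgrade ->", requests_upgrade(out))
        for name, value in out:
            print(f"    {name}: {value}")
```

    With the parameter disabled on a profile, a back end behind that profile never sees an Upgrade header, so a client cannot negotiate WebSocket, h2c or any other protocol switch through the appliance on that profile; check the applications bound to each of the four profiles listed above before changing the default, since WebSocket-based applications need the parameter left enabled on their profile.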

User Interface

  • The download of any core files that are present on the "Diagnostic" page ("System > Diagnostic") of the Citrix ADC GUI might fail with an error.

    [ NSHELP-33644 ]
  • Any of the following Citrix ADC upgrade operations might cause login failure for local system user accounts:

    • from Citrix ADC 13.0-83.x build to Citrix ADC 13.1-4.x build
    • from Citrix ADC 12.1-63.x build to Citrix ADC 13.1-4.x build
    • from Citrix ADC 12.1-63.x build to Citrix ADC 13.0-82.x build

    This issue is observed only for those local system user accounts that meet any of the following conditions:

    • The user password was changed for the local system account on the Citrix ADC build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
    • The local system user account was added on the Citrix ADC build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.

    Workaround:

    The system root administrator can reset the password for the local system user accounts facing the login failure issue.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/authentication-and-authorization-for-system-user/how-to-reset-nsroot-administrator-password.html

    [ NSCONFIG-5650 ]
  • Changing default RPC node passwords

    In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.

    [ NSCONFIG-2224 ]

Fixed Issues

The issues that are addressed in Build 12.1-55.307.

Analytics Infrastructure

  • The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.

    [ NSANINFRA-104, NSBASE-11749, NSBASE-11750 ]

Authentication, authorization, and auditing

  • After an upgrade, users cannot access the Cavium chip-based Citrix ADC FIPS appliances when the UDP transport-based RADIUS authentication method is used.

    [ NSHELP-33200 ]
  • Logging in to Citrix Gateway endpoints using a full URL bookmarked in the browser on the user's machine fails if the endpoint appliances have a RelayStateRule expression configured in the samlAction command.

    For example, if you try to log in using a bookmarked full URL such as https://citrixgateway.com/citrix/storeweb in your browser, the login fails.

    [ NSHELP-28098 ]
  • A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.

    [ NSHELP-21406 ]
  • Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain) and the users are in the parent domain while the services are in the child domain.

    [ NSHELP-20910 ]
  • In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.

    [ NSHELP-20181 ]
  • In rare cases, a memory leak might occur when handling authentication, authorization, and auditing sessions.

    [ NSHELP-19703 ]
  • Authentication from the Citrix Workspace app fails when Citrix ADC is configured with SAML authentication and a relayStateRule. Browser-based login is not affected.

    [ NSAUTH-10517 ]
  • In some cases, the Citrix ADC appliance crashes if any expired authentication, authorization, and auditing session exists during the configuration clean-up.

    [ NSAUTH-7767, NSHELP-24764 ]
  • Citrix ADC management access is restricted through the console if a user is locked.

    [ NSAUTH-2821, NSAUTH-1885 ]

Citrix Gateway

  • In a Citrix Gateway high availability setup, the secondary node might crash during core-to-core communication.
    [ NSHELP-21991, NSHELP-23681, NSCXLCM-747, NSCXLCM-3879 ]
  • The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.
    [ NSHELP-21763 ]
  • The Citrix Gateway appliance might crash if there are multiple cores and an intranet IP address is enabled with the RfWebUI theme.
    [ NSHELP-21722 ]
  • When the syslog server is configured over TCP, some logs are intermittently not sent to the syslog server.
    [ NSHELP-21624 ]

Citrix Web App Firewall

  • If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.

    [ NSWAF-8668 ]
  • The load balancing virtual server might not be accessible after a high availability failover. This issue occurs when the URL transform action is performed on the request or response based on the order of adding the configuration, instead of the priority.

    [ NSHELP-36761 ]
  • The Citrix ADC appliance might crash because of a timeout issue when adding a violation record to a long list of records.

    [ NSHELP-25507 ]
  • A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.
    [ NSHELP-21283 ]
  • A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.
    [ NSHELP-21220 ]

Miscellaneous

  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

    [ NSHELP-28856 ]
  • While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.

    [ GOPHDX-1620 ]

Platform

  • If you modify the checksum of the kernel provided by Citrix and then install the kernel, you might observe one of the following issues:

    • The installns command completes. After the appliance restarts, it reports that the kernel installation could not be completed and the boot process halts. You must then load a different kernel to bring up the appliance.
    • The installns command detects the mismatch and stops the installation. An error message appears.

    [ NSHELP-27420 ]
  • The Citrix ADC VPX appliance crashes on Azure while initializing a NIC resource. The crash leads to a kernel dump during the boot-up process. This issue occurs when there is a delay in the response to certain messages that the driver must send to the back-end hypervisor as part of the initialization process. This delay is observed on the Mellanox ConnectX-3 and ConnectX-4 platforms. The fix increases the timeout value so that the driver waits longer to receive the response.

    [ NSHELP-21034, NSHELP-22206 ]

SSL

  • In some cases, the following appliances might crash while running SSL traffic:

    • MPX 59xx
    • MPX/SDX 89xx
    • MPX/SDX 26xxx
    • MPX/SDX 26xxx-50S
    • MPX/SDX 26xxx-100G
    • MPX/SDX 15xxx-50G

    [ NSSSL-7606 ]
  • On MPX 8900 and MPX 15000 FIPS certified appliances, running ECDHE traffic can cause a memory leak.

    [ NSHELP-30744 ]
  • A Citrix ADC appliance might dump core if the following conditions are met:

    • Appliance is low on memory.
    • DTLS is enabled.
    • DEBUG level log is enabled.
    [ NSHELP-26114 ]
  • A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.

    [ NSHELP-24560 ]
  • A Citrix ADC appliance might crash if the following conditions are met:

    • A certificate-key pair is added with the expiry monitor option enabled.
    • The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]

User Interface

  • When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.

    [ NSHELP-34187 ]
  • In a high availability setup, a Citrix ADC appliance might crash during a system user authentication process if the following condition is met:

    • The password hash computation takes long enough that five heartbeats are missed.

    Note: The system user (nsroot) password must be updated after upgrading the Citrix ADC appliance to the fixed build.

    [ NSHELP-27066 ]