Release Notes for NetScaler 13.1-37.190 Build
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 13.1-37.183 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX677944.
- Build 13.1-37.190 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX678072.
- Build 13.1-37.190 replaces Build 13.1-37.188.
- Build 13.1-37.188 replaces Build 13.1-37.183.
- Build 13.1-37.188 also includes a fix for the following issue that existed in the previous Citrix ADC 13.1 release build: NSHELP-37950.
- Build 13.1-37.183 replaces Build 13.1-37.176.
- Build 13.1-37.183 also includes fixes for the following issues that existed in the previous Citrix ADC 13.1 release build: NSPLAT-28484, NSPLAT-26379, NSHELP-36938, NSHELP-35981, NSHELP-35938, NSHELP-35744, NSHELP-35726, NSHELP-35649, NSHELP-35185, NSHELP-34825, NSHELP-34418, NSHELP-33793, NSHELP-33668, NSHELP-33638, NSHELP-33574, NSHELP-33451, NSHELP-32886, NSHELP-32612, NSHELP-32404, NSHELP-30075, NSHELP-29573, NSHELP-29309, NSHELP-24034, NSPLAT-29640.
- Build 13.1-37.176 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX584986.
- Build 13.1-37.176 replaces Build 13.1-37.164.
What's New
Authentication, authorization, and auditing
RADIUS authentication support on FIPS certified appliances
On the FIPS platform, RADIUS authentication is now supported over Transport Layer Security (TLS).
Previously, RADIUS authentication was supported only over UDP. As a result, RADIUS authentication was not available in FIPS environments, because FIPS allows only the TLS protocol. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-radius-for-tls.html.
[ NSAUTH-10906 ]
Traversal from Root domain to Tree domain for Kerberos SSO authentication is supported
Traversal from Root domain to Tree domain is now supported during Kerberos SSO authentication to back-end servers from the NetScaler appliance. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/kerberos-single-sign-on/setup-citrix-adc-single-sign-on.html.
[ NSAUTH-9836 ]
Platform
Support for OpenSSH version 9.x
The OpenSSH version on NetScaler is now upgraded from 8.x to 9.x.
[ NSPLAT-29640 ]
VMware ESX 7.0 update 1c support on NetScaler VPX instance
The NetScaler VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).
[ NSHELP-26444 ]
SSL
Support to ignore the common name if a subject alternative name (SAN) is present in the SSL certificate
The NetScaler appliance now conforms to the RFC specification related to the common name in a certificate as defined in https://tools.ietf.org/html/rfc6125#section-6.4.4. A new parameter ndcppComplianceCertCheck is added.
When the appliance acts as a client (back-end connection), the common name is ignored during certificate verification if both of the following conditions are met:
- The ndcppComplianceCertCheck parameter is set to YES (the default is NO).
- A SAN is present in the certificate.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html.
[ NSSSL-597 ]
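The following added example (not NetScaler code) models the RFC 6125 section 6.4.4 name check described above: with ndcppComplianceCertCheck set to YES and a SAN present, the common name is never consulted; with the default NO, the common name is still consulted when no SAN entry matched (the legacy order is an assumption). The certificate is assumed to be a dict already parsed from X.509, and wildcard handling follows RFC 6125 section 6.4.3.

```python
"""Model of the back-end certificate name check controlled by ndcppComplianceCertCheck.

Added example, not NetScaler code. Assumptions: a certificate is a dict
already parsed out of X.509 ({"cn": str or None, "san_dns": [str, ...]}),
and wildcards follow RFC 6125 section 6.4.3 (a lone '*' as the whole
left-most label, never matching more than one label).
"""
from typing import Dict, List


def _name_matches(presented: str, reference: str) -> bool:
    """Compare one presented identifier with the expected host name."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r):
        return False  # '*' stands for exactly one label, so label counts must agree
    if "*" in p[0] and (p[0] != "*" or len(p) < 3):
        return False  # only a whole-label wildcard with at least two labels after it
    if any("*" in label for label in p[1:]):
        return False  # a wildcard is allowed in the left-most label only
    return all(pl == "*" or pl == rl for pl, rl in zip(p, r))


def verify_server_identity(cert: Dict[str, object], expected_host: str,
                           ndcpp_compliance_cert_check: str = "NO") -> Dict[str, object]:
    """Return whether the name check passes and which identifier decided it.

    YES: when a SAN is present the CN is ignored (RFC 6125 section 6.4.4), so a
    host that appears only in the CN fails. NO (the default): the CN is still
    consulted when no SAN entry matched (assumed legacy behaviour).
    """
    san: List[str] = list(cert.get("san_dns") or [])
    cn = cert.get("cn")
    if any(_name_matches(name, expected_host) for name in san):
        return {"matched": True, "source": "SAN"}
    if san and ndcpp_compliance_cert_check.upper() == "YES":
        return {"matched": False, "source": "SAN"}  # CN deliberately not consulted
    if cn and _name_matches(str(cn), expected_host):
        return {"matched": True, "source": "CN"}
    return {"matched": False, "source": "CN" if cn else "none"}


if __name__ == "__main__":
    # Constructed certificate: the host appears only in the CN, a different host in the SAN.
    cert = {"cn": "app.example.test", "san_dns": ["api.example.test"]}
    for setting in ("NO", "YES"):
        print(setting, verify_server_identity(cert, "app.example.test", setting))
```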
System
New parameter added in HTTP profile
A new parameter passProtocolUpgrade is added to the HTTP profile to prevent attacks on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.
- If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back end. The server accepts the upgrade request and indicates this in its response.
- If this parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back end.
The passProtocolUpgrade parameter is added to the following profiles:
- nshttp_default_profile: ENABLED by default
- nshttp_default_strict_validation: DISABLED by default
- nshttp_default_internal_apps: DISABLED by default
- nshttp_default_http_quic_profile: ENABLED by default
Citrix recommends that this parameter be disabled by default. For more details, see the NetScaler Secure Deployment Guide.
[ NSBASE-17423 ]
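The following added example (not NetScaler code) models the header handling the passProtocolUpgrade setting controls and audits a configuration excerpt for profiles that still pass the Upgrade header, against the recommendation above. The config lines are constructed, and the `set ns httpProfile <name> -passProtocolUpgrade <state>` form is assumed from the parameter name in the note.

```python
"""Model of passProtocolUpgrade handling plus an audit of HTTP profile settings.
Added example, not NetScaler code. The config lines are constructed, and the
'set ns httpProfile <name> -passProtocolUpgrade <state>' form is assumed
from the parameter name in the release note."""
import re
from typing import Dict, List

# Defaults for the built-in profiles, as listed in the release note.
BUILTIN_DEFAULTS: Dict[str, str] = {
    "nshttp_default_profile": "ENABLED",
    "nshttp_default_strict_validation": "DISABLED",
    "nshttp_default_internal_apps": "DISABLED",
    "nshttp_default_http_quic_profile": "ENABLED",
}
_SET_LINE = re.compile(r"^set ns httpProfile (\S+)\s+(.*)$", re.IGNORECASE)
_PARAM = re.compile(r"-passProtocolUpgrade\s+(ENABLED|DISABLED)", re.IGNORECASE)

# Constructed ns.conf-style excerpt used by the audit.
SAMPLE_CONFIG = [
    "set ns httpProfile nshttp_default_profile -passProtocolUpgrade DISABLED",
    "add ns httpProfile app_profile",
    "set ns httpProfile app_profile -passProtocolUpgrade ENABLED",
]


def forward_headers(request_headers: Dict[str, str], pass_protocol_upgrade: str) -> Dict[str, str]:
    """Headers sent to the back end: ENABLED passes Upgrade through; DISABLED
    deletes only the Upgrade header and forwards the rest (Connection included)
    as received, which is all the release note describes."""
    forwarded = dict(request_headers)
    if pass_protocol_upgrade.upper() != "ENABLED":
        for key in [k for k in forwarded if k.lower() == "upgrade"]:
            del forwarded[key]
    return forwarded


def effective_settings(config_lines: List[str]) -> Dict[str, str]:
    """Built-in defaults overridden by explicit set lines; a custom profile is
    listed only when a line states the parameter (its default is not given)."""
    settings = dict(BUILTIN_DEFAULTS)
    for line in config_lines:
        match = _SET_LINE.match(line.strip())
        param = _PARAM.search(match.group(2)) if match else None
        if match and param:
            settings[match.group(1)] = param.group(1).upper()
    return settings


def profiles_passing_upgrade(config_lines: List[str]) -> List[str]:
    """Profiles that still pass Upgrade to the back end, i.e. do not yet
    follow the recommendation to disable the parameter."""
    return sorted(n for n, v in effective_settings(config_lines).items() if v == "ENABLED")


if __name__ == "__main__":
    print("Upgrade still passed to the back end by:", profiles_passing_upgrade(SAMPLE_CONFIG))
```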
User Interface
The download of any core files that are present on the "Diagnostic" page ("System > Diagnostic") of the NetScaler GUI might fail with an error.
[ NSHELP-33644 ]
Any of the following NetScaler upgrade operations might cause login failure for local system user accounts:
- from NetScaler 13.0-83.x build to NetScaler 13.1-4.x build
- from NetScaler 12.1-63.x build to NetScaler 13.1-4.x build
- from NetScaler 12.1-63.x build to NetScaler 13.0-82.x build
This issue is observed only for those local system user accounts that meet any of the following conditions:
- user password was changed for the local system account on the NetScaler build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
- the local system user account was added on the NetScaler build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
Workaround:
The system root administrator can reset the password for the local system user accounts facing the login failure issue.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/authentication-and-authorization-for-system-user/how-to-reset-nsroot-administrator-password.html.
[ NSCONFIG-5650 ]
Changing default RPC node passwords
In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.
[ NSCONFIG-2224 ]
Fixed Issues
Analytics Infrastructure
The `show syslogAction` command displays an unresolved IP address in the output when both of the following conditions are met:
- SYSLOG action with a domain name on transport mode UDP is used.
- ICMP is disabled on the server.
This issue occurs because the ping-default monitor marks the service as DOWN since the server is not reachable through ICMP. Therefore, the IP address is not displayed in the output even if it is resolved.
[ NSHELP-32886, NSHELP-33392 ]
The `ns.log` file generates the debug logs even when the audit log level is set to none and therefore exceeds the configured file size limit. The issue occurs because the advanced policy is bound to local logging even though it is not necessary.
[ NSHELP-32404, NSHELP-32641, NSCXLCM-1374, NSCXLCM-1551, NSCXLCM-1708, NSCXLCM-2422, NSCXLCM-3181, NSCXLCM-3483, NSCXLCM-4148 ]
AppFlow
The metrics collector in the NetScaler instance intermittently stops responding. As a result, whenever the metrics collector stops responding, one interval (30 seconds) of analytics data might not get exported.
[ NSHELP-34048, NSCXLCM-120, NSCXLCM-560, NSCXLCM-793, NSCXLCM-887, NSCXLCM-1430, NSCXLCM-1615, NSCXLCM-2194, NSCXLCM-4132 ]
Authentication, authorization, and auditing
After an upgrade, the message "AAA DHT : VPN entry resume notification failed due to invalid subtype 1" appears repeatedly in the NetScaler log file.
[ NSHELP-35649 ]
When NetScaler is configured as a SAML service provider, the SAML assertion validation might fail because of a parsing issue in the saml:statusCode tag.
[ NSHELP-33574 ]
When NetScaler is used as an OpenID provider (OAuth IdP) and GSLB is configured with it, OAuth authentication with the relying party (RP) fails during token validation, which might result in an authentication failure at the RP.
[ NSHELP-33455 ]
The NetScaler appliance might crash when it is configured as a SAML service provider and the SSL certificates are updated.
[ NSHELP-33243, NSCXLCM-342, NSCXLCM-1114, NSHELP-32966, NSHELP-33242 ]
After an upgrade, users cannot access the Cavium chip-based NetScaler FIPS appliances when the UDP transport-based RADIUS authentication method is used.
[ NSHELP-33200 ]
Kerberos SSO impersonation with advanced encryption types might fail when an incorrect user principal name is used in the SSO credentials.
[ NSHELP-32890, NSCXLCM-103, NSCXLCM-550, NSCXLCM-613 ]
NetScaler might crash if one of the following authentication methods is used as a second factor in an nFactor flow and subsequent factors that require user interaction are configured after it.
- SAML
- OAuth
- Client certificate
[ NSHELP-29573, NSCXLCM-492, NSCXLCM-872, NSCXLCM-1216, NSCXLCM-2904, NSHELP-32631, NSHELP-32765 ]
Load Balancing
In rare cases, an active NetScaler CLI session is aborted when you run the `add dns key` command.
[ NSHELP-36938, NSCXLCM-3096 ]
In an HA setup, the DNS server might intermittently send an empty response for a GSLB domain query when the following conditions are met:
- Persistence is configured on the GSLB virtual server.
- A large number of load balancing deployments are configured.
- HA failover occurs.
[ NSHELP-35981 ]
The NTLM monitor does not support the following options:
- Concurrent probing by monitors of both NTLM version 1 and version 2 configurations.
- Directing the probe to the IP address of the server when the URL in "scriptArg" parameter resolves to a different IP address.
- NTLM version 2.
[ NSHELP-35185 ]
The probes to the StoreFront user monitor might fail due to an incorrect timeout calculation. This issue occurs when the timeout value is set to 1 or 2 seconds when configuring the StoreFront user monitor.
[ NSHELP-34418 ]
The "show server name" command displays the service status as unknown even though the service is bound to the server.
[ NSHELP-33668 ]
NetScaler might crash when the following conditions are met:
- A load balancing virtual server is configured with a redirect URL in multiple partitions.
- A memory recovery is triggered.
[ NSHELP-33638, NSCXLCM-227, NSCXLCM-509, NSCXLCM-4636 ]
The secondary node might crash if you use the same GSLB virtual server as the backup for multiple GSLB virtual servers.
[ NSHELP-33400, NSCXLCM-412, NSCXLCM-470, NSCXLCM-1084, NSCXLCM-2454 ]
The NetScaler VPX appliance crashes when the following conditions are met:
- The autosync option is used to synchronize the configuration with other GSLB sites.
- The incarnation number that is used to fetch the GSLB cache is a multiple of 1024.
[ NSHELP-30075 ]
In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.
[ NSHELP-29309 ]
Miscellaneous
A NetScaler appliance might crash when it tries to access resources of an ICAP that has already been freed. This happens when the ICAP is in response modification (RESPMOD) mode.
[ NSHELP-33403 ]
When clearing the configurations by using the GUI or CLI, a NetScaler appliance might crash when the Secure Token Authority (STA) related entities are cleared.
[ GOPHDX-1743 ]
NetScaler Gateway
The NetScaler Gateway home page might fail to enumerate the apps when you try to access it in clientless VPN mode using a mobile browser.
[ NSHELP-35541, NSCXLCM-1132, NSCXLCM-1212, NSCXLCM-1248, NSCXLCM-1774 ]
A NetScaler Gateway appliance crashes when evaluating a policy for a VPN URL.
[ NSHELP-33683, CGOP-20369, NSCXLCM-1507, NSCXLCM-219, NSCXLCM-220, NSCXLCM-223, NSCXLCM-245, NSCXLCM-275, NSCXLCM-297, NSCXLCM-311, NSCXLCM-368, NSCXLCM-369, NSCXLCM-378, NSCXLCM-391, NSCXLCM-439, NSCXLCM-461, NSCXLCM-474, NSCXLCM-487, NSCXLCM-525, NSCXLCM-540, NSCXLCM-542, NSCXLCM-551, NSCXLCM-552, NSCXLCM-606, NSCXLCM-611, NSCXLCM-624, NSCXLCM-740, NSCXLCM-872, NSCXLCM-895, NSCXLCM-1061, NSCXLCM-1237, NSCXLCM-1387, NSHELP-34076, NSHELP-34077, NSHELP-34100, NSHELP-34180 ]
After upgrading a NetScaler appliance, the RDP proxy URLs do not work with the X1 portal theme and the message "Http/1.1 Object Not Found" appears.
[ NSHELP-33676, NSCXLCM-266, NSHELP-33845, NSHELP-33921 ]
When a NetScaler appliance is upgraded, the appliance might crash while processing the UDP traffic.
[ NSHELP-33417, NSCXLCM-562, NSCXLCM-594, NSCXLCM-986, NSCXLCM-1358 ]
After upgrading a NetScaler Gateway appliance, the Configuration > Integrate with Citrix Products section is not displayed in the NetScaler GUI.
[ NSHELP-32335 ]
NetScaler Web App Firewall
The NetScaler might crash when "VerboseLogLevel" is set to "patternPayloadHeader" in the Web App Firewall profile.
[ NSHELP-35915 ]
The NetScaler appliance might crash due to invalid HTTP header information. This issue occurs when the following conditions are met:
- SQL/XSS violation occurs in the HTTP request body.
- The verbose logging is set to "patternPayloadHeader".
[ NSHELP-35297, NSCXLCM-1127 ]
The cookie hijacking redirect drops the query parameters from the request URL. As a result, the redirected request might fail.
[ NSHELP-33633, NSCXLCM-307 ]
Networking
In an HA setup, the NetScaler VPX secondary node crashes after upgrading to release 13.1 build 53.17.
[ NSHELP-37950, NSCXLCM-4553, NSCXLCM-4618, NSCXLCM-4625, NSCXLCM-4834, NSCXLCM-4991, NSHELP-37332 ]
The NetScaler appliance might crash when you configure a dataset based ACL.
[ NSHELP-35744, NSCXLCM-2170, NSCXLCM-2195, NSCXLCM-2200, NSCXLCM-2203, NSCXLCM-2376, NSCXLCM-2748 ]
When a NetScaler appliance that contains a large integrated cache or a large scale NAT configuration is upgraded from release 12.1 or 13.0 to release 13.1 or 14.1, the recovery time from a packet engine crash is longer than it was in the pre-upgrade version.
[ NSHELP-33797 ]
For internal SSL services on a non-default HTTPS port, even if you change the default SSL certificate binding and restart the appliance, the default certificate continues to be bound to internal services.
[ NSHELP-24034 ]
Platform
When the interface configuration is disabled, the Tx Laser might not be OFF after the appliance is restarted.
[ NSPLAT-28484, NSHELP-35272 ]
After you upgrade the ADC appliance to release 13.1 build 42.47, on some public cloud VPX deployments, you might observe the HTTP and TCP services flap between UP and DOWN states.
[ NSPLAT-26310 ]
For a NetScaler VPX release 13.1 build 37.38 on VMware ESX hypervisor with VMXNET3 interfaces, you see the following behaviour in the HA setup:
The NetScaler VPX HA pair is not configured because the communication between the HA nodes is not established. As a result, the peer node status is displayed as UNKNOWN.
[ NSPLAT-25677 ]
The NetScaler VPX instance drops packets from a client if both of the following conditions are met:
- The VPX instance is hosted on VMware Cloud on AWS using a VMXNET3 adapter.
- The VMXNET3 adapter fails to generate the RSS hash for the packet.
[ NSHELP-33150 ]
SSL
A virtual server crashes due to a failed TLS1.3 connection, because the NetScaler appliance runs out of memory and a memory allocation request fails during the start of a TLS 1.3 handshake.
With this fix, the TLS 1.3 connection fails but the appliance does not crash.
[ NSSSL-12200 ]
The NetScaler GUI, when accessed through a Cluster IP (CLIP) address, does not display the server certificate bindings to an SSL service, service group, and internal services.
[ NSSSL-12191 ]
NetScaler might crash after repeated login attempts if the following conditions are met:
- Client authentication is enabled.
- The client tries to authenticate with the root certificate.
[ NSHELP-36094, NSCXLCM-2866 ]
A virtual server may incorrectly terminate a TLS 1.3 handshake with a `decrypt_error` alert if the following conditions are met:
- The client is authenticating with a certificate.
- The virtual server is configured to perform a certificate status check using OCSP or a CRL.
- The client sends both Certificate and CertificateVerify messages in the same TLS record.
[ NSHELP-33355 ]
System
NetScaler might stop the data transfer if the following conditions are met:
- Multiple features are enabled.
- More than one feature tries to delete the same part of the TCP or HTTP payload.
[ NSHELP-33793, NSCXLCM-1512, NSCXLCM-1954 ]
In some cases, a NetScaler appliance might crash while processing a corrective acknowledgment sent by a server connection that is in the TIME_WAIT state.
[ NSHELP-33469 ]
NetScaler might stall the data transfer on an HTTP/2 connection when an HTTP-based feature tries to buffer a large amount of application data.
[ NSHELP-32612, NSCXLCM-3400, NSHELP-36243 ]
The NetScaler appliance might crash if it processes a corrective ACK packet related to a server-side TCP connection.
[ NSHELP-32290 ]
The NetScaler appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.
[ NSHELP-31656 ]
A memory leak might occur in the NetScaler appliance if both of the following conditions are met:
- HTTP compression feature is enabled.
- The connection is reset in the middle of the transaction.
[ NSHELP-30631 ]
User Interface
In an HA setup, even though you have unique SSL certificates for the NSIP address of the primary and secondary node, the secondary node certificate is overwritten by the primary node certificate.
[ NSHELP-35938 ]
When you configure a responder policy or a rewrite policy on the NetScaler GUI without adding any values in the Log Action and AppFlow Action fields, which are not mandatory, the following error is displayed:
"Invalid name; names must begin with an alphanumeric character or underscore and must contain only alphanumerics, '_', '#', '.', ' ', ':', '@', '=' or '-' [logAction, ]"
[ NSHELP-35726 ]
You might observe high management CPU usage in a NetScaler appliance when both of the following conditions are met:
- Admin partitions are configured on the appliance.
- The appliance is managed by NetScaler ADM.
[ NSHELP-34825, NSCXLCM-192, NSCXLCM-501, NSCXLCM-1279 ]
When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.
[ NSHELP-34187 ]
A few built-in configurations are not available when a NetScaler ADC instance is created.
[ NSHELP-33451, NSCXLCM-502 ]
The following error appears on the NetScaler UI when there is a large difference between the saved and the running configuration:
"Error in fetching the configuration"
[ NSHELP-32752 ]
On the NetScaler GUI, the System Log Files page (Configuration > System > Auditing > Syslog messages) and the Logs page (Configuration > Authentication > Logs) fail to load the log files.
[ NSHELP-30868 ]
Known Issues
User Interface
In the NetScaler GUI (System > FIPS System Information page), the following fields are blank:
- Control Plane Version
- Data Plane Version
- Graphic Module Version
[ NSUI-19559 ]