Release Notes for NetScaler 13.1-37.219 FIPS Build

This release notes document describes the enhancements and changes, and the fixed and known issues, in NetScaler release Build 13.1-37.219 FIPS.

Notes

  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 13.1-37.219 FIPS.

Analytics Infrastructure

  • Export management logs to Syslog servers or Splunk HEC

    NetScaler now supports exporting management and host logs to external syslog servers or to HEC on Splunk. For more information, see Logs.

    [ NSANINFRA-5470 ]

Authentication, authorization, and auditing

  • Support to validate client IP address

    NetScaler now validates the client IP address after verifying the details in the NSC_TMAS cookie, ensuring that the requests carrying that cookie come from the same client IP address.

    [ NSAUTH-14417 ]

Load Balancing

  • Password update on all GSLB sites

    A new parameter `sitePassword` is added to the `set gslb site` command that replaces the RPC node password. If the GSLB synchronization is enabled, the password is updated in all GSLB sites.

    For more information, see Configure a basic GSLB site.

    [ NSLB-9994 ]

Miscellaneous

  • Support for Secure Private Access for on-premises solution on FIPS

    The Secure Private Access on-premises solution is now supported on NetScaler platforms that comply with Federal Information Processing Standards (FIPS) and run the 13.1-37.219 and later FIPS builds. For more information about FIPS, see Federal Information Processing Standards. For more information about Secure Private Access for on-premises, see Secure Private Access for on-premises.

    [ SPAOP-6363 ]

Platform

  • Support for OpenSSH version 9.x

    The OpenSSH version on NetScaler is now upgraded from 8.x to 9.x.

    [ NSPLAT-29640 ]
  • Synchronize timer behavior in FreeBSD 11.4 and FreeBSD 8.4

    The kernel clock and timer events in FreeBSD 11.4 are made similar to those of FreeBSD 8.4 to achieve stability on the NetScaler VPX platform.

    [ NSPLAT-26973 ]
  • Improved SSL performance for encryption algorithms

    SSL performance of the following encryption algorithms is enhanced for NetScaler running on Intel processors that support Intel AVX-512:

    • RSA 2048/4096
    • ChaCha20-Poly1305
    • AES-GCM
    [ NSPLAT-26379 ]
  • FIPS is displayed in the output

    The output of the `show version` command on an MPX appliance now shows FIPS if the underlying appliance is using a FIPS build.

    For example,

    >show version
    NetScaler NS13.1: Build 37.106.nc, Date: Jan 23 2023, 01:34:26 (64-bit) (NS13.1-FIPS)
    Done

    [ NSPLAT-25763 ]
  • Support for AWS EC2 instance IMDSv2 mode

    The Instance Metadata Service Version 2 (IMDSv2) mode for AWS EC2 instances is now supported on the NetScaler appliance. IMDSv1 and IMDSv2 are the two modes available for accessing instance metadata from a running AWS EC2 instance, and IMDSv2 is more secure than IMDSv1. Earlier, NetScaler did not support IMDSv2, so when the AWS EC2 instance was using the IMDSv2 mode, the NetScaler appliance overwrote the static default route after a cold reboot.

    [ NSPLAT-21205 ]

SSL

  • Changes to command output

    The output of the "show fipsStatus" command on a VPX FIPS appliance shows additional information, such as the control plane and data plane cryptographic library version.

    > sh fipsstatus
    FipsStatus: System is operating in FIPS mode
    NetScaler Cryptographic Module v1.0
    NetScaler Control Plane Cryptographic Library v1.0
    NetScaler Data Plane Cryptographic Library v1.0
    Done

    [ NSSSL-12374 ]
  • Validating the Basic Constraint during certificate verification

    During certificate verification, the appliance now validates that the Basic Constraints extension is set to CA:TRUE for CA certificates if the "ndcppComplianceCertCheck" is set to YES in the "set ssl parameter" command.

    [ NSSSL-12107 ]
  • Validating the X.509 extension during certificate verification

    The following validations now happen during certificate verification if the "ndcppComplianceCertCheck" is set to YES in the "set ssl parameter" command:

    • When the NetScaler appliance acts as a client, the Extended Key Usage X.509 extension in the server certificate contains the server authentication (serverAuth) purpose.
    • When the NetScaler appliance acts as a server, the Extended Key Usage X.509 extension in the client certificate contains the client authentication (clientAuth) purpose.
    [ NSSSL-12092 ]
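    The two checks above (the Basic Constraints rule from NSSSL-12107 and the Extended Key Usage rule from NSSSL-12092), as an added example in Go that is not NetScaler code: it applies only the policy rules on top of the usual signature and chain validation, treats the "server extension" and "client extension" as the serverAuth and clientAuth EKU purposes (an assumption), and generates its test certificates in-process as constructed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckNDcPP applies the two ndcppComplianceCertCheck rules from the release
// notes on top of the usual signature and chain validation (not repeated here).
// chain[0] is the peer certificate, chain[1:] are its issuers. When NetScaler
// acts as the server the peer is a client and must carry clientAuth; otherwise
// the peer is a back-end server and must carry serverAuth.
func CheckNDcPP(chain []*x509.Certificate, netscalerIsServer bool) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	for _, ca := range chain[1:] {
		// Basic Constraints must be present and assert CA:TRUE on every issuer.
		if !ca.BasicConstraintsValid || !ca.IsCA {
			return fmt.Errorf("issuer %q does not assert Basic Constraints CA:TRUE", ca.Subject.CommonName)
		}
	}
	want := x509.ExtKeyUsageServerAuth
	if netscalerIsServer {
		want = x509.ExtKeyUsageClientAuth
	}
	for _, eku := range chain[0].ExtKeyUsage {
		if eku == want {
			return nil
		}
	}
	return fmt.Errorf("peer certificate %q lacks the required Extended Key Usage", chain[0].Subject.CommonName)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert builds a constructed test certificate, self-signed when parent is nil.
// With ca=false no Basic Constraints extension is emitted at all.
func newCert(cn string, ca bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: ca,
		IsCA:                  ca,
		ExtKeyUsage:           eku,
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SampleChains returns a compliant chain and one whose presented issuer never
// asserted CA:TRUE. The leaf is signed by the real CA in both cases (constructed data).
func SampleChains() (good, badIssuer []*x509.Certificate) {
	ca, caKey := newCert("Constructed Root CA", true, nil, nil, nil)
	notCA, _ := newCert("Constructed Non-CA Issuer", false, nil, nil, nil)
	server, _ := newCert("backend.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	return []*x509.Certificate{server, ca}, []*x509.Certificate{server, notCA}
}
```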

System

  • Limit the number of HTTP/2 RESET frames received on a connection in a minute

    You can now limit the number of HTTP/2 RESET frames received on an HTTP/2 connection in a minute. If the number of RESET frames exceeds the configured limit, NetScaler silently drops the packets on that connection.

    With this enhancement, you can mitigate an HTTP/2 DoS attack in which an attacker opens many HTTP/2 streams and immediately cancels them by sending RST_STREAM frames.

    For more information, see HTTP/2 DoS mitigation.

    [ NSBASE-18564 ]
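    The per-connection RST_STREAM budget described above, as an added example in Go that is not NetScaler code: a sliding one-minute window is an assumption (the note only says "in a minute"), as are the limit of 1000 and the connection ids used in the constructed simulation.

```go
package main

import (
	"sync"
	"time"
)

// ResetLimiter counts the RST_STREAM frames each connection sent in the last
// minute; once the count reaches the configured limit, further frames on that
// connection are silently dropped, as the release note describes.
type ResetLimiter struct {
	limit  int
	window time.Duration
	mu     sync.Mutex
	recent map[string][]time.Time // connection id -> timestamps of counted frames
}

func NewResetLimiter(limit int) *ResetLimiter {
	return &ResetLimiter{limit: limit, window: time.Minute, recent: map[string][]time.Time{}}
}

// Allow records one RST_STREAM frame on conn at time now. It returns true when
// the frame is within the budget and false when it must be silently dropped.
func (l *ResetLimiter) Allow(conn string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	ts := l.recent[conn]
	// Evict timestamps that fell out of the window (slice is in arrival order).
	cut := now.Add(-l.window)
	i := 0
	for i < len(ts) && !ts[i].After(cut) {
		i++
	}
	ts = ts[i:]
	if len(ts) >= l.limit {
		l.recent[conn] = ts
		return false // over budget: drop without answering
	}
	l.recent[conn] = append(ts, now)
	return true
}

// Forget releases the state of a closed connection so the map cannot grow
// without bound under many short-lived connections.
func (l *ResetLimiter) Forget(conn string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.recent, conn)
}

// SimulateRapidReset feeds n back-to-back RST_STREAM frames (one per millisecond,
// constructed traffic) from a single connection through the limiter and reports
// how many were accepted and how many were dropped.
func SimulateRapidReset(l *ResetLimiter, conn string, n int, start time.Time) (accepted, dropped int) {
	for i := 0; i < n; i++ {
		if l.Allow(conn, start.Add(time.Duration(i)*time.Millisecond)) {
			accepted++
		} else {
			dropped++
		}
	}
	return accepted, dropped
}

func main() {
	l := NewResetLimiter(1000)
	a, d := SimulateRapidReset(l, "client-a", 5000, time.Now())
	println("accepted:", a, "dropped:", d)
}
```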

User Interface

  • View FIPS status for VPX FIPS and MPX FIPS platforms on the NetScaler GUI

    You can now view FIPS status for VPX FIPS and MPX FIPS platforms in the NetScaler GUI, similar to the CLI.

    [ NSUI-20100 ]
  • The download of any core files that are present on the "Diagnostic" page ("System > Diagnostic") of the NetScaler GUI might fail with an error.

    [ NSHELP-33644 ]
  • Smart card-based authentication for system users

    NetScaler supports smart card-based authentication for the NetScaler management GUI, where a user is authenticated using the client certificate stored on the smart card. This feature simplifies the login process for smart card users, granting them access to the NetScaler management GUI without entering their credentials (user name and password).

    For more information, see Smart card-based authentication for management GUI access.

    [ NSCONFIG-8034 ]

Fixed Issues

The issues that are addressed in Build 13.1-37.219 FIPS.

Analytics Infrastructure

  • When an advanced syslog policy is bound to Syslog Global, some messages related to the SSLVPN do not appear in the ns.log file:

    • SSLVPN LOGIN
    • SSLVPN LOGOUT
    [ NSHELP-37051 ]
  • The `show syslogAction` command displays an unresolved IP address in the output when both of the following conditions are met:

    • SYSLOG action with a domain name on transport mode UDP is used.
    • ICMP is disabled on the server.

    This issue occurs because the ping-default monitor marks the service as DOWN since the server is not reachable through ICMP. Therefore, the IP address is not displayed in the output even if it is resolved.

    [ NSHELP-32886, NSHELP-33392 ]
  • The `ns.log` file generates the debug logs even when the audit log level is set to none and therefore exceeds the configured file size limit. The issue occurs because the advanced policy is bound to local logging even though it is not necessary.

    [ NSHELP-32404, NSHELP-32641, NSCXLCM-1374, NSCXLCM-1551, NSCXLCM-1708, NSCXLCM-2422, NSCXLCM-3181, NSCXLCM-3483, NSCXLCM-4148, NSCXLCM-5934 ]
  • On the NetScaler ADC 14.1-29.x release, adding a syslog action in an admin partition throws an "Operation not permitted" error.

    [ NSANINFRA-5997, NSHELP-38582 ]

AppFlow

  • The metrics collector in the NetScaler instance intermittently stops responding. As a result, whenever the metrics collector stops responding, one interval (30 seconds) of analytics data might not get exported.

    [ NSHELP-34048, NSCXLCM-120, NSCXLCM-560, NSCXLCM-793, NSCXLCM-887, NSCXLCM-1430, NSCXLCM-1615, NSCXLCM-2194, NSCXLCM-4132 ]

Authentication, authorization, and auditing

  • SAML authentications might fail if NetScaler is configured for SAML on MPX/SDX 14000 FIPS. This issue occurs when the context is not saved across the asynchronous code path while signing SAML requests.

    [ NSHELP-38211, NSCXLCM-4841 ]
  • NetScaler crashes when users attempt to re-login before the stale entries are cleared (prior to DHT timeout) after being logged out due to an expired Kerberos ticket.

    [ NSHELP-37528 ]
  • After an upgrade, the message "AAA DHT : VPN entry resume notification failed due to invalid subtype 1" appears repeatedly in the NetScaler log file.

    [ NSHELP-35649 ]
  • Kerberos SSO might fail when there is a large number of incoming requests at the same time.

    [ NSHELP-34177 ]
  • When NetScaler is configured as a SAML service provider, the SAML assertion validation might fail because of a parsing issue in the saml:statusCode tag.

    [ NSHELP-33574 ]
  • When NetScaler is used as an OpenID provider (OAuth IdP) and GSLB is configured with it, OAuth authentication with the relying party (RP) fails during token validation, which might result in an authentication failure at the OAuth relying party.

    [ NSHELP-33455 ]
  • The NetScaler appliance might crash when it is configured as a SAML service provider and the SSL certificates are updated.

    [ NSHELP-33243, NSCXLCM-342, NSCXLCM-1114, NSHELP-32966, NSHELP-33242 ]
  • After an upgrade, users cannot access the Cavium chip-based NetScaler FIPS appliances when the UDP transport-based RADIUS authentication method is used.

    [ NSHELP-33200 ]
  • Kerberos SSO impersonation with advanced encryption types might fail when an incorrect user principal name is used in the SSO credentials.

    [ NSHELP-32890, NSCXLCM-103, NSCXLCM-550, NSCXLCM-613 ]
  • NetScaler might crash if one of the following authentication methods is used as a second factor and there are subsequent factors that are configured and require user interaction in an nFactor flow.

    • SAML
    • OAuth
    • Client certificate
    [ NSHELP-29573, NSCXLCM-492, NSCXLCM-872, NSCXLCM-1216, NSCXLCM-2904, NSHELP-32631, NSHELP-32765 ]
  • In an HA setup, users frequently reboot the secondary NetScaler instances due to memory leaks.

    [ NSHELP-28659 ]

Load Balancing

  • In rare cases, an active NetScaler CLI session is aborted when you run the `add dns key` command.

    [ NSHELP-36938, NSCXLCM-3096 ]
  • In an HA setup, the DNS server might intermittently send an empty response for a GSLB domain query when the following conditions are met:

    • Persistence is configured on the GSLB virtual server.
    • A large number of load balancing deployments are configured.
    • HA failover occurs.
    [ NSHELP-35981 ]
  • The NTLM monitor does not support the following options:

    • Concurrent probing by monitors of both NTLM version 1 and version 2 configurations.
    • Directing the probe to the IP address of the server when the URL in "scriptArg" parameter resolves to a different IP address.
    • NTLM version 2.
    [ NSHELP-35185 ]
  • The probes to the StoreFront user monitor might fail due to an incorrect timeout calculation. This issue occurs when the timeout value is set to 1 or 2 seconds when configuring the StoreFront user monitor.

    [ NSHELP-34418 ]
  • The "show server name" command displays the service status as unknown even though the service is bound to the server.

    [ NSHELP-33668 ]
  • NetScaler might crash when the following conditions are met:

    • A load balancing virtual server is configured with a redirect URL in multiple partitions.
    • A memory recovery is triggered.
    [ NSHELP-33638, NSCXLCM-227, NSCXLCM-509, NSCXLCM-4636 ]
  • The secondary node might crash if you use the same GSLB virtual server as the backup for multiple GSLB virtual servers.

    [ NSHELP-33400, NSCXLCM-412, NSCXLCM-470, NSCXLCM-1084, NSCXLCM-2454 ]
  • NetScaler might crash when the monitor probe fails for a few internal virtual servers.

    [ NSHELP-30985 ]
  • The NetScaler VPX appliance crashes when the following conditions are met:

    1. The autosync option is used to synchronize the configuration with other GSLB sites.
    2. The incarnation number that is used to fetch the GSLB cache is a multiple of 1024.
    [ NSHELP-30075 ]
  • In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.

    [ NSHELP-29309 ]

Miscellaneous

  • In an HA mode, the secondary NetScaler instance crashes when processing the ICA packets.

    [ NSHELP-37256, NSCXLCM-3410, NSCXLCM-3573, NSCXLCM-4796, NSCXLCM-4805, NSCXLCM-4982, NSCXLCM-5033 ]
  • NetScaler configured with HDX Insight might reboot when the secondary node receives the packets for processing.

    [ NSHELP-34152 ]
  • A NetScaler appliance might crash when it tries to access resources on the freed ICAP. This condition happens when the ICAP is in response modification (RESPMOD) mode.

    [ NSHELP-33403 ]
  • NetScaler log files contain gateway insight logs even if NetScaler Gateway insights are disabled.

    [ GOPHDX-5091 ]
  • When clearing the configurations by using the GUI or CLI, a NetScaler appliance might crash when the Secure Token Authority (STA) related entities are cleared.

    [ GOPHDX-1743 ]

NetScaler Gateway

  • After an upgrade, the NetScaler Gateway portal fails to display the customized login schema and the RfWebUI theme settings. Instead, it shows the default settings. This issue occurs when the default CSP header is enabled on NetScaler Gateway.

    [ NSHELP-38000 ]
  • The Traffic Management > SSL > SSL Files option is missing in the GUI if the following conditions are met:

    • A NetScaler Gateway license is used.
    • The software is upgraded to NetScaler release 13.0 build 91.x.
    [ NSHELP-36186 ]
  • After an upgrade, NetScaler Gateway proxy settings fail to work in a full VPN mode.

    [ NSHELP-35853 ]
  • The NetScaler Gateway home page might fail to enumerate the apps when you try to access it on clientless VPN mode using a mobile browser.

    [ NSHELP-35541, NSCXLCM-1132, NSCXLCM-1212, NSCXLCM-1248, NSCXLCM-1774 ]
  • A NetScaler Gateway appliance crashes when evaluating a policy for a VPN URL.

    [ NSHELP-33683, CGOP-20369, NSCXLCM-1507, NSCXLCM-219, NSCXLCM-220, NSCXLCM-223, NSCXLCM-245, NSCXLCM-275, NSCXLCM-297, NSCXLCM-311, NSCXLCM-368, NSCXLCM-369, NSCXLCM-378, NSCXLCM-391, NSCXLCM-439, NSCXLCM-461, NSCXLCM-474, NSCXLCM-487, NSCXLCM-525, NSCXLCM-540, NSCXLCM-542, NSCXLCM-551, NSCXLCM-552, NSCXLCM-606, NSCXLCM-611, NSCXLCM-624, NSCXLCM-740, NSCXLCM-872, NSCXLCM-895, NSCXLCM-1061, NSCXLCM-1237, NSCXLCM-1387, NSHELP-34076, NSHELP-34077, NSHELP-34100, NSHELP-34180 ]
  • After upgrading a NetScaler appliance, the RDP proxy URLs do not work with the X1 portal theme and the message "Http/1.1 Object Not Found" appears.

    [ NSHELP-33676, NSCXLCM-266, NSHELP-33845, NSHELP-33921 ]
  • When a NetScaler appliance is upgraded, the appliance might crash while processing the UDP traffic.

    [ NSHELP-33417, NSCXLCM-562, NSCXLCM-594, NSCXLCM-986, NSCXLCM-1358 ]
  • Some of the VPN sessions might get cleared or removed from the secondary ADC appliance after a failover.

    [ NSHELP-33125 ]
  • After upgrading a NetScaler Gateway appliance, the Configuration > Integrate with Citrix Products section is not displayed in the NetScaler GUI.

    [ NSHELP-32335 ]

NetScaler Web App Firewall

  • The load balancing virtual server might not be accessible after a high availability failover. This issue occurs when the URL transform action is performed on the request or response based on the order of adding the configuration, instead of the priority.

    [ NSHELP-36761 ]
  • NetScaler might crash when Web App Firewall takes longer to perform the command injection protection check than the expected time.

    [ NSHELP-36343, NSCXLCM-2189, NSHELP-37692 ]
  • NetScaler might crash when "VerboseLogLevel" is set to "patternPayloadHeader" in the Web App Firewall profile.

    [ NSHELP-35915 ]
  • The NetScaler appliance might crash due to invalid HTTP header information. This issue occurs when the following conditions are met:

    • SQL/XSS violation occurs in the HTTP request body.
    • The verbose logging is set to "patternPayloadHeader".

    [ NSHELP-35297, NSCXLCM-1127 ]
  • The cookie hijacking redirect drops the query parameters from the request URL. As a result, the redirected request might fail.

    [ NSHELP-33633, NSCXLCM-307 ]

Networking

  • In an HA setup, the NetScaler VPX secondary node crashes after upgrading to release 13.1 build 53.17.

    [ NSHELP-37950, NSHELP-38808, NSCXLCM-4553, NSCXLCM-4618, NSCXLCM-4625, NSCXLCM-4834, NSCXLCM-4991, NSCXLCM-5157, NSHELP-37332 ]
  • The NetScaler appliance might crash when you configure a dataset based ACL.

    [ NSHELP-35744, NSCXLCM-2170, NSCXLCM-2195, NSCXLCM-2200, NSCXLCM-2203, NSCXLCM-2376, NSCXLCM-2748 ]
  • NetScaler sends VOLTAGE-LOW traps immediately after reboot before the system stabilises.

    [ NSHELP-35672, NSHELP-36231 ]
  • When a NetScaler appliance that has a large integrated cache or a large scale NAT configuration is upgraded from release 12.1 or 13.0 to release 13.1 or 14.1, the recovery time after a packet engine crash is longer than on the pre-upgrade version.

    [ NSHELP-33797 ]
  • For internal SSL services on a non-default HTTPS port, even if you change the default SSL certificate binding and restart the appliance, the default certificate continues to be bound to internal services.

    [ NSHELP-24034 ]

Platform

  • The updated time log is not captured under /var/log/ns.log and /var/log/notice.log after a user updates the date by using the "date" command.

    [ NSPLAT-30021 ]
  • When the interface configuration is disabled, the Tx Laser might not be OFF after the appliance is restarted.

    [ NSPLAT-28484, NSHELP-35272 ]
  • After you upgrade the ADC appliance to release 13.1 build 42.47, on some public cloud VPX deployments, you might observe the HTTP and TCP services flap between UP and DOWN states.

    [ NSPLAT-26310 ]
  • For a NetScaler VPX release 13.1 build 37.38 on VMware ESX hypervisor with VMXNET3 interfaces, you see the following behaviour in the HA setup:

    The NetScaler VPX HA pair is not configured because the communication between the HA nodes is not established. As a result, the peer node status is displayed as UNKNOWN.

    [ NSPLAT-25677 ]
  • The NetScaler VPX instance drops packets from a client if both of the following conditions are met:

    • The VPX instance is hosted on VMware Cloud on AWS using a VMXNET3 adapter.
    • The VMXNET3 adapter fails to generate the RSS hash for the packet.
    [ NSHELP-33150 ]

SSL

  • When you run the 'show fipsstatus' command from the NetScaler CLI, the output displays the details about NetScaler Crypto Library on MPX FIPS and VPX FIPS.

    [ NSSSL-14391 ]
  • On NetScaler MPX FIPS and VPX FIPS, any unbound ECC curves are rebound to the SSL service after a reboot.

    [ NSSSL-14369 ]
  • When a corrupt encrypted finish message is received from the back-end server, the SSL handshake fails on NetScaler MPX but the SSL audit log is not updated.

    [ NSSSL-14368 ]
  • A virtual server crashes due to a failed TLS1.3 connection, because the NetScaler appliance runs out of memory and a memory allocation request fails during the start of a TLS 1.3 handshake.

    With this fix, the TLS 1.3 connection fails but the appliance does not crash.

    [ NSSSL-12200 ]
  • The NetScaler GUI, when accessed through a Cluster IP (CLIP) address, does not display the server certificate bindings to an SSL service, service group, and internal services.

    [ NSSSL-12191 ]
  • NetScaler might crash after repeated login attempts if the following conditions are met:

    • Client authentication is enabled.
    • The client tries to authenticate with the root certificate.
    [ NSHELP-36094, NSCXLCM-2866 ]
  • Cross-signed certificate validation fails when there is a long chain and one of the intermediate certificates in the chain is a cross-signed root certificate.

    [ NSHELP-34615, NSCXLCM-1131, NSCXLCM-1291, NSCXLCM-1397 ]
  • A virtual server may incorrectly terminate a TLS 1.3 handshake with a `decrypt_error` alert if the following conditions are met:

    • The client is authenticating with a certificate.
    • The virtual server is configured to perform a certificate status check using OCSP or a CRL.
    • The client sends both Certificate and CertificateVerify messages in the same TLS record.
    [ NSHELP-33355 ]

System

  • NetScaler might stop the data transfer if the following conditions are met:

    • Multiple features are enabled.
    • More than one feature tries to delete the same part of the TCP or HTTP payload.
    [ NSHELP-33793, NSCXLCM-1512, NSCXLCM-1954 ]
  • In some cases, a NetScaler appliance might crash while processing a corrective acknowledgment sent by a server connection that is in the TIME_WAIT state.

    [ NSHELP-33469 ]
  • NetScaler might stall the data transfer on an HTTP/2 connection when an HTTP-based feature tries to buffer a large amount of application data.

    [ NSHELP-32612, NSCXLCM-3400, NSCXLCM-4979, NSHELP-36243 ]
  • The NetScaler appliance might crash if it processes a corrective ACK packet related to a server-side TCP connection.

    [ NSHELP-32290, NSCXLCM-6031 ]
  • The NetScaler appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.

    [ NSHELP-31656 ]
  • A memory leak might occur in the NetScaler appliance if both the following conditions are met:

    • HTTP compression feature is enabled.
    • The connection is reset in the middle of the transaction.
    [ NSHELP-30631 ]

User Interface

  • In an HA setup, even though you have unique SSL certificates for the NSIP address of the primary and secondary node, the secondary node certificate is overwritten by the primary node certificate.

    [ NSHELP-35938 ]
  • When you configure a responder policy or a rewrite policy on the NetScaler GUI without adding any values in the Log Action and AppFlow Action fields, which are not mandatory, the following error is displayed:

    "Invalid name; names must begin with an alphanumeric character or underscore and must contain only alphanumerics, '_', '%23', '.', ' ', ':', '@', '=' or '-' [logAction, ]"

    [ NSHELP-35726 ]
  • A user login to a non-default partition might fail when the GUI or the NITRO API is used.

    [ NSHELP-34849 ]
  • You might observe high management CPU usage in a NetScaler appliance when both of the following conditions are met:

    • Admin partitions are configured on the appliance.
    • The appliance is managed by NetScaler ADM.
    [ NSHELP-34825, NSCXLCM-192, NSCXLCM-501, NSCXLCM-1279 ]
  • When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.

    [ NSHELP-34187 ]
  • A few built-in configurations are not available when a NetScaler ADC instance is created.

    [ NSHELP-33451, NSCXLCM-502 ]
  • In a high-availability setup configured with a large number (thousands) of SSL certificates, configuration synchronization might take longer than usual. As a result, you might see the synchronization state in progress for a long time.

    [ NSHELP-32959, NSCXLCM-1752, NSCXLCM-1989, NSCXLCM-4425, NSCXLCM-4800, NSHELP-35003 ]
  • The following error appears on the NetScaler UI when there is a huge difference between the saved and the running configuration:

    "Error in fetching the configuration"

    [ NSHELP-32752 ]
  • On the NetScaler GUI, the System Log Files page (Configuration > System > Auditing > Syslog messages) and the Logs page (Configuration > Authentication > Logs) fail to load the log files.

    [ NSHELP-30868 ]
  • The /var/log/notice.log file does not capture the log details when a user initiates the upgrade by using the "install" command.

    [ NSCONFIG-9823 ]

Known Issues

The issues that exist in release 13.1-37.219 FIPS.

NetScaler Gateway

  • The Audit server, on Windows machines, crashes when the log level is set to INFO on NetScaler.

    [ NSHELP-25692 ]

Platform

  • The NetScaler appliance crashes if VRID is bound to an LA channel that does not have member interfaces configured.

    Workaround:

    Configure the member interfaces for an LA channel before binding VRID to the LA channel.

    [ NSPLAT-26707 ]

System

  • NetScaler Weblog and Auditserver components might crash after completing any addns parameter operation that adds the details of NetScaler to the log configuration file.

    [ NSBASE-19384 ]

User Interface

  • The NetScaler GUI is inaccessible with an IPv6 address.

    Workaround: Access the NetScaler GUI using an IPv4 address instead of an IPv6 address.

    [ NSHELP-38811, NSCXLCM-6327 ]
  • You cannot unbind a Log Action from the NetScaler GUI; unbinding works from the NetScaler CLI.

    [ NSHELP-36973 ]