Citrix ADC

Release Notes for Citrix ADC 13.0-41.28 Release

This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the Citrix ADC release 13.0 Build 41.28.


  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous Citrix ADC 13.0 releases.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the Citrix ADC team.
  • Build 41.28 replaces Build 41.20

  • Build 41.20 included fixes for the following issues:
    • Known Issues: NSSSL-7044, NSCONFIG-2370, NSHELP-136, NSHELP-16407, NSHELP-20266
    • Fixed Issues: CGOP-11830, NSCONFIG-2232, NSHELP-19614, NSHELP-20020, NSHELP-20522, NSNET-10968, NSNET-11916
    • Enhancements: NSCONFIG-2224, NSNET-12256

Points to Note

Some important aspects to keep in mind while using Build 41.28.

  • Citrix ADC VPX appliance

    • For VPX deployment on Azure Stack, the DNS forwarder in Azure Stack must be configured to to support resolution of DNS root servers.

    [ NSPLAT-10838]

What’s New

The enhancements and changes that are available in Build 41.28.


  • Support for Logstream in Admin Partitions

    A Citrix ADC appliance can now send Logstream records from Admin Partitions.

    [ NSBASE-4777]

  • Monitoring Logstream records through NSIP address

    A Citrix ADC appliance can now connect to Citrix ADM using NSIP address to send Logstream records.

    [ NSBASE-7400]

Authentication, authorization, and auditing

Citrix ADC BLX appliance

  • Ubuntu Linux host support for Citrix ADC BLX appliances

    Citrix ADC BLX appliance now supports running in Ubuntu Linux systems.

    [ NSNET-9259]

  • BGP Dynamic routing protocol support for Citrix ADC BLX appliances

    Citrix ADC BLX appliances now supports the IPv4 and IPv6 BGP dynamic routing protocols.

    [ NSNET-7785]

  • DPDK support for Citrix ADC BLX appliances

    Citrix ADC BLX appliances now supports Data Plane Development Kit (DPDK), which is a set of Linux libraries and network interface controllers for better network performance. Citrix ADC BLX appliance supports DPDK only on dedicated mode.

    For more information, see

    [ NSNET-2456]

Citrix ADC CPX appliance

  • Default value of the monitorConnectionClose parameter value is set to RESET in lighter version of Citrix ADC CPX

    For closing a monitor-probe connection using global load balancing parameters, you can configure monitorConnectionClose to FIN or RESET. When you configure the monitorConnectionClose parameter to:

    • FIN: The appliance performs a complete TCP handshake.

    • RESET: The appliance closes the connection after receiving the SYN-ACK from the service.

    In lighter version of Citrix ADC CPX, the monitorConnectionClose parameter value is set to RESET by default and cannot be changed to FIN at the global level. However, you can change the monitorConnectionClose parameter to FIN at the service level.

    [ NSLB-4610]

Citrix ADC GUI

Citrix ADC VPX appliance

Citrix Bot Management

  • Citrix Bot Management

    Detecting and mitigating bot threats is a core security need in today’s world. This is achieved by using a bot management system. Citrix Bot Management protects your web applications, apps, and APIs from both basic as well as advanced security attacks. Citrix Bot Management uses the following six detection mechanisms to detect the bot type and, take a mitigation action.

    The techniques are bot white list, bot blacklist, IP reputation, device fingerprinting, rate limiting, and static signatures.

    IP reputation. This mechanism detects if inbound traffic is a bot by an actively updated database of malicious IP addresses.

    Device fingerprinting. Device fingerprinting injects javascript into the HTTP stream, and evaluates properties returned from that javascript to determine whether or not the inbound traffic is a bot or not.

    Rate limiting. The detection technique rate limits multiple requests coming from the same client via session, cookie, or IP.

    Bot signatures. The detection technique detects and blocks bots based on 3,500+ signatures groomed by the Citrix Threat Research team. Bots could be, e.g., unauthorized URLs that scrape websites, brute forcing logins, or those that probe for vulnerabilities

    Bot white list. The whitelist is a customizable list of URLs, IPs, CIDR blocks, and policy expressions that whitelists and permits the inbound traffic matching one of these parameters.

    Bot blacklist. The blacklist is a customizable list of URLs, IPs, CIDR blocks, and policy expressions that blacklists and denies the inbound traffic matching one of these parameters.

    Citrix Bot Management mitigates automated threats and unwanted bot traffic against your public apps, APIs, and websites. If incoming traffic is determined to be a bot, the system takes an action assigned by the ADC administrator and generates robust reporting for accountability and auditability.

    Bot Management provides the following benefits:

    • Defend against bots, scripts, and toolkits — Static-signature based defence and device fingerprinting provide threat mitigation against both basic and advanced bots.

    • Neutralize basic and advanced attacks — Prevent attacks such as App layer DDoS, password spraying, password stuffing, price scrapers, content scrapers, and more.

    • Protect your APIs and investments — Protect your APIs from misuse, probing, and data leaks, and protects infrastructure investments from unwanted traffic.

    For more information, see

    [ NSWAF-2900]

Citrix Gateway

  • Selectively using legacy or latest logon protocols for clients

    Customers using Workspace app with Citrix Gateway can now selectively use legacy or latest logon protocol based on the policies. Customers can use old network protocols for certain clients and also allow clients to use native Intune integration with Citrix Gateway clients using legacy protocol, primarily Intune compliancy check using device unique identifier.

    [ CGOP-10879]

  • AlwaysON before logon for Windows

    AlwaysON before logon for Windows enables users to establish a VPN tunnel even before a user logs in to a Windows system. This persistent VPN connectivity is achieved by an automatic establishment of a device-level VPN tunnel once the device boots up.

    For more information, see

    [ CGOP-10791]

Citrix Web App Firewall

  • Allowable file upload formats

    Citrix Web App Firewall now allows you to configure the allowable file upload formats in an Citrix Web App Firewall profile. By doing this, you restrict file uploads to specific formats and protect the appliance against malicious uploads during a multi-form submission.

    Note: The feature works only when you disable the “ExcludeFileUploadFormChecks” option in the WAF profile.

    For more information, see

    [ NSWAF-2579]

  • Detailed logging of violation pattern

    You can now configure the Web App Firewall profile for providing a detailed violation pattern when an attack happens. By configuring the Verbose log level option, you can log different parts of the payload along with attack pattern for forensic analysis or troubleshooting.

    For more information, see

    [ NSWAF-2892]

  • JSON content protection

    Citrix Web App Firewall now provides JSON protection for DOS, XSS, and SQL attacks. The JSON denial-of-service (DoS), SQL, and XSS rules examine the incoming JSON request and validate if there is any data matching the characteristics of a DoS, SQL, or XSS attack. If the request had JSON violations, the appliance blocks the request, logs the data, sends an SNMP alert, and also displays a JSON error page. The purpose of the JSON protection check is to prevent an attacker from sending JSON request to launch DoS, XSS or SQL attacks on your JSON applications or website.

    For more information, see

    [ NSWAF-2894]

  • WAF POST body threshold to reduce CPU utilization

    The application firewall signature file now includes the CPU usage, latest applicable year, and severity level. You can see the CPU usage, latest year, and CVE severity level every time a signature file is modified and uploaded periodically. After observing these values, you can decide to enable or disable the signature on the appliance.

    For more information, see

    [ NSWAF-2932]

  • Auto deploying learnt data using dynamic profiles.

    You can now auto-deploy learnt data as relaxation rules. In dynamic profiling, if Web App Firewall records learnt data within a user-defined threshold, the appliance sends an SNMP alert to the user. If the user does not skip the data within a grace period, the appliance auto deploys the data as a relaxation rule. Previously, the user had to manually deploy the learnt data as relaxation rules.

    For more information, see

    [ NSWAF-2895]



  • DNS flag day 2019 compliance

    The Citrix ADC appliance is now fully compliant with DNS flag day 2019.

    [ NSLB-4275]


  • Dynamic routing protocols in standard license

    The Citrix ADC standard licence now includes the Citrix ADC dynamic routing protocols. Citrix ADC supports the following dynamic protocols:

    • RIP (IPv4 and IPv6)

    • OSPF (IPv4 and IPv6)

    • BGP (IPv4 and IPv6)

    • IS-IS (IPv4 and IPv6)

    [ NSNET-12256]

  • New values for SDX minimum bandwidth and minimum instances

    The minimum bandwidth and minimum instances values for SDX appliances that support Citrix ADC pooled capacity have changed. For more information, see:

    [ NSSVM-2770]

  • Dynamic routing protocols in standard license

    The Citrix ADC standard licence now includes the Citrix ADC dynamic routing protocols. Citrix ADC supports the following dynamic protocols:

    • RIP (IPv4 and IPv6)

    • OSPF (IPv4 and IPv6)

    • BGP (IPv4 and IPv6)

    • IS-IS (IPv4 and IPv6)

    [ NSPLAT-6179]

Load Balancing

  • Support for secure NTLM monitor

    You can now use the script to create a monitor for monitoring a secure NTLM server.

    [ NSLB-4806]


  • Update service group with desired member set seamlessly using Desired State API

    You can now use Desired State API to update a service group with a desired set of service group members. Using Desired State API, you can provide a list of service group members along with their weight and state (optional) in a single PUT request on the “servicegroup_servicegroupmemberlist_binding” resource. The Citrix ADC appliance compares the requested desired member set with the configured member set. Then, it automatically binds the new members and unbinds the members that are not present in the request.

    [ NSLB-4543]

  • Restricting system users to a specific management interface

    A Citrix ADC appliance now allows you to restrict user access to a specific management interface (CLI or API). You can configure the allowed management interface list for a particular user or a group of users at the user level.

    For more information, see

    [ NSCONFIG-1376]


  • Setting the receive ring size and ring type for an interface

    You can now increase the receive ring size and ring type for IX, F1X, F2X, and F4X interfaces on Citrix ADC MPX and SDX platforms.

    An increased ring size provides more cushion to handle burst traffic, but might impact the performance. A ring size of up to 8192 is supported on IX interfaces. A ring size of up to 4096 is supported on F1X, F2X, and F4X interfaces. The default ring size continues to be 2048.

    Interface ring types are elastic by default. They increase or decrease in size based on packet arrival rate. You can configure the ring type as “fixed” so that it does not change based on traffic rate.

    [ NSPLAT-9264]



  • Support for optional client certificate verification with policy based client authentication

    You can set client certificate verification to optional when you have configured policy based client authentication. Previously, mandatory was the only option. Now both optional and mandatory options are available, and configurable.

    For more information, see

    [ NSSSL-690]

  • Support for displaying RSA 3072-bit key values in stat ssl command

    The output of the stat ssl now includes the RSA 3072-bit key exchange values.

    stat ssl -detail

    SSL Offloading

    SSL cards present 8

    SSL cards UP 8

    SSL engine status 1

    SSL sessions (Rate) 0

    Key Exchanges

    RSA 512-bit key exchanges 0 0

    RSA 1024-bit key exchanges 0 0

    RSA 2048-bit key exchanges 0 0

    RSA 3072-bit key exchanges 0 106380

    RSA 4096-bit key exchanges 0 0


    [ NSSSL-1954]

  • Support for longer names of SSL entities

    To help customers maintain a standard naming convention across all ADC entities, the Citrix ADC appliance now supports a certificate name of up to 63 characters. Earlier, the limit was 31 characters.

    [ NSSSL-5976]

  • Intel Coleto chip health check enhancements

    Citrix ADC appliances with the Intel Coleto chip now support enhanced health checks for symmetric (SYM) and asymmetric (ASYM) operations.

    [ NSSSL-6299]

  • Support for fragmented TLS messages

    The Citrix ADC appliance now supports fragmentation of server certificate messages and certificate request messages. The maximum supported size of these messages across all records is 32 KB. Earlier, fragmentation was not supported and the maximum supported size of the messages was 16 KB.

    [ NSSSL-5971]


  • Implementing ICAP request timeout and response timeout

    For handling ICAP response timeout issue, you can configure the ICAP request timeout value for ‘reqTimeout’ parameter in the ICAP Profile. By doing this, you can set a request timeout Action for the appliance to take any action when there is delayed ICAP response from the ICAP-Server. If the appliance does not receive any ICAP response within the configured request timeout, the appliance can perform one of the following actions according to the ‘ReqTimeoutAction’ parameter configured on the Icapprofile.

    ReqTimeoutAction: Possible values are BYPASS, RESET, DROP.

    BYPASS: If the ICAP response with Encapsulated headers is not received within the timeout value, this Ignores the remote ICAP server’s response and sends the Full request/response to Client/Server

    RESET (default): Reset the client connection by closing it.

    DROP: Drop the request without sending a response to the user

    For more information, see

    [ NSBASE-3040, NSBASE-2264]

  • Handling ICAP server downtime during the content inspection

    For handling ICAP server downtime during content inspection, the Citrix ADC appliance now enables you to configure the ifserverdown parameter and assign of the following actions.

    CONTINUE: If the User wants to bypass the contentinspection if the remote server is down, this action can be chosen.

    RESET (default): This action responds to the client by closing the connection with RST.

    DROP: This action silently drop the packets without sending a response to the user.

    [ NSBASE-4936]

  • Intrusion Detection System (IDS) integration with L3 connectivity

    A Citrix ADC appliance is now integrated with passive security devices such as Intrusion Detection System (IDS). In this setup, the appliance sends a copy of the original traffic securely to remote IDS devices. These passive devices store logs and trigger alerts when it detects a bad or non-compliant traffic. It also generate reports for compliance purpose. If Citrix ADC appliance is integrated with two or more IDS devices and when there is a high volume of traffic, the appliance can load balance the devices by cloning traffic at the virtual server level.

    For advanced security protection, a Citrix ADC appliance is integrated with passive security devices such as Intrusion Detection System (IDS) deployed in detection-only mode. These devices store log and trigger alerts when it sees a bad or non-compliant traffic. It also generates reports for compliance purpose. Following are some of the benefits of integrating Citrix ADC with an IDS device.

    1. Inspecting encrypted traffic – Most security devices bypass encrypted traffic, thereby leaving servers vulnerable to attacks. A Citrix ADC appliance can decrypt traffic and send it to IDS devices for enhancing customer’s network security.

    2. Offloading IDS devices from TLS/SSL processing – TLS/SSL processing is expensive and it results in high system CPU in intrusion detection devices if they decrypt the traffic. As encrypted traffic is growing at a fast pace, these systems fail to decrypt and inspect encrypted traffic. Citrix ADC helps in offloading traffic to IDS devices from TLS/SSL processing. This way of offloading data results in an IDS device supporting a high volume of traffic inspection.

    3. Loading balancing IDS devices – The Citrix ADC appliance load balances multiple IDS devices when there is a high volume of traffic by cloning traffic at the virtual server level.

    4. Replicating traffic to passive devices – The traffic flowing into the appliance can be replicated to other passive devices for generating compliance reports. For example, few government agencies mandate every transaction to be logged in some passive devices.

    5. Fanning traffic to multiple passive devices – Some customers prefer to fan out or replicate incoming traffic into multiple passive devices.

    6. Smart selection of traffic – Every packet flowing into the appliance might not be need to be content inspected, for example download of text files. User can configure the Citrix ADC appliance to select specific traffic (for example .exe files) for inspection and send the traffic to IDS devices for processing data.

    For more information, see

    [ NSBASE-6800]

  • New entity counter for debugging load balancing virtual servers

    A new entity counter is added for debugging virtual servers and analytics purpose.

    [ NSBASE-8087]

  • SNMP traps for In Service Software Upgrade process

    The In Service Software Upgrade (ISSU) process for a high availability setup now supports sending SNMP trap messages at the start and end of the ISSU migration operation.

    For more information, see

    [ NSNET-9959]

  • Rollback for In Service Software Upgrade process

    High availability setups now support rollback of the In Service Software Upgrade (ISSU) process. The ISSU rollback feature is helpful if you observe that the HA setup after or during the ISSU process is not stable, or is not performing at an optimum level as expected.

    For more information, see

    [ NSNET-9958]

  • Changing default RPC node passwords

    In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.

    [ NSCONFIG-2224]

Video Optimization

Fixed Issues

The issues that are addressed in Build 41.28.

Admin Partition

  • In a high availability setup with admin partition configuration, the audit logs generated from the secondary node are sent to SYSLOG or NSLOG server only when the SYSLOG or NSLOG server is reachable from the admin partition.

    [ NSHELP-19399]

  • In a partitioned setup, the “diff ns config” CLI command displays misleading information.

    [ NSHELP-19530]


  • An AppFlow policy is not triggered if it is bound to a load balancing virtual server that is behind a content switching virtual server.

    [ NSHELP-18782, NSBASE-8180]

  • The Citrix ADC appliance crashes if you bind a user-defined analytics profile, other than the internally bound profile, to an AppFlow action.

    [ NSHELP-19362]

  • When the AppFlow “client side measurements” feature is enabled, the Citrix ADC appliance unexpectedly parses the CSS files of an HTML page. Any error during the CSS parse can cause the HTML page to load incorrectly.

    [ NSHELP-19375]

  • The Citrix ADC appliance might crash if AppFlow is disabled but front-end optimization (FEO) is enabled with client side measurements, in the FEO action.

    [ NSHELP-19531]

  • A Citrix ADC appliance might reboot if the AppFlow collector closes in Logstream transport mode.

    [ NSHELP-19837]

Authentication, authorization, and auditing

  • A Citrix ADC appliance might allow unauthorized access if the following conditions are met:

    • Appropriate authorization policies are not configured.

    • The defaultAuthorizationAction parameter in the “set tm sessionParameter” command is ALLOW by default.

    [ NSAUTH-6013]

  • The SNMP sends traps even after the SSH public key authentication is succeeded.

    [ NSHELP-18303]

  • The probe server command provides an appropriate message when the TACACS server closes the TCP connection with FIN or RST packets without sending an authentication response.

    [ NSHELP-18399]

  • When upgrading Citrix ADC cluster setup that is on release 10.5 to a higher version, the system login to a non-CCO node on the higher version fails.

    [ NSHELP-18511, NSAUTH-5561]

  • A Citrix ADC appliance configured as SAML SP fails if the server sends a large RelayState parameter name along with assertion.

    [ NSHELP-18559]

  • A Citrix authentication, authorization, and auditing logout message occasionally display incorrect virtual server name.

    [ NSHELP-18751]

  • A Citrix ADC appliance fails to obtain Kerberos tickets through a constrained delegation, if one of the following conditions are met:

    • The enterprise “realm” parameter is configured for the user.

    • The domain name in the “keytab” parameter is in lower case.

    [ NSHELP-18946]

  • The buffer gets corrupted if the following conditions are met:

    • The data in the buffer is overwritten.

    • Core-to-core message processing results in a buffer recycle condition.

    [ NSHELP-18952]

  • A Citrix ADC appliance does not drop unauthenticated HTTP OPTIONS requests if User-Agent contains one of the patterns mentioned in ns_aaa_activesync_useragents.

    [ NSHELP-19024]

  • WebAuth authentication fails after multiple failovers on a Citrix Gateway appliance.

    [ NSHELP-19050]

  • A Citrix ADC appliance might crash if the following conditions are met:

    • Password change option is enabled in an LDAP action command.

    • LDAP action with authentication, authorization, and auditing session run into session propagation issue.

    [ NSHELP-19053]

  • The memory usage of a Citrix ADC appliance increases when Citrix Gateway or traffic management virtual server uses Kerberos authentication.

    [ NSHELP-19085]

  • If the metadataURL parameter is configured and the Citrix appliance is rebooted, then the SAMLAction command is not saved and the configuration is lost.

    [ NSHELP-19140]

  • If you set “Import Metadata URL” and later edit it by providing the redirect URL from Citrix ADC GUI, the Redirect URL is set but the Import Metadata URL is not unset. Because of this, the Citrix ADC appliance uses the metadata URL.

    [ NSHELP-19202]

  • A Citrix ADC appliance might crash if the input to Citrix GUI or NITRO API login request has an invalid username or password value.

    [ NSHELP-19254]

  • The Citrix appliance might crash if an authentication login schema policy is set to noschema.

    [ NSHELP-19292]

  • A Citrix ADC appliance occasionally fails if a defaultAuthenticationGroup parameter is configured in a samlIdPProfile command.

    [ NSHELP-19301]

  • System user login from Citrix GUI or NITRO API using role-based access (RBA) authentication fails when the Citrix ADC management is accessed through load balancing virtual server and load balancing service.

    [ NSHELP-19385]

  • Active Directory Federation Services (ADFS) fails to import metadata generated by the Citrix ADC SAML Service Provider (SP).

    [ NSHELP-19390]

  • The base64 decoding fails if a digital signature has HTML entity encoded characters.

    [ NSHELP-19410]

  • A Citrix ADC appliance configured for SAML Identity Provider (IdP) fails to authenticate incoming authentication request for certain applications.

    [ NSHELP-19443]

  • If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.

    [ NSHELP-19528]

  • If the URL contains “;” special character, the TASS cookie encodes the URL redirect at the time of login.

    [ NSHELP-19634]

  • If user group extraction is done during an administrator login, the memory usage of Citrix ADC AAA increases gradually.

    [ NSHELP-19671]

  • Authentication might fail when a Citrix ADC appliance configured as SAML with WS-Fed protocol contains a special character “&” in the password.

    [ NSHELP-19740]

  • A 500 error message is observed if the following conditions are met:

    • Authentication, authorization, and auditing enabled traffic management virtual server gets post request without the cookie.

    • The post body contains newline characters.

    [ NSHELP-19852]

  • A Citrix ADC appliance processes unauthenticated HTTP requests with OPTIONS method received from authentication, authorization, and auditing traffic management virtual server. At this point, the appliance responds with a corresponding HTTP 401 error message.

    [ NSHELP-19916]

  • A Citrix ADC appliance sends a negative value if the maximum age value for HSTS header is set above 2,147,483,647.

    [ NSHELP-19945]

  • The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.

    [ NSHELP-19961]

  • In an OpenID-Connect mechanism, OAuth Relying Party (RP) does not encode username or password properties while making password grant API call.

    [ NSHELP-19987]

  • A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates relaystate from Service Provider (SP) if it contains quotes.

    [ NSHELP-20131]

  • A Citrix Gateway appliance might fail if the following conditions are met:

    • When a user logs out of a session.

    • The appliance is deployed in an HDX platform.

    • SAML authentication is used in Citrix Gateway.

    [ NSHELP-20206]

  • A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.

    [ NSHELP-20282]

  • A Citrix Gateway appliance might occasionally fail if users try to login when taking VPX snapshot.

    [ NSHELP-20292]

  • A Citrix ADC appliance configured as a SAML Service Provider (SP) on traffic management virtual server does not send post body response to the back-end server after SAML login.

    [ NSHELP-20348]

  • The following behavior is observed in the Citrix ADC GUI:

    • You cannot edit the OAuth Policies.

    • You can edit only OAuth Actions.

    • The OAuth Policies option must only be under Advanced Policies not under Basic Policies.

    [ NSHELP-2131]

  • Occasionally, a Citrix Gateway appliance might fail when it receives /vpns/services.html request from a client.

    [ NSHELP-8513]


  • Feature: Citrix ADC CPX

    The following default TCP profiles were not automatically set with the TCP maximum segment size (MSS):

    • nstcp_default_profile

    • nstcp_internal_apps

    [ NSNET-11916]

Citrix ADC BLX appliance

  • On a Citrix ADC BLX appliance, you cannot bind interface 0/1 to a VLAN because this interface is used for internal communication between the BLX appliance and Linux host applications.

    [ NSNET-10014]

  • Interface features (for example, Rx, Tx, GRO, GSO, and LRO) are disabled for interfaces (Linux host) allocated to the Citrix ADC BLX appliance. These features continue to remain in the disabled state even after these BLX interfaces are released to the default namespace when the BLX appliance is stopped.

    [ NSNET-9697]

Citrix ADC CLI

  • When logged in as nsrecover user, nscli -U commands are throwing error.

    [ NSCONFIG-1414]

  • A Citrix ADC appliance becomes unresponsive, if it hits the maximum number of user sessions (approximately 1000 sessions) and if the management interface stops responding.

    [ NSHELP-19212, NSCONFIG-1369]

Citrix ADC CPX

  • The lighter version of Citrix ADC CPX instance was not getting registered on Citrix ADM.

    [ NSCONFIG-2232]

  • You cannot configure an NSIP with /32 bit subnet mask for Citrix ADC CPX.

    [ NSNET-10968]

Citrix ADC GUI

  • An error message, “Cannot read property ‘get’ of undefined.” appears when you click Action in the Stream Identifiers GUI page.

    [ NSHELP-19369]

  • The following error message appears after you perform steps 1 through 4.

    “Ambiguous argument value []”

    1. Create an SSL profile with default values.

    2. Bind the profile to an SSL virtual server.

    3. Edit SSL parameters, but do not change any values.

    4. Select OK to close the SSL parameters dialog box.

    [ NSHELP-19402]

  • Due to some technical issues in the framework, all service groups are not displayed in the ADC GUI.

    [ NSUI-13754]

Citrix ADC SDX appliance

  • The maximum number of cores that you can configure now on a VPX instance depends on the available cores on the particular SDX platform. Earlier, you could configure a maximum of only five cores even if more cores were available.

    For information about maximum number of cores you can assign to a VPX instance, see

    [ NSHELP-18632]

  • After an SDX appliance is restored, partition MACs from the backup file were not restored on the respective VPX instances running on the SDX appliance.

    [ NSHELP-19008]

  • In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP flap. This triggers HA failover.

    [ NSHELP-19095]

  • SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.

    [ NSHELP-19297]

  • After upgrading an SDX appliance, the LA channel and VLAN configuration on the appliance might be lost.

    [ NSHELP-19392, NSHELP-19610]

  • When configuring pooled licensing in SDX 14000 FIPS appliance, the minimum instances you could check out was 25. With this fix, the minimum instances you can check out is two. For more information, see the Citrix ADC pooled capacity document:

    [ NSHELP-20305]

  • After a reset operation, the transmit rate drops.

    [ NSPLAT-7792]

  • On SDX 26000 and SDX 15000 platforms, management access through SSH to DOM0 might stop when the following conditions are met:

    • More than one VPX instance is restarted simultaneously.

    • 100 GE or 50 GE interfaces are assigned to the VPX instances.

    [ NSPLAT-9185]

  • An SDX appliance might hang at the end of its reboot cycle when all of the following conditions are met:

    • The SDX appliance is booting up.

    • All the VPX instances running on the SDX appliance are yet to come up.

    • Warm reboot commands are run on the SDX appliance.

    On the Citrix hypervisor console, as a result, the SDX appliance goes through regular cleanup and stops at the line “Reached target Final Step.”

    [ NSPLAT-9417]

  • After you have configured a VLAN from the allowed VLAN list (AVL) on a VPX instance running on an SDX appliance, the instance fails to restart automatically. As a result, communication between the VPX instance and AVL stops.

    [ NSSVM-135]

Citrix ADC VPX appliance

  • You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.

    [ NSPLAT-10710]

  • If you set MTU size through Citrix ADC VPX GUI, the error message “Operation not supported” appears.

    [ NSPLAT-9594]

Citrix Gateway

  • Citrix Gateway intranet applications now support comma-separated host names for FQDN based tunneling.

    [ CGOP-10855]

  • If the Citrix Gateway plug-in for macOS is not installed and if the user tries to access VPN from Safari, an error message appears.

    [ CGOP-11240]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830]

  • Encapsulating Security Payload (ESP) packets in transit are dropped if LSN configuration is not enabled on the Citrix ADC appliance.

    [ NSHELP-18502]

  • In a high availability setup, the secondary node might crash if SAML is configured.

    [ NSHELP-18691]

  • If an RDP server profile is set to the same port number and IP address as that of the content switching virtual server, the content switching configuration is lost after reboot.

    [ NSHELP-18818]

  • In some cases, upon accessing the Citrix Gateway appliance using an IE browser, the Citrix Gateway logon page appears only after a refresh.

    [ NSHELP-18938]

  • In Citrix ADM, the Analytics > Gateway Insight page reports the terminated VPN sessions incorrectly.

    [ NSHELP-19037]

  • In a high availability setup, the secondary node crashes if the removed user information is not synced with the node.

    [ NSHELP-19065]

  • Server busy dialog box is displayed on the VPN plugin window on the client machine if the machine remains inactive for more than two hours.

    [ NSHELP-19072]

  • UDP, DNS, and ICMP authorization policies do not get applied for the connections between a client in the internal network and a VPN client (server initiated connections).

    [ NSHELP-19142]

  • In some cases, the login script configured on the Citrix Gateway server fails to run on the client machines.

    [ NSHELP-19163]

  • Advanced End-point Analysis (EPA) scan fails for the macOS devices.

    [ NSHELP-19328]

  • In some cases, a Citrix ADC appliance dumps core, if the following conditions are met.

    • Two-factor authentication is enabled for the native VMware horizon client.

    • Radius is configured as the first factor of authentication.

    • Radius server responds with the group names upon successful authentication.

    [ NSHELP-19333]

  • In some cases, log out from Windows VPN plug-in takes longer than expected.

    [ NSHELP-19394]

  • In some cases, the Citrix Gateway appliance sets invalid cookie while processing the unauthenticated requests.

    [ NSHELP-19403]

  • In some cases, a Citrix Gateway appliance dumps core, if PCOIP virtual server profile is set on a VPN virtual server but pcoipProfile is not set under session action.

    [ NSHELP-19412]

  • In some cases, the Citrix Gateway appliance dumps core if the appliance is accessed in

    the Full VPN tunnel mode.

    [ NSHELP-19444]

  • The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.

    [ NSHELP-19543]

  • The DTLS service on a VPN virtual server functions with a default set of ciphers that cannot be modified through the bind or unbind cipher commands using CLI.

    [ NSHELP-19561]

  • Audio clarity for Skype calls is negatively affected when multiple applications/connections are tunneled over the VPN. This happens because of an improper memory management.

    [ NSHELP-19630]

  • A Citrix Gateway does not recognize the logon expression policy in a Windows plug-in during nFactor authentication.

    [ NSHELP-19640]

  • The “Location based awareness” functionality doesn’t work on client machines when the machine is brought into a network connected zone [Internet or intranet] from a no-network zone.

    [ NSHELP-19657]

  • If an authentication factor hosted in Azure is used in Citrix MFA, logon to Citrix Gateway using Windows plug-in fails. This happens because the MFA HTTP timeout value is lesser than the Citrix Gateway Windows plug-in timeout value.

    With this fix, Citrix Gateway Windows plug-in timeout value is increased to avoid logon failure. Also, the HTTP timeout value can now be configured by setting the below registry value (in seconds):

    ComputerHKEY_LOCAL_MACHINESOFTWARECitrixSecure Access ClientHttpTimeout

    [ NSHELP-19848]

  • In some cases EPA scan fails on Windows machines.

    [ NSHELP-19865]

  • In rare cases, Citrix ADC appliances deployed in a high availability (HA) setup might crash resulting in frequent HA failover, if both of the following conditions are met:

    • Gateway Insight is enabled.

    • SSO fails.

    [ NSHELP-19922]

  • Windows Intune enrollment check cannot be disabled on the client machines. The check is enabled by default.

    With this fix, Windows Intune enrollment check can be disabled.

    To disable the check, set the following registry entry to 1:

    ComputerHKEY_LOCAL_MACHINESOFTWARECitrixSecure Access ClientDisableIntuneDeviceEnrollment

    [ NSHELP-19942]

  • Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.

    [ NSHELP-20097]

  • Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a results, the system slows down.

    [ NSHELP-20122]

  • A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.

    [ NSHELP-20285]

  • When adding domains for clientless access profile, a horizontal scrollbar appears when the FQDN is long.

    [ NSHELP-20341]

  • In a high availability setup, the secondary Citrix ADC appliance might crash if session reliability on a high availability setup is enabled.

    [ NSHELP-5257, NSINSIGHT-1208, NSHELP-3807, NSHELP-3808, NSHELP-5414, NSHELP-5417, NSHELP-5428, NSHELP-17883, NSHELP-17894, NSHELP-17904]

  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.

    [ NSHELP-7872]

  • In some cases, a Citrix Gateway appliance dumps core because the pending STA refresh operations build up infinitely.

    [ NSHELP-8684]

Citrix Web App Firewall

  • The Citrix Web App Firewall original settings are overridden to default.

    For example, if you have selected the “enable” option for some signatures, the setting gets overridden to “disable” during the signature merge operation.

    [ NSHELP-17841]

  • A configuration loss is observed when you reboot a high availability or cluster setup with rfcprofile option enabled in the running configuration.

    [ NSHELP-18856]

  • A Citrix ADC appliance might crash if the Citrix Web App Firewall configuration changes are not handled properly in a cluster setup.

    [ NSHELP-18870]

  • After you add a relaxation rule, similar URLs are not getting deleted from the learned rules list.

    [ NSHELP-19298]

  • A Citrix ADC appliance might crash when processing large form bodies and if the field consistency parameter is enabled on the Citrix Web App Firewall profile.

    [ NSHELP-19299]

  • A Citrix ADC appliance might reset client connections when there is a high XML traffic.

    [ NSHELP-19314]

  • If you enable the URL transform policy and if the response from a body attribute value contains special characters, the ContentSwitching in an SSL offload might replace the special characters as entity encoded values.

    [ NSHELP-19356]

  • A Citrix ADC appliance might crash when CONNECT requests are received. The issue occurs if you set the default profile settings to any value other than APPFW_BYPASS, APPFW_RESET, APPFW_DROP, APPFW_BLOCK.

    [ NSHELP-19603]

  • Web Requests with many query parameters might receive no response if the field consistency protection parameter is enabled.

    [ NSHELP-19811]

  • A Citrix ADC appliance fails, if the following conditions are observed:

    • Web App Firewall policies use HTTP body based rule, for example, HTTP.REQ.BODY(..)),

    • Web App Firewall feature is disabled.

    [ NSHELP-19879]

  • New option to limit post body bytes inspected by signature

    After you upgrade your appliance to Citrix ADC version 13.0, you can now see a new profile option, “Signature Post Body Limit (Bytes)” with a default value of 8192 bytes. Your appliance upgrade will set the option to the default value. You can change this option to limit the request payload (in bytes) inspected for signatures with the location specified as ‘HTTP_POST_BODY’.

    Previously, Web Citrix Web App Firewall had no option to limit payload inspection and keep CPU under check.

    Navigation: Configuration > Security > Citrix Web App Firewall > Profiles > Profile Settings.

    [ NSWAF-2887, NSUI-13251]


  • In a cluster setup with ACL6 configuration, the ICMPv6 error packets loop between the nodes causing high CPU usage.

    [ NSHELP-19535]

  • In a cluster setup, the cluster propagation might fail if one of the following condition is met:

    • Connection fails between cluster daemon and configuration daemon.

    • Increase in memory usage in cluster daemon.

    [ NSHELP-19771]

  • In a cluster setup, the Citrix ADC GUI fails to upload an SSL certificate in the following conditions:

    • Commands are executed from the CLIP.

    • “sh partition” command responds with an invalid response.

    [ NSHELP-19905]

  • In a cluster setup, you might observe continuous failure logs that indicate connection failure between ZebOS dynamic routing IMI daemon and internal cluster daemon. This issue occurs when either the ZebOS dynamic routing IMI daemon or internal cluster daemon is restarted.

    [ NSNET-10655]

  • The following behavior is observed in a cluster setup:

    • There is a configuration mismatch if you execute enable/disable servicegroupmember, service group, and server command.

    • The unset command does not reset the netprofile for service/service group.

    [ NSNET-9599]


  • The Citrix ADC appliances might crash when filling cached negative response for a DNS ANY query for an authoritative zone.

    [ NSHELP-19496]

  • You can add a wildcard domain for the zone you own.

    [ NSHELP-19498]

  • A Citrix ADC VPX instance running on an SDX appliance might crash if an invalid DNS request is received on a Jumbo enabled interface.

    [ NSHELP-19854]


  • The GSLB site backup parent list configuration is lost if both of the following conditions are met:

    • The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.

    • The Citrix ADC appliance is restarted.

    [ NSCONFIG-1760]

  • In a GSLB cluster setup, MEP connection might get terminated resulting in a MEP flap when a node joins the cluster.

    [ NSHELP-19532]


  • After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.

    [ NSHELP-20137]

Load Balancing

  • When LRTM is enabled on a monitor bound to a service group, response time is not shown.

    [ NSHELP-12689]

  • In rare cases, a Citrix ADC appliance might fail when the service is marked DOWN before the SSL session is received from the server that has the following configuration.

    • A load-balancing virtual server of type SSL_BRIDGE

    • Persistence type is set to SSLSESSION ID

    • Backup persistence type is set to SOURCEIP​

    [ NSHELP-18482]

  • The inactive services number for a load balancing virtual server might return a large value for few seconds after some services or service group members are unbound from the load balancing virtual server. This is a display issue and does not impact any functionality.

    [ NSHELP-19400]

  • A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.

    [ NSHELP-19540]

  • In a high availability setup in INC mode, the GUI and CLI of the secondary node incorrectly displays the following status message for some load balancing monitors:

    “Probe skipped - node secondary”

    [ NSHELP-19617]

  • You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.

    [ NSHELP-20020]

  • Path monitoring for autoscale servicegroups is not supported in a cluster deployment.

    [ NSLB-4660]


  • The Citrix ADC appliance responds with an internal error message for show routerdynamicrouting NITRO API call.

    [ NSCONFIG-1325]


  • In a high availability setup with OSPF dynamic routing configured, the new primary node does not generate the OSPF MD5 sequence number in an increasing order after a failover.

    This issue has been fixed. For the fix to work properly, you must synchronize the time between the primary and secondary nodes either manually or by using NTP.

    [ NSHELP-18958]

  • When a PBR rule with next hop parameter set to NULL is added for a load balancing service or a monitor, the Citrix ADC appliance might become unresponsive.

    [ NSHELP-19245]

  • A Citrix ADC appliance might create an SYN+ACK packet loop, which in turn cause high CPU usage, when all the following conditions are true:

    • If an outstanding RNAT probe connection to an IP address, which is not currently Citrix ADC owned IP address, is present in the ADC appliance.

    • If you make this IP address as ADC owned IP address as part of the ADC configuration. For example, adding a load balancing virtual server with this IP address.

    [ NSHELP-19376]

  • The Citrix ADC appliance allows configuration through NITRO APIs even before the protocol modules are not completely initialised. Because of this reason, the write memory command fail with the following error message:

    “save config denied – modules not ready”

    [ NSHELP-19431]

  • In some rare cases in a high availability setup, the secondary node might establish BGP session over the Citrix ADC IP address (NSIP).

    [ NSHELP-19720]

  • The BGP process might fail due to memory corruption if it receives bgp updates with multiple 4-byte AS numbers in the path.

    [ NSHELP-19860]

  • For a RNAT rule with useproxyport parameter disabled, and RNAT clients accessing INAT public IP address, the Citrix ADC appliance might incorrectly allocate/de-allocate ports for sessions related to the RNAT rule. This incorrect allocation/de-allocation of ports results in port leak.

    [ NSNET-10089]

  • On the Citrix ADC GUI, when you go to Configuration > Network > Interfaces, and click Interface Statistics, the Interface Summary is not displayed and the “Invalid value [arg]” error message appears.

    [ NSUI-13043]


  • The Lazy Loading mode does not load images in a simple web page that are above the fold with no attributes such as height or width.

    [ NSHELP-19193]

  • A Citrix ADC appliance restarts by itself if the following conditions are observed:

    • Front end optimization feature is enabled.

    • Cached objects are re-optimized.

    [ NSHELP-19428]


  • The SDX 14000 FIPS appliance might crash and restart while configuring a FIPS HSM partition.

    [ NSHELP-18503]


  • In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.

    [ NSHELP-19867]

  • A Citrix ADC appliance might crash if the configuration has responder action with respondwithhtmlpage as an action type.

    [ NSHELP-5821]

  • A Citrix ADC appliance might crash if you use responder action of redirect action type.

    [ NSPOLICY-3196]

  • Classic policy-based features and functionalities are deprecated from Citrix ADC 12.0 build 56.20 onwards. As an alternative, Citrix recommends you to use the Advanced policy infrastructure.

    These features and functionalities will no longer be available from Citrix ADC 13.1 release in 2020. Also, other smaller features will be deprecated.

    [ NSPOLICY-3228]


  • After an upgrade in a high availability set up from release 12.1 build 49.23 to release 12.1 build 49.37, the primary node does not send an SNMP coldstart trap message during a restart.

    [ NSHELP-18631]


  • The ADC appliance might occasionally send extra data to the client if both of the following conditions are met:

    • The appliance is connected to the backend server through SSL.

    • The size of the data received from the server exceeds 9k.

    [ NSHELP-11183]

  • You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.

    [ NSHELP-13018]

  • Safenet directory is missing when you install a VPX instance on Citrix XenServer, VMware ESX, or Linux-KVM platform.

    [ NSHELP-14582]

  • A Citrix ADC appliance might crash when you execute an audit log message action based on the expression “ssl.origin.server_cert”. The log action is bound to a responder policy.

    [ NSHELP-19014]

  • If the client and CA certificates have different encoding, the client certificate is incorrectly rejected when -clientAuthUseBoundCAChain is ENABLED, even though the client and server certificates are issued by the same CA.

    [ NSHELP-19077]

  • A Citrix ADC appliance might crash while executing the SSL action “clientcertFingerprint” to insert the client certificate’s fingerprint into the HTTP header of the request to be sent to the server, if both of the following conditions are met:

    • Session ticket is enabled.

    • SSL policy is bound at request bind point.

    [ NSHELP-19331]

  • An SSL virtual server may reset the connection with reset code 9820 instead of fragmenting the record into multiple TCP packets as expected, if the following conditions are met:

    • A TLSv1.3 enabled virtual server encrypts application data from the backend application server to send to a TLSv1.3 client.

    • The resulting encrypted record length is exactly one byte larger than the TCP maximum segment size.

    [ NSHELP-19466]

  • The handshake fails on a Citrix ADC SDX appliance with N2 chips, because ECDSA ciphers are not supported on this platform. With this fix, ECDSA ciphers are not advertised on this platform.

    [ NSHELP-19614, NSHELP-20630]

  • CRL refresh takes the old IP address instead of the new one, if the URL is changed from IP-based address to domain name-based address.

    [ NSHELP-19648]

  • The ssl_tot_enc_bytes counter reports incorrect plain text bytes to be encrypted.

    [ NSHELP-19830]

  • The following appliances might crash if they receive the “ChangeCipherSpec” message from a client but not the “Finished” message:

    • MPX 5900/8900

    • MPX 15000-50G

    • MPX 26000-100G

    [ NSHELP-19856]

  • If you add a certificate with an AIA extension on a cluster IP (CLIP) address, the following error message appears when you try to remove the certificate from the CLIP:

    ‘Internal Error’.

    [ NSHELP-19924]

  • When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occur:

    1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.

    2. The server responds with a HelloRetryRequest message.

    3. The client responds with an illegal ClientHello message that omits the server_name extension.

    [ NSHELP-20245]

  • An error message “Error- File Too Large” appears in both of the following cases:

    • You first upgrade the Citrix ADC software to version 13.0 and then upgrade the FIPS firmware.

    [ NSHELP-20522]

  • The SSL handshake fails on the following platforms if the Client Key Exchange and Client Verify messages come in a single record.

    • MPX 59xx

    • MPX/SDX 89xx

    • MPX/SDX 261xx-100G

    • MPX/SDX 15xxx-50G

    [ NSSSL-3359, NSSSL-1608]

  • TLS and DTLS handshakes with RSA based key exchange fail on the front end of N3-based Citrix ADC MPX and SDX appliances when the following conditions are met.

    1. TLS handshake fails when the TLS Client Hello message contains TLSv1.2 as the protocol version, but TLSv1.2 is disabled on the Citrix ADC appliance. Therefore, the appliance negotiates a lower version (TLSv1.1, TLSv1.0, or SSLv3.0)

    2. DTLS handshake fails when the DTLS Client Hello message contains DTLSv1.2 as the protocol version, but the Citrix ADC appliance negotiates DTLSv1.0.

    Use the ‘show hardware’ command to identify whether your appliance has N3 chips.

    [ NSSSL-6630]

  • In a NITRO call for a virtual server that has a profile bound to it, some entities of the virtual server, such as HSTS and OCSP_stapling that are part of the profile, are also displayed.

    [ NSSSL-6673]

SWG URL Filtering

  • During content filtering, a rare race condition occurs between policy evaluation and obfuscation of a private URL set. This issue generates an AppFlow record that contains the URL as a clear text and not as “ILLEGAL”.

    [ NSSWG-890]


  • A Citrix ADC appliance crashes if the current_tcp_profile and current_adtcp_profile is not set.

    [ NSHELP-18889]

  • Memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.

    [ NSHELP-18891]

  • In a corner case, A Citrix ADC appliance terminates zombie connections without a reset. When the peer side connections send packets if they are active and the appliance resets the connection when processing them.

    [ NSHELP-18998]

  • The policy evaluation might fail if the following conditions are met:

    • 256 policy expressions have reference to a same custom header.

    • Custom header reference counter wraps to 0 (8 bits counter).

    [ NSHELP-19082]

  • A configuration loss occurs every time a high availability configuration synchronization happens along with a high availability failure.

    [ NSHELP-19210]

  • The primary node is unable to read the response from the secondary causing the connection to reset. As a result, the connection closes on the secondary node.

    [ NSHELP-19432]

  • A Citrix ADC appliance crashes if you set the TCP profile value to NULL.

    [ NSHELP-19555]

  • Strong password validation is done on MONITOR passwords created for external servers. When you enable Strong password configuration (system > global setting) on a Citrix ADC appliance, you do not allow the appliance to configure a weak password for LDAP monitor.

    [ NSHELP-19582]

  • SNMP alarm on SDX device does not work for disk, memory, or temperature parameters but works only for CPU.

    [ NSHELP-19713]

  • In some cases, you will see a delay or timeout in connecting to the backend server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server there is a delay or timeout because the connection is in TIME_WAIT state on the server.

    [ NSHELP-19772]

  • In rare cases, a cluster node might crash when a client or server sends an out-of-order packet followed by an in-sequence packet with the FIN message.

    [ NSHELP-19824]

  • The Citrix ADC appliance might crash, when a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as:

    • Jumbo frames, or

    • Set of IP fragments

    [ NSHELP-19920, NSHELP-20273]

  • A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.

    [ NSHELP-9118]

  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.

    [ NSUI-13193, NSUI-11561]


  • A Citrix ADC appliance might crash if both of the following conditions are met:

    • The appliance receives two HTTP requests when retrieving subscriber information.

    • There is an incorrect operation to resume normal traffic flow.

    [ NSHELP-18955]

Known Issues

The issues that exist in release 13.0.

Authentication, authorization, and auditing

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.

    show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active Citrix ADC in the cluster and issue show adfsproxyprofile <profile name> command. It would display the proxy profile status.

    [ NSAUTH-5916]

  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106]

  • Protocol switching from HTTP to WebSockets fails when SSO is configured on a Citrix ADC appliance.

    [ NSAUTH-6354]

  • In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.

    [ NSHELP-20181]

  • The Citrix ADC appliance crashes after an upgrade to version 13.0 because of a buffer overflow condition.

    [ NSHELP-20416, NSAUTH-6770]

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563]

Citrix ADC BLX appliance

  • A Citrix ADC BLX appliance fails to start because of DPDK misconfiguration (for example, if hugepages are not configured) on the Linux host. You need to run the start command (systemctl start blx) twice to start the Citrix ADC BLX appliance.

    [ NSNET-11107]

  • A Citrix ADC BLX appliance with DPDK support fails to start and dumps core if DPDK is misconfigured (for example, if hugepages are not configured) on the Linux host.

    For more information on configuring DPDK on a linux host for Citrix ADC BLX appliance, see

    [ NSNET-11349]

Citrix ADC GUI

  • If the feature “Force password change for nsroot user when default nsroot password is being used” is enabled and the nsroot password is changed at the first logon to the Citrix ADC appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.

    [ NSCONFIG-2370]

  • You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.

    [ NSHELP-20506]

  • If you access the Syslog GUI page, the following error message appears: “Cannot read property ‘0’ of undefined”.

    [ NSHELP-20574]

  • Using the GUI, you cannot modify or unset the TTL or the name server of a binding once a domain based service (DBS) server is bound to a service group and the server names are resolved.

    [ NSUI-13060]

  • From the Citrix ADM GUI, when you go to System > Diagnostic > Saved v/s Running , no data is displayed. This happens if the size of ns. conf file is above 10 MB.

    Workaround: Use CLI to check Saved vs Running data, by using the “diff ns config” command.

    [ NSUI-13242]

Citrix ADC SDX appliance

  • On SDX 22XXX and 24XXX appliances, during system health monitoring, the SDX Management Service raises false alerts.

    [ NSHELP-19795]

  • If the backup file name has any special character, restoring the SDX appliance to that backup fails. With the fix, an error message appears if the backup file has any special character.

    [ NSHELP-19951]

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:

    ERROR: Operation timed out

    ERROR: Communication error with the packet engine

    [ NSNET-4312]

  • Health Monitoring alarm misrepresents PSU numbering. When power supply cable is disconnected from PSU #1, then health monitoring sends an incorrect alarm that PSU #2 has failed.

    [ NSPLAT-4985]

  • On SDX 8200/8400/8600 platforms, the SDX appliance hangs on the Citrix Hypervisor console if the SDX appliance or the VPX instances running on it are restarted multiple times. When the appliance hangs, the message “INFO: rcu_sched detected stalls on CPUs/tasks,” appears. Workaround:

    • Restart the SDX appliance by pressing the NMI button at the back.

    • From the LOM GUI, use NMI to restart the appliance.

    • Use LOM to restart the SDX appliance.

    [ NSPLAT-9155]

Citrix ADC VPX appliance

  • When you attempt to log on to a Citrix ADC VPX instance immediately after provisioning it on Azure, the user name and password might not work. This issue happens because after provisioning a Citrix ADC VPX instance, it might take up to one min for the user-provided credentials (user name and password) to be active on first boot.

    Workaround: Wait for a minute and log on again.

    [ NSPLAT-10962]

  • A Citrix ADC VPX instance deployed on AWS fails to communicate through the configured IP addresses (VIP, ADC IP, SNIP) if the following conditions are met:

    • The AWS instance type is M5/C5, which are KVM hypervisor based

    • The VPX instance has more than one networking interface

    This is an AWS limitation., and AWS plans to fix the issue soon.

    Workaround: Configure separate VLANs for ADC IP, VIP, and SNIP. For more information about configuring VLANs, see

    [ NSPLAT-9830]

Citrix Bot Management

  • The device fingerprinting technique for detecting bot traffic is not working for XML responses.

    [ NSDOC-1047]

Citrix Gateway

  • In Outlook Web App (OWA) 2013, clicking “Options” under the Setting menu displays a “Critical error” dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269]

  • StoreFront server cannot be accessed because the Citrix Gateway appliance uses the IP address of the client machine instead of using the SNIP to send traffic to the StoreFront server.

    [ NSHELP-19476]

  • In some cases, the external facing Citrix Gateway in a double-hop deployment with ICA Insight enabled, dumps core for a particular network traffic pattern.

    [ NSHELP-19487]

  • In isolated cases, there is a memory corruption causing a core dump while clearing a corrupted SSL VPN authentication, authorization, and auditing session entry after the timeout.

    [ NSHELP-19775]

  • When you click “Retrieve Store” in the XenApp and XenDesktop Wizard, the following error message appears. “Failed to Fetch StorePath from StoreFront FQDN.”

    Workaround: Manually enter the store in “Receiver for Web Path.”

    [ NSHELP-20249]

  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.

    [ NSHELP-20825]

  • After an upgrade of Citrix ADC and gateway plug-in to release 13.0 build 41.20, users experience continuous blue screen of death (BSOD) error when trying to set up the VPN tunnel.

    [ NSHELP-20832]

  • In AlwaysOn service with user persona, the machine tunnel goes down intermittently when the user logs out.

    [ NSHELP-21163]

  • For command “add vpn intranetApplication”, description for “protocol” parameter is incorrectly displayed in man page. The description has “BOTH” as a possible value instead of “ANY”. However, the man page correctly displays the possible values required for configuration.

    [ NSHELP-8392]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ NSINSIGHT-2059]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ NSINSIGHT-2108]

  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).

    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.

    [ NSINSIGHT-924]

Citrix SDX appliance

  • SDX 26000-100G 15000-50 G appliances might take longer time to upgrade. As a result, the system might display the message “The Management Service could not come up after 1 hour 20 minutes. Contact the administrator.”

    Workaround: Ignore the message, wait for some time, and log on to the appliance.

    [ NSSVM-3018]

Citrix Web App Firewall

  • Deploying a relaxation rule by using Learned Rules visualizer displays an error message that the rule is already added.

    [ NSHELP-18582]

  • A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.

    [ NSHELP-18863]

  • In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.

    [ NSHELP-20010]

Cloudbridge connector

  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024]


  • A high CPU usage is observed on a Citrix ADC appliance or in a cluster setup if “show ns ip” command displays many IP addresses.

    [ NSHELP-11193]

  • In a Citrix ADC cluster setup, the flow processor node might encounter SYN cookie rejection for a TCP connection under the following condition:

    • SYN Cookie is enabled

    • SYN spoof protection is disabled

    The flow processor node processes the new TCP flow packets as stray packets and responds with a connection reset.

    [ NSHELP-20098]


  • The Citrix ADC appliance might crash when a backend server is DOWN and the appliance, while selecting a new backend server, tries to collect server information such as RTT.

    [ NSHELP-11969]

Load Balancing

  • Redirecting an HTTPS URL fails if the URL contains the % special character.

    [ NSHELP-19993]

  • A Citrix ADC VPX appliance reboots several times after being unresponsive.

    [ NSHELP-20435]


  • When the Citrix ADC appliance is cleaning up large number of server connections as part of remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.

    [ NSHELP-136]

  • If a static virtual server is added with the same IP address of an existing dynamic virtual server (RNAT), the ADC appliance might crash during a name search operation in the hash table.

    [ NSHELP-15851]

  • On restarting the Citrix ADC appliance, default route is originated before the IP address of the interface is populated. Because of this issue, the next hop of a route is set to NULL leading to a martian error.

    [ NSHELP-16407]


  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.

    Workaround: Ensure auto negotiation is set to ON. To check and edit the auto negotiation status, navigate to SDX GUI > System > Interfaces.

    [ NSPLAT-11985]

  • The following Citrix ADC SDX appliances might not boot up correctly with VPX version 13.0-41.x. Upgrade to VPX version 13.0-47.x or later builds.

    • SDX 11xxx

    • SDX 14xxx

    • SDX 14xxx-40S

    • SDX 14xxx-40G

    • SDX 14xxx FIPS

    • SDX 22xxx

    • SDX 24xxx

    • SDX 25xxx

    [ NSSSL-7044]


  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.

    [ NSHELP-13466]

  • The HTTPS-ECV monitor fails during an SSL handshake if all of the following conditions are met:

    • The monitor is bound to an SSL profile.

    • Session reuse is enabled on the SSL profile.

    • The monitor is bound to two or more back-end servers.

    • Different protocol versions (for example, TLS1.0 & TLS1.2) are running on the servers.

    [ NSHELP-18384]

  • If your ADC appliance is integrated with an unsupported version of Thales HSM, the appliance crashes after generating the HSM key and certificate, installing the certificate-key pair on the appliance, and binding it to the SSL virtual server. With this fix, the appliance reports an error instead of crashing.

    [ NSHELP-20352]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.

    ERROR: crl refresh disabled

    [ NSSSL-6106]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478]

  • Update command is not available for the following add commands:

    • add azure application

    • add azure keyvault

    • add ssl certkey with hsmkey option

    [ NSSSL-6484, NSSSL-6379, NSSSL-6380]


  • During a Clear Config, the metricscollector application running on a Citrix ADC appliance does not respond but it might be restarted by the PITBOSS module.

    [ NSBASE-7846]

  • A Citrix ADC appliance might generate a false SNMP SYN flood entity trap if some internal connections cause a mismatch between the number of TCP SYN received and the number of TCP connections established.

    [ NSHELP-18671]

  • Role based authentication (RBA) does not allow group names to start with “#” character.

    [ NSHELP-20266]

  • Memory usage increases if you enable proxy protocol and if retransmission occurs because of network congestion.

    [ NSHELP-20613]

  • A Citrix ADC appliance resets MPTCP subflows if a subflow is alive and active for more than the idle timeout period.

    [ NSHELP-20648]

  • A Citrix ADC appliance resets an MPTCP subflow if it receives a plain acknowledgment before the subflow is confirmed as MTPCP.

    [ NSHELP-20649]

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267]

URL Filtering

  • In a compound URLSet expression such as <URL expression>. URLSET_MATCHES_ANY(URLSET1 || URLSET2), the “Urlset Matched” field in an appflow record reflects only the state of the last evaluated URLSet. For example, if the requested URL belongs only to URLSET1, the “URLSet Matched” field is set to 0, although the URL belongs to one of the URLSets. As a result, the URLSET1 changes URLSet Matched” field to 1 but the URLSET2 sets it back to 0

    [ NSSWG-1100]

Video Optimization

  • In certain scenarios, when you enable video detection in a Cluster setup, there might be a gradual increase in Citrix ADC memory utilization. But the increase is low enough not to affect the normal system operations

    [ NSVIDEOOPT-921]

Release Notes for Citrix ADC 13.0-41.28 Release