Release Notes for Citrix ADC 13.0–64.35 Release

This release notes document describes the enhancements and changes, the fixed issues, and the known issues that exist for the Citrix ADC release Build 13.0–64.35.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0–64.35 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX281474.

What’s New

The enhancements and changes that are available in Build 13.0–64.35.

Authentication, authorization, and auditing

  • Increase in the individual maximum length value for SAML attribute

    The individual maximum length for SAML attributes has been increased to allow a maximum of 40k bytes. The size of all the attributes must not exceed 40k bytes. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/citrix-adc-saml-sp.html.

    [ NSAUTH-8225 ]

  • Increase in the maximum length value for attributes

    The maximum length value for the following attributes has changed as follows.

    • set samlaction <saml-action-name> -samlissuerName - 511 (new max length)
    • set samlidPProfile <saml-idp-profile-name> -samlissuerName - 511 (new max length)
    • set samlidPProfile <saml-idp-profile-name> -serviceProviderID - 511 (new max length)
    • set tm samlSSOProfile <saml-sso-profile-name> -samlissuerName - 511 (new max length)
    • set vpn samlSSOProfile <saml-sso-profile-name> -samlissuerName - 511 (new max length)
    • set oauthaction <oauth-action-name> -clientSecret - 239 (new max length)
    • set oauthaction <oauthidp_profile-name> -clientSecret - 239 (new max length)

    [ NSAUTH-8180 ]

  • Support to disable the weak Basic, Digest, and NTLM authentication globally

    The SSO configuration is now made more secure by disabling the following weak authentication methods globally.

    • Basic authentication
    • Digest Access Authentication
    • NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.

    [ NSAUTH-7747 ]

  • Ability to start nFactor flow with decision block in nFactor visualizer

    Using the nFactor visualizer, you can now start the nFactor flow with a decision block. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/multi-factor-nfactor-authentication/nfactor-authentication-simplification.html.

    [ NSAUTH-7665 ]

  • Support for client_assertion_type and client_assertion in OAuth token API

    The OAuth feature now supports the following capabilities in the token API, both on the Relying Party (RP) side and on the IdP side of Citrix Gateway and Citrix ADC.

    • PKCE (Proof Key for Code Exchange) support
    • Support for client_assertion

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/oauth-authentication/citrix-adc-oauth-sp.html.

    [ NSAUTH-6243 ]

Citrix ADC SDX Appliance

  • Auto-upgrade of the built-in agent without initialization

    From Citrix ADC release 13.0 build 61.xx and higher, the Citrix ADC SDX appliance has a built-in agent with ADM Service Connect functionality. The Citrix ADM built-in agent available on the ADC SDX appliance starts as an active daemon and communicates with ADM service. After communication with ADM service is established, the built-in agent auto-upgrades itself to the latest software version regularly.

    [ NSSVM-3919 ]

  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service

    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC SDX appliances onto Citrix ADM service. This feature lets the ADC SDX appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you can get insights and recommendations for your Citrix ADC infrastructure, on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade the Citrix ADC SDX appliance.

    For more information, see the following topics:

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix updates this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.

    [ NSSVM-3911 ]

Citrix Web App Firewall

Load Balancing

  • Increased character length for the monitor name

    The maximum length of a monitor name is now increased to 255 characters.

    [ NSLB-5223 ]

Networking

  • Change in Interface numbering scheme in Citrix ADC BLX appliances

    The interface numbering scheme for a Citrix ADC BLX appliance is modified to align with other Citrix ADC platforms. Citrix recommends that you update any scripts that depend on the interface numbering.

    Earlier, the two internal interfaces were numbered as the first and the last interface, and all the dedicated interfaces (in a Citrix ADC BLX appliance in non-DPDK or DPDK mode) were numbered in between the first and the last internal interface.

    Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:

    • The internal BLX interfaces are numbered as 0/1 and 0/4.
    • The dedicated interfaces are numbered as 0/2 and 0/3.

    Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface:

    • The internal BLX interfaces are numbered as 0/1 and 0/3.
    • The DPDK interface is numbered as 0/2.

    From this release onwards, the interfaces in a Citrix ADC BLX appliance are numbered in the following sequential order:

    • Both the internal interfaces, as the first and the second interface.
    • The dedicated interfaces.
    • The DPDK interfaces (in Citrix ADC BLX appliances in DPDK mode).

    Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:

    • The internal BLX interfaces are numbered as 0/1 and 0/2.
    • The dedicated interfaces are numbered as 0/3 and 0/4.

    Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface (40G) and one non-DPDK dedicated interface:

    • The internal BLX interfaces are numbered as 0/1 and 0/2.
    • The non-DPDK dedicated interface is numbered as 0/3.
    • The DPDK interface (40G) is numbered as 40/1.

    [ NSNET-17067 ]
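    The following is an added example, not Citrix code: it rewrites interface references in a saved BLX configuration from the old numbering to the new one for non-DPDK mode, where the note above fully specifies both schemes (the DPDK naming such as 40/1 is not handled). The substitution is done in a single pass because the shifted names overlap (old 0/2 becomes 0/3 while old 0/3 becomes 0/4); the `set interface` and `bind vlan` lines are a constructed sample.

```python
import re

# Added example (not Citrix code): rewrite interface references in a saved
# BLX configuration from the pre-13.0-64.35 numbering to the new scheme.
# Scope is limited to non-DPDK mode, where the release note fully specifies
# both schemes; DPDK interfaces (for example "40/1") are not handled here.


def old_to_new_map(dedicated: int) -> dict:
    """Return {old_name: new_name} for a BLX appliance in non-DPDK mode
    with `dedicated` dedicated interfaces.

    Old scheme: internal interfaces are the first (0/1) and the last
    (0/<n+2>); dedicated interfaces 0/2 .. 0/<n+1> sit in between.
    New scheme: internal interfaces are 0/1 and 0/2; dedicated interfaces
    follow as 0/3 .. 0/<n+2>.
    """
    if dedicated < 0:
        raise ValueError("dedicated interface count must be >= 0")
    mapping = {"0/1": "0/1", f"0/{dedicated + 2}": "0/2"}
    for i in range(dedicated):
        mapping[f"0/{i + 2}"] = f"0/{i + 3}"
    return mapping


# Interface names of the form 0/<n>; the word boundaries keep "10/1" from
# matching as "0/1" and "0/12" from matching as "0/1".
_IFACE = re.compile(r"\b0/\d+\b")


def renumber_config(text: str, dedicated: int) -> str:
    """Rewrite every interface reference in `text` in a single pass.

    A single pass matters: with two dedicated interfaces, old 0/2 becomes
    0/3 and old 0/3 becomes 0/4, so applying the renames one after another
    would turn the original 0/2 into 0/4. A reference to an interface that
    cannot exist on this appliance raises, because silently keeping it
    would leave the script pointing at the wrong port.
    """
    mapping = old_to_new_map(dedicated)

    def replace(match):
        old = match.group(0)
        if old not in mapping:
            raise ValueError(
                f"{old} does not exist on a BLX appliance with "
                f"{dedicated} dedicated interfaces (non-DPDK mode)"
            )
        return mapping[old]

    return _IFACE.sub(replace, text)


# Constructed sample script written against the old numbering for a BLX
# appliance in non-DPDK mode with two dedicated interfaces (0/2 and 0/3);
# 0/4 was the second internal interface under the old scheme.
SAMPLE_OLD_CONFIG = """\
set interface 0/2 -tagall ON
set interface 0/3 -tagall ON
add vlan 100
bind vlan 100 -ifnum 0/2
bind vlan 100 -ifnum 0/4
"""


def main() -> None:
    new_config = renumber_config(SAMPLE_OLD_CONFIG, dedicated=2)
    for old_line, new_line in zip(SAMPLE_OLD_CONFIG.splitlines(),
                                  new_config.splitlines()):
        print(f"{old_line:32} -> {new_line}")


if __name__ == "__main__":
    main()
```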

  • Non-default password support for the root user on Citrix ADC CPX

    Citrix ADC CPX now supports a non-default password for the root user (nsroot). When you deploy CPX, a random password is generated and assigned to the root user. You can also change it manually.

    [ NSNET-10520 ]

  • Subscription local licenses support for Citrix ADC BLX appliances

    A local license is similar to a perpetual license, but it has an expiration date. The software subscriptions that make up local licenses are term-based and can be installed without requiring ADM as a licensing server.

    The following type of subscription local license is available for Citrix ADC BLX appliances:

    Bandwidth-based subscription local license. This type of license is enforced with a maximum allowed throughput that a particular Citrix ADC BLX appliance is entitled to. Each local license is also tied to one of the Citrix ADC software editions (Standard, Enterprise, or Platinum), which unlocks the ADC feature set of that edition in a Citrix ADC BLX appliance. Embedded Select support is included with the subscription local license purchase.

    Example:

    A Citrix ADC BLX Subscription 10 Gbps Premium Edition license entitles a Citrix ADC BLX appliance to a maximum allowed throughput of 10 Gbps. This license also unlocks, in the Citrix ADC BLX appliance, all the ADC features listed in the Premium edition.

    [ NSNET-9189 ]

  • Mellanox NICs support for Citrix ADC BLX appliances in DPDK mode

    Citrix ADC BLX appliances now support Mellanox NICs with MLX5 driver for deployment in DPDK mode.

    [ NSNET-8946 ]

Policies

  • Server certificate verification for importing responder HTML page

    You can now use the “import responder htmlpage” command for sending HTML error responses to the client. Previously, no server certificate validation happened during HTML page import. This issue is now resolved by using a new parameter, “CAcertFile”. You can configure the parameter to verify the server certificate when importing an HTML page.

    Note: If you do not configure the CA certificate file name, the default root CA certificates are used for verifying the server certificate.

    import responder htmlpage [<src>] <name> [-comment <string>] [-overwrite] [-CAcertFile <string>]

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/responder/configuring-responder-action.html#configure-html-page-import.

    [ NSPOLICY-3620 ]

System

User Interface

  • Auto-upgrade of built-in agents without initialization

    From Citrix ADC release 13.0 build 61.xx and higher, the Citrix ADM built-in agent available on Citrix ADC instances communicates with ADM service without initialization on the respective ADC instance. After communication with ADM service is established, the built-in agent auto-upgrades to the latest software version regularly.

    Previously, you had to initialize the built-in agent on Citrix ADC instances, using “mastools” commands, to establish communication with ADM service, and for regular auto-upgrades.

    [ NSCONFIG-4153 ]

  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service

    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.

    For more information, see the following topics:

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix updates this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.

    [ NSCONFIG-4150 ]

  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service

    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.

    For more information, see the following topics:

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix updates this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.

    [ NSCONFIG-3793 ]

Fixed Issues

The issues that are addressed in Build 13.0–64.35.

Authentication, authorization, and auditing

  • If a Citrix ADC appliance is configured for OTP login and the OTP field is left blank, the authentication fails. In such a scenario, the appliance logs the user password in ns.log, which is a security concern.

    [ NSHELP-24027 ]

  • In some cases, the SAML assertion breaks when the attribute values have XML tags. This results in the failure of attribute extraction.

    [ NSHELP-23940 ]

  • A Citrix ADC appliance configured as an Identity Provider (IdP) for Citrix Workspace might crash when users are part of a large number of active directory groups.

    [ NSHELP-23899 ]

  • The user does not get a 401 authentication prompt because the Citrix ADC appliance requests the authentication configuration from a wrong virtual server structure.

    [ NSHELP-23892 ]

  • The Citrix Workspace login fails when a Citrix ADC appliance is configured as an Identity Provider (IdP) for Citrix Workspace and a custom attribute extraction error occurs.

    [ NSHELP-23843 ]

  • In some cases, the “ns.log” file in the Citrix ADC appliance gets incorrectly flooded with the following log messages “claims allowed in current loginschema”.

    [ NSHELP-23593 ]

  • VPN session policies bound to an Authentication, authorization, and auditing user or group are not applied if the Citrix ADC appliance is accessed by the VPN client using the webview nFactor authentication method.

    [ NSHELP-23526 ]

  • The Citrix ADC GUI under “System Global Authentication Policy Binding” page has the following errors:

    • Goto Expression field incorrectly displays “END” instead of “NEXT”.
    • The bound next factor policy is not reflected under the “Next Factor” field.

    [ NSHELP-23474 ]

  • In rare cases, the session user name is incorrectly shown as “anonymous” instead of the common name of the device certificate if both of the following conditions are met:

    • A Citrix ADC appliance is configured for nFactor authentication.
    • Device Certificate is configured as the only factor in an nFactor configuration.

    [ NSHELP-23243 ]

  • SAML authentication for the last factor fails when both of the following conditions are met:

    • The Citrix ADC appliance is configured as SAML SP.
    • EPA is enabled on the VPN virtual server as pre-authentication policy and the RfWebUI theme is bound to the server.

    [ NSHELP-22932, NSHELP-22819 ]

  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.

    [ NSHELP-22845 ]

  • The login page for a Citrix ADC appliance is not displayed correctly when LDAP and SAML are configured as the primary authentication mechanism.

    [ NSHELP-22713 ]

  • When you log on to the Citrix Gateway appliance, a blank page is displayed if the following conditions are met:

    • The Citrix Gateway appliance is configured for nFactor authentication with SAML as next factor EULA
    • You click the back arrow to go to the previous page during the logon process.

    [ NSHELP-22604 ]

  • In some cases, a Citrix ADC appliance crashes because of memory corruption caused by a buffer overwrite of the list of OTP devices.

    [ NSHELP-22478 ]

  • Sometimes, the form-based SSO authentication fails the first time if a Set-Cookie header is present in the HTTP response that carries the HTML form.

    [ NSHELP-21740 ]

Bot Management

  • Service disruption might occur at runtime if the bot management TPS detection technique is configured with the “mitigation” action.

    [ NSBOT-124 ]

  • During an upgrade, a Citrix ADC appliance might crash if the bot signature file contains long strings.

    [ NSBOT-37 ]

  • A Citrix ADC appliance might crash if you modify the bot management profile when the traffic is being processed.

    [ NSBOT-4, NSHELP-25196 ]

Citrix ADC SDX Appliance

  • An incorrect platform model string is displayed when you configure pooled licensing on the Citrix ADC SDX 8400, 8600, or 8015 appliances.

    [ NSHELP-24234 ]

  • If you take a backup of one SDX appliance, restoring the instances on another SDX appliance fails.

    [ NSHELP-23947 ]

  • On a Citrix ADC SDX 8900 appliance, the number of instances available for provisioning is reduced after you upgrade the appliance.

    [ NSHELP-23808 ]

  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 57.x might fail because a process in the Management Service is unresponsive.

    [ NSHELP-23612 ]

  • On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to the Management Service using a file transfer utility, such as SCP or SFTP.

    [ NSHELP-22638 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash when adding a cookie_watch JavaScript while serving clientless VPN traffic.

    [ NSHELP-24096 ]

  • You cannot disable the Citrix Gateway EPA plug-in from the GUI after upgrading to release 13.0 build 58.30.

    [ NSHELP-24016 ]

  • The VPN plug-in cannot load the Citrix Gateway logon page if a port number is specified during login. This issue occurs only if nFactor authentication is configured for the virtual server on the appliance.

    [ NSHELP-23925 ]

  • When a VPN tunnel is active, users cannot access a portal if the following conditions are met:

    • Host-name based intranet applications are configured along with reverse split tunnel.
    • The host name of the portal matches an intranet application name.

    [ NSHELP-23912 ]

  • In the VPN virtual server page, the configured portal themes, policies, and profiles summary do not appear on the left side of the page.

    [ NSHELP-23903 ]

  • In rare cases, a Citrix Gateway appliance might crash while handling transfer logon or logout requests.

    [ NSHELP-23863 ]

  • The Windows plug-in cannot perform a seamless Transfer Logon in the Always On service mode if the RfWebUI portal theme is bound to the Citrix ADC virtual server.

    [ NSHELP-23837 ]

  • When you upgrade your VPN plug-in to 13.0, DNS queries are sent to both local and remote DNS servers if the split tunnel is set to OFF.

    [ NSHELP-23826 ]

  • Local DNS queries over the VPN plug-in that are directed to a particular DNS server are not honored, because the queries are sent to randomly selected DNS servers on the client.

    [ NSHELP-23743 ]

  • The Windows credential screen does not refresh after the network comes back up.

    [ NSHELP-23594 ]

  • SAP CFolders do not work as intended when accessed over advanced clientless VPN.

    [ NSHELP-23561 ]

  • In the Citrix Gateway Always On service mode, when the machine is rebooted, the tunnel is not established if an Intranet IP address is configured.

    [ NSHELP-23304 ]

  • The Citrix ADC appliance crashes if the “show vpn storeinfo” command is run repeatedly.

    [ NSHELP-23144 ]

  • The ICA Proxy application launch over SOCKS channel fails.

    [ NSHELP-23111 ]

  • Users cannot access resources over the VPN when the machines resume from sleep or hibernate state.

    [ NSHELP-23024 ]

  • VPN plug-in cannot establish a seamless session after the Citrix Gateway appliance is restarted because the configuration is overwritten when Always On is enabled.

    [ NSHELP-22674 ]

  • In rare cases, the Citrix ADC appliance might become unresponsive if the appliance is configured for EDT, and HDX Insight is enabled for EDT sessions.

    [ NSHELP-22640 ]

  • The Citrix Gateway appliance crashes when accessing the DNS server configuration if RDP Proxy is configured and DNS resolution is attempted after WINS resolution.

    [ NSHELP-22577 ]

  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.

    [ NSHELP-22444 ]

  • The Citrix Gateway appliance might crash because some commands are not run.

    [ NSHELP-22371 ]

  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.

    [ NSHELP-22304 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash if the response side or XML security checks are enabled and log expressions are configured in a Web App Firewall profile.

    [ NSWAF-6466 ]

  • In a cluster configuration, the unbind command to configure an HTML Cross-Site Scripting check relaxation rule with the location as URL is unsuccessful.

    [ NSWAF-6463 ]

  • In a cluster configuration, the Citrix Web App Firewall aslearn data aggregation on the cluster coordinator node (CCO) fails when RPC nodes are secured.

    [ NSWAF-6460 ]

  • After an upgrade, the “bufferOverflowMaxqueryLength” and “bufferOverflowmaxHeaderLength” values in an existing Citrix Web App Firewall profile might not be appropriate for deployment. As a result, you might have to modify the values if incorrect.

    [ NSWAF-6346 ]

  • A Citrix ADC appliance might crash if bot signature is enabled with external DNS server configuration.

    [ NSHELP-24190 ]

  • POST requests with content-type “application/octet-stream” are not processed if Streaming is enabled without a signature set.

    [ NSHELP-22668 ]

  • In a high availability setup, the Web App Firewall session in the secondary node is a stale session.

    [ NSHELP-20288 ]

Load Balancing

  • The real-time synchronization of GSLB configuration from the master site to the subordinate sites might fail if the secure option is enabled for the remote site RPC node.

    [ NSHELP-24178 ]

  • A Citrix ADC appliance might crash when trying to evaluate subscriber policies and gxSessionReporting is enabled.

    [ NSHELP-24159 ]

  • The Citrix ADC appliance crashes if the storeDB parameter is enabled in the MYSQL-ECV monitor.

    [ NSHELP-23983 ]

  • When you add two service groups with the same value for the “devno” parameter explicitly using the CLI, the addition of the second service group fails, because the same devno is already assigned to the first service group. It is recommended not to provide the devno explicitly from the CLI because it is populated automatically.

    [ NSHELP-23817 ]

  • If the health check option is enabled for Gx interface and Gx server is not responsive, negative TTL sessions are not created.

    [ NSHELP-23355 ]

  • For DNS UDP requests, the subscriber session is created based on the destination IP address instead of the source IP address if both a subscriber expression and a DNS expression are used in the same policy.

    [ NSHELP-22521 ]

  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.

    [ NSHELP-22103 ]

  • In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.

    [ NSHELP-21715, NSHELP-34301 ]

Miscellaneous

  • Some commands present in the rc.netscaler file are not applied correctly after a Citrix ADC appliance is restarted, and as a result the appliance might not work as intended.

    [ NSHELP-22507 ]

Networking

  • The nstcpdump.sh script fails to run on the Citrix ADC BLX CLI connected through SSH and logged in using the default admin (nsroot) credentials. The script fails because the default admin (nsroot) does not have permission to access certain files and network resources.

    [ NSNET-16816 ]

  • In a high availability setup with connection mirroring enabled for FTP traffic, the secondary node might crash if the data connection propagates to the secondary node before the control connection.

    [ NSHELP-24088 ]

  • When the L2 mode is enabled, the Citrix ADC appliance forwards the DHCP broadcast packets received in the default partition.

    [ NSHELP-23957 ]

  • The Citrix ADC appliance might fail during NAT64 translation of a received IPv6 request packet if the following condition is true:

    The last 32 bits of the destination IPv6 address, which form the translated destination IPv4 address, are greater than 240.0.0.0 (that is, fall in the reserved IP range).

    [ NSHELP-22742, NSHELP-25331 ]

  • You might observe high CPU usage on a Citrix ADC appliance when it sends fragmented IPv6 packets.

    [ NSHELP-22699 ]

  • A packet with an invalid virtual MAC address as the destination address is wrongly classified as a packet having the Citrix ADC owned MAC address.

    [ NSHELP-22697 ]

Platform

  • On the Citrix ADC SDX 24000 platform, a critical alert on logical drives is generated after you upgrade the appliance to software version 13.0. This is a false positive.

    [ NSHELP-23505 ]

  • In some cases on a Citrix ADC SDX appliance, configuring some virtual instances with 50G and 100G Mellanox interfaces exhausts the memory.

    [ NSHELP-23394 ]

  • You need to reboot a Citrix ADC SDX appliance to reset and initialize an SSL card when the card returns an error. With this fix, reboot is not required.

    [ NSHELP-22725 ]

Policies

  • A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.

    [ NSPOLICY-1462 ]

SSL

  • The Citrix ADC appliance might crash if the following conditions are met:

    • TLS 1.3 early data processing is enabled in an SSL profile of a non-default admin partition.
    • TLS 1.3 early data processing is disabled in all the SSL profiles of the default admin partition.

    [ NSHELP-23607 ]

  • On a Citrix ADC appliance, running the “force failover” command or the “clear config” command might cause a crash if Admin partitions are configured with one of the following entities:

    • Transparent virtual servers.
    • Dynamic services.

    [ NSHELP-23321 ]

  • A Citrix ADC appliance might crash if the following conditions are met:

    • A certificate-key pair is added with the expiry monitor option enabled.
    • The certificate date is earlier than 01/01/1970.

    [ NSHELP-22934 ]

  • In a cluster setup, a NITRO API query to fetch SSL policy bindings succeeds from the CLIP address, but the query fails if it is run from a cluster node.

    [ NSHELP-22853 ]

  • A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.

    [ NSHELP-22695 ]

  • Configuring empty CRLs for frequent updates exhausts the shared allocated memory on the Citrix ADC appliance.

    [ NSHELP-22166 ]

  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:

    1. Create two OCSP responders in different partitions.
    2. Clear the config in one partition.
    3. Remove the OCSP responder in the other partition.

    [ NSHELP-20861 ]

System

  • A Citrix ADC appliance might not optimize and compress large objects such as JavaScript or CSS if front end optimization is enabled.

    [ NSHELP-24041 ]

  • If connection mirroring does not synchronize PCB parameters, it might lead to loss of TCP options such as Maximum Segment Size (MSS) and Window Scaling.

    [ NSHELP-23990 ]

  • In the case of TLS 1.2 session reuse, the following behavior is observed in the Citrix ADC appliance:

    • The categorization information is saved in the server PCB, and the domain information is saved in the client PCB.
    • Data is sent to AppFlow only from the client PCB; hence, for session reuse cases, the categorization information is sent as null.

    [ NSHELP-23542 ]

  • If a service, representing an inline device, is down when traffic is being inspected, a resource is not freed properly. The Citrix ADC appliance crashes when this freed resource is accessed again.

    [ NSHELP-23145 ]

  • A Citrix ADC appliance might crash if the following conditions are observed:

    • Flash Cache is enabled.
    • The client connection is reset.
    • A client request is in the queue, waiting to be serviced as part of the caching process.

    [ NSHELP-21872 ]

  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.

    [ NSHELP-20653, NSHELP-20401, NSHELP-24490 ]

  • In Multi-path TCP (MPTCP) the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.

    [ NSHELP-19896 ]

  • Sometimes, analytics data is not populated in ADM service.

    [ NSBASE-11508 ]

User Interface

  • Multi-factor (nFactor) login does not work using the Citrix ADC GUI. After the first factor login, the next factor login input does not work.

    [ NSHELP-24078 ]

  • A Citrix ADC appliance might crash when an internal process restarts the maximum number of times.

    [ NSHELP-23378 ]

  • Only the last three digits of the year are displayed in “Up since (Local)” line of the “stat system” command.

    [ NSHELP-22960 ]

  • Adding a service group member directly is successful. However, the operation fails if you perform the following steps:

    1. Navigate to Traffic Management > Load Balancing > Service Groups.
    2. Select a service group and click Service Group Members.
    3. Right-click one of the entries and select Add.
    4. In Create Service Group Member, change the IP address and click Create.

    [ NSHELP-21925 ]

  • NITRO API (routerdynamicrouting) for fetching the ZebOS running configuration does not fetch the complete output for large configurations (more than 25 lines).

    [ NSCONFIG-3535 ]

Known Issues

The issues that exist in release 13.0-64.35.

Authentication, authorization, and auditing

  • On some Citrix ADC appliances that have GSLB enabled, redirection from the authentication virtual server to the load balancing virtual server fails due to an invalid URL computation.

    [ NSHELP-33459 ]

  • The Citrix ADC appliance might crash when the authentication virtual server is used in a non-default partition.

    [ NSHELP-32054 ]

  • Single sign-on (SSO) fails if SSO is enabled for the traffic that does not have the required bearer token to handle SSO.

    [ NSHELP-31362, NSHELP-33814 ]

  • Non-ASCII characters are recorded in nsvpn.log when the LDAP action is configured with an FQDN instead of an IP address.

    [ NSHELP-27281 ]

  • In certain scenarios, the bind command for an Authentication, authorization, and auditing group might fail if the policy name is longer than the intranet application name.

    [ NSHELP-25971 ]

  • The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.

    [ NSHELP-25203 ]

  • If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (“) character, the Citrix ADC appliance strips it during the “Test Connectivity” check, resulting in connection failure.

    [ NSHELP-23630 ]

  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the Citrix ADC responder policies fail to detect errors for login failures.

    [ NSAUTH-11151 ]

  • An ADFS proxy profile can be configured in a cluster deployment, but the status of the proxy profile is incorrectly displayed as blank when you run the following command:
    show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. This displays the proxy profile status.

    [ NSAUTH-5916 ]

Citrix ADC SDX Appliance

  • When you upgrade a Citrix ADC SDX appliance, in rare cases the following incorrect event appears in the Management Service GUI:

    “SVM version and Hypervisor version are not compatible”

    [ NSHELP-32949 ]

  • On a Citrix ADC SDX GUI, displaying the NTP servers can freeze the user interface if the NTP configuration file (ntp.conf) has only spaces in any of the lines.

    [ NSHELP-31530 ]

Citrix Gateway

  • Intranet resources overlapping with a spoofed IP address range cannot be accessed with split-tunnel set to OFF on the Citrix Secure Access client.

    [ NSHELP-34334 ]

  • Always-On VPN connection fails intermittently on start up due to Gateway server reachability.

    [ NSHELP-33500 ]

  • If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs.

    [ NSHELP-33457 ]

  • The Citrix Gateway appliance might crash if HDX Insight is enabled and a user logs in to StoreFront immediately after logging out.

    [ NSHELP-32907, NSHELP-33079, NSHELP-33289 ]

  • The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges. This issue is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance.

    [ NSHELP-32793 ]

  • When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

    [ NSHELP-32510 ]

  • On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.

    [ NSHELP-32144 ]

  • Sometimes, Windows auto logon does not work when a user logs in to the Windows machine in Always-On service mode. The machine tunnel does not transition to the user tunnel, and the message “Connecting…” is displayed in the VPN plug-in UI.

    [ NSHELP-31357, CGOP-21192, NSHELP-34211 ]

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [ NSHELP-30662 ]

  • Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ Always-On profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

    [ NSHELP-30236 ]

  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

    HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
    Type: DWORD

    By default, this registry value is not set. When “SecureChannelResetTimeoutSeconds” is absent or set to 0, the fix that handles the delay is inactive, which is the default behavior. The admin must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [ NSHELP-30189 ]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [ NSHELP-29675 ]

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]

  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]

  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]

  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]

  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]

  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.

    [ NSHELP-25694 ]

  • The “show tunnel global” command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done

    Previous output:

    show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • In a Citrix ADC cluster setup, HDX Insight and Gateway Insight cannot be enabled simultaneously.

    [ CGOP-23570 ]

  • The Windows OS option is not listed in the Expression Editor drop-down list for pre-authentication policies and authentication actions on the Citrix ADC GUI. However, if you have already configured the Windows OS scan on a previous Citrix ADC build using the GUI or the CLI, the upgrade does not impact the functionality. You can use the CLI to make changes, if required.

    Workaround:

    Use the CLI commands for the configuration.

    • To configure an advanced EPA action in nFactor authentication, use the following command. The inner double quotes of the EPA expression are escaped with a backslash.
      add authentication epaAction adv_win_scan -csecexpr "sys.client_expr(\"sys_0_WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]\")"
    • To configure a classic pre-authentication action and policy, use the following commands.
      add aaa preauthenticationaction win_scan_action ALLOW
      add aaa preauthenticationpolicy win_scan_policy "CLIENT.SYSTEM('WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]') EXISTS" win_scan_action

    [ CGOP-22966 ]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML failures.

    [ CGOP-13584 ]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]

  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]

  • The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Citrix Web App Firewall

  • When the Web App Firewall policy bound to a virtual server is updated, the following issues are observed:

    • The Citrix ADC GUI and CLI do not respond, or take longer than usual to respond.
    • Packet CPU utilization increases to 100%.
    • The number of persistence sessions increases.

    [ NSHELP-33975 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • In an HA setup, the Citrix ADC appliance crashes when a service group that is bound to multiple virtual servers is removed.

    [ NSHELP-34029 ]

  • During connection mirroring, the Citrix ADC appliance crashes when the rewrite policy is greater than 30 bytes.

    [ NSHELP-32902 ]

  • The Citrix ADC appliance triggers an incorrect SNMP alert for a high server connection due to a wrong calculation of the number of servers.

    [ NSHELP-31582 ]

  • In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.

    [ NSHELP-29309 ]

  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]

  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]

Miscellaneous

  • When you run the “ns_hw_err.bash” script on the Citrix ADC appliance, the following error message appears:
    “error: can’t open file ‘ns_hw_plugins.py’: [Errno 2] No such file or directory”

    [ NSHELP-32991 ]

  • The Citrix ADC appliance sets the buffer size for the web server logging feature to an incorrect default value of 3 MB instead of 16 MB.

    [ NSHELP-32429 ]

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [ NSHELP-31836 ]

  • Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

    [ NSHELP-28986 ]

Networking

  • In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

    [ NSNET-18586 ]

  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset

    [ NSNET-16559 ]

  • On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (“/etc/blx/blx.conf”) settings. This issue occurs because “mawk”, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the “blx.conf” file.

    Workaround: Install “gawk” before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install “gawk”:

    • apt-get install gawk

    [ NSNET-14603 ]

  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    “The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get install libc6:i386

    [ NSNET-14602 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because the LSN module does not find the service while decrementing its reference count or deleting it.

    [ NSHELP-29134 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of a stale filtering entry.

    [ NSHELP-28895 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because the LSN module accesses the memory location of an already deleted service.

    [ NSHELP-28815 ]

  • The Citrix ADC appliance might not generate “coldStart” SNMP trap messages after a cold restart.

    [ NSHELP-27917 ]

  • In a high availability setup, a dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • The dynamic routing enabled SNIP address is bound to a shared VLAN in a non-default partition.

    As part of the fix, the Citrix ADC appliance no longer allows binding a dynamic routing enabled SNIP address to a shared VLAN in a non-default partition.

    [ NSHELP-24000 ]

Platform

  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.

    [ NSPLAT-22013, NSHELP-34441 ]

  • Some python packages are not installed, when you downgrade the Citrix ADC appliance from 13.1-4.x version and higher versions to any of the following versions:

    • Any 11.1 build
    • 12.1–62.21 and earlier
    • 13.0-81.x and earlier

    [ NSPLAT-21691 ]

  • On the Citrix ADC SDX 8015/8400/8600 platform, you might see increased memory consumption on XenServer.

    Workaround: Run the following command on XenServer, and then reboot the appliance.

    /opt/xensource/libexec/xen-cmdline --set-xen "dom0_mem=1024M,max:1024M"

    [ NSHELP-32260 ]

  • During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.

    [ NSHELP-29425 ]

  • The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

    [ NSHELP-28600 ]

Policies

  • In the Citrix ADC GUI, you can see the rewrite actions only when you click Show Built-in Rewrite action in AppExpert > Rewrite > Actions.

    [ NSPOLICY-4843 ]

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal “decode_error” alert instead of an “unexpected_message” alert.

    [ NSSSL-11890 ]
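The alert choice in NSSSL-11890 follows from how a TLS 1.3 receiver strips record padding (RFC 8446, section 5.4). The following Python is an added illustration, not Citrix code, of what a conforming receiver does with the decrypted TLSInnerPlaintext: it walks back over the zero padding to find the content-type byte and, when no non-zero byte exists, raises the “unexpected_message” alert the RFC mandates rather than “decode_error”. Record decryption is assumed to have already happened, the sample records are constructed inline, and the handling of an unknown inner content type is this example's own choice.

```python
"""TLS 1.3 inner-plaintext padding check (RFC 8446, section 5.4).

Added example, not Citrix code. It assumes AEAD decryption has already
succeeded and works on the decrypted TLSInnerPlaintext bytes:

    content || content_type (one non-zero byte) || zero padding

The receiver scans backwards over the zero padding to find the content
type. If every byte is zero there is no content type at all, and the RFC
requires the connection to be closed with an "unexpected_message" alert.
"""
from typing import Optional, Tuple

# AlertDescription values (RFC 8446, section 6.2)
UNEXPECTED_MESSAGE = 10
DECODE_ERROR = 50
ALERT_NAMES = {UNEXPECTED_MESSAGE: "unexpected_message", DECODE_ERROR: "decode_error"}

# ContentType values (RFC 8446, section 5.1)
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23


class TLSAlert(Exception):
    """Fatal alert the receiver would send before closing the connection."""

    def __init__(self, description: int, reason: str) -> None:
        super().__init__(f"{ALERT_NAMES.get(description, description)}: {reason}")
        self.description = description


def pad_inner_plaintext(content_type: int, content: bytes, pad_len: int) -> bytes:
    """Build a TLSInnerPlaintext: content, then the type byte, then pad_len zeros."""
    return content + bytes([content_type]) + b"\x00" * pad_len


def strip_inner_plaintext(plaintext: bytes) -> Tuple[int, bytes]:
    """Return (content_type, content), raising TLSAlert as RFC 8446 requires."""
    # Walk back over trailing zero octets; the first non-zero octet is the type.
    i = len(plaintext) - 1
    while i >= 0 and plaintext[i] == 0:
        i -= 1
    if i < 0:
        # Only padding (or nothing) was found, so no content type exists.
        # RFC 8446 section 5.4 mandates unexpected_message here, not decode_error.
        raise TLSAlert(UNEXPECTED_MESSAGE, "no non-zero octet in TLSInnerPlaintext")
    content_type, content = plaintext[i], plaintext[:i]
    if content_type in (CT_HANDSHAKE, CT_ALERT) and not content:
        # RFC 8446 section 5.4: zero-length Handshake/Alert records are forbidden
        # and must also be answered with unexpected_message.
        raise TLSAlert(UNEXPECTED_MESSAGE, "zero-length handshake or alert record")
    if content_type not in (CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA):
        # RFC 8446 does not name an alert for an unknown inner content type;
        # treating it as unexpected_message is this example's choice.
        raise TLSAlert(UNEXPECTED_MESSAGE, f"unknown content type {content_type}")
    return content_type, content


def alert_for(plaintext: bytes) -> Optional[str]:
    """Name of the alert a conforming receiver sends, or None if the record is valid."""
    try:
        strip_inner_plaintext(plaintext)
    except TLSAlert as exc:
        return ALERT_NAMES[exc.description]
    return None


if __name__ == "__main__":
    # Constructed sample records, not captured traffic.
    good = pad_inner_plaintext(CT_APPLICATION_DATA, b"GET / HTTP/1.1\r\n", pad_len=6)
    print(strip_inner_plaintext(good))                            # (23, b'GET / HTTP/1.1\r\n')
    print(alert_for(b"\x00" * 16))                                # unexpected_message
    print(alert_for(pad_inner_plaintext(CT_HANDSHAKE, b"", 3)))   # unexpected_message
```

Zero-length application_data records are legal (the type byte alone is a valid TLSInnerPlaintext), so the check must distinguish "no content type at all" from "empty content"; only the former, and empty handshake or alert records, trigger the alert.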

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
    2. Save the configuration.

    [ NSSSL-9572 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]

System

  • High RTT is observed for a TCP connection if both of the following conditions are met:

    • A high maximum congestion window (>4 MB) is set.
    • The TCP NILE algorithm is enabled.

    For a Citrix ADC appliance to use the NILE algorithm for congestion control, the congestion window must exceed the slow start threshold, which is coupled with the maximum congestion window. So, until the configured maximum congestion window is reached, the Citrix ADC appliance continues to accept data and ends up with high RTT.

    [ NSHELP-31548 ]

  • A Citrix ADC appliance might crash when the following condition is met:

    • Both analytics profile and AppFlow policy are bound, and the profile has the “httpAllHdrs” option enabled.

    [ NSHELP-30628 ]

  • The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

    [ NSHELP-28710, NSHELP-28713 ]

  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]

  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]

  • A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]

  • When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround: Restart the Management pod.

    [ NSBASE-15556 ]

  • In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins the cluster, it does not receive the latest SYN cookie.

    [ NSBASE-14419 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPsec profiles, IP tunnels, and PBR rules using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]

  • When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.

    [ NSHELP-34187 ]

  • Modifying a static route by using the Citrix ADC GUI (system > network > routes) might incorrectly fail with the following error message:

    • “Required argument missing [gateway]”

    [ NSHELP-32024 ]

  • In an HA or cluster setup, configuration synchronization fails if you have configured SSH keys other than RSA (for example, ECDSA or DSA keys).

    [ NSHELP-31675 ]

  • In a Citrix ADC appliance, binding a cache policy to the override global or default global bind point using the GUI fails with the following error:

    • Required argument missing.

    This error does not occur when binding the cache policy using the CLI.

    [ NSHELP-30826 ]

  • Because of an incorrect upgrade installation sequence, the following issue occurs on the Citrix ADC appliance:

    • The kernel image is updated first, and the encryption keys are copied only a few steps later. If a failure occurs between these steps, the appliance comes up with the new image but without the encryption keys, which leads to decryption failure and missing configuration.

    [ NSHELP-30755 ]

  • Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

    [ NSHELP-28606 ]

  • Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

    [ NSHELP-28586 ]

  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

    • The “ssh_host_rsa_key” private and public keys do not form a matching pair.

    Workaround: Regenerate “ssh_host_rsa_key”. For more information, see https://support.citrix.com/article/CTX322863.

    [ NSHELP-27834 ]

  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [ NSHELP-27252 ]

  • On the Citrix ADC GUI, the Saved vs Running configuration screen (System > Diagnostics) incorrectly displays HTML tags instead of displaying plain text.

    [ NSHELP-27169 ]

  • While viewing the policies bound to a content switching policy label in the Citrix ADC GUI, only 25 policies are displayed even though there are more policies bound to that policy label.

    [ NSHELP-23428 ]

  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]

  • If you (the system administrator) perform all the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:
      • 13.0 build 52.24
      • 12.1 build 57.18
      • 11.1 build 65.10
    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI, at the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: Use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
    • If neither of the above options works, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.

    [ NSCONFIG-3188 ]
