Citrix ADC

Release Notes for Citrix ADC 13.0-85.19 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.0-85.19.


  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-85.19 and later builds address the security vulnerabilities described in
  • Build 85.19 replaces Build 85.15.
  • This build also includes a fix for the following issue: NSHELP-31668.

What’s New

The enhancements and changes that are available in Build 13.0-85.19.

Authentication, authorization, and auditing

  • Support for GSLB active-active deployment for nFactor authentication using connection proxy

    Support is now added for GSLB active-active deployment for nFactor authentication using connection proxy. This support is applicable for both Citrix Gateway and Authentication, authorization, and auditing scenarios.
    Currently, if various factors are configured in nFactor authentication and if gateway is configured for GSLB, then the authentication might break if the client request lands on different GSLB sites.

    For example, if LDAP is configured as first factor and RADIUS is configured as second factor, then the authentication might break in the following scenario.

    • Client request for LDAP lands on GSLB site 1.
    • Radius request lands on GSLB site 2.

    Connection proxy is now used to route request to the correct GSLB sites for completing authentication and serving traffic.

    [ NSAUTH-7141 ]

Fixed Issues

The issues that are addressed in Build 13.0-85.19.

Authentication, authorization, and auditing

  • The Citrix ADC appliance might crash if there is an error while updating SSL certificate-key pair being used in SAML configuration. To fix this issue, you can unbind the certificate, update and then bind the certificate again.

    [ NSHELP-30270 ]

  • Users cannot log in to the Citrix ADC appliance if the login request using SAML contains whitespace characters other than ‘ ‘ (single quotes). With this fix, all whitespace characters are permitted.

    [ NSHELP-29773 ]

  • In rare cases, the Citrix ADC appliance might crash due to an incorrect log position.

    [ NSHELP-29267 ]

  • A Citrix ADC appliance configured to authenticate using OAuth Service Provider, cannot be configured with ‘client-secrete_post” to authenticate with IDP tokenEndPoint.

    With this fix, the authentication method “client_secret_basic” is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

    [ NSHELP-28945 ]

  • A Citrix ADC appliance might fail to respond when SAML authentication is in progress and X.509 certificates of size 1800 bytes or more are used in the SAML authentication.

    [ NSHELP-28608, NSHELP-29913 ]

  • In a Citrix ADC high availability setup, some authentications commands are displayed during CLI configuration as a result of syncing issue.

    [ NSHELP-28448 ]

  • The Authentication, authorization, and auditing.USER.ATTRIBUTE expression might give an empty value in multi-core Citrix ADC appliance when user password is changed on expiry.

    [ NSHELP-28419 ]

  • The Citrix ADC appliance, when configured as an OAuth Relying Party, does not add the extracted ‘email’ and ‘username’ field information from the ID token to the hash attribute of the authentication, authorization, and auditing session.

    [ NSHELP-28262 ]

  • Sometimes, authentication might fail when Authentication, authorization, and auditing.LOGIN.PASSWORD is used.

    [ NSHELP-28101 ]

  • When SAML metadata is configured, memory leak is observed with SSL certificates.

    [ NSHELP-27846, NSHELP-25020 ]

  • The Citrix ADC appliance might go into an SSO loop with the backend server and result in memory build up if both the following conditions are met.

    • The ADC appliance performs a negotiate and NTLM SSO authentications with the backend server.
    • The backend server fails to perform both the authentications.

    [ NSHELP-27757 ]

  • The Citrix ADC appliance might crash during active directory group extraction if the distinguished name of an extracted group is NULL.

    [ NSHELP-26899 ]

  • Sometimes, if nFactor is configured, incorrect IP address is logged in the logout message.

    [ NSHELP-26692 ]

  • In a high availability setup, the Citrix ADC appliance crashes when a forced synchronization is initiated.

    [ NSAUTH-11876 ]

  • Intune NAC v2 is not supported for Android 11 and later.

    [ NSAUTH-11872 ]

  • Admins cannot use the LDAP or RADIUS connectivity tool if the password contains a certain special character or if the arguments have a space in it.

    [ NSAUTH-11322 ]

Bot Management

  • When the CAPTCHA challenge is in progress, the Citrix ADC bot management does not honor the configured value set by the user for the CAPTCHA retry attempts.

    [ NSBOT-801 ]


  • CallHome registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the Citrix Support Server.

    [ NSHELP-28667 ]

Citrix ADC SDX Appliance

  • When you restore a Citrix ADC SDX appliance from the backup, the CLI prompt string is not restored.

    [ NSHELP-30238 ]

  • An incorrect message appears when clean install fails because the factory partition doesn’t have enough space.

    [ NSHELP-30136 ]

  • On a Citrix ADC SDX 115xx appliance, restoring a VPX allotted with a high number of CPU cores (3-5 cores) might fail if the appliance backup contains three or more instances.

    [ NSHELP-30135 ]

  • The backplane field in the Add Cluster Node page is no longer mandatory unless one of the following conditions is met:

    • The node group already exists for layer 3 clusters.
    • It is a layer 2 cluster.

    [ NSHELP-29701 ]

  • On a Citrix ADC SDX appliance, the default value for raising the alarm on the “Hypervisor Disk Usage High” alert is increased to 98 percentage.

    [ NSHELP-29688 ]

  • In rare cases, ADC inventory does not occur on a Citrix ADC SDX appliance.

    [ NSHELP-29607 ]

  • The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.

    [ NSHELP-29170 ]

Citrix Gateway

  • Users cannot add an authentication profile while configuring Citrix Gateway by using the Citrix ADC GUI standard license edition. With this fix, users can attach the nFactor authentication profile available with a standard license.

    [ NSHELP-30647 ]

  • Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:
    1. For the VPN plug-in upgrade, end users must connect using VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
    2. For EPA only use case, the end users will not have the VPN client to connect to gateway. In this case, perform the following:
      1. Connect to the gateway using a browser.

      2. Wait for the download page to appear and download the nsepa_setup.exe.
      3. After downloading, close the browser and install the nsepa_setup.exe file.
      4. Restart the client.

    [ NSHELP-30641 ]

  • In a Citrix ADC GSLB and SSL VPN setup, memory leak is observed while handling a DTLS ICA connection. As a result, the connection drops and memory builds up.

    [ NSHELP-30182 ]

  • EPA scan for checking the antivirus last full system scan fails on macOS.

    [ NSHELP-29571 ]

  • In a high availability setup with TCP SYSLOG configuration, a node might crash during HA failover or during clear config operation.

    [ NSHELP-29251 ]

  • Memory leak is observed in a Citrix ADC appliance when an outbound proxy is configured.

    [ NSHELP-29234 ]

  • In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

    [ NSHELP-28974 ]

  • The Citrix Gateway VPN full tunnel does not work as expected if binary response is enabled. As a result, the NSAAC cookie is corrupted. With this fix, the binary response works in the earlier VPN plug-ins. However, Citrix recommends that you use the latest VPN plug-in which works with the JSON response.

    [ NSHELP-28729 ]

  • The Citrix Gateway appliance crashes while processing STA in DTLS Audio because the allocated memory is not reset.

    [ NSHELP-28432, NSHELP-29796 ]

  • The directory /var/netscaler/logon/LogonPoint/custom/ is not created after an upgrade if the directory was was not present initially.

    [ NSHELP-28223 ]

  • Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

    [ NSHELP-27852 ]

  • The Citrix Gateway appliance might crash when reconnecting to an existing ICA session.

    [ NSHELP-27441 ]

  • When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message “Invalid Proxy Value” appears.

    [ NSHELP-26613 ]

Citrix Web App Firewall

  • An upgrade to XML library version 2.9.12 causes the WAF signature-related XML files to break during parsing.

    [ NSWAF-8662 ]

  • The JSON command injection protection appears “Not blocked” in the ns.log message, even if the HTTP request was blocked by the Web App Firewall module.

    [ NSHELP-29709 ]

  • The Web App Firewall log message displays, “BAD URL” for Cross-Site Scripting (XSS) URL attribute violations, and the term “Bad URL” is not clear as to which category it belongs (such as tag, pattern, or attribute).

    [ NSHELP-29358 ]

  • The bot device fingerprint post URL might fail if the bot management policy is enabled on a load balancing virtual server of type SSL.

    [ NSHELP-29198 ]

  • A Citrix ADC appliance might crash if the following modules are enabled:

    • Web App Firewall with advanced security checks.
    • Appqoe.

    [ NSHELP-28251 ]

Load Balancing

  • In an autoscale DNS deployment, the members in the TROFS state do not detect and respond to health check failure.

    [ NSHELP-29628 ]

  • The Citrix ADC appliance might crash while binding the rewrite policy to the load balancing virtual server if the following conditions are met:

    1. Evaluation of the second expression overwrites the policy state variables of the first expression which is in progress.
    2. DETERMINE_SERVICES policy state variables are overwritten by the rule defined by the load balancing virtual server.

    [ NSHELP-29449 ]

  • The Citrix ADC appliance crashes while trying to free up memory allocated in a different partition from the one it is being freed from.

    [ NSHELP-29038 ]

  • The Monitor response time shown when you run the show service command is sometimes incorrect.

    [ NSHELP-28994 ]

  • Some service group members are not removed from the Autoscale service group list when there is a conflict between statically bound member and dynamically resolved DNS records. This issue leads to memory corruption.

    [ NSHELP-28949 ]

  • In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.

    [ NSHELP-28570 ]

  • In a persistence-enabled deployment, an incorrect virtual server is stored during context save.

    [ NSHELP-28342 ]

  • A Citrix ADC appliance might fail when handling monitor probe for mysql type of monitor, which eventually leads to a system reboot.

    [ NSHELP-27953 ]


  • Citrix Gateway login page fails to load on a fresh install of the Citrix ADC appliance because of missing GUI files in the /var/netscaler/logon directory.

    [ NSHELP-31668 ]

  • The following issue occurs after upgrading the appliance to Citrix ADC version 12.1 build 63.22:

    • The Extension Find API might not work after the upgrade.

    [ NSHELP-29860 ]


  • In a Citrix ADC appliance with even number of packet engines (PE), the appliance incorrectly displays the status of active interfaces as inactive of a redundant interface set (LR channels). This issue does not impact any functionality of the Citrix ADC appliance.

    [ NSHELP-28099 ]

  • The Citrix ADC appliance might not generate “coldStart” SNMP trap messages after a cold restart.

    [ NSHELP-27917 ]


  • The serial console of a Citrix ADC VPX instance hosted on the Azure cloud is not accessible when the virtual machine is in the early stages of booting.

    [ NSPLAT-23010 ]


  • In rare cases, you might see a crash during DTLS processing on the following platforms:

    • MPX 5900
    • MPX/SDX 8900
    • MPX/SDX 15000
    • MPX/SDX 15000-50G
    • MPX/SDX 26000
    • MPX/SDX 26000-50S
    • MPX/SDX 26000-100G

    [ NSHELP-29538 ]

  • A Citrix ADC appliance crashes if the following steps are followed:

    1. A monitor of type SSL is added.
    2. A certificate-key pair is bound to the monitor.
    3. The monitor is removed.
    4. Another monitor with the same name is added.
    5. The certificate-key pair is updated.

    [ NSHELP-28666, NSHELP-29784 ]

  • In a high availability setup, the certificate type is not synchronised correctly between the primary and secondary nodes.

    [ NSHELP-27589 ]

  • In a VPN deployment, the Citrix ADC appliance picks up an SSL session for session reuse from cache to communicate to the proxy or back-end server. It does this without matching the SNI received from the client to the SNI present in the cached session.

    As a result, either the SNI is not sent or a different SNI is sent depending on the cached data.

    [ NSHELP-27439 ]

  • In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:

    • Files are syncing from the primary node to the secondary node.
    • CRL file is downloading from the CRL server at the same time.

    [ NSHELP-27435 ]

  • The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.

    [ NSHELP-26986 ]

  • SSL handshake fails if you use DH ciphers with an external HSM.

    [ NSHELP-25307 ]


  • The Citrix ADC appliance crashes if either of the following conditions occur:

    • The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
    • High availability synchronization happens on the secondary node.

    [ NSHELP-30987, NSHELP-28121, NSHELP-29843 ]

  • Citrix ADC appliance is unable to forward some of the non-HTTP data packets to the back-end servers.

    [ NSHELP-30192 ]

  • Memory leak is observed in a Citrix ADC appliance when clearing the allocated memory for Intrusion Prevention System (IPS) resources.

    [ NSHELP-29992 ]

  • In certain scenarios, Citrix ADC appliance does not forward some HTTP packets to the back-end server, if the following condition is met:

    • If a Citrix ADC feature internally clones HTTP packets.

    [ NSHELP-29958 ]

  • Configuration operations that associate SSL profiles and SSL certificate keys with an HTTP QUIC virtual server, might fail on a Citrix ADC cluster deployment.

    [ NSHELP-29655 ]

  • A second request on the same client connection fails if the following conditions are met:

    • clientSideMeasurements is enabled.
    • HEAD request is received.

    [ NSHELP-29353 ]

  • The Citrix ADC appliance might incorrectly add an IPv4 address to an AppFlow record related to an IPv6 transaction.

    [ NSHELP-29261 ]

  • In some scenarios, a Citrix ADC appliance might crash under the following conditions:

    • TCP jumbo frames are used.
    • Persistence is configured on a TCP load balancing virtual server.

    [ NSHELP-29162 ]

  • A Citrix ADC appliance crashes if the following conditions are met:

    • The client-side measurements option is enabled on the AppFlow action.
    • The chunk headers fall on the packet boundary.

    [ NSHELP-29049 ]

  • A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

    [ NSHELP-28846 ]

  • A Citrix ADC appliance might crash when replaying a chunked response from the ICAP-module to the client.

    [ NSHELP-28788 ]

  • In a TCP connection, the Citrix ADC appliance might drop a FIN packet, received from a server, instead of forwarding it to the client if all of the following conditions are met:

    • TCP buffering is enabled.
    • The server sends the FIN packet and the data packet separately.

    [ NSHELP-27274 ]

User Interface

  • You can accidentally unlink an SSL certificate because there is no prompt for confirmation. With this fix, when the user clicks on a linked certificate, it will prompt for a confirmation before unlinking a certificate.

    [ NSUI-17897 ]

  • For a RPC node configuration, with the “Secure” option disabled, the configure RPC node dialog box in the Citrix ADC GUI incorrectly displays the “Secure” option as enabled.

    [ NSHELP-30887 ]

  • Cache filtering might not work as expected on the Citrix ADC GUI.

    [ NSHELP-30392 ]

  • The Citrix ADC GUI does not process the RAPI calls resulting in some components of the GUI becoming unresponsive.

    [ NSHELP-30231 ]

  • In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.

    [ NSHELP-28870 ]

  • The API response for a NITRO GET request with filter might contain additional information even if it is not mentioned in the filter.

    [ NSHELP-28598 ]

  • While configuring or checking SSL certificates using the Citrix ADC GUI, the error “Directory doesn’t exist” might appear. This issue occurs when a filename with two consecutive dots (“..”) exists in the SSL folder “/nsconfig/ssl”.

    [ NSHELP-28589 ]

  • In a high availability setup, HA synchronization might fail for a built-in policy pattern set binding, if the built-in policy pattern set was modified on the primary node.

    [ NSHELP-28460 ]

  • When the user tries to change the page size of a list in the side panel views, the page gets distorted.

    [ NSHELP-28220 ]

  • ping or ping6 command with interface (-I) option might fail with the following error:

    • “interface option not supported”

    [ NSHELP-26962 ]

  • In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO)

    [ NSHELP-23310 ]

Known Issues

The issues that exist in release 13.0-85.19.


  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • Form-based SSO fails for the backend servers that send key-value parameters in the URL query.

    [ NSHELP-30975 ]

  • The Citrix ADC appliance might crash due to large memory allocation because of a missing target URL in the OAuth configuration.

    [ NSHELP-30963 ]

  • The Citrix ADC appliance’s Authentication, authorization, and auditingD module might crash due to a missing or incorrect incoming password length from the packet engine to the Authentication, authorization, and auditingD.

    [ NSHELP-30911 ]

  • There might be an Intermittent failure in connecting to the Outlook exchange server via the Outlook app due to incorrect header addition by the Citrix ADC appliance.

    [ NSHELP-30555 ]

  • The Citrix ADC appliance crashes if the ADFSPIP URL is set to type “http://”. ADFSPIP only supports “https://” URL types.

    [ NSHELP-29838 ]

  • Single sign-on fails during an authentication session when the password change event is triggered. This issues occurs only if the persistentLogin attempts parameter is enabled.

    [ NSHELP-28085 ]

  • In some cases, “invalid credentials” error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.

    [ NSHELP-27113 ]

  • Access to a service is denied if the following conditions are met:

    • The service is bound to an authentication virtual server.
    • 401 authentication is configured on the service and the virtual server that the service is bound to.

    [ NSHELP-26903 ]

  • The Citrix ADC appliance might crash when the synchronization of the session and key configuration happens between the primary to the secondary controller card.

    [ NSHELP-26891 ]

  • In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if policy name is longer than intranet application name.

    [ NSHELP-25971 ]

  • The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.

    [ NSHELP-25203 ]

  • If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (“) character, the Citrix ADC appliance strips it during the “Test Connectivity” check, resulting in connection failure.

    [ NSHELP-23630 ]

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]

  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command: show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

    [ NSAUTH-5916 ]

  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]


  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

    [ NSSVM-4333 ]

  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.

    [ NSHELP-21992 ]

Citrix Gateway

  • In some cases, the Citrix Secure Access for macOS drops connections because of issues with some non-DNS protocols using port 53, such as STUN.

    [ NSHELP-31004 ]

  • Sometimes, users cannot access the bookmarks in advanced clientless VPN mode.

    [ NSHELP-30939 ]

  • When Always on is configured, the user tunnel fails because of the incorrect version number ( in the aoservice.exe file.

    [ NSHELP-30662 ]

  • Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway`.

    [ NSHELP-30236 ]

  • The PCoIP Apps and Desktops launch fails when launched from a browser and the error message “VMware client missing” is displayed. This issue occurs because the “vmware-view” protocol is not added to the list of allowed protocols.

    [ NSHELP-30062 ]

  • The Citrix Gateway appliance might crash during channel parsing when HDX Insight is enabled and NSAP is disabled.

    [ NSHELP-30029 ]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [ NSHELP-29675 ]

  • Gateway Insight reports a false authentication failure even before the user submits the credentials for login when the authentication rule is configured to match one of the requests in the login flow.

    [ NSHELP-29313 ]

  • The Active Users Session page does not display all the active user sessions unless the numbers of entries is changed to 2000 per page.

    With this fix, a new link “All user session” (Citrix gateway -> Monitor Connections > All user session) is added in the admin UI that lists all the user sessions and connections.

    [ NSHELP-29151 ]

  • You might notice some Citrix internal IP addresses in the rdx.js file.

    [ NSHELP-28682 ]

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]

  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]

  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]

  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]

  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]

  • Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

    [ NSHELP-26904 ]

  • The Citrix Gateway GUI displays the message “Invalid IP or Port” when editing a VPN session profile.

    [ NSHELP-26722 ]

  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.

    [ NSHELP-25694 ]

  • The “show vpn icaConnection” command output does not display the serial numbers of the ICA connections correctly. This issue occurs because the serial number is reset arbitrarily when the “show vpn icaconnection” is run.

    [ NSHELP-25646 ]

  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

    Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

    [ NSHELP-25598 ]

  • EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]

  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]

  • VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication “off”

    [ NSHELP-23584 ]

  • The “show tunnel global” command output includes advanced policy names. Previously, the output did not display the advanced policy names.


    New output:

     > show tunnel global  
     Policy Name: ns_tunnel_nocmp Priority: 0
     Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy  
     Priority: 1  
     Global bindpoint: REQ_DEFAULT
     Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy  
     Priority: 100  
     Global bindpoint: RES_DEFAULT  

    Previous output:

     > show tunnel global  
     Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
     Advanced Policies:
     Global bindpoint: REQ_DEFAULT  
     Number of bound policies: 1

    [ NSHELP-23496 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]

  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]

  • When an ICA connection is launched from a MAC receiver version or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

    [ CGOP-13494 ]

  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

    [ CGOP-13493 ]

  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]

  • The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Citrix Web App Firewall

  • In the WAF SQL injection containing a quote (single quote, double quote, or back tick), the opening and closing quote must be present for marking the pattern as an attack. However, when a comment is present in the pattern the closing quote is not required.

    [ NSHELP-30379 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • Scope prefix is not set correctly when ECS is enabled on the ADC appliance and the location is not found. This issue results in creating an incorrect persistence entry. The incorrect persistence entry is created based on LDNS IP address instead of ECS IP address received in the request for the non-static proximity-based GSLB method.

    [ NSHELP-30846 ]

  • In a rare race-condition scenario, the packet engine might crash with core dump when following configuration is present on the Citrix ADC appliance:

    • The GSLB virtual server is configured with the source IP address-based persistence and DNS logging is enabled on the DNS profile bound to the ADNS service.
    • The DNS load balancing server is configured without DNS logging enabled on the DNS profile.

    [ NSHELP-29791 ]

  • Incremental synchronization fails for the “add dns action” and “add location” commands with policy expressions that contain wildcards.

    [ NSHELP-29301 ]

  • The state of the service group displayed in the show and stat commands is inconsistent.

    [ NSHELP-28931 ]

  • The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]

  • SQL or Oracle type monitors crash when the peer sends a request to reset the existing connection.

    [ NSHELP-28478 ]

  • The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.

    [ NSHELP-28332 ]

  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]

  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]


  • When a forced synchronization takes place in a high availability setup, the appliance executes the “set urlfiltering parameter” command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the “TimeOfDayToUpdateDB” parameter.

    [ NSSWG-849 ]

  • The portal jQuery UI is updated from 1.12.1 to 1.13.1 to address the vulnerability described in Security Bulletins: CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184.

    [ NSHELP-30209 ]

  • Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

    [ NSHELP-28986 ]

  • A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

    [ NSHELP-22409 ]


  • A Citrix ADC appliance might crash if all of the following conditions are met:

    • A load balancing route is configured in a traffic domain on the appliance.
    • A clear config operation is performed on the appliance.

    [ NSNET-23847 ]

  • A Citrix ADC BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.

    Workaround: Remove the Advanced security protection configuration for WAF.

    [ NSNET-22654 ]

  • In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

    [ NSNET-18586 ]

  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset

    [ NSNET-16559 ]

  • On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (“/etc/blx/blx.conf”) settings. This issue occurs because “mawk”, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the “blx.conf” file.

    Workaround: Install “gawk” before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install “gawk”:

    • apt-get install gawk

    [ NSNET-14603 ]

  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    “The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg –add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386

    [ NSNET-14602 ]

  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • LSN filtering and mapping entries are not present in the appliance.

    [ NSHELP-30225 ]

  • The Citrix ADC appliance might crash if you unbind a dataset from an ACL rule when some packets matched the ACL rule.

    [ NSHELP-30221 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Session reference count is not zero while deleting a filtering entry.

    [ NSHELP-29348 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module does not find the service while decrementing the reference count or deleting the service.

    [ NSHELP-29134 ]

  • In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module accessed the memory location of an already deleted service.

    [ NSHELP-28815 ]

  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition

    [ NSHELP-24000 ]

  • When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

    [ NSHELP-21082 ]


  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.

    [ NSPLAT-22013 ]

  • When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

    • 13.1-4.x
    • 13.0-82.31 and later
    • 12.1-62.21 and later

    The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier

    [ NSPLAT-21691 ]

  • In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

    • The CLAG is created on a Mellanox NIC.
    • You add another VPX instance to the cluster and CLAG setup.

    As a result, traffic to the VPX instance stops.

    [ NSPLAT-21049 ]

  • In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

    • The CLAG is created on a Mellanox NIC.
    • You remove the second node from the cluster.

    [ NSPLAT-21042 ]

  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the “rm cloudprofile” command to delete the profile.

    [ NSPLAT-4520 ]

  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

    [ NSPLAT-4451 ]

  • On a Citrix ADC SDX appliance with single bundle image (SBI) and VPX versions 13.1-24.x or later, the active-active deployment using VRRP on Fortville NICs is supported. This deployment is not supported in L2 mode.

    The following points apply to the deployment:

    • Citrix recommends removing the VRID configuration from the Management Service before upgrading or downgrading the associated VPX instance. Add the VRID configuration from the Management Service after the upgrade or downgrade operation is complete.
    • If you do not follow the preceding recommendation, you must manually rediscover the VPX instances from the Management Service to enable VRRP convergence.

    [ NSHELP-30670 ]

  • During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.

    [ NSHELP-29425 ]

  • The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

    [ NSHELP-28600 ]


  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

  • In some scenarios, a Citrix ADC appliance might crash when an assignment action is used with the clear operation for an AppExpert variable.

    [ NSHELP-29766 ]


  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.


    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
    2. Save the configuration.

    [ NSSSL-9572 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]

  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

  • On MPX 8900 and MPX 15000 FIPS certified appliances, running ECDHE traffic can cause a memory leak.

    [ NSHELP-30744 ]

  • The Citrix ADC appliance crashes when SSL interception is enabled and there are multiple parallel requests to access a backend server with an expired certificate.

    [ NSHELP-29520 ]

  • In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

    [ NSHELP-28058 ]

  • A Citrix ADC MPX/SDX 14000 FIPS appliance might crash due to continuous use of APIs for crypto operations, by internal applications such as SAML, over a period of time.

    [ NSHELP-27952 ]


  • In a Citrix ADC appliance, latency issue is observed in HTTP/2 transactions if the following conditions are met:

    • HTTP/2 SSL configuration is enabled on the back-end service
    • Service does not support HTTP/2 protocol.

    [ NSHELP-30020 ]

  • The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

    [ NSHELP-28710, NSHELP-28713 ]

  • The Citrix ADC VPX instance might crash if responder policies are configured, and you add some rewrite policies that lead to header corruption.

    Workaround: Remove the responder policy.

    [ NSHELP-28512, NSHELP-30415 ]

  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]

  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]

  • Pitboss failure occurs when looping a large number of packets in the retransmission queue.

    [ NSHELP-26071 ]

  • A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]

  • Some SYSLOG messages are dropped when logging on to an external SYSLOG server using TCP protocol.

    [ NSHELP-24522 ]

  • In certain scenarios, the nstrace packet capture misses all packets if you apply the IP address based filter.

    [ NSHELP-23483 ]

  • In a cluster setup, the “set ratecontrol” command works only after restarting the Citrix ADC appliance.

    Workaround: Use the -ys icmp_rate_threshold=<new value> command.

    [ NSHELP-21811 ]

  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]

  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]

  • In a cluster deployment, if you run “force cluster sync” command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ NSBASE-16304, NSGI-1293 ]

  • When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround : Reboot the Management pod.

    [ NSBASE-15556 ]

  • In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins to the cluster configuration, it does not receive the latest SYN cookie.

    [ NSBASE-14419 ]

  • Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]

User Interface

  • In Citrix ADC GUI, the “Help” link present under the “Dashboard” tab is broken.

    [ NSUI-14752 ]

  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]

  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]

  • If a Citrix ADC appliance configured with pooled licensing is upgraded, the appliance might restart with a partial configuration.
    Workaround: Delete the cluster configuration database that is created after the upgrade, and warm reboot the appliance.

    [ NSHELP-30926 ]

  • In a Citrix ADC appliance, binding the cache policy to override global or default global using the GUI interface fails with the following error:

    • Required argument missing.

    This error is not seen while binding the cache policy using the CLI interface.

    [ NSHELP-30826 ]

  • Reconnection to the Citrix ADC appliance fails with the following error when “CTRL+C” is entered while running the “show run” command in the CLI interface:

    • “Invalid username or password”

    This issue happens if the characters in the key and password are the same.

    [ NSHELP-30817 ]

  • When a Citrix ADC appliance is configured to use an external authentication server, there might be a delay in running the stat commands irrespective of the RBAOnResponse parameter set to be disabled gloabally. The parameter can be disabled from GUI or CLI.

    [ NSHELP-30289 ]

  • The search filter is not available for the ‘Name’ key in the Citrix ADC GUI Manage Certificates > CSR page.

    [ NSHELP-30274 ]

  • Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

    [ NSHELP-28606 ]

  • Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

    [ NSHELP-28586 ]

  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

    • Both “ssh_host_rsa_key” private and public keys are an incorrect pair.

    Workaround: Regenerate “ssh_host_rsa_key”. For more information, see

    [ NSHELP-27834 ]

  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [ NSHELP-27252 ]

  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]

  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

      • 13.0 52.24 build
      • 12.1 57.18 build
      • 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]


    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see

    [ NSCONFIG-3188 ]

Release Notes for Citrix ADC 13.0-85.19 Release