Citrix ADC

Release Notes for Citrix ADC 13.1–17.42 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1–17.42.

Notes

This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1–17.42.

Bot Management

Support for IPv6 addressing

Citrix ADC bot management now supports Internet Protocol Version 6 (IPv6) addressing for bot detection techniques.

[ NSBOT-690 ]

Citrix Gateway

DF bit propagation for EDT over Citrix Gateway

The Citrix Gateway appliance now supports DF bit enforcement for the EDT Path Maximum Transmission Unit Discovery (PMTUD) feature. Path MTU discovery feature helps in dynamically determining the maximum transmission unit (MTU) when establishing an EDT session. The DF bit enforcement prevents EDT fragmentation that might result in performance degradation or failure to establish a session.

In earlier releases, Citrix Gateway supported EDT path MTUD but did not support DF bit enforcement.

[ CGOP-18438 ]

Citrix Web App Firewall

Enhanced support for learning multiple Cross-Site Scripting (XSS) violations

The Citrix Web App Firewall learning process is now enhanced to reduce false positives in cross-site scripting attacks.

With learning enabled, you can learn all violations in a request and potentially apply relaxation to all tags/attributes/patterns at one time. Previously, you can report only one violation at one time and must repeat the process for multiple violations.

For example, if there are 15 custom tags in a payload each resulting in a violation, you can apply relaxation for the first violation and run the request to flag another custom tag as a violation. The process must be repeated to apply relaxation for all custom tags one by one.

[ NSWAF-7545 ]

Load Balancing

Option to enable or disable members of LB and GSLB Autoscale service group

You can now directly enable or disable specific members of an LB or GSLB (DNS-based) Autoscale service group. Therefore, managing an LB or GSLB (DNS-based) Autoscale service group is now made easier.

Previously, you had to enable or disable an entire LB or GSLB Autoscale service group to enable or disable an individual member. Only non-autoscale service groups had an option to enable or disable an individual member.

[ NSLB-8109 ]

Networking

ISSU statistics enhancements

The following two enhancements are added to ISSU statistics:

  • An option dumpsession (Dump Session) has been added to the show migration operation to display the list of existing connections that the old primary node is currently serving. The show migration operation with the dumpsession option must be run only on the new primary node.
  • The show migration operation (without any option) now displays the following additional information related to the ISSU migration operation:
  • Total number of connections that are processed as part of ISSU migration operation
  • Number of remaining connections that are being processed as part of ISSU migration operation

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/upgrade-downgrade-citrix-adc-appliance/issu-high-availability.html .

[ NSNET-23577 ]

Monitor the ports usage on a Citrix ADC appliance for back-end connections using SNMP

You can use the PORT-ALLOC-EXCEED SNMP alarm to monitor the ports usage on a Citrix ADC appliance for back-end connections.

PORT-ALLOC-EXCEED SNMP alarm includes the high-threshold and normal-threshold parameters, which specify the total allocated ports of the Citrix owned IP addresses as percentages. For example, if the high-threshold parameter is set to 90, the Citrix ADC appliance generates and sends trap messages when the following event happens:

  • when the port allocation percentage exceeds 90 percent on any of the Citrix ADC owned IP address for the back-end connections

The SNMP alerts help you in deciding the need for more Citrix owned IP addresses if the free ports available are nearing exhaustion.

[ NSNET-21719 ]

GENEVE protocol support

A Citrix ADC appliance now supports the Generic Network Virtualization Encapsulation (GENEVE) protocol as defined in RFC 8926.

Server virtualization and cloud computing architecture have increased the demand for isolated Layer-2 networks in a data center. The VLAN limit of 4094 has proven to be inadequate and encapsulation protocols like VXLAN and NVGRE were introduced to overcome this limitation.

These protocols differ mainly in the control plane implementation. GENEVE protocol does not define specifications for the control plane. The protocol leaves to the implementation to define the control plane specifications.

GENEVE protocol is an encapsulation technology that aims to create Layer-2 overlay networks over Layer-3 infrastructure by encapsulating Layer-2 frames in UDP packets. Each VLAN is identified by a unique 24-bit identifier called the VNID. Only within the same segment ID (VNID) can communicate with each other.

A Citrix ADC appliance supports the GENEVE encapsulation on UDP port 6081.

[ NSNET-21717 ]

Configure SSH access to the Linux host running a Citrix BLX appliance in dedicated mode

By default, SSH access to a Linux host running Citrix BLX appliance in a dedicated mode cannot be done through the dedicated interfaces of the appliance.

You can configure SSH access to the Linux host through the dedicated interfaces of the Citrix ADC BLX appliance. This feature is useful in a single interface Linux host running a Citrix BLX appliance in dedicated mode.

You can configure direct SSH access to the Linux host in either of the following types:

  • Provide SSH access on port 9022 of Citrix ADC IP (NSIP) of the Citrix ADC BLX appliance. - <Citrix ADC IP address (NSIP)>:9022
  • Define a new IP address in the subnet of Citrix ADC IP (NSIP) and provide SSH access on port 22. - <new IP address on the Citrix ADC IP address (NSIP) subnet>:22 Also, all other ports on the Linux host are reachable using the new IP address. For example, a rsyslog server running on the Linux host on port 514/UDP is now reachable on port 514 of the new IP address.

[ NSNET-21586 ]

Simplified deployment of a Citrix ADC BLX appliance with DPDK ports

The procedure to deploy a Citrix ADC BLX appliance with DPDK ports have been simplified with the following enhancements:

  • The Citrix ADC BLX appliance now uses libraries compiled with DPDK version 20.11.1. The appliance automatically loads the DPDK VFIO kernel module on the Linux host.
  • The dpdk-config parameter has been removed from the Citrix ADC BLX configuration (blx.conf) file. The existing worker-processes parameter now applies to the Citrix ADC BLX appliance with DPDK ports as well. The worker-processes specifies the number of packet engines for a Citrix ADC BLX appliance. In other words, the worker-processes is now a common parameter for the Citrix ADC BLX appliance irrespective of its mode (shared, or dedicated, or DPDK). If worker-process is not set, the Citrix ADC BLX appliance is configured with 1 packet engine by default.
  • The interfaces parameter now specifies the DPDK compatible NIC ports in addition to the non-DPDK NIC ports. The Citrix ADC BLX appliance automatically detects the DPDK compatible NIC ports (if any) from the list of ports specified to the interfaces parameter. The appliance then binds the detected DPDK compatible NIC ports to the DPDK VFIO module on the Linux host. After starting the Citrix ADC BLX appliance, the DPDK and non-DPDK NIC ports are automatically added as part of the appliance.
  • The dpdk-non-uio-intf parameter, which specifies the DPDK bound Mellanox NIC ports, has been removed from the Citrix ADC BLX configuration (blx.conf) file. The interfaces parameter now specifies the Mellanox NIC ports to be used as DPDK ports in the Citrix ADC BLX appliance. Before specifying the Mellanox NIC ports for the Citrix ADC BLX appliance, the Mellanox OFED DPDK libraries and kernel modules must be installed on the Linux host. The Citrix ADC BLX appliance automatically detects the specified Mellanox NIC ports and initializes them in DPDK mode. After starting the Citrix ADC BLX appliance, the DPDK bound Mellanox NIC ports are added as part of the appliance.
  • A new parameter total-hugepage-mem have been introduced in the Citrix ADC BLX configuration (blx.conf) file for setting up the hugepages for DPDK on the Linux host. The total-hugepage-mem parameter specifies the hugepages size in MB or GB (for example, 1024 MB and 2 GB).
  • On upgrading a Citrix ADC BLX appliance with DPDK ports, the upgrade module automatically converts the existing configurations to the new format in the Citrix ADC BLX configuration (blx.conf) file.

[ NSNET-20524 ]

Monitor the free ports available on a Citrix ADC appliance for a new back-end connection

For communication with the physical servers or other peer devices, the Citrix ADC appliance uses a Citrix owned IP address as the source IP address. The Citrix ADC appliance maintains a pool of its IP addresses, and dynamically selects an IP address while connecting with a server. Depending on the subnet in which the physical server is placed, the appliance decides which IP address to use. This address pool is used for sending traffic and monitor probes.

You can display the total number of free ports available on the Citrix ADC owned IP addresses for a new back-end connection. This information helps you in deciding the need for more Citrix owned IP addresses if the free ports available are nearing exhaustion.

You can provide the following information for the Citrix ADC appliance to calculate the total number of free ports available for a new back-end connection:

  • Citrix owned IP address (optional)
  • Destination IP address
  • Destination port
  • TCP or non-TCP protocol

[ NSNET-20410 ]

Platform

Support for Citrix ADC VPX configurations at the first boot of the Citrix ADC appliance on KVM hypervisor

You can now apply the Citrix ADC VPX configurations during the first boot of the Citrix ADC appliance on KVM hypervisor. Therefore, a customer setup on a VPX instance can be configured in much lesser time.

[ NSPLAT-21571 ]

Exclude nstrace folder from Citrix ADC admin partitions during backup operation

In a Citrix ADC appliance with admin partitions, backup operation of nstrace folder is excluded. This reduces the overall backup size of Citrix ADC without losing important data.

[ NSPLAT-21433 ]

Policies

Support for CIDR subnet notation in IPv4 and IPv6 addresses for policy dataset

The Policy datasets for IPv4 and IPv6 addresses now allow the bound value to be subnets using the CIDR notation (for example, a.b.c.d/n). The CIDR notation specifies the address and the range of the subnet. Previously, there was no option to add subnets in the policy datasets.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/pattern-sets-data-seta/configuring-data-sets.html

[ NSPOLICY-3828 ]

SSL

Disable non-secure protocols on front-end SSL services on a Citrix ADC appliance

Standard security scans might trigger an alert for non-secure protocols on the front-end SSL services created by default when a Citrix ADC appliance boots. To avoid such alerts, these protocols are now disabled by default on the front-end SSL services when the appliances boot up. Examples of non-secure protocols are SSLv3, TLv1, and TLSv1.1.

When the default SSL profile is enabled, a new SSL profile is created in which these protocols are disabled. This new profile is bound to the front-end SSL services (ns_default_ssl_profile_internal_frontend_service). This profile is editable.

[ NSSSL-9985 ]

Support for certificates signed using the RSASSA-PSS algorithms

All Citrix ADC platforms now support certificates that are signed with the RSASSA-PSS algorithms. These algorithms are supported in the X.509 certificate path validation.

[ NSSSL-9289 ]

Fixed Issues

The issues that are addressed in Build 13.1–17.42.

Authentication, authorization, and auditing

The Citrix ADC appliance crashes if the ADFSPIP URL is set to type http://. ADFSPIP only supports https:// URL types.

[ NSHELP-29838 ]

The Citrix ADC appliance might crash during a SAML IdP flow, if there is a significant delay in request processing.

[ NSHELP-29789 ]

Rewrite policies for endpoints such as /logon/LogonPoint/Resources/List and /cgi/Resources/List are not supported.

[ NSHELP-29488 ]

In rare cases, the Citrix ADC appliance might crash due to an incorrect log position.

[ NSHELP-29267 ]

A Citrix ADC appliance configured to authenticate using OAuth Service Provider, cannot be configured with ‘client-secrete_post` to authenticate with IDP tokenEndPoint.

With this fix, the authentication method client_secret_basic is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

[ NSHELP-28945 ]

A Citrix ADC appliance might fail to respond when SAML authentication is in progress and X.509 certificates of size 1800 bytes or more are used in the SAML authentication.

[ NSHELP-28608 ]

The Authentication, authorization, and auditing.USER.ATTRIBUTE expression might give an empty value in multi-core Citrix ADC appliance when user password is changed on expiry.

[ NSHELP-28419 ]

The Citrix ADC appliance, when configured as an OAuth Relying Party, does not add the extracted ‘email’ and ‘username’ field information from the ID token to the hash attribute of the authentication, authorization, and auditing session.

[ NSHELP-28262 ]

When SAML metadata is configured, memory leak is observed with SSL certificates.

[ NSHELP-27846 ]

When a user performs a SAML logout, the log out does not happen immediately and the following error message is displayed:

Unsupported mechanisms found in Assertion; Please contact your administrator.

This error is seen because the IDP that the customer configured uses a different URL encoding technique to encode the signature algorithm parameter in the response. This fix now supports encoding the signature algorithm parameter in a SAML response using multiple URL encoding techniques.

[ NSHELP-27621 ]

Sometimes, if nFactor is configured, incorrect IP address is logged in the logout message.

[ NSHELP-26692 ]

The Citrix ADC appliance crashes if both of the following conditions are met.

  • Email OTP is configured
  • Email server does not respond or there is a network issue with the email server

[ NSHELP-26137 ]

In a high availability setup, the Citrix ADC appliance crashes when a forced synchronization is initiated.

[ NSAUTH-11876 ]

Intune NAC v2 is not supported for Android 11 and later.

[ NSAUTH-11872 ]

Admins cannot use the LDAP or RADIUS connectivity tool if the password contains a certain special character or if the arguments have a space in it.

[ NSAUTH-11322 ]

Bot Management

When the CAPTCHA challenge is in progress, the Citrix ADC bot management does not honor the configured value set by the user for the CAPTCHA retry attempts.

[ NSBOT-801 ]

CallHome

CallHome registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the Citrix Support Server.

[ NSHELP-28667 ]

Citrix ADC SDX Appliance

When you restore a Citrix ADC SDX appliance from the backup, the CLI prompt string is not restored.

[ NSHELP-30238 ]

On a Citrix ADC SDX 115xx appliance, restoring a VPX allotted with a high number of CPU cores (3–5 cores) might fail if the appliance backup contains three or more instances.

[ NSHELP-30135 ]

On a Citrix ADC SDX appliance, the default value for raising the alarm on the Hypervisor Disk Usage High alert is increased to 98 percentage.

[ NSHELP-29688 ]

When the interface speed value is more than 4 Gbps, a wrong value is returned due to integer overflow.

[ NSHELP-29658 ]

In rare cases, ADC inventory does not occur on a Citrix ADC SDX appliance.

[ NSHELP-29607 ]

On a Citrix ADC SDX appliance, the Management Service does not send syslog or email notifications if the power supply, voltage, or disk failures occur more than once.

[ NSHELP-29443 ]

Citrix Gateway

Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:

  1. For the VPN plug-in upgrade, end users must connect using VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
  2. For EPA only use case, the end users will not have the VPN client to connect to gateway. In this case, perform the following:

    1. Connect to the gateway using a browser.
    2. Wait for the download page to appear and download the nsepa_setup.exe.
    3. After downloading, close the browser and install the nsepa_setup.exe file.
    4. Restart the client.

[ NSHELP-30641 ]

In a high availability setup with TCP SYSLOG configuration, a node might crash during HA failover or during clear config operation.

[ NSHELP-29251 ]

In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

[ NSHELP-28974 ]

After you upgrade the Citrix Gateway appliance to version 13.0, the proxy configuration in session profile does not work as intended. The Proxy connection is bypassed for non-HTTP NS proxy configured.

Example: add vpn sessionAction-proxy NS -httpProxy 192.0.2.0:24 -sslProxy 192.0.2.0:24

In this example, -httpProxy works as intended but -sslProxy does not work.

[ NSHELP-28640 ]

The Citrix Gateway appliance crashes while processing STA in DTLS Audio because the allocated memory is not reset.

[ NSHELP-28432 ]

The Citrix ADC appliance logs stale messages related to the VPND process that is deprecated.

[ NSHELP-28163 ]

Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

[ NSHELP-27852 ]

The Citrix Gateway appliance might crash when reconnecting to an existing ICA session.

[ NSHELP-27441 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

Citrix Web App Firewall

An upgrade to XML library version 2.9.12 causes the WAF signature-related XML files to break during parsing.

[ NSWAF-8662 ]

The JSON command injection protection appears Not blocked in the ns.log message, even if the HTTP request was blocked by the Web App Firewall module.

[ NSHELP-29709 ]

The Web App Firewall log message displays, BAD URL for Cross-Site Scripting (XSS) URL attribute violations, and the term Bad URL is not clear as to which category it belongs (such as tag, pattern, or attribute).

[ NSHELP-29358 ]

The bot device fingerprint post URL might fail if the bot management policy is enabled on a load balancing virtual server of type SSL.

[ NSHELP-29198 ]

The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

[ NSHELP-29113 ]

A Citrix ADC appliance might crash if the following modules are enabled:

  • Web App Firewall with advanced security checks.
  • Appqoe.

[ NSHELP-28251 ]

Load Balancing

When a member of the DNS service group of type Autoscale is in TROFS state and if the same member is added to the group again, the status of this member is not propagated.

[ NSHELP-29493 ]

Incremental synchronization fails for the add dns action and add location commands with policy expressions that contain wildcards.

[ NSHELP-29301 ]

Some service group members are not removed from the Autoscale service group list when there is a conflict between statically bound member and dynamically resolved DNS records. This issue leads to memory corruption.

[ NSHELP-28949 ]

The state of the service group displayed in the show and stat commands is inconsistent.

[ NSHELP-28931 ]

In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.

[ NSHELP-28570 ]

SQL or Oracle type monitors crash when the peer sends a request to reset the existing connection.

[ NSHELP-28478 ]

In a persistence-enabled deployment, an incorrect virtual server is stored during context save.

[ NSHELP-28342 ]

Persistence configuration for an LB group is lost after an HA failover or when the Citrix ADC appliance is rebooted.

[ NSHELP-28071 ]

The configured state of the default monitor shows as disabled even when the default monitor is bound to a service.

[ NSHELP-27669 ]

Miscellaneous

The following issue occurs after upgrading the appliance to Citrix ADC version 12.1 build 63.22:

  • The Extension Find API might not work after the upgrade.

[ NSHELP-29860 ]

Networking

A Citrix ADC appliance might crash if all of the following conditions are met:

  • A load balancing route is configured in a traffic domain on the appliance.
  • A clear config operation is performed on the appliance.

[ NSNET-23847 ]

In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module does not find the service while decrementing the reference count or deleting the service.

[ NSHELP-29134 ]

In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module accessed the memory location of an already deleted service.

[ NSHELP-28815 ]

In a Citrix ADC appliance with even number of packet engines (PE), the appliance incorrectly displays the status of active interfaces as inactive of a redundant interface set (LR channels). This issue does not impact any functionality of the Citrix ADC appliance.

[ NSHELP-28099 ]

The Citrix ADC appliance might not generate coldStart SNMP trap messages after a cold restart.

[ NSHELP-27917 ]

Platform

The ntpdate command crashes leading to a core dump.

[ NSHELP-29649 ]

SSL

A Citrix ADC MPX 7500 appliance crashes if an EXPORT cipher suite is used.

[ NSSSL-11294 ]

In rare cases, you might see a crash during DTLS processing on the following platforms:

  • MPX 5900
  • MPX/SDX 8900
  • MPX/SDX 15000
  • MPX/SDX 15000-50G
  • MPX/SDX 26000
  • MPX/SDX 26000-50S
  • MPX/SDX 26000-100G

[ NSHELP-29538 ]

In a high availability setup, the certificate type is not synchronized correctly between the primary and secondary nodes.

[ NSHELP-27589 ]

In a VPN deployment, the Citrix ADC appliance picks up an SSL session for session reuse from cache to communicate to the proxy or back-end server. It does this without matching the SNI received from the client to the SNI present in the cached session.

As a result, either the SNI is not sent or a different SNI is sent depending on the cached data.

[ NSHELP-27439 ]

System

Memory leak is observed in a Citrix ADC appliance when clearing the allocated memory for Intrusion Prevention System (IPS) resources.

[ NSHELP-29992 ]

Configuration operations that associate SSL profiles and SSL certificate keys with an HTTP QUIC virtual server, might fail on a Citrix ADC cluster deployment.

[ NSHELP-29655 ]

A second request on the same client connection fails if the following conditions are met:

  • clientSideMeasurements is enabled.
  • HEAD request is received.

[ NSHELP-29353 ]

In some scenarios, a Citrix ADC appliance might crash under the following conditions:

  • TCP jumbo frames are used.
  • Persistence is configured on a TCP load balancing virtual server.

[ NSHELP-29162 ]

A Citrix ADC appliance crashes if the following conditions are met:

  • The client-side measurements option is enabled on the AppFlow action.
  • The chunk headers fall on the packet boundary.

[ NSHELP-29049 ]

A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

[ NSHELP-28846 ]

A Citrix ADC Intrusion Prevention System (IPS) observes an issue with the rewrite policy when inserting or modifying data if the following condition is met:

  • The Citrix ADC appliance sends data packets to the IPS server before the back-end server connection opens.

[ NSHELP-28496 ]

In a high availability setup, HA synchronization of admin partition configurations fails on the secondary node because of the following reason:

  • Low memory issues caused because of huge config loads on the secondary node

[ NSHELP-28409 ]

When a client resets a connection with multiple TCP streams, the server-side transaction record is not sent which results in L4 records missing for those data streams.

[ NSHELP-28281 ]

In a TCP connection, the Citrix ADC appliance might drop a FIN packet, received from a server, instead of forwarding it to the client if all of the following conditions are met:

  • TCP buffering is enabled.
  • The server sends the FIN packet and the data packet separately.

[ NSHELP-27274 ]

In a cluster setup, the set ratecontrol command works only after restarting the Citrix ADC appliance.

[ NSHELP-21811 ]

When a Citrix ADC appliance receives an out-of-order TCP packet with the FIN flag set, the following issues might be observed:

  • The Citrix ADC appliance sends an incorrect SACK, which says the appliance received a 2 bytes instead of a 1 byte out-of-order TCP packet.
  • The Citrix ADC appliance does not acknowledge the TCP FIN packet by receiving in-order TCP packets.

[ NSBASE-15735 ]

User Interface

You can accidentally unlink an SSL certificate because there is no prompt for confirmation. With this fix, when the user clicks a linked certificate, it prompts for a confirmation before unlinking a certificate.

[ NSUI-17897 ]

Modifying an ACL based RNAT rule, which already has connection failover enabled, by using the Citrix ADC GUI might fail with the following error:

  • Invalid argument value [connfailover]

[ NSHELP-29243 ]

While configuring or checking SSL certificates using the Citrix ADC GUI, the error Directory doesn't exist might appear. This issue occurs when a file name with two consecutive dots (..) exists in the SSL folder /nsconfig/ssl.

[ NSHELP-28589 ]

In a high availability setup, HA synchronization might fail for a built-in policy pattern set binding, if the built-in policy pattern set was modified on the primary node.

[ NSHELP-28460 ]

When you deselect the secure option for RPC node in the ADC GUI, the following error message appears:

Argument pre-requisite missing [validateCert, secure==YES]

[ NSHELP-28239 ]

When the user tries to change the page size of a list in the side panel views, the page gets distorted.

[ NSHELP-28220 ]

An extra backslash character is incorrectly introduced if special characters are used within arguments in some SSL commands, such as create ssl rsakey and create ssl cert.

[ NSHELP-27378 ]

ping or ping6 command with interface (-I) option might fail with the following error:

  • interface option not supported

[ NSHELP-26962 ]

Known Issues

The issues that exist in release 13.1–17.42.

AppFlow

HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

[ NSINSIGHT-943 ]

Authentication, authorization, and auditing

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command. show adfsproxyprofile <profile name>

Workaround:

Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.

Workaround:

Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]

Caching

A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.

[ NSHELP-27477 ]

Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

  • Throughput allocation mode is burst.
  • There is a large difference between the throughput and the maximum burst capacity.

[ NSHELP-21992 ]

Citrix Gateway

In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

[ NSHELP-28856 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

Workaround:

Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

In a cluster deployment, if you run force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ CGOP-6794 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]

Miscellaneous

When a forced synchronization takes place in a high availability setup, the appliance runs the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]

Networking

A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

  • The Citrix ADC BLX appliance is allocated with a low number of hugepages. For example, 1G.
  • The Citrix ADC BLX appliance is allocated with a high number of worker-process. For example, 28.

The issue is logged as an error message in /var/log/ns.log:

  • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

Note: x is a number <= number of worker-processes.

Workaround:

Allocate a high number of hugepages and then restart the appliance.

[ NSNET-25173 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if the following condition is met:

  • The Citrix ADC BLX appliance is allocated with a high number of hugepages. For example, 16 GB.

The issue is logged as an error message in /var/log/ns.log:

  • EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Too many open files

Workaround:

Use one of the following workarounds for this issue:

  • Increase the open file limit on the Linux host by using either the ulimit command or editing the limits.conf file.
  • Reduce the number of allocated hugepages.

[ NSNET-24727 ]

A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

[ NSNET-24449 ]

After an upgrade from Citrix ADC BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.

[ NSNET-17625 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (/etc/blx/blx.conf) settings. This issue occurs because mawk, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the blx.conf file.

Workaround:

Install gawk before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install gawk:

  • apt-get install gawk

[ NSNET-14603 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

Workaround:

Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg –add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

[ NSHELP-21082 ]

Platform

The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
  2. Subsequently, you reboot the Citrix ADC appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0–82.31 and later
  • 12.1–62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1–62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an Autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for Autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. Always configure the cloud profile on the primary node.

[ NSPLAT-4451 ]

The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

[ NSHELP-28600 ]

Policies

Connections might hang if the size of processing data is more than the configured default TCP buffer size.Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]

SSL

On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying Key Vault as the HSM type. ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184 ]

System

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

An issue is observed in generating the PCI DSS reports on the Citrix ADC GUI (Navigation: System > Reports > Generate PCI DSS Report).

[ NSBASE-16225 ]

Client IP and Server IP are inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

The Citrix ADC appliance drops packets that contain custom HTTP headers with a dot (“.”) character in the header name field. This action occurs because the allowOnlyWordCharactersAndHyphen parameter is enabled by default in the default HTTP profile.

Workaround: Disable allowOnlyWordCharactersAndHyphen in the default HTTP profile. However, Citrix recommends that you keep it enabled.

[ NSBASE-16722 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

Workaround:

Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

Workaround:

Configure cloudbridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

[ NSHELP-20988 ]

When you downgrade a Citrix ADC appliance version 13.0-71.x to an earlier build, some NITRO APIs might not work because of the file permission changes.

Workaround:

Change permission for /nsconfig/ns.conf to 644.

[ NSCONFIG-4628 ]

If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

Workaround:

To fix this issue, use one of the following independent options:

  1. If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  2. Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  3. If none of the above options work, a system administrator can reset the system user passwords.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

[ NSCONFIG-3188 ]

Release Notes for Citrix ADC 13.1–17.42 Release