Citrix ADC

Notes

This release notes document describes the enhancements and changes, fixed issues, and known issues for Citrix ADC release build 13.1-21.50.

This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in build 13.1-21.50.

Bot Management

Bot rate limit technique based on user’s geographic location

The bot rate limit detection technique now enables you to limit bot traffic based on the user's geographic location. In this configuration, you set a country name as the value, in the same way you set a URL or cookie name, and can therefore apply different rate limits to different countries. Previously, the detection technique could rate limit traffic only based on the client IP address, session, or URL.

[ NSBOT-753 ]

Enhanced Device Fingerprint (DFP) technique for headless browser detection

An attacker can access server resources through a headless browser by automating activities such as creating multiple user accounts, booking tickets, scraping prices, credential stuffing, and ticket spinning attacks.

The Device Fingerprint (DFP) detection technique in a bot profile is now enhanced to detect headless browsers and web-driver bots. To mitigate headless browser bot traffic, you must enable the Headless Browser Detection option along with the Device Fingerprint detection feature.

[ NSBOT-747 ]

Citrix Web App Firewall

Fine grained relaxation for JSON Command Injection attacks

The Citrix ADC appliance now enables you to configure fine-grained relaxation for JSON Command Injection attacks.

[ NSWAF-8511 ]

Fine grained relaxation for JSON Cross-Site Scripting attacks

The Citrix ADC appliance now enables you to configure fine-grained relaxation for JSON Cross-Site Scripting attacks.

[ NSWAF-8510 ]

Fine grained relaxation for JSON SQL injection attacks

The Citrix ADC appliance now enables you to configure fine-grained relaxation for JSON SQL injection attacks.

[ NSWAF-8509 ]

Load Balancing

Enhanced Desired State API error messages

The error message displayed when the IP address of a service group member is already associated with another Citrix ADC entity, such as a content switching virtual server, now states the reason for the failure. Previously, the reason for the failure was unclear.

[ NSLB-9005 ]

Desired State API supports reusing existing server IP addresses and names

Desired State API now supports binding service group members to a service group even if the IP address of a member matches an existing server. The IP address and name of the existing server are reused while binding the member.

Previously, binding the service group member failed when its IP address matched an existing server.

[ NSLB-9004 ]

Networking

Support for CIDR based bindings in IPv4 datasets for extended ACLs

Extended ACLs now support IPv4 datasets containing IPv4 address ranges specified in CIDR notation.

[ NSNET-24452 ]

Software Receive Side Scaling support for Citrix ADC BLX appliance in DPDK mode

A Citrix ADC BLX appliance in DPDK mode does not use a NIC port if both of the following conditions are met:

  • The NIC port supports only a limited number of send (Tx) and receive (Rx) queues, for example, 7.
  • The appliance is configured with a higher number of packet engines, for example, 28.

To resolve this issue, from build 13.1 21.x, the Citrix ADC BLX appliance uses software receive side scaling (RSS) to distribute packets received on such NIC ports across multiple packet engines.

The software RSS module assigns one logical Rx and Tx queue pair to each NIC port and maps that queue pair to packet engine PE-0.

For each packet in the Rx queue of a NIC port, PE-0 selects a packet engine by using an RSS hash algorithm and hands the packet to the selected packet engine for processing. After the packet is processed, PE-0 places it in the Tx queue of the NIC port.

[ NSNET-23133 ]
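The dispatch step described above, shown as an added example that is not Citrix code: PE-0 hashes each packet's flow tuple and takes the result modulo the number of packet engines. The hash used here is the Toeplitz function that hardware RSS implementations use, with the public test key from the Microsoft RSS verification suite; whether the BLX software RSS module uses the same function and key is an assumption. The example also sorts the two endpoints before hashing so that both directions of one TCP connection land on the same engine, which a proxy that keeps per-connection state needs.

```python
"""Software RSS dispatch: pick a packet engine (PE) for a packet from a flow hash.

Illustrative example, not Citrix code. The hash is the Toeplitz function that NIC RSS
implementations use; whether the BLX software RSS module uses the same function is an
assumption. The 40-byte key below is the public test key from the Microsoft RSS
verification suite, not a secret.
"""
import ipaddress
import struct
from collections import Counter

RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0"
    "d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)


def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """Toeplitz hash: for every set input bit at position i, XOR in the 32-bit
    window of the key that starts at bit i. Returns a 32-bit value."""
    key_bits = len(key) * 8
    if key_bits < len(data) * 8 + 32:
        raise ValueError("key too short for input length")
    key_int = int.from_bytes(key, "big")
    result = 0
    for i, byte in enumerate(data):
        for b in range(8):
            if byte & (0x80 >> b):
                shift = key_bits - 32 - (i * 8 + b)
                result ^= (key_int >> shift) & 0xFFFFFFFF
    return result


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Symmetric 4-tuple: the two endpoints are sorted so that client->server and
    server->client packets of one connection produce identical input bytes and
    therefore select the same PE. (Plain RSS hashes src||dst||sport||dport and is
    only symmetric with a specially chosen key.)"""
    a = ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
    b = ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
    lo, hi = sorted((a, b))
    return lo + hi


def select_pe(src_ip: str, src_port: int, dst_ip: str, dst_port: int, num_pes: int) -> int:
    """Packet engine index in range(num_pes) for this flow."""
    if num_pes < 1:
        raise ValueError("need at least one packet engine")
    return toeplitz_hash(flow_key(src_ip, src_port, dst_ip, dst_port)) % num_pes


def distribution(num_flows: int, num_pes: int) -> Counter:
    """Spread constructed client flows (RFC 5737 test addresses) to one virtual
    server across num_pes engines and count how many land on each PE."""
    counts = Counter()
    for n in range(num_flows):
        client = str(ipaddress.IPv4Address("198.51.100.0") + (n % 256))
        counts[select_pe(client, 40000 + n, "203.0.113.10", 443, num_pes)] += 1
    return counts


if __name__ == "__main__":
    d = distribution(10000, 28)
    print("flows per PE:", sorted(d.items()))
    print("same PE in both directions:",
          select_pe("198.51.100.7", 40001, "203.0.113.10", 443, 28)
          == select_pe("203.0.113.10", 443, "198.51.100.7", 40001, 28))
```

Check the hash against your NIC vendor's RSS verification vectors before using it to predict hardware queue selection; with the symmetric ordering above the values differ from plain RSS, which hashes source before destination. The per-bit loop is fine for a demonstration; a production dispatcher would precompute a per-byte lookup table.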

Configure the internal HTTP GUI service by using the Citrix ADC GUI, CLI, or NITRO APIs

On a Citrix ADC appliance, /etc/httpd.conf is the configuration file for the internal HTTP GUI service that manages connections to the Citrix ADC GUI.

Instead of editing the httpd.conf file, you can now configure the internal HTTP GUI service by using the Citrix ADC GUI, CLI, or NITRO APIs. For example, you can use the CLI to modify the maximum number of clients that can connect to the internal HTTP service at a time.

The internal HTTP GUI service has the following name format: nshttpd-gui-<loopback IP address>-80

Use the Citrix ADC service command operations (for example, show service and set service) to configure the internal HTTP GUI service.

[ NSNET-20350 ]

Platform

Support for Citrix ADC MPX 9100 platform

This release supports the Citrix ADC MPX 9100 platform. It includes the MPX 9110, MPX 9120, and MPX 9130 models. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-adc-mpx-9100.html.

[ NSPLAT-23308 ]

Support for Citrix ADC SDX 9100 platform

This release supports the Citrix ADC SDX 9100 platform. It includes SDX 9120 and SDX 9130 models. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-9100.html.

[ NSPLAT-23299 ]

Improve SSL-TPS performance on AWS and GCP clouds

You can obtain better SSL TPS performance on AWS and GCP clouds by distributing the packet engine (PE) weights equally. To do so, set the PE mode by running the following command at the Citrix ADC CLI:

set cpuparam pemode [CPUBOUND | Default]

In the Azure cloud, PE weights are equally distributed by default, so this setting does not improve performance on Azure instances.

[ NSPLAT-22570 ]

VMware ESXi 7.0 update 3c support on Citrix ADC VPX instance

The Citrix ADC VPX instance now supports the VMware ESXi version 7.0 update 3c (Build 19193900).

[ NSPLAT-22468 ]

SSL

View details of the SSL chip utilization on Citrix ADC platforms

From release 13.1 build 21.x, counters are added to show more details about SSL chip utilization on MPX and SDX platforms that ship with Intel Coleto chips and on the MPX 9100 (Lewisburg) platform. On unsupported platforms, these counters display a value of 0.0.

For more information, see Support for Intel Coleto and Lewisburg SSL chip based platforms.

[ NSSSL-10996 ]

Support for ECDSA certificates and ciphers with DTLS

ECDSA certificates and ciphers can now be used on DTLS entities, such as virtual servers and services.

[ NSSSL-9535 ]

System

  • The Citrix ADC appliance now inserts the client IP address in the final ACK packet of the three-way handshake, in addition to the first data packet. Previously, the appliance sent the client IP address only in the first data packet.
  • The Citrix ADC appliance now supports sending the client port in the TCP option for the insert-mode configuration. A parameter, Send Client Port in TCP Option (sendClientPortInTcpOption), has been introduced in the TCP profile to enable or disable this feature.

[ NSBASE-15635 ]
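Server-side handling of the inserted client address, as an added example rather than Citrix code. The page does not state the option number or payload layout; this example assumes TCP option kind 28 carrying a 4-byte IPv4 address, optionally followed by a 2-byte port in network order, and must be adjusted to the option number configured in the TCP profile. It parses the TCP option list defensively and, with constructed headers, shows the final ACK carrying the address and a SYN that carries none.

```python
"""Extract the client IP (and port) that the ADC inserts into a TCP option.

Illustrative example, not Citrix code. Assumptions not stated on this page: the option
kind (28 here) and the payload layout (4-byte IPv4 address, optionally followed by a
2-byte port in network order). Adjust CLIENT_IP_OPTION_KIND to the client-IP TCP option
number configured in the appliance's TCP profile.
"""
import socket
import struct

CLIENT_IP_OPTION_KIND = 28          # assumed option kind
TCP_FLAG_ACK = 0x10
TCP_FLAG_SYN = 0x02


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: payload} for every option in a TCP header.

    Walks EOL (kind 0) and NOP (kind 1) single-byte options and rejects malformed
    lengths, so a truncated or hostile option is never misread as a client address.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # EOL: no more options
            break
        if kind == 1:                # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d without length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        found[kind] = bytes(opts[i + 2:i + length])
        i += length
    return found


def client_addr_from_option(tcp_header: bytes, kind: int = CLIENT_IP_OPTION_KIND):
    """(client_ip, client_port_or_None) from the inserted option, or None if absent."""
    payload = parse_tcp_options(tcp_header).get(kind)
    if payload is None:
        return None
    if len(payload) == 4:
        return socket.inet_ntoa(payload), None
    if len(payload) == 6:
        return socket.inet_ntoa(payload[:4]), struct.unpack("!H", payload[4:])[0]
    raise ValueError("unexpected client-IP option payload length %d" % len(payload))


def encode_client_option(ip: str, port=None, kind: int = CLIENT_IP_OPTION_KIND) -> bytes:
    """Build the option bytes in the layout the parser above assumes (test data)."""
    payload = socket.inet_aton(ip)
    if port is not None:
        payload += struct.pack("!H", port)
    return bytes([kind, 2 + len(payload)]) + payload


def build_tcp_header(src_port: int, dst_port: int, flags: int, options: bytes = b"") -> bytes:
    """Constructed 20-byte TCP header plus options, padded to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


# Constructed sample: the final ACK of the handshake as the appliance would send it to
# the back-end server, carrying an MSS option, a NOP, and the client-IP option for
# 198.51.100.7:40001 (RFC 5737 test address).
SAMPLE_ACK = build_tcp_header(
    33000, 8080, TCP_FLAG_ACK,
    bytes([2, 4]) + struct.pack("!H", 1460) + b"\x01"
    + encode_client_option("198.51.100.7", 40001),
)
SAMPLE_SYN_NO_OPTION = build_tcp_header(33000, 8080, TCP_FLAG_SYN)

if __name__ == "__main__":
    print(client_addr_from_option(SAMPLE_ACK))            # ('198.51.100.7', 40001)
    print(client_addr_from_option(SAMPLE_SYN_NO_OPTION))  # None
```

A back-end server must trust this option only on connections that arrive from the appliance's SNIPs: the option is plain TCP metadata, and any client that can reach the server directly can set kind 28 to an address of its choosing. Treat a malformed option as an error worth logging rather than silently falling back to the packet's source address, so that spoofing attempts stay visible.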

Fixed Issues

The issues that are addressed in build 13.1-21.50.

Authentication, authorization, and auditing

The Citrix ADC appliance might crash if there is an error while updating the SSL certificate-key pair used in the SAML configuration. As a workaround on builds without this fix, unbind the certificate, update it, and then bind it again.

[ NSHELP-30270 ]

Users cannot log in to the Citrix ADC appliance if the SAML login request contains whitespace characters other than the space character. With this fix, all whitespace characters are permitted.

[ NSHELP-29773 ]

While sending an AS_REQ for a delegated user as part of KCD SSO, the Citrix ADC appliance selects the encryption type with the following priority when the domain controller (DC) publishes all encryption types:

  1. ETYPE_ARCFOUR_HMAC_MD5
  2. ETYPE_AES128_CTS_HMAC_SHA1_96
  3. ETYPE_AES256_CTS_HMAC_SHA1_96

The expected priority, strongest type first, is:

  1. ETYPE_AES256_CTS_HMAC_SHA1_96
  2. ETYPE_AES128_CTS_HMAC_SHA1_96
  3. ETYPE_ARCFOUR_HMAC_MD5

[ NSHELP-28681 ]

Sometimes, authentication might fail when the AAA.LOGIN.PASSWORD expression is used.

[ NSHELP-28101 ]

The Citrix ADC appliance might go into an SSO loop with the back-end server, causing memory build-up, if both of the following conditions are met:

  • The appliance performs Negotiate and NTLM SSO authentication with the back-end server.
  • The back-end server fails both authentications.

[ NSHELP-27757 ]

The Citrix ADC appliance might crash when the synchronization of the session and key configuration happens between the primary to the secondary controller card.

[ NSHELP-26891 ]

Citrix ADC SDX Appliance

An incorrect message appears when clean install fails because the factory partition doesn’t have enough space.

[ NSHELP-30136 ]

The backplane field in the Add Cluster Node page is no longer mandatory unless one of the following conditions is met:

  • The node group already exists for layer 3 clusters.
  • It is a layer 2 cluster.

[ NSHELP-29701 ]

Citrix Gateway

VPN client users cannot log out successfully if SAML and EPA are configured as the successive factors in an nFactor authentication. With this fix, users can log out without any issues.

[ NSHELP-30193 ]

In a Citrix ADC GSLB and SSL VPN setup, a memory leak is observed while handling a DTLS ICA connection. As a result, the connection drops and memory builds up.

[ NSHELP-30182 ]

The PCoIP Apps and Desktops launch fails when launched from a browser and the error message VMware client missing is displayed. This issue occurs because the vmware-view protocol is not added to the list of allowed protocols.

[ NSHELP-30062 ]

EPA scan for checking the antivirus last full system scan fails on macOS.

[ NSHELP-29571 ]

The Citrix Gateway VPN full tunnel does not work as expected if binary response is enabled, because the NSAAC cookie gets corrupted. With this fix, the binary response works with the earlier VPN plug-ins. However, Citrix recommends that you use the latest VPN plug-in, which is compatible with the JSON response.

[ NSHELP-28729 ]

Load Balancing

A partitioned Citrix ADC appliance might dump core while processing a DNS request packet with an additional header (EDNS).

[ NSHELP-30796 ]

In an autoscale DNS deployment, the members in the TROFS state do not detect and respond to health check failure.

[ NSHELP-29628 ]

The Citrix ADC appliance might crash while binding the rewrite policy to the load balancing virtual server if the following conditions are met:

  1. Evaluation of the second expression overwrites the policy state variables of the first expression which is in progress.
  2. DETERMINE_SERVICES policy state variables are overwritten by the rule defined by the load balancing virtual server.

[ NSHELP-29449 ]

The monitor response time shown in the output of the show service command is sometimes incorrect.

[ NSHELP-28994 ]

SMPP retry messages are sent to all nodes in a cluster even when the request succeeds. This leads to high memory consumption on the Citrix ADC appliance.

[ NSHELP-28332 ]

Networking

On upgrading a Citrix ADC BLX appliance to release 13.1 build 17.x, the appliance might not start.

[ NSNET-25002 ]

Installation of a Citrix ADC BLX appliance on an RHEL based Linux host fails if the jsonschema python module is absent on the host.

[ NSNET-24638 ]

Upgrading a Citrix ADC BLX appliance with DPDK fails if all of the following conditions are met:

  • The Citrix ADC BLX appliance is running on a Debian based Linux host.
  • The upgrade is from Citrix ADC release 13.0 build 82.x or earlier to release 13.1 build 17.x.

[ NSNET-24622 ]

When you configure an ICMP ACL rule after configuring a TCP ACL rule with port settings, the Citrix ADC appliance incorrectly adds the port settings of the TCP ACL to the ICMP ACL as well.

[ NSHELP-31114 ]

Modifying a private IP address in an INAT rule by using the GUI fails if connection failover is enabled on the INAT rule.

[ NSHELP-30792 ]

On the serial console of a Citrix ADC appliance, the VTYSH prompt or the shell prompt might not display any output.

[ NSHELP-30446 ]

Modifying a net profile that already has an IP set bound to it might fail with the following error: IP set is already bound to the network profile

[ NSHELP-29363 ]

In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because the filtering and mapping reference counts for the LSN module are non-zero.

[ NSHELP-28842 ]

Platform

The serial console of a Citrix ADC VPX instance hosted on the Azure cloud is not accessible when the virtual machine is in the early stages of booting.

[ NSPLAT-23010 ]

During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.

[ NSHELP-29425 ]

SSL

The RC4 cipher suite fails during an SSL handshake with an illegal parameter error message.

[ NSSSL-11463 ]

The Citrix ADC appliance crashes when SSL interception is enabled and there are multiple parallel requests to access a backend server with an expired certificate.

[ NSHELP-29520 ]

In a cluster setup, you might observe the following issues:

  • The command that binds the default certificate-key pair to the SSL internal services on the CLIP is missing. If you upgrade from an older build, you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
  • Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
  • The default cipher bind command for the SSL entities is missing from the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed by using the show ssl <entity> <name> command.

[ NSHELP-25764 ]

System

The Citrix ADC appliance crashes if either of the following conditions occurs:

  • The syslog action is configured with a domain name and you clear the configuration by using the GUI or the CLI.
  • High availability synchronization happens on the secondary node.

[ NSHELP-30987, NSHELP-28121, NSHELP-29843 ]

Data packets forwarded by a Citrix ADC appliance do not carry the configured TTL value; instead they carry the value sent by the client or the server.

[ NSHELP-30683 ]

Citrix ADC appliance is unable to forward some of the non-HTTP data packets to the back-end servers.

[ NSHELP-30192 ]

In certain scenarios, the Citrix ADC appliance does not forward some HTTP packets to the back-end server if a Citrix ADC feature internally clones the HTTP packets.

[ NSHELP-29958 ]

The Citrix ADC appliance might incorrectly add an IPv4 address to an AppFlow record related to an IPv6 transaction.

[ NSHELP-29261 ]

A Citrix ADC appliance might crash when replaying a chunked response from the ICAP-module to the client.

[ NSHELP-28788 ]

A Pitboss failure occurs when a large number of packets loop in the retransmission queue.

[ NSHELP-26071 ]

Some syslog messages are dropped when logging to an external syslog server over TCP.

[ NSHELP-24522 ]

In certain scenarios, the nstrace packet capture misses all packets if you apply the IP address based filter.

[ NSHELP-23483 ]

User Interface

Cache filtering might not work as expected on the Citrix ADC GUI.

[ NSHELP-30392 ]

When a Citrix ADC appliance is configured to use an external authentication server, running stat commands might be delayed even though the RBAOnResponse parameter is disabled globally. The parameter can be disabled from the GUI or the CLI.

[ NSHELP-30289 ]

The Citrix ADC GUI does not process RAPI calls, resulting in some components of the GUI becoming unresponsive.

[ NSHELP-30231 ]

In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.

[ NSHELP-28870 ]

The response to a NITRO GET request with a filter might contain attributes that are not specified in the filter.

[ NSHELP-28598 ]

Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

[ NSHELP-20988 ]

Known Issues

The issues that exist in release 13.1-21.50.

AppFlow

HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

[ NSINSIGHT-943 ]

Authentication, authorization, and auditing

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not displayed properly in the login schema editor screen of the Citrix ADC GUI.

[ NSAUTH-6106 ]

An ADFS proxy profile can be configured in a cluster deployment, but its status is incorrectly displayed as blank in the output of the following command: show adfsproxyprofile <profile name>

Workaround:

Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. The proxy profile status is then displayed.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

  • Open the Test LDAP Reachability option.
  • Enter and submit invalid login credentials.
  • Enter and submit valid login credentials.

Workaround:

Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]

Caching

A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.

[ NSHELP-27477 ]

Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

  • Throughput allocation mode is burst.
  • There is a large difference between the throughput and the maximum burst capacity.

[ NSHELP-21992 ]

Citrix Gateway

In some cases, the Citrix Secure Access client for macOS drops connections because of issues with non-DNS protocols that use port 53, such as STUN.

[ NSHELP-31004 ]

When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

[ NSHELP-30662 ]

Users cannot connect to the Citrix Gateway appliance after changing the 'networkAccessOnVPNFailure' Always On profile parameter from 'fullAccess' to 'onlyToGateway'.

[ NSHELP-30236 ]

The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

[ NSHELP-29675 ]

In some cases, the server validation code fails even though the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

In a high availability setup, VPN user sessions are disconnected if two or more successive manual HA failover operations are performed while HA synchronization is in progress.

Workaround:

Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

EPA plug-in for Windows does not use the local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

The VPN plug-in does not establish a tunnel after Windows logon if the following conditions are met:

  • The Citrix Gateway appliance is configured for the Always On feature.
  • The appliance is configured for certificate-based authentication with two-factor authentication off.

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during a Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

When an ICA connection is launched from Citrix Receiver for Mac version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, the HDX Insight feature is disabled.

[ CGOP-13494 ]

When the EDT Insight feature is enabled, audio channels might sometimes fail during network discrepancies.

[ CGOP-13493 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]

Miscellaneous

When a forced synchronization takes place in a high availability setup, the appliance runs the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]

Networking

In a Citrix ADC BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This is a known issue in the DPDK driver.

[ NSNET-25299 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

  • The Citrix ADC BLX appliance is allocated a low amount of hugepage memory, for example, 1 GB.
  • The Citrix ADC BLX appliance is configured with a high number of worker processes, for example, 28.

The issue is logged as an error message in /var/log/ns.log:

  • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

Note: x is a number <= number of worker-processes.

Workaround:

Allocate a high number of hugepages and then restart the appliance.

[ NSNET-25173 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if the appliance is allocated a high amount of hugepage memory, for example, 16 GB.

The issue is logged as an error message in /var/log/ns.log:

  • EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Too many open files

Workaround:

Use one of the following workarounds for this issue:

  • Increase the open file limit on the Linux host by using either the ulimit command or editing the limits.conf file.
  • Reduce the number of allocated hugepages.

[ NSNET-24727 ]

A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

[ NSNET-24449 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

Workaround:

Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg --add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

When an admin partition memory limit is changed in the Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

[ NSHELP-21082 ]

Platform

High availability failover does not work in AWS and GCP clouds, and the management CPU might reach 100% in AWS and GCP clouds and on on-premises Citrix ADC VPX instances. Both issues occur when the following conditions are met:

  1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
  2. You subsequently reboot the Citrix ADC appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0–82.31 and later
  • 12.1–62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1–62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on the CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logging on to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

Workaround:

Skip the screen and log on to the primary node to create the cloud profile. The cloud profile must always be configured on the primary node.

[ NSPLAT-4451 ]

Policies

Connections might hang if the size of the data being processed is more than the configured default TCP buffer size.

Workaround:

Set the TCP buffer size to the maximum size of the data that needs to be processed.

[ NSPOLICY-1267 ]

SSL

On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type: ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

On MPX 8900 and MPX 15000 FIPS certified appliances, running ECDHE traffic can cause a memory leak.

[ NSHELP-30744 ]

System

The Citrix ADC VPX instance might crash if responder policies are configured, and you add some rewrite policies that lead to header corruption.

Workaround:

Remove the responder policy.

[ NSHELP-28512, NSHELP-30415 ]

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive a SETTINGS frame carrying SETTINGS_MAX_CONCURRENT_STREAMS from the client.

[ NSHELP-21240 ]
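The setting this known issue refers to, as an added example that is not Citrix code: a parser for the client's HTTP/2 connection preface that extracts SETTINGS_MAX_CONCURRENT_STREAMS (identifier 0x3, RFC 7540 section 6.5.2) and keeps a client that never advertised the setting distinguishable from one that did. RFC 7540 leaves the setting unlimited until advertised; the fallback of 100 below reproduces the behaviour the note describes for the appliance and is not a recommendation. The frames are constructed test data.

```python
"""Read SETTINGS_MAX_CONCURRENT_STREAMS from an HTTP/2 client's connection preface.

Illustrative example, not Citrix code. RFC 7540 defines the initial value of this
setting as unlimited; the release note above says the appliance falls back to 100 when
the client never advertises it. The frames built below are constructed test data.
"""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
ADC_FALLBACK_MAX_STREAMS = 100   # value the release note describes


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame after an optional preface."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    i = 0
    while i < len(data):
        if i + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[i:i + 3], "big")
        ftype, flags = data[i + 3], data[i + 4]
        stream_id = int.from_bytes(data[i + 5:i + 9], "big") & 0x7FFFFFFF
        payload = data[i + 9:i + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        i += 9 + length


def parse_settings(payload: bytes) -> dict:
    """SETTINGS payload: 16-bit identifier / 32-bit value pairs (RFC 7540 section 6.5.1)."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload not a multiple of 6 bytes (FRAME_SIZE_ERROR)")
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


def advertised_max_concurrent_streams(data: bytes):
    """The client's SETTINGS_MAX_CONCURRENT_STREAMS, or None when not advertised
    (which the RFC treats as unlimited)."""
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype != FRAME_SETTINGS or flags & FLAG_ACK:
            continue            # ACK frames carry no settings
        if stream_id != 0:
            raise ValueError("SETTINGS on a non-zero stream (PROTOCOL_ERROR)")
        settings = parse_settings(payload)
        if SETTINGS_MAX_CONCURRENT_STREAMS in settings:
            return settings[SETTINGS_MAX_CONCURRENT_STREAMS]
    return None


def effective_limit(data: bytes, fallback: int = ADC_FALLBACK_MAX_STREAMS) -> int:
    """Limit a proxy applies: the advertised value, else the fallback the note describes."""
    value = advertised_max_concurrent_streams(data)
    return fallback if value is None else value


def build_settings_frame(settings: dict, ack: bool = False) -> bytes:
    """Constructed SETTINGS frame on stream 0 (9-byte header plus payload)."""
    payload = b"".join(struct.pack("!HI", k, v) for k, v in settings.items())
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_SETTINGS, FLAG_ACK if ack else 0])
              + (0).to_bytes(4, "big"))
    return header + payload


# Constructed client prefaces: one advertises the setting, one never does.
CLIENT_WITH_LIMIT = PREFACE + build_settings_frame(
    {SETTINGS_HEADER_TABLE_SIZE: 4096, SETTINGS_MAX_CONCURRENT_STREAMS: 1000})
CLIENT_WITHOUT_LIMIT = (PREFACE
                        + build_settings_frame({SETTINGS_INITIAL_WINDOW_SIZE: 65535})
                        + build_settings_frame({}, ack=True))

if __name__ == "__main__":
    print(effective_limit(CLIENT_WITH_LIMIT))     # 1000
    print(effective_limit(CLIENT_WITHOUT_LIMIT))  # 100
```

The value a client sends bounds the number of streams the peer may open toward it, so a proxy that substitutes 100 errs on the conservative side for its own resources. The reason to keep "not advertised" separate from "advertised as 100" is that the two cases should be logged differently when a client later reports refused streams.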

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

In a cluster deployment, if you run the force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ NSBASE-16304, NSGI-1293 ]

When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

Workaround:

Reboot the Management pod.

[ NSBASE-15556 ]

Client IP and Server IP are inverted in the HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

ICAP support for Citrix ADC

A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation services on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP) servers. The ICAP servers perform content transformation on the HTTP and HTTPS messages and return the modified messages to the appliance. The adapted message is either an HTTP or HTTPS request or response. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

[ NSBASE-825 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

Workaround:

Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In the Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

Workaround:

Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

In a high availability setup of Citrix ADC BLX appliances, the primary node might become unresponsive blocking any CLI or API request.

Workaround:

Restart the primary node.

[ NSCONFIG-6601 ]

If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded appliance:

  1. Upgrade the Citrix ADC appliance to one of the following builds:
     • 13.0 build 52.24
     • 12.1 build 57.18
     • 11.1 build 65.10
  2. Add a system user, or change the password of an existing system user, and save the configuration.
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI, at the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

Workaround:

To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in the earlier mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

[ NSCONFIG-3188 ]
