Citrix ADC

Release Notes for Citrix ADC 13.1-24.38 release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1-24.38.

Notes

This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1-24.38.

Load Balancing

Connection failover support for high availability INC mode

Citrix ADC now supports connection failover for high availability INC mode when all the following conditions are met:

  • The virtual server service type is ANY.
  • Mode is DSR (MAC, IPTUNNEL, or TOS).
  • USIP is enabled on the services bound to the virtual server.

[ NSLB-9121 ]

Support for CAA records

The Citrix ADC appliance now supports adding Certificate Authority Authorization (CAA) records. A CAA record is a type of Domain Name System (DNS) record that allows domain owners to specify which Certificate Authorities (CAs) can issue SSL certificates for the domain.

This enhancement provides an extra layer of protection to your web presence. Not having CAA records can pose a security risk because anybody can generate a Certificate Signing Request (CSR) for the domain and get the certificate signed by any CA.

[ NSLB-9007 ]
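How a CA evaluates the CAA records described above before issuing a certificate, shown as an added example (it is not Citrix code and not part of the release notes). The zone data, CA names, and function names are constructed for illustration, and the logic follows the RFC 8659 evaluation rules rather than any ADC-specific behaviour.

```python
import re

# Constructed sample zone data (not from the release notes): owner name ->
# CAA records in DNS presentation format: <flags> <tag> "<value>".
SAMPLE_ZONE = {
    "example.com": ['0 issue "ca-one.example"',
                    '0 issuewild "ca-two.example"',
                    '0 iodef "mailto:security@example.com"'],
    "locked.example.com": ['0 issue ";"'],
    "odd.example.com": ['128 futuretag "x"', '0 issue "ca-one.example"'],
}

CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"(.*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text):
    """Parse one presentation-format CAA record into (critical, tag, value)."""
    m = CAA_RE.match(text.strip())
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags = int(m.group(1))
    # Bit 7 of the flags byte is the "issuer critical" flag.
    return bool(flags & 0x80), m.group(2).lower(), m.group(3)


def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; return the first non-empty CAA set."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []


def issuer_domain(value):
    """Issuer domain name is the part of the value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, fqdn, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    owner, records = relevant_rrset(zone, fqdn)
    if not records:
        # The situation the text warns about: nothing restricts issuance.
        return True, "no CAA records found: any CA may issue"
    for critical, tag, _ in records:
        if critical and tag not in KNOWN_TAGS:
            return False, f"unknown critical tag '{tag}' at {owner}"
    wildcard = fqdn.startswith("*.")
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present;
    # for ordinary names, issuewild is ignored.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA set at {owner} does not restrict issuance"
    allowed = ca_domain.lower() in {issuer_domain(v) for v in applicable}
    verdict = "authorizes" if allowed else "does not authorize"
    return allowed, f"CAA set at {owner} {verdict} {ca_domain}"


if __name__ == "__main__":
    checks = [("www.example.com", "ca-one.example"),
              ("www.example.com", "ca-two.example"),
              ("*.example.com", "ca-two.example"),
              ("api.locked.example.com", "ca-one.example"),
              ("odd.example.com", "ca-one.example"),
              ("unrelated.test", "ca-two.example")]
    for name, ca in checks:
        print(name, ca, may_issue(SAMPLE_ZONE, name, ca))
```
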

Platform

On the Citrix ADC SDX 8015 platform, the lights out management (LOM) version is upgraded from 3.21 to 3.56.

On the Citrix ADC SDX 14000, SDX 14000-40G, SDX 14000-40S and SDX 14000-FIPS platforms, the LOM version is upgraded from 4.08 to 4.14.

[ NSPLAT-23416 ]

Support for Citrix ADC backend Autoscale on Azure with VMSS across resource groups

Citrix ADC VPX instance now supports Azure back-end Autoscaling across resource groups in the following scenarios:

  • Azure VMSS and Citrix ADC VPX instance are deployed in the same Azure virtual network.
  • Azure VMSS and Citrix ADC VPX instance are deployed in different Azure virtual networks that are in the same Azure subscription. These two virtual networks must be connected using virtual network peering feature of Azure.

This feature enables you to segregate applications and networking resources in different resource groups.

Earlier, Citrix ADC back-end Autoscale on Azure worked only if the VMSS and Citrix ADC VPX instance were deployed in the same resource group.

[ NSPLAT-16664 ]

System

Subscribe counters on the metrics collector

The Citrix ADC appliance now supports an option to subscribe counters on the metrics collector. The metrics collector supports the export of time-series analytics data every 30 seconds in different formats like AVRO, Prometheus format, and Influx DB format. The metrics collector supports the dynamic update of counters that enables you to add the required counters to a schema file. You can configure the schema file name using the CLI interface. The metrics collector reads the counter names from the schema file and exports them.

Previously, the metrics collector supported only exporting a predefined set of counters at compile time. Any change in the list of counters required a build upgrade. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/ns-ag-appflow-intro-wrapper-con/ns-ag-appflow-config-tsk.html.

[ NSBASE-11595 ]

User Interface

Configure Citrix ADC license expiry alerts

You can now configure the Citrix ADC appliance to perform the following alert operations from a specified number of days before a Citrix ADC license is due to expire:

  • Displays a license expiry alert banner on the Citrix ADC GUI.
  • Sends SNMP traps containing the license expiry information at regular intervals to the configured trap listeners if the NS_LICENSE_EXPIRY SNMP alarm is enabled.

[ NSCONFIG-6360 ]

Fixed Issues

The issues that are addressed in Build 13.1-24.38.

Authentication, authorization, and auditing

In a unified gateway setup, in rare cases you might be presented with a re-login page when accessing services behind the unified gateway even after the authentication is successful.

[ NSHELP-31148, NSHELP-27994 ]

Form-based SSO fails for the backend servers that send key-value parameters in the URL query.

[ NSHELP-30975 ]

The Citrix ADC appliance might crash due to large memory allocation because of a missing target URL in the OAuth configuration.

[ NSHELP-30963 ]

You might experience intermittent issues with RADIUS authentication while using Chrome in the Incognito mode.

[ NSHELP-30944 ]

The Citrix ADC appliance’s AAAD module might crash due to a missing or incorrect incoming password length from the packet engine to AAAD.

[ NSHELP-30911 ]

The Citrix ADC appliance crashes during the nFactor push operation.

[ NSHELP-30577 ]

There might be an intermittent failure in connecting to the Outlook exchange server via the Outlook app due to incorrect header addition by the Citrix ADC appliance.

[ NSHELP-30555 ]

The Citrix ADC appliance might crash due to memory corruption in case of core to core communication failure.

[ NSHELP-30275 ]

Single sign-on fails during an authentication session when the password change event is triggered. This issue occurs only if the persistentLogin attempts parameter is enabled.

[ NSHELP-28085 ]

In some cases, invalid credentials error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.

[ NSHELP-27113 ]

When a Citrix ADC appliance performs a nested LDAP group search, some of the group information from the active directory is missed because of an invalid behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the groupSearchSubAttribute parameter is configured appropriately.

[ NSHELP-26316 ]

The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.

[ NSHELP-25203 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX GUI, displaying the NTP servers can freeze the user interface if the NTP configuration file (ntp.conf) has only spaces in any of the lines.

[ NSHELP-31530 ]

On a Citrix ADC SDX appliance with Mellanox NICs, modifying the throughput of a VPX instance having Mellanox NICs reboots the VPX instance.

[ NSHELP-31305 ]

Citrix Gateway

In rare cases, the Citrix ADC appliance configured with VPN virtual server might crash after successful login to Citrix Gateway.

[ NSHELP-31481 ]

In an ICA DTLS setup, the Citrix Gateway appliance crashes when processing the STA ticket.

[ NSHELP-31211 ]

The Citrix ADC appliance incorrectly logs the UDPFLOWSTAT message that indicates traffic as Allowed for UDP traffic denied by an authorization policy.

[ NSHELP-29542 ]

Memory leak is observed in a Citrix ADC appliance when an outbound proxy is configured.

[ NSHELP-29234 ]

The Active Users Session page does not display all the active user sessions unless the number of entries is changed to 2000 per page.

With this fix, a new link All user session (Citrix Gateway > Monitor Connections > All user session) is added in the admin UI that lists all the user sessions and connections.

[ NSHELP-29151 ]

The show vpn icaConnection command output does not display the serial numbers of the ICA connections correctly. This issue occurs because the serial number is reset arbitrarily when the show vpn icaconnection command is run.

[ NSHELP-25646 ]

Citrix Web App Firewall

A Web App Firewall policy can be saved twice in the configuration (ns.conf) file.

[ NSHELP-30899 ]

In the WAF SQL injection check, a pattern containing a quote (single quote, double quote, or back tick) must have both the opening and the closing quote present to be marked as an attack. However, when a comment is present in the pattern, the closing quote is not required.

[ NSHELP-30379 ]

Load Balancing

Scope prefix is not set correctly when ECS is enabled on the ADC appliance and the location is not found. This issue results in creating an incorrect persistence entry. The incorrect persistence entry is created based on LDNS IP address instead of ECS IP address received in the request for the non-static proximity-based GSLB method.

[ NSHELP-30846 ]

In a rare race-condition scenario, the packet engine might crash with a core dump when the following configuration is present on the Citrix ADC appliance:

  • The GSLB virtual server is configured with the source IP address-based persistence and DNS logging is enabled on the DNS profile bound to the ADNS service.
  • The DNS load balancing server is configured without DNS logging enabled on the DNS profile.

[ NSHELP-29791 ]

Miscellaneous

The portal jQuery UI is updated from 1.12.1 to 1.13.1 to address the vulnerability described in Security Bulletins: CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184.

[ NSHELP-30209 ]

Networking

On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (/etc/blx/blx.conf) settings. This issue occurs because mawk, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the blx.conf file.

[ NSNET-14603 ]

In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • LSN filtering and mapping entries are not present in the appliance.

[ NSHELP-30225 ]

The Citrix ADC appliance might crash if you unbind a dataset from an ACL rule when some packets matched the ACL rule.

[ NSHELP-30221 ]

In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • Session reference count is not zero while deleting a filtering entry.

[ NSHELP-29348 ]

Platform

On a Citrix ADC SDX appliance with single bundle image (SBI) and VPX versions 13.1-24.x or later, the active-active deployment using VRRP on Fortville NICs is supported. This deployment is not supported in L2 mode.

The following points apply to the deployment:

  • Citrix recommends removing the VRID configuration from the Management Service before upgrading or downgrading the associated VPX instance. Add the VRID configuration from the Management Service after the upgrade or downgrade operation is complete.
  • If you do not follow the preceding recommendation, you must manually rediscover the VPX instances from the Management Service to enable VRRP convergence.

[ NSHELP-30670 ]

The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

[ NSHELP-28600 ]

Policies

In some scenarios, a Citrix ADC appliance might crash when an assignment action is used with the clear operation for an AppExpert variable.

[ NSHELP-29766 ]

SSL

A Citrix ADC MPX/SDX 14000 FIPS appliance might crash due to continuous use of APIs for crypto operations, by internal applications such as SAML, over a period of time.

[ NSHELP-27952 ]

System

The REST collector is down even when the AppFlow parameter TimeSeriesOverNSIP is enabled.

[ NSHELP-30759 ]

In a Citrix ADC appliance, latency issue is observed in HTTP/2 transactions if the following conditions are met:

  • HTTP/2 SSL configuration is enabled on the back-end service
  • Service does not support HTTP/2 protocol.

[ NSHELP-30020 ]

The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

[ NSHELP-28710, NSHELP-28713 ]

User Interface

If a Citrix ADC appliance configured with pooled licensing is upgraded, the appliance might restart with a partial configuration.

[ NSHELP-30926 ]

In a Citrix ADC appliance, binding the cache policy to override global or default global using the GUI interface fails with the following error:

  • Required argument missing.

This error is not seen while binding the cache policy using the CLI interface.

[ NSHELP-30826 ]

The search filter is not available for the ‘Name’ key in the Citrix ADC GUI Manage Certificates > CSR page.

[ NSHELP-30274 ]

Known Issues

The issues that exist in release 13.1-24.38.

AppFlow

HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

[ NSINSIGHT-943 ]

Authentication, authorization, and auditing

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command:

show adfsproxyprofile <profile name>

Workaround:

Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. The command displays the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.

Workaround:

Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]

Caching

A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

Installing an SSL certificate on a Citrix ADC SDX appliance fails if the certificate name or key name contains any space.

[ NSHELP-31711 ]

On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.

[ NSHELP-27477 ]

Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

  • Throughput allocation mode is burst.
  • There is a large difference between the throughput and the maximum burst capacity.

[ NSHELP-21992 ]

After upgrading a Citrix ADC SDX appliance to release 13.1 build 21.50 or later, SSL decryption and MAC comparison might fail. As a result, you might see SSL handshake failures, VPX status flapping, unavailability of the VPX instance GUI, and virtual servers and application going down.

Note: This issue is observed on the SDX 8900, SDX 15000, SDX 15000-50G, SDX 26000, and SDX 26000-50S platforms.

[ NSHELP-31672 ]

Citrix Gateway

When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

[ NSHELP-30662 ]

Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

[ NSHELP-30236 ]

The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced:

\HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds

Type: DWORD

[ NSHELP-30189 ]

The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

[ NSHELP-29675 ]

In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

You might notice some Citrix internal IP addresses in the rdx.js file.

[ NSHELP-28682 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

[ CGOP-13494 ]

When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

[ CGOP-13493 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]

In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

[ NSHELP-21196 ]

Miscellaneous

When a forced synchronization takes place in a high availability setup, the appliance executes the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]

Networking

In a Citrix ADC BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This limitation is due to a known issue in the DPDK driver.

[ NSNET-25299 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

  • The Citrix ADC BLX appliance is allocated with a low number of hugepages. For example, 1G.
  • The Citrix ADC BLX appliance is allocated with a high number of worker processes. For example, 28.

The issue is logged as an error message in /var/log/ns.log:

  • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

Note: x is a number <= number of worker-processes.

Workaround:

Allocate a high number of hugepages and then restart the appliance.

[ NSNET-25173 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if the following condition is met:

  • The Citrix ADC BLX appliance is allocated with a high number of hugepages. For example, 16 GB.

The issue is logged as an error message in /var/log/ns.log:

  • EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Too many open files

Workaround:

Use one of the following workarounds for this issue:

  • Increase the open file limit on the Linux host by using either the ulimit command or editing the limits.conf file.
  • Reduce the number of allocated hugepages.

[ NSNET-24727 ]

A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

[ NSNET-24449 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

Workaround:

Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg --add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

When an admin partition memory limit is changed in a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the admin partition's new memory limit.

[ NSHELP-21082 ]

Platform

The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
  2. Subsequently, you reboot the Citrix ADC appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0-82.31 and later
  • 12.1-62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1-62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should always be configured on the primary node.

[ NSPLAT-4451 ]

From Citrix ADC release 13.1 onwards, the Citrix ADC appliance fails to boot up in an ESXi hypervisor with more than 8 VMXNET3 network interfaces.

[ NSHELP-31266 ]

Policies

Connections might hang if the size of processing data is more than the configured default TCP buffer size.

Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]

SSL

On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:

ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

On MPX 8900 and MPX 15000 FIPS certified appliances, running ECDHE traffic can cause a memory leak.

[ NSHELP-30744 ]

System

The Citrix ADC VPX instance might crash if responder policies are configured, and you add some rewrite policies that lead to header corruption.

Workaround:

Remove the responder policy.

[ NSHELP-28512, NSHELP-30415 ]

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

In a cluster deployment, if you run force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ NSBASE-16304, NSGI-1293 ]

When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

Workaround: Reboot the Management pod.

[ NSBASE-15556 ]

Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

The Citrix ADC appliance drops packets that contain custom HTTP headers with a dot (“.”) character in the header name field. This action occurs because the allowOnlyWordCharactersAndHyphen parameter is enabled by default in the default HTTP profile.

Workaround: Disable allowOnlyWordCharactersAndHyphen in the default HTTP profile. However, Citrix recommends that you keep it enabled.

[ NSBASE-16722 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

Workaround:

Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a cloudbridge connector.

Workaround:

Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

Workaround:

Perform successive manual HA failover operations only after the HA synchronization is completed (both the nodes are in Sync success state).

[ NSHELP-25598 ]

In a high availability setup of Citrix ADC BLX appliances, the primary node might become unresponsive blocking any CLI or API request.

Workaround:

Restart the primary node.

[ NSCONFIG-6601 ]

If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:
     • 13.0 52.24 build
     • 12.1 57.18 build
     • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

Workaround:

To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in the preceding steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

[ NSCONFIG-3188 ]
