Citrix ADC

Release Notes for Citrix ADC 13.1–27.59 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1–27.59.

Notes

This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1–27.59.

Authentication, authorization, and auditing

Enable users to use Intune NAC v2 configuration with the new Microsoft Graph APIs

You can now use the Intune NAC v2 configuration with the new Microsoft Graph APIs instead of the deprecated AAD Graph APIs.

For more information, see https://docs.citrix.com/en-us/citrix-gateway/current-release/microsoft-intune-integration.html. Also see https://docs.citrix.com/en-us/citrix-gateway/current-release/microsoft-intune-integration/extended-support-for-azure-ad-graph.html.

[ NSAUTH-11897 ]

Bot Management

Stylebook for WAF/Bot management on Citrix Gateway devices

You can now configure WAF and BOT policies for Citrix Gateway devices to protect the Gateway login page. Two new default stylebooks are now available for WAF/Bot management on Citrix Gateway Devices:

  • Stylebook for Citrix Gateway Logon Site protection using WAF and BOT
  • Stylebook for Citrix Gateway Logon Site protection using WAF and BOT with WAF & Bot Security Violations

To use the default Stylebook for WAF/Bot management on gateway, navigate to Applications > Configuration > StyleBooks. Type the name of the StyleBook in the search field and press the Enter key. For more information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/current-release/stylebooks/how-to-use-default-stylebooks.html#to-create-a-configuration-from-a-default-stylebook.

[ NSBOT-755 ]

Enabling bot detection feature for all Citrix ADC premium entitlements

The bot detection feature along with the Signature and IP Reputation checks is now enabled by default for all Citrix ADC premium entitlements.

You can view the bot traffic coming to your environment and the action taken by the Citrix ADC appliance. Also, the ADC appliance captures the following bot traffic information in the SNMP log messages:

  • Number of bots detected
  • The top two categories of bots detected
  • The location where you can find more details about the detected bots

For more information, see Bot detection.

[ NSBOT-752 ]

Citrix Web App Firewall

Auto-enable new signatures

You can now select Auto Enable New Signatures to allow new WAF signature default rules to be auto-enabled after an update.

[ NSWAF-8825 ]

Confidential fields in a WAF profile

You can now add confidential fields in a WAF profile. These fields are masked and not captured in the ADC logs when a violation occurs. Earlier, you could add these fields using settings only.

[ NSWAF-8525 ]

Custom keyword support for HTML payload

You can add keywords of your choice and check if these configured keywords are present in the HTML payload. If the configured keywords are detected in the incoming requests, you can configure the Citrix ADC appliance to block the requests, update the logs, or increment the log counters.

With this feature, you can add keywords that are not covered in the SQL injection and command injection checks and therefore reduce the false positives.

[ NSWAF-8520 ]

Grammar-based approach for command injection detection in HTML payloads

The NextGen Citrix Web App Firewall solution is now enhanced to support the grammar-based approach for command injection detection. This approach reduces false positives in HTML payloads.

Previously, only the pattern-based approach was supported.

[ NSWAF-8270 ]

Networking

Now, you can use the NSIP:8080 port on Citrix ADC CPX for the virtual server configuration. Earlier, this port was reserved and not available for user configuration.

[ NSNET-25399 ]

Geneve tunnels support in a cluster setup

Geneve tunnels are now supported in a cluster setup of Citrix ADC appliances.

[ NSNET-24773 ]

Enhancements to include the severity level when sending SNMP Trap messages

The Citrix ADC VPX appliance now includes the severity level in the SNMP trap messages as a variable bind. Use the following command with the severityInfoInTrap option:

  • set snmp option -severityInfoInTrap ENABLED

When this option is enabled, the trap severity level is included in the SNMP trap message.

[ NSNET-21603 ]

Platform

IPv6 address support for Citrix ADC high availability in AWS

The Citrix ADC VPX high availability pair now supports IPv6 addresses in the same AWS availability zone. Previously, only IPv4 addresses were supported.

[ NSPLAT-16672 ]

User Interface

Microsoft has discontinued the support for the Internet Explorer browser from June 2022. For more information, see https://support.microsoft.com/en-us/windows/internet-explorer-help-23360e49-9cd3-4dda-ba52-705336cc0de2.

From Citrix ADC release 13.1 27.x onwards, the Citrix ADC appliance no longer supports Internet Explorer for accessing its GUI.

When you access the Citrix ADC GUI using Internet Explorer, the Citrix ADC appliance displays a message that Internet Explorer is not supported. It also recommends a list of supported browsers to access the GUI.

[ NSUI-18224 ]

Confirmation prompt for enabling or disabling a feature in Citrix ADC GUI

The Citrix ADC GUI now prompts you to confirm the operation when you enable or disable a Citrix ADC feature in the GUI. The confirmation prompt prevents any accidental enabling or disabling of a Citrix ADC feature.

[ NSUI-18098 ]

Fixed Issues

The issues that are addressed in Build 13.1–27.59.

Authentication, authorization, and auditing

Rewrite policies for endpoints such as /logon/LogonPoint/Resources/List and /cgi/Resources/List are not supported.

[ NSHELP-29488 ]

Citrix ADC SDX Appliance

The Citrix Service Virtual Machine timezone settings do not work as expected.

[ NSHELP-32114 ]

In a Citrix ADC SDX appliance, higher memory usage is detected due to high volume of SNMP data processing.

[ NSHELP-30222 ]

The SNMP walk application running on the Citrix ADC SDX appliance for the SDX-ROOT-MIB::xenTable takes more time than expected.

[ NSHELP-30085 ]

Citrix Gateway

Sometimes, users cannot access the bookmarks in advanced clientless VPN mode.

[ NSHELP-30939 ]

The Citrix Gateway appliance configured in ICA Proxy mode for UDP Audio connection might crash due to memory corruption.

[ NSHELP-30919 ]

ICA app launch fails in the following conditions:

  • Content Security Policy (CSP) feature is enabled.
  • The user logs in from a browser but uses the Citrix Workspace app to launch the app.

[ NSHELP-30534 ]

The Citrix Gateway appliance might crash during channel parsing when HDX Insight is enabled and NSAP is disabled.

[ NSHELP-30029 ]

Gateway Insight reports a false authentication failure even before the user submits the credentials for login when the authentication rule is configured to match one of the requests in the login flow.

[ NSHELP-29313 ]

App launch fails after you enter your credentials if the session profile contains the FQDN of StoreFront. The following error appears.

‘Http/1.1 Internal Server Error 43531’

With this fix, customers can enter the FQDN instead of the session profile WI address to IP.

[ NSHELP-26671 ]

Citrix Web App Firewall

The logs for No user-agent header action and multi user-agent header action might incorrectly use the log message of IP Reputation check.

[ NSHELP-31935 ]

A Citrix ADC appliance might crash while processing BOT signature lookups with slow DNS servers.

[ NSHELP-31642 ]

The Citrix ADC appliance might crash if cross-site scripting is enabled in the signature rule.

[ NSHELP-31617 ]

Load Balancing

In some instances, the state of the service is not synchronized with the state of the monitor.

[ NSHELP-31747 ]

Citrix ADC appliance crashes during removal of nameserver if the following conditions are met:

  • DNS server and name server are configured on the same IP address and port.
  • Listen policy is set on the DNS server.

[ NSHELP-31142 ]

A Citrix ADC appliance might crash during clear configuration if persistence entries are present, and a large number of dummy load balancing virtual servers and group virtual servers are configured.

[ NSHELP-30051 ]

Creating a wildcard virtual service fails if an unresolved WIHOME configuration exists on the Citrix ADC appliance.

[ NSHELP-25627 ]

Miscellaneous

In a Citrix ADC appliance, when an additional HDD is added to the appliance, a link for the /var/nslog file is created in the crash folder /var/crash/nslog. The newnslog files available in the crash folder are not collected in the collector folder generated by tech support.

[ NSHELP-31354 ]

The Citrix ADC SWG appliance might crash when the memory allocated to a resource is not freed resulting in high memory usage even when there is no traffic.

[ NSHELP-31290 ]

In a Citrix ADC cluster setup with public-key system authentication configured, the following issue is observed:

  • VTYSH does not display information of all cluster nodes on the cluster configuration coordinator (CCO).

[ NSHELP-28762 ]

Platform

On the SDX 26000 platform (SDX 26100-100G, 26160-100G, 26200-100G, 26250-100G), the maximum number of CPU cores that can be assigned to a single VPX instance is changed from 26 to 25 CPU cores.

[ NSPLAT-21233 ]

The BYOL license cannot be applied to a Citrix ADC VPX instance running on the ALI cloud platform.

[ NSHELP-31546 ]

SSL

The Citrix ADC SDX appliance crashes when crypto units are assigned to a VPX instance and jumbo config is enabled.

[ NSHELP-30950 ]

A Citrix ADC appliance might crash in the following scenarios:

  • A load balancing monitor of type SSL and SSL service have the same name
  • An SSL service is renamed
  • A load balancing monitor is deleted

[ NSHELP-30445 ]

If the SSL interception is enabled, and the DNS servers do not return a valid DNS response, then the website access is blocked.

[ NSHELP-30201 ]

A Citrix ADC appliance crashes when all of the following conditions occur:

  • A default RSA certificate-key pair is bound to an internal service.
  • A non-RSA certificate-key pair is bound to the same service.
  • HA sync occurs.

[ NSHELP-30084 ]

Any customizations that are part of the rc.netscaler file are not applied because this file is not run during system initialization.

[ NSHELP-31914 ]

System

The Citrix ADC appliance crashes when the managing Citrix ADM appliance has a network MTU greater than 1500.

[ NSHELP-30835 ]

A Citrix ADC appliance with the client-side measurement configuration might corrupt a variable resulting in the page load failure under the following condition:

  • The HTTP response contains a javascript variable that is greater than 2000 bytes.

[ NSHELP-30026 ]

In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.

[ NSHELP-19867 ]

The Citrix ADC appliance drops packets that contain custom HTTP headers with a dot character in the header name field. This action occurs because the allowOnlyWordCharactersAndHyphen parameter is enabled by default in the default HTTP profile.

From 13.1-27.x and later, the allowOnlyWordCharactersAndHyphen parameter is disabled by default in the default HTTP profile. However, Citrix recommends that you keep this parameter enabled for better security.

[ NSBASE-16722 ]

User Interface

You cannot unbind members of load balancing service groups using the GUI on Citrix ADC version 13.0 version 85.15 build.

[ NSHELP-31474 ]

The System > Diagnostics page in the Citrix ADC GUI does not display the page details for customers with an Advanced license.

[ NSHELP-31330 ]

Recording a packet trace might not work as expected on an admin partition.

[ NSHELP-31321 ]

Reconnection to the Citrix ADC appliance fails with the following error when CTRL+C is entered while running the show run command in the CLI interface:

  • Invalid username or password

This issue happens if the characters in the key and password are the same.

[ NSHELP-30817 ]

Due to an incorrect upgrade installation sequence, the following issue occurs in the Citrix ADC appliance.

  • The kernel image is updated first and after a few steps, the encryption keys are copied. In between these steps some failure happens and the ADC appliance comes up with a new image. The missing encryption keys in the new image lead to decryption failure and missing configuration.

[ NSHELP-30755 ]

Known Issues

The issues that exist in release 13.1–27.59.

AppFlow

HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

[ NSINSIGHT-943 ]

Authentication, authorization, and auditing

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of the Citrix ADC GUI.

[ NSAUTH-6106 ]

An ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command: show adfsproxyprofile <profile name>

Workaround:

Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. The command displays the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.

Workaround:

Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]

Caching

A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

In a Citrix ADC SDX appliance, the VLAN whitelist is not updated with the correct value for the Mellanox interfaces assigned to a Citrix ADC VPX instance.

[ NSHELP-31849 ]

When you upgrade a Citrix SDX appliance, even though the hypervisor version is the same for both the current and the upgraded SDX versions, the following incorrect event is notified in the Management Service GUI:

SVM and Hypervisor version mismatch

[ NSHELP-31769 ]

Installing an SSL certificate on a Citrix ADC SDX appliance fails if the certificate name or key name contains any space.

[ NSHELP-31711 ]

Citrix Gateway

Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.

[ NSHELP-31598 ]

When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

[ NSHELP-30662 ]

Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

[ NSHELP-30236 ]

The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

\HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds

Type: DWORD

By default, this registry value is not set or added. When SecureChannelResetTimeoutSeconds is 0 or is not added, the fix for the delay is not active; this is the default behavior. The admin must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

[ NSHELP-30189 ]

The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

[ NSHELP-29675 ]

In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

You might notice some Citrix internal IP addresses in the rdx.js file.

[ NSHELP-28682 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows log on, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

[ CGOP-13494 ]

When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

[ CGOP-13493 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

Citrix Web App Firewall

A Citrix ADC appliance might crash while processing BOT signature lookups with slow DNS servers.

[ NSHELP-31642 ]

The Citrix ADC appliance might crash if cross-site scripting is enabled in the signature rule.

[ NSHELP-31617 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

In some instances, the state of the service is not synchronized with the state of the monitor.

[ NSHELP-31747 ]

The Citrix ADC appliance might crash and dump core if the following conditions are met:

  • Static proximity or RTT is used as the primary or backup load balancing method.
  • Source IP address persistence is enabled

[ NSHELP-31735 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]

In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

[ NSHELP-21196 ]

Miscellaneous

When a forced synchronization takes place in a high availability setup, the appliance executes the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

[ NSHELP-31836 ]

A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.

[ NSHELP-22409 ]

Networking

In a Citrix ADC BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This behavior is due to a known issue in the DPDK driver.

[ NSNET-25299 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

  • The Citrix ADC BLX appliance is allocated with a low number of hugepages. For example, 1G.
  • The Citrix ADC BLX appliance is allocated with a high number of worker-process. For example, 28.

The issue is logged as an error message in /var/log/ns.log:

  • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

Note: x is a number <= number of worker-processes.

Workaround:

Allocate a high number of hugepages and then restart the appliance.

[ NSNET-25173 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if the following condition is met:

  • The Citrix ADC BLX appliance is allocated with a high number of hugepages. For example, 16 GB.

The issue is logged as an error message in /var/log/ns.log:

  • EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Too many open files

Workaround:

Use one of the following workarounds for this issue:

  • Increase the open file limit on the Linux host by using either the ulimit command or editing the limits.conf file.
  • Reduce the number of allocated hugepages.

[ NSNET-24727 ]

A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

[ NSNET-24449 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

Workaround:

Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg --add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

When an admin partition memory limit is changed in a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the admin partition's new memory limit.

[ NSHELP-21082 ]

Platform

The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
  2. Subsequently, you reboot the Citrix ADC appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0-82.31 and later
  • 12.1-62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1-62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

Workaround:

Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should always be configured on the primary node.

[ NSPLAT-4451 ]

From Citrix ADC release 13.1 onwards, the Citrix ADC appliance fails to boot up in an ESXi hypervisor with more than 8 VMXNET3 network interfaces.

[ NSHELP-31266 ]

Policies

Connections might hang if the size of processing data is more than the configured default TCP buffer size.

Workaround:

Set the TCP buffer size to the maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]

SSL

On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:

ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

A Citrix ADC appliance might crash in the following scenarios:

  • A load balancing monitor of type SSL and SSL service have the same name
  • An SSL service is renamed
  • A load balancing monitor is deleted

[ NSHELP-30445 ]

System

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

In a cluster deployment, if you run the force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ NSBASE-16304, NSGI-1293 ]

When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

Workaround: Reboot the Management pod.

[ NSBASE-15556 ]

Client IP and Server IP are inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

Workaround:

Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a cloudbridge connector.

Workaround:

Configure cloudbridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

Workaround:

Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

In a high availability setup of Citrix ADC BLX appliances, the primary node might become unresponsive blocking any CLI or API request.

Workaround:

Restart the primary node.

[ NSCONFIG-6601 ]

If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

Workaround:

To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

[ NSCONFIG-3188 ]
