Citrix ADC

Release Notes for Citrix ADC 13.1–30.52 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1–30.52.

Notes

This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1–30.52.

Networking

Asdot format support for 4-byte BGP ASN

The Citrix ADC appliance now supports configuring and displaying 4-byte BGP autonomous system numbers (ASN) in the asdot format as defined in RFC 5396. The Citrix ADC appliance overall supports the following two formats for BGP ASNs:

  • asplain - Decimal value notation where both 2-byte and 4-byte ASNs are represented by their decimal value. For example, 65527 is a 2-byte ASN and 234567 is a 4-byte ASN.

  • asdot - Autonomous system dot notation where 2-byte ASNs are represented by their decimal value (same as in asplain), and 4-byte ASNs are represented by a dot notation. For example, 65527 is a 2-byte ASN and 3.37959 is a 4-byte ASN. (3.37959 is asdot format for the 234567 decimal number).

[ NSNET-26101 ]
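Added example (not Citrix code): a strict parser and formatter for the asplain and asdot notations described above, usable when auditing BGP neighbor configuration across devices that display ASNs differently. The function names are illustrative, and accepting the RFC 5396 asdot+ form (for example, 0.65527) on input is an assumption of this sketch, not documented ADC behavior.

```python
import re

ASN_MAX = 0xFFFFFFFF       # largest 4-byte ASN
TWO_BYTE_MAX = 0xFFFF      # largest 2-byte ASN

# ASCII digits only: \d would also accept non-ASCII Unicode digits.
_ASPLAIN = re.compile(r"[0-9]{1,10}")
_DOTTED = re.compile(r"([0-9]{1,5})\.([0-9]{1,5})")


def parse_asn(text):
    """Parse an ASN written in asplain or dotted notation; return an int.

    Raises ValueError for anything that is not a well-formed ASN.
    """
    text = text.strip()
    dotted = _DOTTED.fullmatch(text)
    if dotted:
        high, low = int(dotted.group(1)), int(dotted.group(2))
        # Each half of the dotted form is a 16-bit value.
        if high > TWO_BYTE_MAX or low > TWO_BYTE_MAX:
            raise ValueError(f"dotted ASN field out of range: {text!r}")
        return (high << 16) | low
    if _ASPLAIN.fullmatch(text):
        value = int(text)
        if value > ASN_MAX:
            raise ValueError(f"ASN exceeds 32 bits: {text!r}")
        return value
    raise ValueError(f"not an asplain or asdot ASN: {text!r}")


def to_asplain(asn):
    """Format an ASN as its plain decimal value."""
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    return str(asn)


def to_asdot(asn):
    """Format an ASN in asdot: decimal for 2-byte ASNs, high.low otherwise."""
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    if asn <= TWO_BYTE_MAX:
        return str(asn)            # same as asplain for 2-byte ASNs
    return f"{asn >> 16}.{asn & TWO_BYTE_MAX}"


def same_asn(a, b):
    """Compare two ASN strings regardless of the notation each one uses."""
    return parse_asn(a) == parse_asn(b)


if __name__ == "__main__":
    # Values taken from the release note: 65527 (2-byte), 234567 (4-byte).
    for sample in ("65527", "234567", "3.37959"):
        n = parse_asn(sample)
        print(f"{sample:>10}  asplain={to_asplain(n):<10} asdot={to_asdot(n)}")
```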

Amazon Linux 2 on AWS cloud support for Citrix ADC BLX appliances

The Citrix ADC BLX appliance is now supported on Amazon Linux 2 on the AWS cloud. The Citrix ADC BLX supports running with AWS Elastic Network Adapters (ENA) as DPDK ports on Amazon Linux 2.

[ NSNET-25802 ]

Even distribution of monitor probes on available routes

From 13.1-30.x, the Citrix ADC appliance uses the hashing algorithm based on the following five tuples to select a route for a load balancing monitor probe.

  • Source IP address
  • Source Port
  • Destination IP address
  • Destination Port
  • Protocol number

The selection of routes based on five tuples information ensures even distribution of monitor probes on the available routes. This even distribution prevents the overloading of traffic in a route.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/route-selection-based-on-five-tuples.html.

[ NSNET-24646 ]

SSL

Support for OCSP multi-stapling solution

When TLS 1.3 protocol is used, all the intermediate certificates now include the OCSP response extension in the response to the status request from the client. Earlier, only the server certificate included this extension in the response to the status request from the client.

[ NSSSL-9281 ]

User Interface

Optimized the show ns licenseserverpool command to fetch licenses in less time

When you run the show ns licenseserverpool command, it takes less time to fetch the licenses. A new parameter licensemode is added to the add ns licenseserver command to specify the license mode. So, the show ns licenseserverpool command displays only licenses based on the specified license mode. If you want an inventory of all the licenses, use the show ns licenseserverpool -get alllicenses command.

Earlier, the show ns licenseserverpool command used to display all the licenses irrespective of license mode that is configured. As a result, the command was taking more time in fetching all the licenses.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/licensing.html#citrix-adc-self-managed-pool-license

[ NSCONFIG-6961 ]

Support for Self Managed Pool license

The Citrix ADC appliance now supports the Self Managed Pool license, which simplifies and automates license file uploads to the license server after the purchase. You can use Citrix ADM to create a licensing framework that comprises a common bandwidth or vCPU and the instance pool.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/licensing.html#citrix-adc-self-managed-pool-license

[ NSCONFIG-6592 ]

Support for Citrix ADC CPX license aggregator

Now, you can use Citrix ADC CPX license aggregator, a new Kubernetes micro service provided by Citrix, to obtain licenses for Citrix ADC CPX. When you start Citrix ADC CPX, you should configure the environment variable CLA with the IP address or domain name of the Citrix ADC CPX license aggregator. If the environment variable is configured, Citrix ADC CPX license aggregator checks out the aggregate licenses for all the connected Citrix ADC CPXs.

[ NSCONFIG-6394 ]

Fixed Issues

The issues that are addressed in Build 13.1–30.52.

Authentication, authorization, and auditing

The Citrix ADC appliance might crash if the SAML metadata URL in the configuration does not end with or contains backslash ( / ).

[ NSHELP-31937 ]

If you have configured a syslog server, you see a single SAML-related log in two lines.

[ NSHELP-31750 ]

There might be issues with application rewrite while applying rewrite policies for content security policy (CSP) on an authentication-virtual server.

[ NSHELP-31583 ]

Non-ASCII characters are recorded in nsvpn.log when LDAP action is configured to an FQDN instead of an IP address.

[ NSHELP-27281 ]

The Citrix ADC GUI does not display the default cache policies bound to a VPN virtual server.

[ NSHELP-26874 ]

Citrix ADC SDX Appliance

In a Citrix ADC SDX appliance, creating or editing the system groups fails.

[ NSHELP-32359 ]

The Citrix ADC SDX appliance does not send SNMP traps for hypervisor disk usage to Citrix ADM.

[ NSHELP-32323 ]

In a Citrix ADC SDX appliance, the VLAN whitelist is not updated with the correct value for the Mellanox interfaces assigned to a Citrix ADC VPX instance.

[ NSHELP-31849 ]

When you upgrade a Citrix SDX appliance, even though the hypervisor version is same for both the current and the upgraded SDX versions, the following incorrect event is notified in the Management Service GUI:

SVM and Hypervisor version mismatch

[ NSHELP-31769 ]

Installing an SSL certificate on a Citrix ADC SDX appliance fails if the certificate name or key name contains any space.

[ NSHELP-31711 ]

Sometimes, upload of the post-install script file (postinst.sh) to Citrix Hypervisor fails during platform upgrade, when you upgrade the Citrix ADC SDX appliance from 13.0 to 13.1 firmware.

[ NSHELP-31125 ]

Citrix Gateway

In a cluster setup, the Citrix ADC appliance crashes while sending the CGP_FINISH_REQUEST request to the client.

[ NSHELP-32029 ]

Sometimes, a Citrix ADC appliance might crash while assigning an Intranet IP address to a client.

[ NSHELP-31712 ]

The policy-based routing (PBR) policies do not take effect for DNS traffic over VPN.

[ NSHELP-31123 ]

When classic EPA policy and nFactor auth are configured, the Gateway Insight events for successful authentication are not sent to Citrix Application Delivery Management.

[ NSHELP-30901 ]

You might see an extra line for NS_AUDITLOG_STR* logs in the ns_aaa_json.c file.

[ NSHELP-28160 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

The logs flagging vulnerability do not capture the source IP address of the client. These logs are:

  • Dropping HTTP request with invalid header/version
  • Path traversal detected
  • Found ‘/vpns/’ in unwanted place
  • Dropping invalid HTTP request

[ CGOP-18190 ]

Citrix Web App Firewall

On a Citrix ADC appliance, the console might be flooded with log messages and the appliance might send DNS queries to the Webroot public cloud service provider. This happens because the IP Reputation feature, when disabled, is running every five minutes instead of once every 24 hours.

[ NSWAF-9299 ]

Load Balancing

A Citrix ADC appliance might crash and dump core if the user monitor script returns a response with more than 1024 bytes.

[ NSHELP-32097 ]

In rare cases, a Citrix ADC appliance might crash and dump core if DNSSEC processing is enabled and DNS zone configuration is present.

[ NSHELP-31993 ]

Due to a rare race condition, there might be inconsistencies between the local site and the remote site. This inconsistency might be due to the remote site not learning the dynamic member from the local site.

The removal of dynamic members on the remote site might be unsuccessful due to an issue while communicating between packet engines.

[ NSHELP-31982 ]

SNMP WALK requests corresponding to the vserverAdvanceSslConfigTable OID result in a core dump when the priority order of virtual servers is configured.

[ NSHELP-31704 ]

Networking

A Citrix ADC BLX appliance with DPDK might fail to restart if the following condition is met:

  • The Citrix ADC BLX appliance is allocated with a high number of hugepages. For example, 16 GB.

The issue is logged as an error message in /var/log/ns.log:

  • EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Too many open files

[ NSNET-24727 ]

With ECMP configured on a Citrix ADC appliance, the following issue might be observed for an SSH load balancing connection:

  • The Citrix ADC appliance sends the first packet through a different route than for the rest of the packets of the same flow.

[ NSHELP-32089 ]

The Citrix ADC appliance might crash in some scenarios when the following conditions are met:

  • The Citrix ADC appliance receives multiple first fragments with different offsets.
  • The Citrix ADC appliance does not reassemble the fragments.

[ NSHELP-32084 ]

In a load balancing configuration with sessionless option enabled on the virtual server and ECMP on the server side, the following issue might be observed:

  • The Citrix ADC appliance sends the packets to a server always through the same route.

[ NSHELP-32061 ]

In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • Because of stale filtering entry.

[ NSHELP-28895 ]

Platform

On a Citrix ADC SDX appliance, the ring size is increased from 1024 to 2048 entries for the Mellanox interfaces.

[ NSPLAT-24539 ]

The log rotation fails for files stored in the /var/log/waagent folder and takes up more disk space. This failure is seen when you apply a backup configuration taken from a Citrix ADC VPX instance on another ADC VPX instance hosted on the Azure cloud using the restore functionality.

[ NSHELP-31599 ]

From Citrix ADC release 13.1 onwards, the Citrix ADC appliance fails to boot up in an ESXi hypervisor with more than 8 VMXNET3 network interfaces.

[ NSHELP-31266 ]

Policies

In a Citrix ADC appliance, following is observed.

  • Issues related to memory accounting in some unusual cases.
  • Issues related to memory allocation/deallocation of certain entities.

Also tracking of allocation/deallocation of certain entities was added/improved.

[ NSHELP-29215 ]

SSL

When both RSA and ECDSA certificate-key pairs are bound to a virtual server and the peer supports a compatible signature algorithm, the TLS 1.3 server selects the ECDSA certificate-key pair. Previously, the TLS 1.3 server selected the RSA certificate-key pair. With this change, the TLS 1.3 server now behaves the same as the TLS 1.2 server.

[ NSSSL-11650 ]

The TLS 1.3 server returns a decode_error alert when it encounters a TLS 1.3 handshake message that is split (fragmented) across multiple TLS records. This may have an impact on successful handshake completion if the client is authenticating with a certificate and the client’s certificate is larger than the maximum TLS record size (approx. 16 KB).

[ NSSSL-2940 ]

An SSL handshake might fail if the following sequence of conditions is met:

  1. Hello Verify Request (HVR) is enabled on DTLS.
  2. The Citrix ADC appliance sends an HVR to the client.
  3. The client does not receive the HVR.
  4. The client tries to retransmit the first client hello instead of responding to the HVR with a session cookie.

Note: In response to the retransmitted client hello message, the ADC appliance sends the HVR to the client a maximum of three times. If a proper response is not received, the appliance fails the handshake.

[ NSHELP-31808 ]

A Citrix ADC appliance configured to process SSL traffic might crash if the memory utilization exceeds 80%.

[ NSHELP-29996 ]

System

A Citrix ADC appliance crashes in the syslog action configuration flow. This crash is observed during High Availability synchronization on the secondary node.

[ NSHELP-32254, NSHELP-32397 ]

In a Citrix ADC appliance, the default value of the maxHeaderFieldLen parameter in the HTTP profile causes the following issue.

  • Traffic failure after upgrading to 13.0 build.

[ NSHELP-32079 ]

A Citrix ADC appliance might crash when AppFlow is enabled only on the client side.

[ NSHELP-31892 ]

A Citrix ADC appliance might crash when the following condition is met:

  • Both analytics profile and AppFlow policy are bound, and the profile has the httpAllHdrs option enabled.

[ NSHELP-30628 ]

In a Citrix ADC appliance, the following issue is observed when enabling the HTTP/2 configuration for a content switching or load balancing virtual IP(VIP).

  • An increase in latency of up to 100 ms while forwarding the HTTP/2 header and data frames to the website through the Citrix ADC appliance.

[ NSHELP-30094 ]

User Interface

In a High Availability (HA) setup, while fetching the local IP address for the nsconf tool, the following issue is observed.

  • Local host connection login failure. This failure happens if the RPC node password is different for primary and secondary nodes in the HA setup.

[ NSHELP-32083 ]

The following exception is seen in the Python API SDK while trying to delete an SSL virtual server and certificate-key pair binding. TypeError: cannot concatenate ‘str’ and ‘bool’ objects

[ NSHELP-31746 ]

Load balancing server statistics details are misaligned in the Citrix ADC GUI dashboard.

[ NSHELP-20752 ]

Known Issues

The issues that exist in release 13.1–30.52.

AppFlow

HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

[ NSINSIGHT-943 ]

Authentication, authorization, and auditing

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command. show adfsproxyprofile <profile name>

Workaround:

Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.

Workaround:

Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

Citrix Gateway

On a MAC device using Chrome, the VPN extension crashes while accessing two FQDNs.

[ NSHELP-32144 ]

Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.

[ NSHELP-31598 ]

When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

[ NSHELP-30662 ]

Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

[ NSHELP-30236 ]

The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

\HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds Type: DWORD

By default, this registry value is not set or added. When the value of SecureChannelResetTimeoutSeconds is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

[ NSHELP-30189 ]

The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

[ NSHELP-29675 ]

Sometimes, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

You might notice some Citrix internal IP addresses in the rdx.js file.

[ NSHELP-28682 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

VPN plug-in doesn’t establish tunnel after Windows Logon, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate-based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to use the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

[ CGOP-13494 ]

When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

[ CGOP-13493 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

In a High Availability (HA) setup, routes are dropped on the new primary node and not learned again when the following condition is met.

  • Dynamic Route deletion and HA failover happens at the same time because of critical interface failure.

[ NSHELP-32264 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]

In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

[ NSHELP-21196 ]

Miscellaneous

When a forced synchronization takes place in a high availability setup, the appliance runs the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

[ NSHELP-31836 ]

A Citrix ADC appliance might restart because of management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.

[ NSHELP-22409 ]

Networking

In a Citrix ADC BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This limitation is caused by a known issue in the DPDK driver.

[ NSNET-25299 ]

A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

  • The Citrix ADC BLX appliance is allocated with a low number of hugepages. For example, 1G.
  • The Citrix ADC BLX appliance is allocated with a high number of worker-process. For example, 28.

The issue is logged as an error message in /var/log/ns.log:

  • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

Note: x is a number <= number of worker-processes.

Workaround:

Allocate a high number of hugepages and then restart the appliance.

[ NSNET-25173 ]

A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

[ NSNET-24449 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

Workaround:

Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg --add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

When an admin partition memory limit is changed in a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the admin partition's new memory limit.

[ NSHELP-21082 ]

Platform

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0–82.31 and later
  • 12.1–62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1–62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must be always configured on the primary node.

[ NSPLAT-4451 ]

Policies

Connections might hang if the size of processing data is more than the configured default TCP buffer size.

Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]

SSL

On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying Key Vault as the HSM type. ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

After upgrading a Citrix ADC SDX appliance to release 13.1 build 21.50 or later, SSL decryption and MAC comparison might fail. As a result, you might see SSL handshake failures, VPX status flapping, unavailability of the VPX instance GUI, and virtual servers and application going down.

Note: This issue is observed on the SDX 8900, SDX 15000, SDX 15000-50G, SDX 26000, and SDX 26000-50S platforms.

[ NSHELP-31672 ]

System

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

In a cluster deployment, if you run the force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ NSBASE-16304, NSGI-1293 ]

When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

Workaround: Reboot the Management pod.

[ NSBASE-15556 ]

Client IP and Server IP are inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

The Citrix ADC appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.

[ NSHELP-31656 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

Workaround:

Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

Workaround:

Configure cloudbridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

Workaround:

Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

In a high availability setup of Citrix ADC BLX appliances, the primary node might become unresponsive blocking any CLI or API request.

Workaround:

Restart the primary node.

[ NSCONFIG-6601 ]

If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration.
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI:

At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

Workaround:

To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

[ NSCONFIG-3188 ]
