Citrix ADC

Release Notes for Citrix ADC 13.1-33.54 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1-33.54.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.1-33.47 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX463706.
  • Build 33.54 replaces build 33.52, build 33.49, and build 33.47.
  • Build 33.54 includes fixes for the following issues: NSHELP-33250, NSHELP-33345, and NSHELP-33063.
  • Build 33.52 included a fix for the following issue: NSHELP-32907.
  • Build 33.49 included fixes for the following issues: NSHELP-32709, NSHELP-32697, NSHELP-32410, NSHELP-31790, NSHELP-31478, and NSCONFIG-7098.

What’s New

The enhancements and changes that are available in Build 13.1-33.54.

Bot Management

  • New BOT related expressions

    The following expressions are added and can be used when the BOT profile is configured in logging mode:

    • HTTP.REQ.BOT.IS_SUSPECTED - Returns true if the client is suspected as a BOT.
    • HTTP.REQ.BOT.TYPE.EQ(<bot type>) - Returns true if the client BOT type is the same as the argument. Possible values of BOT types: GOOD, BAD, and UNKNOWN.
    • HTTP.REQ.BOT.TYPE.NE(<bot type>) - Returns true if the client BOT type is not the same as the argument. Possible values of BOT types: GOOD, BAD, and UNKNOWN.
    • HTTP.REQ.BOT.TYPE.ENUM_NAME - Returns the BOT type as a string. For example, GOOD, BAD, UNKNOWN.
    • HTTP.REQ.BOT.DETECTION_METHODS - List of the detection techniques using which a client is detected as a BOT.

    [ NSBOT-842 ]

Citrix Gateway

  • When SmartControl is configured, session reliability is supported even if the corresponding authentication, authorization, and auditing session does not exist. The reconnect request which is received by the Citrix ADC appliance from client device post recovery from network disruption is served even if the corresponding Authentication, authorization, and auditing session does not exist.

    [ CGOP-21040 ]

Citrix Web App Firewall

  • New default Web App Firewall profile

    A new default profile, called core, is now available with core WAF protections. The following checks are enabled in the core profile:

    • Grammar-based SQL injection
    • Grammar-based CMD injection
    • XSS
    • BOF
    • Block expressions

    [ NSWAF-9133 ]

  • Custom keyword support for JSON payload

    You can add keywords of your choice and check if these configured keywords are present in the JSON payload. If the configured keywords are detected in the incoming requests, you can configure the Citrix ADC appliance to block the requests, update the logs, or increment the log counters.

    The advantage is that you can add keywords that are not covered in the SQL injection and command injection checks and therefore reduce the false positives.

    [ NSWAF-9076 ]

Platform

  • Handle dynamic NIC removal in Azure accelerated networking

    A Citrix ADC VPX instance can now seamlessly handle dynamic NIC removals and reattachment of the removed NICs in Azure accelerated networking.

    Azure can remove single root I/O virtualization (SR-IOV) virtual function (VF) NIC of accelerated networking for their host maintenance activities. Whenever a NIC is removed from Azure VM, the Citrix ADC VPX instance shows the interface status as Link Down and the traffic goes through the virtual interface only. After the removed NIC is reattached, the VPX instances use the reattached SR-IOV VF NIC. This process happens seamlessly and does not require any configuration.

    [ NSPLAT-23300 ]

  • Support for Python 3.7

    The Citrix ADC appliance now supports Python 3.7 because Python 2.7 is deprecated.

    You must upgrade your current Python scripts to be compatible with Python 3.7.

    [ NSPLAT-20832 ]

SSL

  • Support for recurrent notifications until certificate expiry

    The Citrix ADC appliance now sends one notification per day until the certificate expires. Earlier, only one notification was sent a set number of days before the certificate expired.

    [ NSSSL-11874 ]

  • Increased length for email address in a Create Certificate Request

    On a Citrix ADC appliance, the limit for email address in a Create Certificate Request is now increased to 255 characters. Earlier the limit was 39 characters.

    [ NSSSL-10917 ]

  • Support for Thales Luna HSM on Intel Coleto and Intel Lewisburg based platforms

    Thales Luna HSM is now supported on Citrix ADC Intel Coleto and Intel Lewisburg SSL chip based platforms.

    The following appliances ship with Intel Coleto chips:

    • MPX 5900
    • MPX/SDX 8900
    • MPX/SDX 15000
    • MPX/SDX 15000-50G
    • MPX/SDX 26000
    • MPX/SDX 26000-50S
    • MPX/SDX 26000-100G

    The following platforms ship with Intel Lewisburg chips:

    • MPX 9100
    • SDX 9100

    [ NSSSL-9707 ]

System

  • New parameter added in HTTP profile

    A new parameter passProtocolUpgrade is added to the HTTP profile to prevent attacks on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.

    • If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back end. The server accepts the upgrade request and notifies it in its response.
    • If this parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back end.

    The passProtocolUpgrade parameter is added to the following profiles:

    • nshttp_default_profile ENABLED by default
    • nshttp_default_strict_validation DISABLED by default
    • nshttp_default_internal_apps DISABLED by default
    • nshttp_default_http_quic_profile ENABLED by default

    Citrix recommends that this parameter be disabled by default. For more details, see the Citrix ADC Secure Deployment Guide.

    [ NSBASE-17423 ]

  • Multiple time-series profile support

    The Citrix ADC appliance now supports up to three time-series profile configurations.
    You can configure each time-series profile to have the following:

    • Its collector
    • schema file that contains the required set of counters to be exported by metrics collector
    • The data format in which the metrics can be exported.
    • The option to enable or disable metrics, audit logs, and events.

    With the multiple time-series profile support, the metrics collector can simultaneously export a different set (based on the schema file configured) of metrics to different collectors in different formats (AVRO, Prometheus, Influx).

    For more information, see Configuring the AppFlow feature.

    [ NSBASE-16809 ]

  • The syslog is not exported over TCP at a specific interval of time. Due to this condition, the syslog remains indefinitely in the audit buffer giving a perception of missing logs. This syslog is sent only when the buffer is full.

    With this fix, the syslog is exported over TCP when the audit buffer is full, or at an interval of every 20 seconds, whichever happens first.

    [ NSBASE-16698 ]

  • Crypto offload support for QUIC

    The Citrix ADC appliance now supports offloading the crypto processing from software to hardware which accelerates the QUIC transactions. The Citrix ADC appliance is equipped with SSL hardware chips which does the crypto acceleration transparently.

    For more information, see QUIC.

    [ NSBASE-12046 ]

User Interface

  • Secure RPC communication based on the TLS 1.2 setting for the internal services

    After you upgrade a Citrix ADC appliance to release 13.1 build 33.x or later from one of the following builds, the “secure” option for the RPC node is enabled or disabled on the basis of the TLS 1.2 setting (enabled or disabled) present for the internal RPCS and KRPCS services.

    • Release 13.0 build 64.35 or earlier
    • Release 12.1 build 61.18 or earlier

    The RPC communication is encrypted between the Citrix ADC nodes of the following setups if the “Secure” option is enabled:

    • High availability
    • Cluster
    • GSLB

    The “secure” option uses secure protocol TLS1.2 and port numbers 3008 and 3009 for the RPC connection between the Citrix ADC nodes.

    For ensuring secure RPC communication, Citrix recommends performing the following operations before upgrading these setups:

    • TLS 1.2 must be enabled for the internal RPCS and KRPCS services:
      • nsrpcs-127.0.0.1-3008
      • nskrpcs-127.0.0.1-3009
      • nsrpcs-::1l-3008
    • 3008 and 3009 must be unblocked in firewalls between the Citrix ADC nodes.

    You can enable or disable the secure option using the Citrix ADC CLI or the GUI.

    [ NSCONFIG-6485 ]

  • Support for Citrix ADC CPX license aggregator

    Now, you can use Citrix ADC CPX license aggregator, a new Kubernetes micro service provided by Citrix, to obtain licenses for Citrix ADC CPX. When you start Citrix ADC CPX, you should configure the environment variable CLA with the IP address or domain name of the Citrix ADC CPX license aggregator. If the environment variable is configured, Citrix ADC CPX license aggregator checks out the aggregate licenses for all the connected Citrix ADC CPXs.

    [ NSCONFIG-6394 ]

  • Asynchronous option support for the install NITRO API
    A new option “async has been introduced to the “install NITRO API. The “async option returns the install operation job id, which can be used in the “nsjob NITRO API call to retrive the status details of the install operation.

    Example:

    In the following example of a curl request, the install NITRO API is used with the async option. The response payload contains the job Id as 2.

    Curl request:
    “curl -v -X POST -H “Content-Type: application/json” -u nsroot:examplepassword http://192.0.0.33/nitro/v1/config/install?warning=yes -d ‘{“install”: {“url”: “https://example-repo.citrite.net/build-13.1-36.11_nc_64.tgz”, “async”:”1”}}’”

    Response payload:

    ”{ “install”:{ “url”: "<file path>", “y”: false, “l”: false, “a”: false, “enhancedupgrade”: false, “resizeswapvar”: false, “async”: true, “id”: “2” }”

    In the following example of a curl request, the “nsjob NITRO API is used to retrieve the status details of the job id 2, which is the id for the install operation.

    Curl request:
    “curl -v -X GET -H “Content-Type: application/json” -u nsroot:examplepassword http://192.0.0.33/nitro/v1/config/nsjob/2

    Response payload:

    ”{ “errorcode”: 0, “message”: “Done”, “severity”: “NONE”, “nsjob”: [

    { “name”: “install”, “id”: “2”, “status”: “Success”, “progress”: “nInstallation has completed.nnReboot is required for configuration changes to take effect.Installation succeeded. Reboot required.n”, “timeelapsed”: 148, “errorcode”: “5221”, “message”: “The configuration changes will not take effect until the system is rebootedn” }

    ]}”

    [ NSCONFIG-5870 ]

Fixed Issues

The issues that are addressed in Build 13.1-33.54.

Authentication, authorization, and auditing

  • The Citrix ADC appliance stops processing requests because of a memory leak in the MEM_SSLVPN module.

    [ NSHELP-32646 ]

  • The Citrix Gateway Duo authentication logon page does not load with nonRfWebUI themes.

    [ NSHELP-32463 ]

  • While registering your device with the Citrix Gateway appliance, the “Push registration failed” message appears for the Citrix Secure Access (Citrix SSO).

    [ NSHELP-32461 ]

  • If both LDAP and SAML authentication are configured in cascade, an error page is displayed during log on.

    [ NSHELP-32378 ]

  • Sometimes, authentication to gateway using the Citrix Workspace app does not succeed.

    [ NSHELP-32333 ]

  • SAML authentication fails if the Content Security Policy (CSP) feature is enabled on the Citrix ADC appliance.

    [ NSHELP-32203 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • In a Citrix ADC SDX appliance, the Clean Install option does not work when you downgrade from release 13.1 build 30.52 to any lower release or build.

    [ NSSVM-5419 ]

  • A few redundant Hardware Security Module (HSM) config files are also backed up when Citrix ADC VPX instances are backed up using SDX and ADM.

    [ NSHELP-32539 ]

  • The Management Service syslog in the Citrix ADC SDX appliance incorrectly displays the date twice.

    [ NSHELP-32311 ]

Citrix Gateway

  • The Citrix ADC appliance crashes if either or both Gateway Insight and Web Insight features are enabled.

    [ NSHELP-33345 ]

  • Sometimes, RDP proxy does not work in the presence of a connection broker.

    [ NSHELP-33063 ]

  • The Citrix Gateway appliance might crash if HDX Insight is enabled and a user logs in to StoreFront immediately after logging out.

    [ NSHELP-32907, NSHELP-33079, NSHELP-33289 ]

  • Patset based MAC address EPA scan does not work along with device certificate scan in the same factor.

    [ NSHELP-32760 ]

  • The Citrix ADC appliance drops any HTTP packet with unknown authentication method used for authentication traffic. The unknown authentication method breaks the deployment by causing issues with load balancing operations if authentication and authorization virtual servers are used for authentication traffic. Unknown authentication method is disabled, by default.

    [ NSHELP-32709 ]

  • The “Transfer Login” dialog box does not display Transfer button.

    [ NSHELP-32614 ]

  • The Citrix ADC appliance crashes while handling the logout request POST /CitrixAuthService/AuthService.asmx from StoreFront server when callback URL is configured on StoreFront.

    [ NSHELP-32207 ]

  • In a Citrix Gateway appliance, the global VPN parameters do not take effect if the VPN parameters are not set at the session action level.

    Before you upgrade your high availability setup, ensure that you manually disable HA sync on the secondary appliance. For details, see https://docs.citrix.com/en-us/citrix-adc/current-release/upgrade-downgrade-citrix-adc-appliance/upgrade-downgrade-ha-pair.html

    [ NSHELP-31478, CGOP-21737 ]

  • The Citrix Gateway logon page title and the portal themes are not displayed correctly.

    [ NSHELP-29202 ]

  • While configuring the IIP pool (IP address and mask), if the IP address doesn’t match the first IP address in the range, the Citrix ADC CLI and GUI displays only one block and not all.

    Example:
    bind vpn vserver vpn_ssl -intranetIP 172.168.1.1 255.255.255.0
    bind vpn vserver vpn_ssl -intranetIP 172.168.2.1 255.255.255.0

    In this case, the CLI or the GUI while showing vpn vserver vpn_ssl only displays 172.168.2.1 pool and not 172.168.2.2.

    [ NSHELP-29084 ]

Citrix Web App Firewall

  • A standalone Citrix ADC appliance or the secondary mode in an HA setup might crash if you configure a signature object for Citrix Web App Firewall on the following software versions:

    • 13.0 build 88.5 and later
    • 13.1 build 33.41 and later

    [ NSHELP-33250 ]

  • A WAF signature update fails when a proxy server and a proxy port are configured. During the signature auto-update process hourly run, the ADC appliance contacts the auto-update host for downloading the updated files instead of going through the configured proxy server and proxy port. As a result, an update failure is seen when the auto-update host is not reachable.

    [ NSHELP-32613 ]

  • The Citrix ADC appliance might crash if the following conditions are met:

    • There is a high load on the appliance.
    • Configuration changes are being done.
    • Signature deletion takes a long time.

    [ NSHELP-32454 ]

  • Bot device fingerprint session replay attacks are logged rather than dropped.

    [ NSHELP-31949 ]

Load Balancing

  • Any changes to the service group result in cookie hash changes when useencryptedPersistenceCookie option is enabled in the set lb param command.

    [ NSHELP-32697 ]

  • In rare cases, a Citrix ADC appliance might crash and generate a core dump when SSL session ID based persistence and SSL session ticket based processing are enabled on a content switching virtual server.

    [ NSHELP-32228 ]

  • The LDAP monitor status remains up even if the configured attributes are not present on the server.

    [ NSHELP-32025 ]

Miscellaneous

  • A cluster node goes into a packet loop when the following conditions are met:

    • A UDP packet with a destination IP address as CLIP is sent to a cluster node.
    • The CCO has changed from one node to another during the lifespan of the cluster instance.

    [ NSHELP-30804 ]

Networking

  • Citrix ADC CPX fails to recover the default route configuration after a crash when you use the file-based startup configuration with ConfigMaps. This behavior results in losing connectivity.

    [ NSNET-27124 ]

  • The Citrix ADC appliance might add an incorrect IP checksum to the IP header of the UDP packets.

    [ NSHELP-32587 ]

  • In a Citrix ADC BLX cluster setup, VTYSH might fail to start if the following condition is met:

    • The Linux host is restarted causing order looping of the Citrix ADC BLX Route Health Injection (RHI) process.

    [ NSHELP-32473 ]

  • When you remove a virtual server, the Citrix ADC appliance incorrectly sets the related VIP RHI state to DOWN if the following conditions are met:

    • The virtual server has backup virtual servers.
    • The virtual server is in DOWN state and at least one backup virtual server is in UP state.

    [ NSHELP-29972 ]

Platform

  • A Citrix ADC appliance running on an AMD processor might crash during boot up, when you upgrade the software version to release 13.1 build 30.x.

    [ NSPLAT-24968, NSHELP-32808 ]

  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.

    [ NSPLAT-22013 ]

  • When a Citrix ADC SDX appliance containing Mellanox NICs is upgraded from a build where VLAN filtering is disabled and the Management Service tries to disable VLAN filtering as part of the upgrade, the operation fails. As a result, VLAN filtering is enabled for all the interfaces and channels.

    [ NSHELP-32759 ]

Policies

  • A Citrix ADC appliance might crash during policy addition with patset when the following condition is met:

    • The flag associated with NSB is set in the wrong order for Rewrite TCP scenario.

    [ NSHELP-31064 ]

SSL

  • When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal “decode_error” alert instead of an “unexpected_message” alert.

    [ NSSSL-11890 ]

  • On Citrix ADC MPX and SDX platforms with Intel QAT-enabled crypto acceleration hardware, the SOURCEIP persistence type is applied inconsistently to requests sent to virtual servers over TLS 1.3 connections. That is, requests sent from a single source IP address might be distributed to multiple different back-end servers.

    [ NSHELP-32410, NSHELP-32895, NSHELP-32572, NSHELP-32688 ]

  • A Citrix ADC appliance containing a Cavium SSL card might crash while sending a DTLS ALERT message to the client.

    [ NSHELP-32031 ]

  • A Citrix ADC appliance might crash if the certificate authentication rule is evaluated and triggered twice on the same request.

    [ NSHELP-31785 ]

System

  • You can enable AppFlow feature in the admin partition only after enabling ULFD mode in the default partition.

    [ NSHELP-32670 ]

  • The Citrix ADC appliance might treat an HTTP request as an invalid request when a partial HTTP request method is present in an incoming TCP segment.

    [ NSHELP-32462 ]

  • A Citrix ADC appliance might crash if the following condition is met:

    • During high memory usage combinations of HTTP2 and SSL, the Citrix ADC appliance fails to allocate memory.

    [ NSHELP-32255 ]

  • A Citrix ADC appliance crashes in a VPN setup when the nstrace packet capture is started with IP or PORT filters.

    [ NSHELP-31790 ]

  • A gRPC client fails to parse the gRPC status header, when the following condition is met:

    • The gRPC status header is added both in the leading header and the trailing header instead of adding only in the trailing header.

    [ NSHELP-31640 ]

  • With SACK enabled, the Citrix ADC appliance does not retransmit the last one byte TCP segment in the retransmission list because of the following reason: the appliance uses the last one byte TCP segment as a dummy segment to mark the end of the retransmission list.

    [ NSHELP-28778 ]

User Interface

  • You cannot bind a GSLB service to a GSLB virtual server using the Citrix ADC GUI as the GSLB services list under GSLB Service Group Binding> GSLB Service Binding > GSLB Services shows empty.

    [ NSHELP-32236 ]

  • Modifying a static route by using the Citrix ADC GUI (system > network > routes) might incorrectly fail with the following error message:

    • “Required argument missing [gateway]”

    [ NSHELP-32024 ]

  • In an HA / Cluster setup, configuration synchronization fails if you have configured SSH keys other than RSA. For example, ECDSA or DSA keys.

    [ NSHELP-31675 ]

  • In the Citrix ADC GUI, if there is an existing SNMP trap destination under System>SNMP>Traps, editing that destination fails with the following error message:

    • “Error in retrieving SNMP trap”

    [ NSHELP-31661 ]

  • The Citrix ADC appliance GUI does not display the correct count of the configured SAML and OAuth IDP policies.

    [ NSHELP-31480 ]

  • In a Citrix ADC appliance, while using the GUI interface, the following issue is seen on the responder policy page:

    • The custom created responder policies might be displayed under the built-in responder policies.

    [ NSHELP-31428 ]

  • In a Citrix ADC HA setup, the following issue is observed in the Citrix ADC GUI after saving a configuration and clicking the refresh button:

    • The GUI incorrectly shows the orange dot on the Save button even when no unsaved configuration changes are present on the appliance.

    [ NSHELP-30031 ]

  • GSLB virtual server statistics are not available in admin partition mode.

    [ NSHELP-28524 ]

  • A Citrix ADC appliance that has checked out licenses from Citrix ADM goes to grace period when the appliance disconnects from ADM. The appliance appears unlicensed in ADM and continues in the grace period even after it reconnects to ADM.

    [ NSCONFIG-7098 ]

Known Issues

The issues that exist in release 13.1-33.54.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • Gateway authentication via CWA client or native VPN clients might fail because of missing strings in the ns_aaa_relaystate_param_whitelist patset.

    Workaround:

    bind policy patset ns_aaa_relaystate_param_whitelist "citrixauthwebviewdone://" -index 1 -charset ASCII

    bind policy patset ns_aaa_relaystate_param_whitelist "citrixsso://" -index 2 -charset ASCII

    bind policy patset ns_aaa_relaystate_param_whitelist "citrixng://" -index 3 -charset ASCII

    [ NSHELP-33054 ]

  • The Citrix ADC appliance drops the charset suffix in Content-Type header and sends Content-Type: application/x-www-form-urlencoded if you have configured both of the following.

    • SSO form based authentication
    • nsapimgr knob - nsapimgr_wr.sh -ys call=ns_formsso_use_ctype_simple_enable knob

    [ NSHELP-31977 ]

  • You might experience issues during logout if SAML authentication is configured.

    [ NSHELP-31962 ]

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

    [ NSAUTH-5916 ]

  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance crashes when the cached content is served to the clients.

    [ NSHELP-31760 ]

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.

    [ NSHELP-21992 ]

Citrix Gateway

  • The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges. This issue is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance.

    [ NSHELP-32793 ]

  • When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

    [ NSHELP-32510 ]

  • On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.

    [ NSHELP-32144 ]

  • Users cannot log on to VPN because of intermittent EPA failures.

    [ NSHELP-32138 ]

  • nFactor authentication with an optional client certificate fails when there are no appropriate client certificates on the device.

    [ NSHELP-32127 ]

  • The Citrix Gateway appliance might crash if HDX Insight is enabled.

    [ NSHELP-32120 ]

  • In a cluster setup, the Citrix ADC appliance crashes while sending the CGP_FINISH_REQUEST request to the client.

    [ NSHELP-32029 ]

  • When UDP sessions are launched, stale connections appear to exist even after closing the sessions. However, these are not actual stale connections but an issue with the counter.

    [ NSHELP-32009 ]

  • In some cases, empty proxy settings in Citrix Gateway release 13.0 or 13.1 causes Citrix SSO to create improper proxy settings.

    [ NSHELP-31970 ]

  • Debug logging control for Citrix Secure Access client is now independent of Citrix Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.

    [ NSHELP-31968 ]

  • The Home Page link on the Citrix Secure Access UI does not work if Microsoft Edge is the default browser.

    [ NSHELP-31894 ]

  • When a user logs on to the Citrix ADC appliance and if Citrix Workspace is not installed, the link to download Citrix Workspace incorrectly points to Citrix Receiver.

    [ NSHELP-31877 ]

  • Gateway Insight authentication failure records display the user name as “Anonymous” when NOAUTH is configured as the first factor and second factor authentication fails due to invalid credentials. This issue occurs only if the configuration is performed by using the nFactor visualizer because the first factor is configured as NOAUTH, by design in nFactor visualizer.

    [ NSHELP-31795 ]

  • Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.

    [ NSHELP-31598 ]

  • Customized EPA failure log message is not displayed on the Citrix Gateway portal. Instead, the message “internal error” is displayed.

    [ NSHELP-31434 ]

  • Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always-On service mode. The machine tunnel does not transition to the user tunnel and the message “Connecting…” is displayed in the VPN plug-in UI.

    [ NSHELP-31357, CGOP-21192 ]

  • The policy-based routing (PBR) policies do not take effect for DNS traffic over VPN.

    [ NSHELP-31123 ]

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [ NSHELP-30662 ]

  • Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway`.

    [ NSHELP-30236 ]

  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

    HKLMSoftwareCitrixSecure Access ClientSecureChannelResetTimeoutSeconds
    Type: DWORD

    By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [ NSHELP-30189 ]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [ NSHELP-29675 ]

  • While configuring the IIP pool (IP address and mask), if the IP address doesn’t match the first IP address in the range, the Citrix ADC CLI and GUI displays only one block and not all.

    Example:
    bind vpn vserver vpn_ssl -intranetIP 172.168.1.1 255.255.255.0
    bind vpn vserver vpn_ssl -intranetIP 172.168.2.1 255.255.255.0

    In this case, the CLI or the GUI while showing vpn vserver vpn_ssl only displays 172.168.2.1 pool and not 172.168.2.2.

    Workaround : Use the first IP address in the range to configure the IIP blocks.

    Example:

    bind vpn vserver vpn_ssl -intranetIP 172.168.1.0 255.255.255.0
    bind vpn vserver vpn_ssl -intranetIP 172.168.2.0 255.255.255.0

    [ NSHELP-29084 ]

  • In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

    [ NSHELP-28942 ]

  • You might notice some Citrix internal IP addresses in the rdx.js file.

    [ NSHELP-28682 ]

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]

  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]

  • EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]

  • VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication “off”

    [ NSHELP-23584 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • The “show vpn icaconnection” command does not display the serial numbers of the ICA connections correctly. This issue occurs because the serial number is reset arbitrarily when the “show vpn icaconnection” command is run.

    [ CGOP-22205 ]

  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]

  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]

  • When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

    [ CGOP-13494 ]

  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

    [ CGOP-13493 ]

  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]

  • The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Citrix Web App Firewall

  • Sometimes, Citrix Web App Firewall takes a long time to detect the command injection. As a result, Pitboss restarts the Citrix ADC appliance.

    [ NSHELP-32654 ]

  • Bot device fingerprint session replay attacks are logged rather than dropped.

    [ NSHELP-31949 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • The Citrix ADC appliance does not respond with the correct service IP address for GSLB domain query if the following settings are configured on the GSLB virtual server:

    1. ECS option is enabled.
    2. Static proximity is configured as the load balancing method.

    [ NSHELP-32879 ]

  • A Citrix ADC appliance might crash and dump core if the user monitor script returns a response with more than 1024 bytes.

    [ NSHELP-32097 ]

  • The LDAP monitor status remains up even if the configured attributes are not present on the server.

    [ NSHELP-32025 ]

  • Due to a rare race condition, there might be inconsistencies between the local site and the remote site. This inconsistency might be due to the remote site not learning the dynamic member from the local site.

    The removal of dynamic members on the remote site might be unsuccessful due to an issue while communicating between packet engines.

    [ NSHELP-31982 ]

  • SNMP WALK requests corresponding to the vserverAdvanceSslConfigTable OID result in a core dump when the priority order of virtual servers is configured.

    [ NSHELP-31704 ]

  • The serviceGroupName format in the entityofs trap for the service group is as follows:
    <service(group)name>?<ip/DBS>?<port>

    In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (“?”) is used as a separator. The Citrix ADC sends the trap with the question mark (“?”). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

    [ NSHELP-28080 ]

  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the “set urlfiltering parameter” command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the “TimeOfDayToUpdateDB” parameter.

    [ NSSWG-849 ]

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [ NSHELP-31836 ]

  • A cluster node goes into a packet loop when the following conditions are met:

    • A UDP packet with a destination IP address as CLIP is sent to a cluster node.
    • The CCO has changed from one node to another during the lifespan of the cluster instance.

    Workaround: You can avoid or terminate this packet loop by applying a drop ACL for that specific UDP packet with the destination IP address as the CLIP address.

    [ NSHELP-30804 ]

  • A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

    [ NSHELP-22409 ]

Networking

  • In a Citrix ADC BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This is observed as it is a known issue present on the DPDK driver.

    [ NSNET-25299 ]

  • A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

    • The Citrix ADC BLX appliance is allocated with a low number of “hugepages”. For example, 1G.
    • The Citrix ADC BLX appliance is allocated with a high number of worker-process. For example, 28.

    The issue is logged as an error message in “/var/log/ns.log”:

    • “BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x”

    Note: x is a number <= number of worker-processes.

    Workaround: Allocate a high number of “hugepages” and then restart the appliance.

    [ NSNET-25173 ]

  • A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

    [ NSNET-24449 ]

  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset

    [ NSNET-16559 ]

  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    “The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg –add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386

    [ NSNET-14602 ]

  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]

  • With ECMP configured on a Citrix ADC appliance, the following issue might be observed for an SSH load balancing connection:

    • The Citrix ADC appliance sends the first packet through a different route than for the rest of the packets of the same flow.

    [ NSHELP-32089 ]

  • The Citrix ADC appliance might crash in some scenarios when the following conditions are met:

    • The Citrix ADC appliance receives multiple first fragments with different offsets.
    • The Citrix ADC appliance does not reassemble the fragments.

    [ NSHELP-32084 ]

  • In a load balancing configuration with “sessionless” option enabled on the virtual server and ECMP on the server side, the following issue might be observed:

    • The Citrix ADC appliance sends the packets to a server always through the same route.

    [ NSHELP-32061 ]

  • The Citrix ADC appliance might crash if all of the following conditions are met:

    • TTL-based ACL times out
    • The Citrix ADC appliance has a large number of ACLs configured.

    [ NSHELP-31307 ]

  • When you remove a virtual server, the Citrix ADC appliance incorrectly sets the related VIP RHI state to DOWN if the following conditions are met:

    • The virtual server has backup virtual servers.
    • The virtual server is in DOWN state and at least one backup virtual server is in UP state.

    [ NSHELP-29972 ]

  • When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

    [ NSHELP-21082 ]

Platform

  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.

    [ NSPLAT-22013 ]

  • When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

    • 13.1-4.x
    • 13.0-82.31 and later
    • 12.1-62.21 and later

    The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier

    [ NSPLAT-21691 ]

  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the “rm cloudprofile” command to delete the profile.

    [ NSPLAT-4520 ]

  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

    [ NSPLAT-4451 ]

  • On the Citrix ADC SDX 8015/8400/8600 platform, you might see increased memory consumption on Xen Server.
    Workaround: Run the following command on Xen Server, and then reboot the appliance.
    /opt/xensource/libexec/xen-cmdline –set-xen “dom0_mem=1024M,max:1024M”

    [ NSHELP-32260 ]

  • From Citrix ADC release 13.1 onwards, the Citrix ADC appliance fails to boot up in an ESXi hypervisor with more than 8 VMXNET3 network interfaces.

    [ NSHELP-31266 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

  • In a Citrix ADC appliance, the content switching policies that are migrated from classic policies to advanced policies using the NSPEPI tool might not work when the following conditions are met:

    • The policies are bound to the content switching vserver.
    • The “caseSensitive” parameter is set to OFF.

    [ NSHELP-31951 ]

  • A Citrix ADC appliance might crash during policy addition with patset when the following condition is met:

    • The flag associated with NSB is set in the wrong order for Rewrite TCP scenario.

    [ NSHELP-31064 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
    2. Save the configuration.

    [ NSSSL-9572 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]

  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

  • A Citrix ADC appliance containing a Cavium SSL card might crash while sending a DTLS ALERT message to the client.

    [ NSHELP-32031 ]

  • An SSL handshake might fail if the following sequence of conditions is met:

    1. Hello Verify Request (HVR) is enabled on DTLS.
    2. The Citrix ADC appliance sends an HVR to the client.
    3. The client does not receive the HVR.
    4. The client tries to retransmit the first client hello instead of responding to the HVR with a session cookie.

    Note: In response to the retransmitted client hello message, the ADC appliance sends the HVR to the client a maximum of three times. If a proper response is not received, the appliance fails the handshake.

    [ NSHELP-31808 ]

  • A Citrix ADC appliance might crash if the certificate authentication rule is evaluated and triggered twice on the same request.

    [ NSHELP-31785 ]

  • The Citrix ADC GUI, accessed through a Cluster IP (CLIP) address, does not display server certificate bindings to an SSL virtual server.

    [ NSHELP-31602 ]

  • OCSP response verification might fail during SSL interception if a valid CA certificate is not present in the default certificate bundle. The failure happens because the OCSP response verification was incorrectly done using the default certificate bundle instead of the configured certificate bundle.

    [ NSHELP-30594 ]

  • A Citrix ADC appliance might crash when processing SSL traffic in software mode.

    [ NSHELP-29996 ]

System

  • In a Citrix ADC appliance, the header modification framework results in memory corruption. This condition occurs when the cookies that are to be consumed by the Citrix ADC appliance are deleted in a particular sequence before it is forwarded.

    [ NSHELP-32799 ]

  • In a Citrix ADC appliance, the default value of the “maxHeaderFieldLen” parameter in the HTTP profile causes the following issue.

    • Traffic failure after upgrading to 13.0 build.

    [ NSHELP-32079 ]

  • A Citrix ADC appliance might crash when AppFlow is enabled only on the client side.

    [ NSHELP-31892 ]

  • The Citrix ADC appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.

    [ NSHELP-31656 ]

  • A gRPC client fails to parse the gRPC status header, when the following condition is met:

    • The gRPC status header is added both in the leading header and the trailing header instead of adding only in the trailing header.

    [ NSHELP-31640 ]

  • High RTT is observed for a TCP connection if the following condition is met:

    • a high maximum congestion window (>4 MB) is set
    • TCP NILE algorithm is enabled

    For a Citrix ADC appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window

    So, until the maximum configured congestion window is reached, the Citrix ADC continues to accept data and ends up with high RTT.

    [ NSHELP-31548 ]

  • In a Citrix ADC appliance, the following issue is observed when enabling the HTTP/2 configuration for a content switching or load balancing virtual IP(VIP).

    • An increase in latency of up to 100 ms while forwarding the HTTP/2 header and data frames to the website through the Citrix ADC appliance.

    [ NSHELP-30094 ]

  • When using the content inspection feature, the Rewrite header insertion with payload might not work correctly.

    [ NSHELP-30088 ]

  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]

  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]

  • In a cluster deployment, if you run “force cluster sync” command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ NSBASE-16304, NSGI-1293 ]

  • When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround : Reboot the Management pod.

    [ NSBASE-15556 ]

  • Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]

User Interface

  • For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

    Workaround: Use the add or edit action command of type MQTT through the CLI.

    [ NSUI-18049 ]

  • In Citrix ADC GUI, the “Help” link present under the “Dashboard” tab is broken.

    [ NSUI-14752 ]

  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]

  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]

  • After you create a profile for Citrix Web App Firewall and try to generate the configuration report of the application firewall in System > Reports, the following error appears:

    “Failed to load PDF document.”

    [ NSHELP-32469 ]

  • In a High Availability (HA) setup, while fetching the local IP address for the nsconf tool, the following issue is observed.

    • Local host connection login failure. This failure happens if the RPC node password is different for primary and secondary nodes in the HA setup.

    Workaround: In a HA setup, ensure the RPC node password for both the primary and secondary nodes are the same.

    [ NSHELP-32083 ]

  • In Citrix ADC release 13.0, the OK button on the Configure Priority Load Balancing Virtual Server Service page is grayed out.

    [ NSHELP-32007 ]

  • The Citrix ADC appliance login page might not display the valid user name after the user has logged in.

    [ NSHELP-31759 ]

  • In an HA / Cluster setup, configuration synchronization fails if you have configured SSH keys other than RSA. For example, ECDSA or DSA keys.

    [ NSHELP-31675 ]

  • In the Citrix ADC GUI, if there is an existing SNMP trap destination under System>SNMP>Traps, editing that destination fails with the following error message:

    • “Error in retrieving SNMP trap”

    [ NSHELP-31661 ]

  • The Citrix ADC appliance GUI does not display the correct count of the configured SAML and OAuth IDP policies.

    [ NSHELP-31480 ]

  • In a Citrix ADC appliance, while using the GUI interface, the following issue is seen on the responder policy page:

    • The custom created responder policies might be displayed under the built-in responder policies.

    [ NSHELP-31428 ]

  • In a Citrix ADC HA setup, the following issue is observed in the Citrix ADC GUI after saving a configuration and clicking the refresh button:

    • The GUI incorrectly shows the orange dot on the Save button even when no unsaved configuration changes are present on the appliance.

    [ NSHELP-30031 ]

  • GSLB virtual server statistics are not available in admin partition mode.

    [ NSHELP-28524 ]

  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

    Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

    [ NSHELP-25598 ]

  • In a high availability setup of Citrix ADC BLX appliances, the primary node might become unresponsive blocking any CLI or API request.

    Workaround: Restart the primary node.

    [ NSCONFIG-6601 ]

  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds
      • 13.0 52.24 build
      • 12.1 57.18 build
      • 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.

    [ NSCONFIG-3188 ]

Release Notes for Citrix ADC 13.1-33.54 Release