Citrix ADC

Release Notes for Citrix ADC 13.1-37.38 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1-37.38.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The Citrix ADC SDX bundle build 13.1-37.39 replaces build 13.1-37.38.

What’s New

The enhancements and changes that are available in Build 13.1-37.38.

Citrix ADC SDX Appliance

  • Enhancement in the upgrade process

    In a Citrix ADC SDX appliance, the upgrade process now requires a single reboot instead of two reboots.

    [ NSSVM-5299 ]

  • Removal of third-party instances support from SDX UI

    A Citrix ADC SDX appliance no longer supports third-party instances from the UI. The Third-Party Instances view is removed from the Configuration tab in the SDX UI.

    Workaround: If you still want to use the third-party instances in the Management Service, use the following procedure.

    1. Log on to the Management Service shell.
    2. Create a file “.thirdPartyVM” in the “/mpsconfig” directory.
    3. Restart the Management Service by running the svmd restart command in the Management Service shell.

    [ NSSVM-5229 ]

Citrix Gateway

  • Support for HttpOnly flag on authentication cookies

    The HttpOnly flag is now supported on the authentication cookies used in VPN scenarios, that is, the NSC_AAAC and NSC_TMAS cookies. The NSC_TMAS authentication cookie is used during nFactor authentication, and the NSC_AAAC cookie is used for the authenticated session. The HttpOnly flag on a cookie prevents JavaScript from reading the cookie through document.cookie. This helps prevent cookie theft through cross-site scripting.

    [ CGOP-14004 ]
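
    One way to confirm after the upgrade that the gateway sets HttpOnly on the NSC_TMAS and NSC_AAAC cookies is to audit the Set-Cookie headers of a captured response. This is an added example, not Citrix code; the sample responses, cookie values, and function names are constructed for illustration.

```python
"""Audit Set-Cookie headers for HttpOnly on the Gateway authentication cookies."""

# Cookie names taken from the release note above.
AUTH_COOKIES = {"NSC_TMAS", "NSC_AAAC"}

# Constructed sample: response headers without the flag (pre-upgrade behaviour).
# The NSC_AAAC value contains the text "HttpOnly" to show that only real
# attributes count, not a look-alike string inside the cookie value.
SAMPLE_WITHOUT_FLAG = """HTTP/1.1 302 Object Moved
Location: /vpn/index.html
Set-Cookie: NSC_TMAS=constructed-value-1;Path=/;Secure
Set-Cookie: NSC_AAAC=constructed-HttpOnly-lookalike;Path=/;Secure
Set-Cookie: example_pref=0;Path=/
"""

# Constructed sample: the same cookies with the flag present. Attribute names
# are case-insensitive, so "httponly" must be accepted as well.
SAMPLE_WITH_FLAG = """HTTP/1.1 302 Object Moved
Location: /vpn/index.html
Set-Cookie: NSC_TMAS=constructed-value-1; Path=/; Secure; HttpOnly
Set-Cookie: NSC_AAAC=constructed-value-2;Path=/;Secure;httponly
Set-Cookie: example_pref=0;Path=/
"""


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, cookie_value, attributes).

    Only the parts after the first ';' are attributes, so text inside the
    cookie value can never be mistaken for a flag.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_response(raw_headers):
    """Return {cookie_name: has_httponly} for each auth cookie in the response.

    A cookie set more than once is reported as protected only if every
    Set-Cookie line for it carries HttpOnly.
    """
    result = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name in AUTH_COOKIES:
            has_flag = "httponly" in attrs
            result[name] = result.get(name, True) and has_flag
    return result


def missing_httponly(raw_headers):
    """Return the sorted names of auth cookies that were set without HttpOnly."""
    return sorted(n for n, ok in audit_response(raw_headers).items() if not ok)


if __name__ == "__main__":
    for label, sample in (("without flag", SAMPLE_WITHOUT_FLAG),
                          ("with flag", SAMPLE_WITH_FLAG)):
        gaps = missing_httponly(sample)
        print(f"{label}: {'OK' if not gaps else 'missing HttpOnly on ' + ', '.join(gaps)}")
```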

Load Balancing

  • Configure auto delayed TROFS state

    You can configure graceful movement of members in a service group to the TROFS state when IP addresses are removed from the DNS response. When auto delayed TROFS is enabled, Citrix ADC waits for the highest response timeout across all monitors attached to the service group before moving the members to the TROFS state.

    For more information, see Configure automatic domain based service group scaling.

    [ NSLB-9371 ]

Networking

  • DPDK support for Citrix ADC BLX appliances on AMD processor-based Linux hosts

    Citrix ADC BLX appliances on AMD processor-based Linux hosts now support DPDK. The appliance automatically detects the specified DPDK-compatible NIC ports on the Linux host. The appliance then initializes them in DPDK mode. After starting the Citrix ADC BLX appliance, the DPDK ports are added as dedicated ports to the appliance.

    Instead of specifying one or more DPDK-compatible NIC ports in the “blx.conf” file, you must specify all the DPDK-compatible NIC ports that are part of the same IOMMU group. Otherwise, the DPDK-compatible NIC ports are added as non-DPDK dedicated ports to the Citrix ADC BLX appliance.

    [ NSNET-19219 ]

Platform

  • Improved performance for shared-core instances in GCP

    In a Citrix ADC VPX instance, the CPU yield parameter is enabled by default for the shared-core instances in GCP. This provides a better performance in GCP for the shared-core instances. For more information on shared-core machine types on GCP, see Google cloud documentation.

    In an ADC HA setup with shared-core instances in GCP, you see the following warning message on login:

    For high performance and high availability, we recommend moving away from a shared-core machine to a general purpose or compute/memory-optimized instance types on Google Cloud Platform.

    [ NSPLAT-23748 ]

  • Support for Citrix ADC VPX instance on Azure Dv5-series

    The Citrix ADC VPX instance on Azure cloud can now run on the Azure Dv5-series virtual machines.

    [ NSPLAT-22730 ]

  • Support for Citrix ADC MPX 16000 platform

    This release supports the Citrix ADC MPX 16000 platform. This platform has two 16-core processors and 128 GB (16 x 8 GB DIMM) of memory. The appliance provides a total of eight 25G SFP+ ports and four 100G QSFP28 Ethernet ports.
    For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/mpx/netscaler-hardware-platforms/mpx-16000.html.

    [ NSPLAT-25436 ]

  • Support for Citrix ADC SDX 16000 platform

    This release supports the Citrix ADC SDX 16000 platform. This platform has two 16-core processors and 256 GB (16 x 16 GB DIMM) of memory. The appliance provides a total of eight 25G SFP+ ports and four 100G QSFP28 Ethernet ports.
    For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-16000.html.

    [ NSPLAT-21608 ]

SSL

  • Support for recurrent notifications until certificate expiry

    The Citrix ADC appliance now sends one notification per day until the certificate expires. Earlier, only one notification was sent a set number of days before the certificate expired.

    [ NSSSL-11874 ]

System

  • SNMP alarm for alerting syslog connection failure

    A new SNMP alarm “syslogConnectionDropped” has been introduced to the Citrix ADC appliance for alerting about network connection failure to an external syslog server.

    [ NSBASE-16823 ]

User Interface

  • When you upload one or more license files with different Subscription Advantage dates, Citrix ADM cannot merge them into a single pool. As a result, a Citrix ADC instance cannot check out the capacity if it exceeds the limit of any license file.

    [ NSCONFIG-6590, NSHELP-30854 ]

Fixed Issues

The issues that are addressed in Build 13.1-37.38.

AppFlow

  • With AppFlow configured, the Citrix ADC appliance resets a TCP connection if the appliance receives an empty HTTP chunked response from the back-end server.

    This issue occurs when the “clientSideMeasurements” parameter is enabled for the related AppFlow action.

    [ NSHELP-32250 ]

Authentication, authorization, and auditing

  • The NO_AUTHN authentication action does not persist after a Citrix ADC appliance is rebooted if the appliance has the Standard Edition license.

    [ NSHELP-32522 ]

  • In a Citrix Gateway GSLB setup, a proxy connection looping between the GSLB sites might be detected if the following conditions are met:

    • All the GSLB sites are not on the same version.
    • Citrix Gateway is configured with advanced authentication.

    [ NSHELP-32487 ]

  • The Citrix ADC appliance drops the charset suffix in the Content-Type header and sends Content-Type: application/x-www-form-urlencoded if you have configured both of the following:

    • SSO form based authentication
    • The nsapimgr knob: nsapimgr_wr.sh -ys call=ns_formsso_use_ctype_simple_enable

    [ NSHELP-31977 ]

  • You might experience issues during logout if SAML authentication is configured.

    [ NSHELP-31962 ]

  • Single sign-on (SSO) fails if SSO is enabled for the traffic that does not have the required bearer token to handle SSO.

    [ NSHELP-31362 ]

Caching

  • A Citrix ADC appliance crashes when the cached content is served to the clients.

    [ NSHELP-31760 ]

  • A Citrix ADC appliance might crash if the “Max_age” and “s_maxage” parameter values are not set dynamic in the cache control block.

    [ NSHELP-27758 ]

Citrix ADC SDX Appliance

  • In the Citrix ADC SDX appliance GUI, when a user added a failure object for an event rule, the input fields were vulnerable to stored cross-site scripting. To prevent this issue, the input fields are now sanitized to ensure that the user input is valid.

    [ NSHELP-32600 ]

Citrix Gateway

  • The Citrix ADC appliance crashes if either or both Gateway Insight and Web Insight features are enabled.

    [ NSHELP-33345, NSHELP-33347 ]

  • Sometimes, RDP proxy does not work in the presence of a connection broker.

    [ NSHELP-33063 ]

  • Applications might fail to launch through Citrix Gateway because of port exhaustion in the Citrix Gateway appliance.

    [ NSHELP-32418 ]

  • The Citrix Gateway appliance configured for clientless VPN access might crash while processing a dummy session.

    [ NSHELP-32399 ]

  • The Citrix Gateway appliance might crash if HDX Insight is enabled.

    [ NSHELP-32120 ]

  • When UDP sessions are launched, stale connections appear to exist even after closing the sessions. However, these are not actual stale connections but an issue with the counter.

    [ NSHELP-32009 ]

  • When a user logs on to the Citrix ADC appliance and if Citrix Workspace is not installed, the link to download Citrix Workspace incorrectly points to Citrix Receiver.

    [ NSHELP-31877 ]

  • Gateway Insight authentication failure records display the user name as “Anonymous” when NOAUTH is configured as the first factor and second factor authentication fails due to invalid credentials. This issue occurs only if the configuration is performed by using the nFactor visualizer because the first factor is configured as NOAUTH, by design in nFactor visualizer.

    [ NSHELP-31795 ]

  • The “show vpn icaconnection” command does not display the serial numbers of the ICA connections correctly. This issue occurs because the serial number is reset arbitrarily when the “show vpn icaconnection” command is run.

    [ CGOP-22205 ]

Citrix Web App Firewall

  • A standalone Citrix ADC appliance or the secondary mode in an HA setup might crash if you configure a signature object for Citrix Web App Firewall on the following software versions:

    • 13.0 build 88.5 and later
    • 13.1 build 33.41 and later

    [ NSHELP-33250 ]

  • Memory leak occurs in a Citrix ADC appliance when you set cookieHijackingAction to block, log, or stats.

    [ NSHELP-33187 ]

  • In Citrix Web App Firewall, when you provide the content-type header with a protocol (application/pkcs7-signature), it incorrectly parses the header. As a result, the firewall blocks the valid requests.

    [ NSHELP-32844 ]

  • Some of the relaxation rules are not imported while restoring a WAF profile.

    [ NSHELP-32729 ]

  • Sometimes, Citrix Web App Firewall takes a long time to detect the command injection. As a result, Pitboss restarts the Citrix ADC appliance.

    [ NSHELP-32654 ]

  • Legitimate cookies are placed in the log while displaying duplicate cookie violation logs.

    [ NSHELP-32369 ]

Load Balancing

  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]

Miscellaneous

  • The Citrix ADC appliance sets the buffer size for the web server logging feature to an incorrect default value of 3MB instead of 16MB.

    [ NSHELP-32429 ]

Networking

  • In a Citrix BLX cluster setup, the following operations fail without any error message:

    • Clearing the configuration at force basic level (“clear config -force basic”)
    • Clearing the configuration at force extended level (“clear config -force extended”)
    • Clearing the configuration at force extended+ level (“clear config -force extended+”)

    [ NSNET-27132 ]

  • In a high availability setup, the primary node might crash due to memory corruption while clearing a large number of LSN sessions.

    [ NSHELP-32467 ]

  • The Citrix ADC appliance might crash if all of the following conditions are met:

    • TTL-based ACL times out
    • The Citrix ADC appliance has a large number of ACLs configured.

    [ NSHELP-31307 ]

Platform

  • When you disable the Mellanox interface on a Citrix ADC MPX appliance, the peer switch that is linked to the interface is shown in Link Up state instead of being in Link Down state.

    [ NSPLAT-24422 ]

  • The Citrix ADC VPX instance drops packets from a client if both of the following conditions are met:

    • The VPX instance is hosted on VMware Cloud on AWS using a VMXNET3 adapter.
    • The VMXNET3 adapter fails to generate the RSS hash for the packet.

    [ NSHELP-33150 ]

Policies

  • In a Citrix ADC appliance, the content switching policies that are migrated from classic policies to advanced policies using the NSPEPI tool might not work when the following conditions are met:

    • The policies are bound to the content switching vserver.
    • The “caseSensitive” parameter is set to OFF.

    [ NSHELP-31951 ]

SSL

  • A Citrix ADC appliance might crash during a TLS 1.3 handshake when a virtual server is configured to use private keys stored in Azure Key Vault.

    [ NSHELP-32451 ]

  • A Citrix ADC appliance crashes if the following conditions are met:

    • A client sends another client hello before the handshake is complete.
    • The request contains some special set of ciphers in the first client hello.

    [ NSHELP-32422 ]

  • The Citrix ADC GUI, accessed through a Cluster IP (CLIP) address, does not display server certificate bindings to an SSL virtual server.

    [ NSHELP-31602 ]

  • OCSP response verification might fail during SSL interception if a valid CA certificate is not present in the default certificate bundle. The failure happens because the OCSP response verification was incorrectly done using the default certificate bundle instead of the configured certificate bundle.

    [ NSHELP-30594 ]

System

  • When a Citrix ADM server receives large HTTP traffic with unique URLs, it consumes high memory. As a result, the Citrix ADM server becomes inaccessible.

    [ NSHELP-32922 ]

  • In a Citrix ADC appliance, the header modification framework results in memory corruption. This condition occurs when the cookies that are to be consumed by the Citrix ADC appliance are deleted in a particular sequence before it is forwarded.

    [ NSHELP-32799 ]

  • VPN authentication fails when PATCH method is used in the HTTP request. This issue occurs because the HTTP PATCH method is recognized as an unknown method for authentication.

    [ NSHELP-32214 ]

  • When using the content inspection feature, the Rewrite header insertion with payload might not work correctly.

    [ NSHELP-30088 ]

User Interface

  • The Management Service license page does not refresh the pooled license information when you visit the license node or refresh it. Instead, the pooled license information is refreshed only when you log out and log in again.

    [ NSHELP-33203 ]

  • When a user views the binding on a content switching policy, the content switching virtual server details are not displayed in the same row under Show Bindings.

    [ NSHELP-33149 ]

  • When a user binds a traffic policy to a content switching or a load balancing virtual server, the binding details do not appear in the GUI.

    [ NSHELP-32751 ]

  • Upgrading or downgrading a Citrix ADC appliance to one of the following builds by using the Citrix ADC GUI might fail:

    • Release 13.1 build 30.52
    • Release 13.1 build 27.59

    [ NSHELP-32673 ]

  • The following error is displayed while creating or editing a virtual server with DNS and DNS_TCP protocol hosted on a custom partition using the Citrix ADC GUI:

    Error: Invalid object name [lbvserver_scpolicy_binding]

    [ NSHELP-32534 ]

  • The following issues are seen in the Citrix ADC GUI:

    • Using the Citrix ADC GUI, if a server certificate is bound to an SSL virtual server, the certificate binding does not appear in the GUI. The CA certificate bindings appear as usual on the GUI.
    • Clicking the hide button for the built-in responder policies also hides the manually created responder policies.

    In a cluster setup, the following additional issues are seen in the Citrix ADC GUI:

    • Binding a cipher group to an internal service fails with an error.
    • The built-in rewrite actions are not hidden in the GUI.

    [ NSHELP-32499 ]

  • In a Citrix ADC appliance with admin partitions, the “ns” parameter setting inside the partition is lost after a reboot. This condition occurs due to the wrong built-in configuration.

    [ NSHELP-32486 ]

  • The Citrix ADC appliance login page might not display the valid user name after the user has logged in.

    [ NSHELP-31759 ]

  • In a high availability setup, the encrypted configurations are lost on the secondary node after HA configuration synchronization.

    [ NSHELP-30897 ]

Known Issues

The issues that exist in release 13.1-37.38.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]

  • DUO authentication fails if the Content Security Policy (CSP) feature is enabled on the Citrix ADC appliance.

    [ NSAUTH-12687 ]

  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the Citrix ADC responder policies fail to detect errors for login failures.

    [ NSAUTH-11151 ]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank when you run the following command:
    show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. The command displays the proxy profile status.

    [ NSAUTH-5916 ]

  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.

    [ NSHELP-21992 ]

Citrix Gateway

  • The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges. This issue is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance.

    [ NSHELP-32793 ]

  • When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

    [ NSHELP-32510 ]

  • On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.

    [ NSHELP-32144 ]

  • In some cases, empty proxy settings in Citrix Gateway release 13.0 or 13.1 cause Citrix SSO to create improper proxy settings.

    [ NSHELP-31970 ]

  • Debug logging control for Citrix Secure Access client is now independent of Citrix Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.

    [ NSHELP-31968 ]

  • Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.

    [ NSHELP-31598 ]

  • Customized EPA failure log message is not displayed on the Citrix Gateway portal. Instead, the message “internal error” is displayed.

    [ NSHELP-31434 ]

  • Sometimes, the Windows auto logon does not work when a user logs in to the Windows machine in an Always-On service mode. The machine tunnel does not transition to the user tunnel and the message “Connecting…” is displayed in the VPN plug-in UI.

    [ NSHELP-31357, CGOP-21192 ]

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [ NSHELP-30662 ]

  • Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from fullAccess to onlyToGateway.

    [ NSHELP-30236 ]

  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

    HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
    Type: DWORD

    By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. The administrator must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [ NSHELP-30189 ]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [ NSHELP-29675 ]

  • You might notice some Citrix internal IP addresses in the rdx.js file.

    [ NSHELP-28682 ]

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]

  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]

  • EPA plug-in for Windows does not use local machine’s configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]

  • VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication “off”

    [ NSHELP-23584 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • In a Citrix ADC cluster setup, HDX Insight and Gateway Insight cannot be enabled simultaneously.

    [ CGOP-22849 ]

  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]

  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]

  • When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

    [ CGOP-13494 ]

  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

    [ CGOP-13493 ]

  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]

  • The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • The serviceGroupName format in the entityofs trap for the service group is as follows:
    <service(group)name>?<ip/DBS>?<port>

    In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (“?”) is used as a separator. The Citrix ADC sends the trap with the question mark (“?”). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

    [ NSHELP-28080 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the “set urlfiltering parameter” command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the “TimeOfDayToUpdateDB” parameter.

    [ NSSWG-849 ]

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [ NSHELP-31836 ]

  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.

    [ NSHELP-22409 ]

Networking

  • In a Citrix ADC BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This is a known issue in the DPDK driver.

    [ NSNET-25299 ]

  • A Citrix ADC BLX appliance with DPDK might fail to restart if all of the following conditions are met:

    • The Citrix ADC BLX appliance is allocated with a low number of “hugepages”. For example, 1G.
    • The Citrix ADC BLX appliance is allocated with a high number of worker-process. For example, 28.

    The issue is logged as an error message in “/var/log/ns.log”:

    • “BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x”

    Note: x is a number <= number of worker-processes.

    Workaround: Allocate a high number of “hugepages” and then restart the appliance.

    [ NSNET-25173 ]

  • A Citrix ADC BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

    [ NSNET-24449 ]

  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset

    [ NSNET-16559 ]

  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    “The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386

    [ NSNET-14602 ]

  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]

  • When an admin partition memory limit is changed on a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the new memory limit of the admin partition.

    [ NSHELP-21082 ]

Platform

  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the “rm cloudprofile” command to delete the profile.

    [ NSPLAT-4520 ]

  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

    [ NSPLAT-4451 ]

  • On the Citrix ADC SDX 8015/8400/8600 platform, you might see increased memory consumption on Xen Server.
    Workaround: Run the following command on Xen Server, and then reboot the appliance.
    /opt/xensource/libexec/xen-cmdline --set-xen "dom0_mem=1024M,max:1024M"

    [ NSHELP-32260 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
    2. Save the configuration.

    [ NSSSL-9572 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:

    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]

  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

System

  • High RTT is observed for a TCP connection if the following conditions are met:

    • A high maximum congestion window (>4 MB) is set.
    • TCP NILE algorithm is enabled.

    For a Citrix ADC appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window.

    So, until the maximum configured congestion window is reached, the Citrix ADC continues to accept data and ends up with high RTT.

    [ NSHELP-31548 ]

  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]

  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]

  • In rare case scenarios, the streams that were created before HTTP/2 WebSocket stream was created might get terminated when the WebSocket’s server-side connection closes.

    This issue occurs because the Citrix ADC appliance does not support connection multiplexing for HTTP/2 WebSocket.

    Workaround: Disable connection multiplexing for the related HTTP2 profile by using the following command:

    set httpProfile <name> [-conMultiplex ( ENABLED | DISABLED )]

    [ NSBASE-17449 ]

  • In a cluster deployment, if you run “force cluster sync” command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ NSBASE-16304, NSGI-1293 ]

  • When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround: Reboot the Management pod.

    [ NSBASE-15556 ]

  • Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]

User Interface

  • For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.

    Workaround: Use the add or edit action command of type MQTT through the CLI.

    [ NSUI-18049 ]

  • In Citrix ADC GUI, the “Help” link present under the “Dashboard” tab is broken.

    [ NSUI-14752 ]

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]

  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]

  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

    Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

    [ NSHELP-25598 ]

  • In a high availability setup of Citrix ADC BLX appliances, the primary node might become unresponsive, blocking any CLI or API request.

    Workaround: Restart the primary node.

    [ NSCONFIG-6601 ]

  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:
      • 13.0 52.24 build
      • 12.1 57.18 build
      • 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see How to reset root administrator (nsroot) password.

    [ NSCONFIG-3188 ]
