Citrix ADC

Release Notes for Citrix ADC 13.1–4.43 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1–4.43.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The fixed issues section lists the fixes after release 13.0-82.x.

What’s New

The enhancements and changes that are available in Build 13.1–4.43.

Authentication, authorization, and auditing

Traversal from Root domain to Tree domain for Kerberos SSO authentication is supported

Traversal from Root domain to Tree domain is now supported during Kerberos SSO authentication for back-end server from Citrix ADC appliance. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/kerberos-single-sign-on/setup-citrix-adc-single-sign-on.html

[ NSAUTH-9836 ]

Bot Management

Verbose logging for Citrix ADC bot management

If incoming traffic is identified as a bot, the Citrix ADC appliance now enables you to configure the bot verbose logging functionality for logging additional HTTP header details, such as domain address, URL, user-agent header, and cookie header. The log details are then sent to the ADM server for monitoring and troubleshooting purpose. The verbose log message is not stored in the ns.log file.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html

[ NSBOT-273 ]

Citrix ADC SDX Appliance

Enhancements to the cluster formation page on a Citrix ADC SDX appliance

The following changes are made in the GUI in the Add Node to Cluster page. The system now prompts the user to add a SNIP address while adding a new node to a cluster. These enhancements address the security issues on strict source IP address check.

  • An optional field for SNIP is now provided.
  • An Add button is also provided to create SNIPs dynamically while adding a node to the cluster IP address (CLIP).

[ NSSVM-4170 ]

A Citrix ADC SDX admin can now unlock a user before the lockout interval expires. Lockout is not applicable if a user logs in to the Management Service via the console. The lockout interval is also changed from seconds to minutes. Minimum value = 1 minute. Maximum value = 30 minutes.

To unlock a user using the GUI:

  1. Navigate to Configuration > System > User Administration > Users.
  2. Select the user to unlock.
  3. Click Unlock.To unlock a user using the CLI:

At the command prompt, type:

set systemuser id=<ID> unlock=true
<!--NeedCopy-->

[ NSSVM-4144 ]

Citrix Gateway

Additional language support

The Citrix Gateway user portal is now available in the Russian, Korean, and Chinese (Traditional) languages.

[ CGOP-17095 ]

OAuth-OpenID Connect authentication support for Gateway Insight

The Citrix Gateway Insight now reports OAuth-OpenID Connect authentication related events (successful and failure user logons).

[ CGOP-16907 ]

Citrix Web App Firewall

Client IP address extraction using an advanced policy expression

The Citrix ADC appliance uses an advanced policy expression to extract the client IP address from an HTTP request header, request body, request URL. The extracted value is then sent to the ADM server for audit logging, security insights, and computing the client geolocation.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html

[ NSWAF-7260 ]

Enable option for BOT TPS Detection Mechanism

Enable option is now available for each TPS bot detection rule in the bot profile configuration. By default, the value is ON. ;

For more information, see [https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html] ; [ NSHELP-25777 ]

Load Balancing

Support for HTTP to HTTPS redirection on content switching virtual servers

The content switching virtual servers of service type SSL now support redirection of HTTP traffic. Two new parameters: HttpsRedirectUrl and RedirectFromPort are added to the add cs vserver command. All HTTP traffic arriving at the port specified in the RedirectFromPort parameter is redirected to the URL specified in the HttpsRedirectUrl parameter. If HttpsRedirectUrl is not configured, then the HTTP traffic is redirected to the value of the host header in the incoming HTTP request.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/how-to-articles/ssl-config-https-vserver-to-accept-http-traffic.html

[ NSLB-8224 ]

Support to synchronize save config command to remote GSLB sites

You can now synchronize the save ns config command to remote GSLB sites. To enable this functionality, a new parameter GSLBSyncSaveConfigCommand is added to the set gslb parameter command. After you enable the GSLBSyncSaveConfigCommand, the save ns config command is treated as another GSLB command and is synchronized to remote GSLB sites. You must enable the AutomaticConfigSync option to synchronize the save ns config command.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/real-time-synchronization.html

[ NSLB-7831 ]

Support to secure script arguments for user monitors

A new parameter, -secureargs, is added to the add lb monitor command. This parameter stores the script arguments in an encrypted format instead of plain text format. You can secure sensitive data related to the scripts for user monitor using this parameter, for example, user name and password. Citrix recommends you to use -secureargs parameter instead of the -scriptargs parameter for any sensitive data related to the scripts. If you choose to use both the parameters together, the script specified in -scriptname must accept the arguments in the order: <scriptargs> <secureargs>. That is, you need to specify the first few parameters in <scriptargs> and the rest of the parameters in <secureargs> by maintaining the order defined for the arguments. Secure arguments are applicable only for the internal dispatcher.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-custom-monitors/configure-user-monitor.html

[ NSLB-6314 ]

Networking

Number type dataset support for extended ACLs

The Citrix ADC appliance now supports the number type dataset for the extended ACLs. You can use the number type dataset for specifying the source port or the destination port or both for an extended ACL rule.

[ NSNET-20235 ]

RHI support for a VIP address bound to an IP set

A Citrix ADC appliance advertises a VIP address bound to an IP set as a kernel route if all of the following conditions are met:

  • The VIP address has the host route option enabled.
  • The IPset is bound to a configuration, for example, multi-IP load balancing virtual servers.

[ NSNET-20209 ]

Support for Citrix ADC CPX registration with ADM using volume mounts

Citrix ADC CPX now supports registration with Citrix ADM by using volume mounts through Kubernetes ConfigMaps and Secret. Citrix ADC CPX initiates registration with the ADM agent with the configuration details derived from the volume mounts which are located in the file-system of Citrix ADC CPX.

[ NSNET-19058 ]

Platform

VMware ESX 7.0 update 2a support on Citrix ADC VPX instance

The Citrix ADC VPX instance now supports the VMware ESX version 7.0 update 2a (Build 17867351).

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/supported-hypervisors-features-limitations.html

[ NSPLAT-20104 ]

AMD processor support for Citrix ADC VPX instance on ESXi

The Citrix ADC VPX instance on the VMware ESXi hypervisor now supports AMD processors. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/install-vpx-on-xenserver.html

[ NSPLAT-17853 ]

Support for Citrix ADC VPX 5000 subscription on Azure Marketplace

The Citrix ADC VPX 5000 subscription plan is now supported on Azure Marketplace. This subscription-based plan offers the following licenses:

  • Standard
  • Advanced
  • Premium

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/deploy-vpx-on-azure.html#citrix-adc-vpx-licensing

[ NSPLAT-13663 ]

Policies

Support for IP Header Fields in Advanced Policy Expression

The Advanced policy expression now enables you to fetch the following header fields from an IP packet.

  • DSCP
  • ECN
  • TTL
  • Version
  • Identification
  • Header length
  • Header checksum
  • Options
  • Payload

[ NSPOLICY-2441 ]

Removal of deprecated features from Citrix ADC version 13.1 onwards

Numerous deprecated features are now removed and are no longer configurable on a Citrix ADC appliance.

These include:

  • The Filter feature (also known as Content Filtering or CF) - actions, policies, and binding.
  • The SPDY, sure connect (SC), priority queuing (PQ), HTTP Denial of Service (DoS), and HTML Injection features.
  • Classic policies for SSL, content switching, cache redirection, compression, and application firewall.
  • The url and domain parameters in content switching policies.
  • Classic expressions in load balancing persistence rules.
  • The pattern parameter in Rewrite actions.
  • The bypassSafetyCheck parameter in Rewrite actions.
  • SYS.EVAL\_CLASSIC\_EXPR in Advanced expressions.
  • The patclass configuration entity.
  • The HTTP.REQ.BODY with no argument in Advanced expressions.
  • Q and S prefixes in Advanced expressions.
  • The policyType parameter for the cmp parameter setting. (CLI command set cmp parameter.)

As already documented, you can use the nspepi tool for the conversion. You must run the tool on a Citrix ADC appliance version 13.0 or 12.1.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/classic-policy-deprecation-faq.html

Also, to use the latest version of the tools to migrate from classic to advanced configuration, and from traffic domains to admin partitions, see https://github.com/citrix/ADC-scripts

[ NSPOLICY-186 ]

System

View statistics for QUIC bridge

The QUIC bridge stat command now provides a detailed summary of QUIC bridge statistics.

[ NSBASE-13883 ]

Removal of deprecated features in Citrix ADC 13.1 onwards

The following deprecated features and their configurations are no longer supported and are removed from the Citrix ADC appliance:

  • Sure Connect (SC)
  • Priority Queueing (PQ)
  • HTTP DoS Protection (HDOSP)
  • HTMLInjection

As an alternative, Citrix recommends you to use AppQoE for Sure Connect, Priority Queueing, and HTTP DoS Protection and use Client-Side measurements for HTMLInjection.

For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/classic-policy-deprecation-faq.html

[ NSBASE-13780 ]

User Interface

Batch API support for NITRO calls

Citrix ADC appliance now supports batchapi API. The batchapi API can handle multiple NITRO calls in a single request and thereby minimize network traffic. You can perform the following operations using the batchapi:

  • You can use the batch API to create, update, and delete multiple heterogenous resources simultaneously.
  • You can use the batch API to get multiple heterogenous resources.

[ NSCONFIG-4061 ]

Fixed Issues

The issues that are addressed in Build 13.1–4.43.

Authentication, authorization, and auditing

When you bind an LDAP monitor to a service, the monitor goes down because the Citrix ADC appliance sends an incorrect password to the active directory.

[ NSHELP-27961 ]

In a multiple cascade AD, an account for a user does not get locked, if a user is not found in the last cascade.

[ NSHELP-27948 ]

When a Citrix ADC appliance is configured for SAML authentication, the appliance dumps core upon using a certificate other than RSA.

[ NSHELP-27813 ]

In some cases, a Citrix ADC appliance might crash while handling certain user’s authentication request when role-based access is configured.

[ NSHELP-27655 ]

Users are unable to log in through Citrix Workspace app if Azure AD is configured as an OAuth IdP at Citrix ADC authentication virtual server.

[ NSHELP-27462 ]

In some cases, SAML authentication fails with the Workspace app if the app is accessed using StoreFront.

[ NSHELP-27338 ]

In some cases, an HTTP POST request to an Authentication, authorization, and auditing-TM virtual server is processed incorrectly if the request does not have an authentication cookie. The POST body gets lost during processing.

[ NSHELP-27227 ]

The Citrix ADC appliance crashes frequently while processing Authentication, authorization, and auditing-TM and 401 LB-based traffic.

[ NSHELP-27094 ]

In some cases, a Citrix ADC appliance crashes while performing user authentication for Citrix Gateway and Authentication, authorization, and auditing - traffic managed deployment.

[ NSHELP-26555 ]

Upon entering an incorrect OTP, an error message Email Auth failed. No further action to continue is displayed.

[ NSHELP-26400 ]

In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if policy name is longer than intranet application name.

[ NSHELP-25971 ]

A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates the relaystate from Service Provider (SP) if it contains quotes. [ NSHELP-20131 ]

Network connectivity test check fails because of a password decryption issue. However, the authentication functionality works fine.

[ NSAUTH-10216 ]

Bot Management

In the Transaction Per Second (TPS) bot detection mechanism, the back-end application server returns a 304 response during the response retrieval post CAPTCHA challenge.

[ NSBOT-626 ]

Caching

In a high availability setup, HA synchronization fails for the memLimit cache parameter setting during an HA failover.

[ NSHELP-28428 ]

In a high availability setup, the primary node crashes after it accesses a NULL pointer instead of a cached object.

[ NSHELP-26967 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, instance restore might fail if the instance was created with software version 13.0-76.x or earlier.

[ NSHELP-28429 ]

In a Citrix ADC SDX appliance, the Management Service reports incorrect data usage of ADC instances.

[ NSHELP-28208 ]

On a Citrix ADC SDX appliance, you cannot change the CLI prompt in the Management Service console.

[ NSHELP-28030 ]

On a Citrix ADC SDX appliance, the Management Service might report a high memory usage of around 80% due to increased jobs and schedulers running in inventory.

[ NSHELP-27805 ]

On a Citrix ADC SDX appliance, upgrade might fail if the system files (snmpd.conf and ntp.conf) contain carriage return characters.

[ NSHELP-27713 ]

On a Citrix ADC SDX appliance, the Management Service might report a high memory usage of around 80% due to increased jobs and schedulers running in inventory.

[ NSHELP-27396 ]

Citrix Gateway

An error message appears when you try to edit the CSS attributes in a custom theme.

[ NSHELP-28648 ]

The logon to Citrix Workspace fails if responder policies that can get into a blocked state during evaluation are bound to the virtual server.

[ NSHELP-27819 ]

When accessing the Citrix Gateway appliance using the clientless VPN, core dump might be generated.

[ NSHELP-27653 ]

The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

[ NSHELP-27611 ]

Users can see the mailboxes of other users when they log in to Microsoft Outlook. As a workaround, disable multiplexing.

[ NSHELP-27538 ]

A Citrix ADC appliance might crash if the EDT related commands, such as clearconfig, kill ica connection, or stop dtls listener are processed by the appliance.

[ NSHELP-27398 ]

The Citrix Gateway appliance might crash while processing UDP traffic.

[ NSHELP-27317 ]

The Citrix Gateway appliance crashes when a syslog policy is bound to a virtual server, and the corresponding syslog action is modified.

[ NSHELP-27171 ]

The Citrix ADC logs might be flooded with the log message GwInsight: Func=ns\_sslvpn\_send\_app\_launch\_fail\_record Appflow policy evaluation has failed when Gateway Insight is enabled.

[ NSHELP-26750 ]

The Citrix Gateway appliance crashes when you try to clear the configuration if both of the following conditions are met:

  • An SSL profile and certificate-key pair are bound to the default TCP monitor.
  • The same default TCP monitor is bound to a syslog action.

[ NSHELP-26685 ]

When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message Invalid Proxy Value appears.

[ NSHELP-26613 ]

While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

  • A default pre-shared key (PSK) is configured.
  • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.

[ NSHELP-25694 ]

The SNMP OID sends an incorrect set of current connections to the VPN virtual server.

[ NSHELP-25596 ]

If you rename a VPN virtual server that is bound to an STA server, the status of the STA server appears DOWN when you run the show command.

[ NSHELP-24714 ]

In rare cases, the Citrix Gateway appliance might crash if the intranet IP (IIP) address is enabled and there are server-initiated connections to the IIP address.

[ NSHELP-23819 ]

The show tunnel global command output includes advanced policy names. Previously, the output did not display the advanced policy names.

Example:

New output:

show tunnel global Policy Name: ns_tunnel_nocmp Priority: 0

Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy Priority: 1 Global bindpoint: REQ_DEFAULT

Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy Priority: 100 Global bindpoint: RES_DEFAULT Done

Previous output:

show tunnel global Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

Advanced Policies:

Global bindpoint: REQ_DEFAULT Number of bound policies: 1

Done

[ NSHELP-23496 ]

If you have configured RADIUS accounting for the ICA start/stop event, the session ID in the RADIUS accounting request for ICA start is displayed as all zeroes.

[ NSHELP-22576 ]

Citrix Web App Firewall

In a Citrix ADC cluster setup, one of the nodes crashes if one or more nodes are upgraded from Citrix ADC version 12.0, 12.1, or 13.0 build 52.x or earlier builds. The crash occurs because of an incompatibility in the Web App Firewall cookie format and size.

[ NSWAF-7689 ]

In Web App Firewall, the Cookie-transformation parameter splits the response-side cookie values if it has a comma as the delimiter.

[ NSHELP-28411 ]

A Citrix ADC appliance might crash if command injection violations are observed in a specific order and if the following conditions are met:

  • Multiple cookies are present in the request
  • URLDecodeRequestCookies feature is turned off

[ NSHELP-28365 ]

A Citrix ADC appliance might show high memory usage when parsing HTTP responses having the Samesite attribute and Web Application Firewall feature enabled.

[ NSHELP-27722 ]

The cookie hijacking feature has limited support for the Internet Explorer browser because Internet Explorer browsers do not reuse the SSL connections. Because of the limitation, multiple redirects are sent for a request eventually leading to a MAX REDIRECTS EXCEEDED error in the Internet Explorer browser.

[ NSHELP-27193 ]

After an upgrade to Citrix ADC version 13.0 build 76.29 and with the File Upload feature enabled on the appliance, the following issue is observed:

  • SQL and cross-site scripting protection checks block the file upload process for all web applications.

[ NSHELP-27140 ]

Load Balancing

In a GSLB setup, the statuses of the remote services are not updated after the stats are cleared on the GSLB site. As a workaround, clear the stats again on the same GSLB site. The statuses of the remote services are then updated.

[ NSHELP-28169 ]

In a high availability setup, the secondary node might crash if the following conditions are met:

  • The amount of physical memory on both the nodes is different from each other.
  • The data sessions are not synchronized properly.

[ NSHELP-26503 ]

In a cluster setup, the GSLB service IP address is not displayed in the GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

[ NSHELP-20406 ]

Miscellaneous

A Citrix ADC appliance adds extra L2 information when a tunnel or Type of Service (TOS) virtual servers are created.

[ NSHELP-27825 ]

Networking

After a Citrix ADC BLX appliance (version 13.0 build 82.x) running on a Debian based Linux host is upgraded, SSH does not work as intended in the shared mode.

[ NSNET-23020 ]

After a Citrix ADC BLX appliance is upgraded to release 13.1 build 4.x, the web application firewall might incorrectly blocks a request that has no content type header.

[ NSNET-21415 ]

In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

[ NSNET-18586 ]

In a Citrix ADC appliance, the internal driver layer might use an incorrect data buffer resulting in data corruption, which in turn causes the appliance to crash.

[ NSHELP-27858 ]

Fixed Issue:

Citrix ADC CPX deployed as a sidecar and connected with multiple networks was not able to choose the correct source IP address for the destination subnet.

[ NSHELP-27810 ]

In a high availability setup, HA synchronization might fail for WAF profile and location file configurations.

[ NSHELP-27546 ]

Packet loops are observed in a load balancing configuration if all of the following conditions are met:

  • The virtual server is configured to listen on port 80 and the connection failover (connfailover) parameter is set to stateless.
  • The virtual server receives two request packets that have:
    • Source port = 80
    • Destination port = number other than 80
    • Destination IP address = IP address (VIP) of the virtual server

[ NSHELP-22431 ]

Platform

Failed to create target instance error message is seen on the GCP console even when you do not create any target instances. This issue occurs when you do not have the compute.targetInstances.get IAM permission in your GCP service account. From this release, the Citrix ADC VPX creates target instances only for VMs that use the VIP Scaling feature.

[ NSPLAT-20952 ]

The Citrix ADC appliance generates false packets per second (PPS) rate-limit alerts even before the Citrix ADC appliance reaches its PPS limit for the license.

[ NSHELP-26935 ]

Policies

The NS variable with global scope does not work for HTTP/2 traffic.

[ NSHELP-27095 ]

SSL

In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

[ NSHELP-28058 ]

In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:

  • Files are syncing from the primary node to the secondary node.
  • CRL file is downloading from the CRL server at the same time.

[ NSHELP-27435 ]

On a Citrix ADC appliance, a false certificate expiry notification is logged the next day when a certificate-key pair is added with -expiryMonitor enabled.

[ NSHELP-27348 ]

In a cluster database, the binding is not updated properly if you bind an SSL policy to a virtual server at the client hello bind point multiple times and with different priorities. As a result, an error appears when you remove the policy even after unbinding it from the virtual server.

[ NSHELP-27301 ]

The Citrix ADC appliance crashes during reboot if you change the name of the built-in certificate (ns-server-certificate) in the configuration file.

[ NSHELP-26858 ]

In a cluster setup, you might observe the following issues:

  • Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
  • Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
  • Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.

[ NSHELP-25764 ]

System

A Citrix ADC appliance might crash with an ICAP OPTIONS response. The issue happens when the allowed header value contains a value other than 204.

[ NSHELP-27879 ]

In the AppFlow, the layer 4 byte count for flow records is not matching the HTTP virtual server transactions. The count value is lower than the layer 7 virtual server byte count value.

[ NSHELP-27495 ]

The tcpCurClientConn counter shows a large value if the Citrix ADC appliance is registered on the Citrix ADM.

[ NSHELP-27463 ]

A Citrix ADC appliance might crash when the AppFlow feature is disabled and enabled back.

[ NSHELP-27236 ]

In a rare case, a Citrix ADC appliance might send incorrect TCP SACK sequence numbers to the client when forwarding it from the back-end server. The issue occurs if the TCP Selective ACK (SACK) option is enabled in a TCP Profile.

[ NSHELP-24875 ]

A Citrix ADC appliance might crash when a policy with the HTTP.REQ.* expression is bound to the RESPONSE bind point of the HTTP_QUIC virtual server. The issue does not occur if you bind the same policy to an HTTP or SSL type virtual server along with the HTTP_QUIC virtual server.

[ NSBASE-14612 ]

User Interface

In the Compression Policy Manager GUI, unable to bind a compression policy to an HTTP protocol by specifying a relevant bind point and connection type.

[ NSUI-17682 ]

When you fetch the content of any file from an ADC instance by using the command show systemfile, a download failure error message appears on the ADC Console. The issue occurs if the file content starts with NULL bytes.

[ NSHELP-28227 ]

The admautoregd SYSLOG flood leads to Customer Resource Definition (CRD) misclassification and misdiagnosis because of an internal system issue (Python binary file missing).

Fix: To stop monitoring the admautoregd process after 30 min if the python binary is still missing.

[ NSHELP-28185 ]

There might be a loss in configuration if a VPX instance on AWS, configured with KEK is upgraded to Citrix ADC release 13.0 build 76.x or later. All sensitive data encrypted using KEK fails if the configuration is loaded after a reboot.

[ NSHELP-28010 ]

An additional backslash character is incorrectly introduced if special characters are used within arguments in some SSL commands, such as create ssl rsakey and create ssl cert.

[ NSHELP-27378 ]

In a high availability setup, HA synchronization or HA propagation might fail if any of the following conditions is met:

  • The RPC node password has special characters.
  • The RPC node password has 127 characters (maximum characters allowed).

[ NSHELP-27375 ]

The nsconfigaudit tool might crash if the size of the input configuration file is very large.

[ NSHELP-27263 ]

You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

[ NSHELP-27252 ]

The reporting functionality might stop working if the system clock gets updated on a Citrix ADC appliance.

[ NSHELP-25435 ]

In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO).

[ NSHELP-23310 ]

The botprofile\_logexpression\_binding NITRO API GET call returns no response if the log expression is bound to a bot profile.

[ NSCONFIG-5490 ]

In a cluster configuration, when you bind a Web App Firewall profile with the fine-grained rules and then with non-fine-graned rules to the same URL, fine-grained rules get removed in the database. As a result, only the non-fine-grained rules are displayed on the Cluster IP address.

[ NSCONFIG-5389 ]

Known Issues

The issues that exist in release 13.1–4.43.

AppFlow

HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

[ NSINSIGHT-943 ]

Authentication, authorization, and auditing

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of the Citrix ADC GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command. show adfsproxyprofile <profile name>

Workaround:

Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.

Workaround:

Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]

Caching

A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, creating an ADC instance using software version 12.0 XVA image fails. As a result, the instance is unreachable.

[ NSHELP-28408 ]

On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.

[ NSHELP-27477 ]

Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

  • Throughput allocation mode is burst.
  • There is a large difference between the throughput and the maximum burst capacity.

[ NSHELP-21992 ]

Citrix Gateway

EPA plug-in for Windows does not use the local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows Logon, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA). Workaround: Use an IP address for VDA.

[ NSHELP-8549 ]

Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

In a cluster deployment, if you run force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ CGOP-6794 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]

The generation of SNMP alarms might be delayed if the synchronization of configuration from the main site to subordinate sites fails.

[ NSHELP-23391 ]

Miscellaneous

When a forced synchronization takes place in a high availability setup, the appliance runs the set urlfiltering parameter command in the secondary node.

As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

A Citrix ADC appliance might restart due to management CPU stagnation if the connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]

Networking

A Citrix ADC BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.

Workaround:

Remove the Advanced security protection configuration for WAF.

[ NSNET-22654 ]

After an upgrade from Citrix ADC BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.

[ NSNET-17625 ]

The following interface operations are not supported in a Citrix ADC BLX appliance:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (/etc/blx/blx.conf) settings. This issue occurs because mawk, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the blx.conf file.

Workaround:

Install gawk before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install gawk:

  • apt-get install gawk

[ NSNET-14603 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

Workaround:

Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

-  dpkg --add-architecture i386
-  apt-get update
-  apt-get dist-upgrade
-  apt-get install libc6:i386
<!--NeedCopy-->

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPsec ALG might not work properly if the high availability configuration has stayprimary or staysecondary option set.

[ NSNET-1646 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

Workaround:

Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

When an admin partition memory limit is changed in the Citrix ADC appliance, the TCP buffering memory limit gets automatically set to the admin partition new memory limit.

[ NSHELP-21082 ]

In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.

[ NSHELP-20796 ]

Platform

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0–82.31 and later
  • 12.1–62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1–62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

Provisioning a VPX instance with version 12.0 XVA fails on a Citrix ADC SDX appliance running version 13.1.

Only VPX versions 12.1 and later are supported. Upgrade the VPX version before upgrading the SBI to version 13.1.

[ NSPLAT-21442 ]

When NetScaler licenses hosted on NetScaler MAS expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.

[ NSPLAT-6417 ]

When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must always be configured on the primary node.

[ NSPLAT-4451 ]

Policies

Connections might hang if the size of processing data is more than the configured default TCP buffer size.Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]

SSL

On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

Update command is not available for the following add commands:

-  add azure application
-  add azure keyvault
-  add ssl certkey with hsmkey option
<!--NeedCopy-->

[ NSSSL-6484 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type. ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184 ]

System

If the Citrix ADC appliance is registered on the ADM server, a memory leak is observed on the appliance even with very low traffic.

[ NSHELP-25347 ]

In a cluster setup, the set ratecontrol command works only after restarting the Citrix ADC appliance.

Workaround:

Use the nsapimgr\_wr.sh -ys icmp\_rate\_threshold=<new value> command.

[ NSHELP-21811 ]

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

When a Citrix ADC appliance sends a tcpSynFloodAttack SNMP trap, the unackSynCount log message has string characters instead of integer values.

[ NSHELP-20401 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

Client IP and Server IP are inverted in the HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

ICAP support for Citrix ADC

A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

[ NSBASE-825 ]

User Interface

In Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

Workaround:

Configure cloudbridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

[ NSHELP-20988 ]

When you downgrade a Citrix ADC appliance version 13.0-71.x to an earlier build, some NITRO APIs might not work because of the file permission changes.

Workaround:

Change permission for /nsconfig/ns.conf to 644.

[ NSCONFIG-4628 ]

If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:
    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

Workaround:

To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in the earlier mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

[ NSCONFIG-3188 ]

Release Notes for Citrix ADC 13.1–4.43 Release