Release Notes for Build 50.31 of Citrix ADC 12.1 Release

Additional Changes/Fixes Available in Replacement Builds

Additional Changes/Fixes Available in Versions

Points to Note

Citrix ADC GUI

• PHP upgraded from version 7.0.13 to 7.2.9

  PHP has been upgraded from version 7.0.13 to version 7.2.9 on the Citrix ADC appliance.
  [# NSUI-1097, NSHELP-4600, NSUI-8796, NSUI-8979, NSUI-8987, NSUI-8993, ENH0698131]

What's New?

• Support for validating end-to-end RADIUS authentication

  Citrix ADC appliance can now validate end-to-end RADIUS authentication through Citrix ADC GUI. A new “test” button is introduced in Citrix ADC GUI to validate this feature. A Citrix ADC administrator can use this feature to achieve the following benefits:

  - Consolidates the complete flow (packet engine – AAA daemon – external server) to provide better analysis.

  - Reduces time on validating and troubleshooting issues related to individual scenarios.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-auth-radius-tsk.html#support-for-validating-end-to-end-radius-authentication
  [# NSAUTH-1097, ENH0713160]

• Metadata reading and generation support for SAML SP and IdP configuration

  Citrix ADC appliance now supports metadata files as means of configuration entities for both SAML Service Provider (SP) and Identity Provider (IdP). The metadata file is a structured XML file that describes the configuration of an entity. The metadata files for SP and IdP are separate. Based on deployment, and at times, one SP or IdP entity can have multiple metadata files.

  As an administrator, you can export and import (SAML SP and IdP) metadata files on Citrix ADC.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/saml-authentication.html#metadata-reading-and-generation-support-for-saml-sp-and-idp-configuration
  [# NSAUTH-4008, NSHELP-595, ENH0689985]

• Support for self-service password reset

  Citrix ADC appliance now supports self-service password reset. Self-service password reset is a web-based password management solution that eliminates the user dependency for administrator(s) assistance to change or reset the password. It is available on both in Citrix ADC as an authentication, authorization, and auditing feature and in Citrix Gateway.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/sspr-support.html.
  [# NSAUTH-4204, ENH0703743]

• Support for noAuth authentication

  Citrix ADC appliance now supports noAuth authentication capability that enables the customer to configure a defaultAuthenticationGroup parameter in noAuthAction command, when a user handles this policy. The administrator can verify for the presence of this group in a users group to determine user’s navigation through noAuth policy.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/authentication-virtual-server/ns-aaa-setup-auth-vserver-tsk.html.
  [# NSAUTH-540, BUG0711009]

• Setting NSC_TMAS cookie for HTTPS

  Citrix ADC appliance sets only secure cookie (NSC_TMAS) for secure or HTTPS traffic management servers.
  [# NSHELP-8493, 700291]

Citrix ADC SDX Appliance

• Support for new SNMP traps

  The following new SNMP traps are now supported:

  deviceBooted

  deviceRebooted

  inventoryPassed

  logicalDrivePassed

  For more information about how to configure SNMP traps, see https://docs.citrix.com/en-us/sdx/12-1/manage-monitor-appliance-network-configuration/configuring-snmp-trap-destination.html.
  [# 714140]

• Severity column for SNMP alarms

  You can now view severity level for SNMP alarms. To view, log on to the Citrix ADC user interface and navigate to System Alarms. Check the levels under the Severity column.
  [# 714827]

Citrix ADC SDX appliance

• Severity column for SNMP alarms

  You can now view severity level for SNMP alarms. To view, log on to the Citrix ADC user interface and navigate to System Alarms. Check the levels under the Severity column.
  [# NSHELP-12401, 714827]

• Support for new SNMP traps

  The following new SNMP traps are now supported:

  deviceBooted

  deviceRebooted

  inventoryPassed

  logicalDrivePassed

  For more information about how to configure SNMP traps, see https://docs.citrix.com/en-us/sdx/12-1/manage-monitor-appliance-network-configuration/configuring-snmp-trap-destination.html.
  [# NSHELP-13543, 714140]

Citrix ADC VPX Appliance

• Support for Citrix ADC VPX instance on Google Cloud Platform

  You can deploy a Citrix ADC VPX instance on Google Cloud Platform (GCP). A VPX instance in GCP enables you to leverage cloud computing capabilities of GCP and use Citrix load balancing and traffic management features for your business needs. You can deploy VPX instances in GCP as standalone instances. Both single NIC and multi NIC configurations are supported.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-google-cloud.html.
  [# NSPLAT-2006, ENH0709691]

• Citrix ADC VPX support for AWS China region

  Now Citrix ADC VPX deployment (both standalone and high availability) is supported in AWS China region.
  [# NSPLAT-2237, ENH0518744]

• Support for RHEL 7.5

  Now RHEL version 7.5 is supported for Citrix ADC VPX instance deployment on Linux KVM. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.
  [# NSPLAT-3755, ENH0714623]

Citrix Gateway

• Device Certificate in nFactor as an EPA component

  You can configure Device Certificate in nFactor as an EPA component.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/device-certificate-in-nfactor-as-an-epa-component.html
  [# CGOP-5758, ENH0701170]

• Advanced Clientless VPN access

  Outlook Web Access 2016 and SharePoint 2016 are supported for Clientless access. SharePoint no longer needs to use the default folder for rewriting URLs.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/vpn-user-config/cvpn-overview/ng-connect-cvpn-policies-how-work-con/advanced-clientless-access.html.
  [# CGOP-6174, ENH0671584]

Citrix Secure Web Gateway

• Integration with IPS or NGFW as inline devices

  A Citrix Secure Web Gateway (SWG) appliance can now integrate with inline security devices, such as Intrusion Prevention System (IPS) and Next Generation Firewall (NGFW). This integration helps in protecting servers and users from web bound threats hidden in encrypted packets.

  The Citrix SWG appliance offloads TLS/SSL processing from inline devices. If there are multiple inline devices, the appliance also load balances the traffic to these devices.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/security-configuration/integration-with-ips-or-ngfw-as-inline-devices.html.
  [# NSBASE-2703, ENH0659611]

• Performing an explicit subdomain match

  You can now perform an explicit subdomain match for an imported URL set. To do this, a new parameter, "subdomainExactMatch" is added to the “import policy URLset” command. When you enable the parameter, the URL Filtering algorithm performs an explicit subdomain match. For example, if the incoming URL is "news.example.com" and if the entry in the URL set is "example.com", the algorithm does not match the URLs.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-list.html
  [# NSSWG-686, ENH0711662]

• Displaying imported URL sets

  You can now display imported URL sets in addition to added URL sets. To do this, a new parameter “imported” is added to the “show urlset” command. If you enable this option, the appliance displays all imported URL sets and distinguishes the imported URL sets from the added URL sets.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-list.html
  [# NSUI-1191, ENH0714076]

• Configuring seed database path and cloud server name

  You can now configure the seed database path and cloud lookup server name for manually setting of the cloud lookup server name and the seed database path. To do this, two new parameters, “CloudHost” and “SeedDBPath”, are added to the URL filtering parameter command.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-categorization.html
  [# NSUI-1210, ENH0715434]

Citrix Web App Firewall

• Rebranding Citrix ADC App Firewall to Citrix Web App Firewall

  According to Citrix rebranding guidelines, the Citrix ADC App Firewall feature is now renamed as Citrix Web App Firewall in Citrix ADC GUI.
  [# NSUI-1219, ENH0715820]

GSLB

• GSLB supports multi-IP virtual servers

  GSLB now supports multi-IP virtual servers. In cloud deployments, for autoscaling of Citrix ADC instances, you can use IPset if Citrix ADC is used for GSLB as well as autoscaling load balancing end points.

  The statistics and the state of the virtual server are collected irrespective of the IP address provided to the GSLB service.

  Parent child topology is supported with IPset. Communication between the parent and the child sites is always using public IP address and the public port of the GSLB service. Also, site persistence works irrespective of the IP addresses associated with the GSLB service.

  Only one IP address is associated with a GSLB service. You cannot associate an IPset with a GSLB service.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-customizing/multi-ip-virtual-servers.html.
  [# NSLB-424, ENH0710454]

• Gracefully aborting the GSLB configuration synchronization when the master and slave nodes are on different Citrix ADC versions

  The Citrix ADC appliance now checks for the firmware version on master and slave nodes before initiating synchronization. If the master and the slave nodes run different versions, the synchronization is aborted for that remote site to avoid pushing any incompatible changes across the versions. Also, an error message displaying the site details on which the synchronization aborted appears.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/synchronizing-configuration-in-gslb-setup.html.
  [# NSLB-780, BUG0711371]

Load Balancing

• Increase in Citrix ADC system limit for unique load balancing monitors

  The Citrix ADC system limit for unique load balancing monitors is now increased to 16360.
  [# 693776]

• Getting location details from user IP address using geo database

  Citrix ADC appliance performs geo location (policy-based) user authorization. When there is a user request from a particular location, the appliance uses the IP address to retrieve the user’s location details from a geo database. The appliance evaluates the location details using geo location (responder and rewrite) policies. The appliance also logs the location details (optional) using the audit logging mechanism.

  After policy evaluation, based on Citrix ADC configuration, the appliance or the back-end server sends a suitable response.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-advanced-settings/retrieve-location-details-using-ip-address-from-geolocation-database.html.
  [# NSLB-325, NSHELP-3740, ENH0688198]

• Creating negative session when PCRF is down

  If the PCRF server is down, the Citrix ADC appliance creates negative sessions for the pending or incoming Gx subscriber requests.

  When the PCRF server is back up again, the Citrix ADC appliance prevents a storm of requests by waiting for the negative sessions to expire before performing the specific subscriber requests.
  [# NSLB-519, BUG0713709]

Load balancing

• Increase in Citrix ADC system limit for unique load balancing monitors

  The Citrix ADC system limit for unique load balancing monitors is now increased to 16360.
  [# NSHELP-18135, 693776]

NITRO

• Retrieving LOM Port firmware version

  The nshardware NITRO API resource now supports retrieving the LOM port’s firmware version of a Citrix ADC appliance.

  For more information, see https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/ns/nshardware/
  [# NSHELP-4797, ENH0695712]

Networking

• BGP ECMP support for route paths in multiple autonomous systems

  The BGP protocol in a Citrix ADC appliance now supports load balancing route traffic across equal-cost BGP neighbors in different autonomous systems.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-routing/configuring-dynamic-routes/configuring-bgp.html.
  [# NSHELP-329, ENH0710330]

• Support to configure HTTP and HTTPS management ports

  In a single-IP mode deployment of a Citrix ADC appliance, a single IP address is used as NSIP, SNIP, and VIP addresses. This single IP address uses different port numbers to function as NSIP, SNIP, and VIP addresses.

  Port numbers 80 and 443 are well-known ports for HTTP and HTTPS services. Earlier, port 80 and 443 of Citrix ADC IP address (NSIP) were dedicated ports for internal HTTP and HTTPS management services. Because these ports were reserved for internal services, you cannot use these well-known ports for providing HTTP and HTTPS data services from a VIP address, which has the same address as the NSIP address in a single-IP mode deployment.

  To address this requirement, you can now configure ports for internal HTTP and HTTPS management services (of the NSIP address) other than port 80 and 443.

  The following lists the default port numbers for internal HTTP and HTTPS management services in Citrix ADC MPX, VPX, and CPX appliances:

  - Citrix ADC MPX and VPX appliances: 80 (HTTP) and 443 (HTTPS)

  - Citrix ADC CPX appliances: 9080 (HTTP) and 9443 (HTTPS)

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/basic-operations/configure-http-https-management-ports.html.
  [# NSNET-1630, BUG0708735]

• Support for IPv4 VIP route health injection and BGP dynamic routing protocol in a Citrix ADC CPX appliance

  The Citrix ADC CPX appliance now supports route health injection of IPv4 VIP addresses to its routing table and advertisement of these VIP routes to neighbor routers/networking devices using BGP dynamic routing protocol.
  [# NSNET-2897, ENH0709944]

Platform

• Support for Citrix ADC MPX 15000-50G platform

  This release supports the Citrix ADC MPX 15000-50G platform. It includes MPX 15020-50G, MPX15030-50G, MPX 15040-50G, MPX 15060-50G, MPX 15080-50G, and MPX 15100-50G models.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-15000-50g.html.
  [# NSPLAT-4724, 637170]

• Support for Citrix ADC MPX 26000 platform

  This release supports the Citrix ADC MPX 26000 platform. It includes MPX 26100, MPX 26160, and MPX 26200 models.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000.html.
  [# NSPLAT-4909, NSPLAT-3127, NSPLAT-4087, TSK0637172]

• Support for Citrix ADC MPX 26000-100G platform

  This release now supports the Citrix ADC MPX 26000-100G and Citrix ADC MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.
  [# NSPLAT-6288, NSPLAT-3076, ENH0648922]

• Support for Citrix ADC MPX 15000 platform

  This release supports the Citrix ADC MPX 15000 platform. It includes MPX 15020, MPX 15030, MPX 15040, MPX 15060, MPX 15080, and MPX 15100 models.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-15000.html.
  [# NSPLAT-7566, ENH0688399]

• Support for Citrix ADC MPX 26000-50S Platform

  This release supports the MPX 26000-50S platform.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [# NSPLAT-7606, NSPLAT-4122, NSPLAT-3133, NSPLAT-4047, 662685]

• Support for Citrix ADC MPX 26000-50S platform

  This release supports the Citrix ADC MPX 26000-50S platform. It includes MPX 26100-50S, MPX 26160-50S, MPX 26200-50S models. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [# NSSSL-1855, NSSSL-2056, ENH0682991]

Policies

• API support to fetch TCP or SSL related info in the extension

  Citrix ADC appliance now supports API-based protocol extension for fetching TCP or SSL-related data in the extension.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/api-reference.html#ssl-context.
  [# NSEXT-280, ENH0715744]

• API support for modifying traffic

  Citrix ADC appliance now supports API-based protocol extensions for modifying TCP stream data.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions/use-cases.html#modify-traffic.
  [# NSEXT-281, ENH0715180]

• API support in protocol extension to send data to the client and server

  Citrix ADC appliance now supports a ns.send() API to send data from extension code to client and origin server. To send or receive data directly with the client, from client context, you must use ctxt.client as the target. To send or receive data directly with the server from server context, you must use ctxt.server as the target. The data in the payload can be a TCP stream or a Lua string.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions/use-cases.html#originate-traffic-to-client-or-server.
  [# NSEXT-283, ENH0715743]

SSL

• Support for KEK encryption in private key

  The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.
  [# 671714]

• Support for KEK encryption in private key

  The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.
  [# NSHELP-14911, 671714]

• Support for PKCS#8 format in RSA, DSA, and ECDSA keys

  You can now create an RSA, DSA, or ECDSA key in PKCS#8 format. Earlier, the Citrix ADC appliance did not support this format, and you had to convert the key to a supported format, such as PKCS#12, before using it on the appliance. Also, you can now create certificate signing requests and add certificate-key pairs with PKCS#8 keys.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html and https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdsa-cipher-suite-support-on-mpx-appliances.html.
  [# NSHELP-4891, ENH0673657]

• Support for DTLSv1.0 protocol on additional Citrix ADC MPX appliances

  DTLSv1.0 protocol is now supported on the following additional MPX appliances.

  - MPX 5900

  - MPX/SDX 8900

  - MPX/SDX 26000-100G

  - MPX/SDX 15000-50G

  Note: Enlightened Data Transport (EDT) is not supported on these platforms.
  [# NSSSL-1943, ENH0705163]

• Software-only support for TLSv1.3 protocol on additional Citrix ADC MPX appliances

  TLSv1.3 protocol (RFC 8446) is now supported on SSL virtual servers configured on the following additional Citrix ADC MPX appliances:

  - MPX 5900

  - MPX/SDX 8900

  - MPX/SDX 26000-100G

  - MPX/SDX 15000-50G

  This release includes software-only implementation of TLSv1.3 and does not support hardware acceleration for cryptographic operations.
  [# NSSSL-1966, ENH0715273]

• SSL action to select the list of CAs based on SNI for client authentication

  Typically, multiple CA certificates are bound to SSL virtual servers. These CA certificates are used to verify the client certificate during client authentication. Earlier, the list of all the CAs bound to an SSL virtual server were sent in the client certificate request from the Citrix ADC appliance to the client. With this enhancement, only the list of CA certificates is sent based on SNI (domain) in the client certificate request.

  Note: This feature is not supported on TLSv1.3 and DTLS connections.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#ssl-action-to-selectively-pick-cas-based-on-sni-for-client-authentication.
  [# NSSSL-504, ENH0709142]

Security

• ICAP support for Citrix ADC

  A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send back responses to the appliance as modified messages. The adapted messages are either an HTTP or HTTPS response or request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [# NSBASE-825, 702971]

System

• Maximum limit for name attribute is set to 64 characters

  In rate limiting, the maximum limit for name attribute is now increased to 64 characters.
  [# 710289]

• Inline device integration with Citrix ADC

  You can now integrate a Citrix ADC appliance with inline security devices such as Intrusion Prevention System (IPS) and Next Generation Firewall (NGFW). This integration prevents security threats and provides advanced security protection.

  The Citrix ADC appliance performs TLS/SSL processing and offloads the data to the inline device for high volume content inspection. If there are multiple inline devices, the appliance load balances the devices for traffic distribution.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/inline-device-integration-with-citrix-adc.html
  [# NSBASE-4049, BUG0713041]

• Enabling TCP timestamp option

  In certain scenarios, transactions might be slow or incomplete, if you enable the TCP timestamp option on a Citrix ADC appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/TCP_Congestion_Control_and_Optimization_General.html
  [# NSBASE-843, BUG0710224]

• Maximum limit for name attribute is set to 64 characters

  In rate limiting, the maximum limit for name attribute is now increased to 64 characters.
  [# NSHELP-11115, 710289]

• Ability to upload MAS collector bundle to CIS directly

  You can now upload the technical support files to Citrix Insight Services (CIS) website by running a script on the ADM console.
  [# NSHELP-6278, 707188]

Telco

• AppFlow support for Gx messages

  The Citrix ADC appliance now supports Gx message reporting capability that enables the customer to maintain a log of subscriber session status. All received Credit-Control and Re-Auth Request diameter messages are logged through Appflow/Logstream infrastructure.

  The reported records include:

  - diameter message information, for example, type and response code.

  - essential pre-selected Attribute-Value Pairs (AVPs), for example, session-id and MSISDN

  - information up to five customers defined AVPs
  [# NSBASE-1752, ENH0699467]

• Support of Gx session information in subscriber awareness AppFlow records

  The Citrix ADC subscriber awareness functionality for L4 and L7 Appflow records have been extended to include subscriber session id along with the last Gx/diameter message time stamp information. This allows easier correlation of data-plane logs with the newly introduced Gx reporting records.
  [# NSBASE-2154, ENH0697881]

URLFiltering

• Configuring seed database path and cloud server name

  Feature: Citrix Secure Web Gateway

  You can now manually configure the seed database path and cloud lookup server name details. To do this, two new parameters, “CloudHost” and “SeedDBPath”, are added to the URL filtering parameter command.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-categorization.html
  [# NSSWG-399, NSSWG-475, ENH0713975]

Fixed Issues

• Support for displaying Citrix ADC instances in high availability in Web Insight reports

  The Citrix ADM analytics reports now display reports for ADC instances that are deployed in high availability mode. Aggregated reports for instances in high availability mode is supported in all analytics. For example, in HDX insight reports, both total session launch count and total application count is displayed as a combined report instead of individual reports for each instance in the group.

  Note:

  All data previously collected before you upgraded to Citrix ADM 12.1 build 50.x continues to be displayed as independent reports for the period of time until the data persists.
  [# NSADM-17899, NSHELP-5502, 714281]

• Support for EDT sessions in HDX Insight reports

  The HDX Insight displays now displays the number of EDT sessions and non-EDT sessions as part of the active sessions report. The Users table displays a detailed report of all the users in the system. Also, a new donut chart has been introduced to allow you to see bandwidth consumed by the user and also the total number of bytes based on the type of protocol used by the users.
  [# NSADM-17937, 709971]

• NetScaler MAS upgrade from 12.0 to 12.1 fails for this scenario: the database summarization configuration (days to persist hourly data) is set for more than ten days (default is one day) for Analytics.
  [# NSADM-18443, NSADM-15903, 710501]

• In some cases, the Citrix Gateway appliance dumps core during the authentication if the following conditions are met:

  - The Citrix ADC appliance is configured for nFactor authentication.

  - The Gateway Insight feature is enabled for the appliance.
  [# NSHELP-5271, TSK0713011]

• NetScaler MAS analytics might not show web insight reports consistently. Delay in accessing GeoMap location sometimes delays the aggregation of analytics reports for web insight.
  [# NSHELP-5405, NSHELP-5500, 713648]

• When SSL Insight is enabled in an instance for multiple HTTP transactions over a single SSL connection, the instance exports SSL information for only the first transaction and sends a null value for the other transactions. As a result, NetScaler MAS reports NA on the dashboard.
  [# NSHELP-5429, 715493]

• If Citrix ADM is configured to receive traffic from ADC instance through the IPFIX protocol, then there is memory leak observed in mas_afdecoder process. If the mas_afdecoder process memory consumption continues for a longer period of time, it might affect the overall system performance.
  [# NSHELP-6352, 714125]

• The mas_afdecoder process was not working due to memory corruption. With this fix, the problem has been fixed.
  [# NSHELP-6378, 714480]

• If you are a user with "read-only" permissions, you cannot see the diagnostic related icons in any of the analytics pages.
  [# NSHELP-6407, 715785]

AppExpert

• If you bind a rewrite policy to a load balancing or content switching virtual server and save the configuration, the policy binding does not apply on the appliance after a reboot. This issue occurs if the policy bindings do not contain the request or response type saved in the nsconfig file.
  [# 715617]

Citrix Web App Firewall

• A high availability setup that has an application firewall profile with starurl closure enabled, experiences high CPU usage and system failover. The issue occurs if response pages contain many URLs.
  [# 706088, 706156, 713509]

• The functionality for importing Citrix Web App Firewall profile configuration fails, if the profile contains user-defined field types and if the field types are used in multiple relaxation rules.
  [# 706747]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [# 709465, 710841, 713841, 716249]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [# 710139]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [# 710596]

• In a rare case, when Citrix Web App Firewall Learning option is enabled, the resulting aslearn.log file can consume a high amount of hard disk space, starving other disk users.
  [# 712139]

• A high availability setup that has an application firewall profile with starurl closure enabled, experiences high CPU usage and system failover. The issue occurs if response pages contain many URLs.
  [# NSHELP-16694, 706088]

• The functionality for importing Citrix Web App Firewall profile configuration fails, if the profile contains user-defined field types and if the field types are used in multiple relaxation rules.
  [# NSHELP-17851, 706747]

• In a rare case, when Citrix Web App Firewall Learning option is enabled, the resulting aslearn.log file can consume a high amount of hard disk space, starving other disk users.
  [# NSHELP-18083, 712139]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [# NSHELP-2820, BUG0710596]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [# NSHELP-2851, NSHELP-2760, NSHELP-2770, NSWAF-446, TSK0709465]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [# NSWAF-628, BUG0710139]

Applications

• NetScaler MAS does not display the number of transactions and the data flow volume for GSLB applications on the application dashboard.
  [# NSHELP-5442, 716878]

• NetScaler MAS doesn't display any information for virtual servers related to applications created on ADC instances deployed in high availability.
  [# NSHELP-5637, 716906]

• If a GSLB virtual server is part of any custom application, Citrix ADM doesn't display the statistics correctly for the newly added GSLB server.
  [# NSHELP-5648, 715639]

Authentication, authorization, and auditing

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [# 705972, 712490, 711718, 698974, 714419, 712489, 715399]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [# 707018]

• A Citrix ADC appliance might crash if there is a memory corruption due to a buffer overflow.
  [# 710433]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [# 712411, 713603, 713300, 710862]

• A Citrix ADC authentication, authorization, and auditing session observe an accounting error on the logout method.
  [# 712813]

• A Citrix ADC appliance crashes if a replay packet is received once authentication is already generated a response.
  [# 714057, 715858]

• In a rare case, a Citrix ADC appliance restarts if it tries to access a memory that was previously freed.
  [# 714441, 715848, 715865, 715201]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [# 714523, 714736]

• CPU utilization increases and the DNS data packet keeps looping if Citrix ADC authentication, authorization, and auditing uses port 3000 to send a DNS query to an LDAP or a RADIUS server. With this fix, Citrix ADC authentication, authorization, and auditing use source port 10000 and above to send DNS queries to LDAP or RADIUS servers.
  [# 714739]

• A Citrix ADC appliance configured for SAML IdP might not perform Cross-site scripting (XSS) checks on the incoming RelayState parameter.
  [# 714801]

• A Citrix ADC appliance configured as SAML Service Provider (SP) with artifact bindings occasionally return assertion replay when there is no replay.
  [# 714920]

• A Syslog message reports the client IP and server IP in a reverse hexadecimal format.
  [# 715098]

• A Citrix ADC appliance might become unresponsive if the function specifies a wrong async handler.
  [# 715443]

• A Citrix ADC traffic management virtual server enabled for authentication might result in access failures, if the following conditions are met:

  - An unauthenticated URL contains special characters.

  - Back-end server receives a decoded URL request.
  [# 716958]

• A gradual memory leak is observed on a Citrix ADC appliance for the following occurrences:

  - nFactor authentication is used.

  - There are no default or true authentication policies used.
  [# 717322]

• An SSO to Office 365 fails if objectGUID of a user contains a NULL character.
  [# 717549]

• A gradual memory leak is observed on a Citrix ADC appliance for the following occurrences:

  - nFactor authentication is used.

  - There are no default or true authentication policies used.
  [# NSHELP-1642, TSK0717322]

• The AAAD daemon might crash because of a memory corruption if the following conditions are met:

  - The nested group extraction is enabled on an active directory.

  - The extracted group length is between 52-56 bytes.
  [# NSHELP-18239, NSHELP-18258, NSHELP-18306]

• A Citrix ADC appliance configured as SAML Service Provider (SP) with artifact bindings occasionally return assertion replay when there is no replay.
  [# NSHELP-2132, TSK0714920]

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [# NSHELP-445, NSHELP-515, NSHELP-579, TSK0705972]

• In a rare case, a Citrix ADC appliance restarts if it tries to access a memory that was previously freed.
  [# NSHELP-449, NSHELP-432, NSHELP-587, NSHELP-589, TSK0714441]

• A Citrix ADC appliance configured for SAML IdP might not perform Cross-site scripting (XSS) checks on an incoming RelayState parameter.
  [# NSHELP-453, BUG0714801]

• An SSO to Office 365 fails if objectGUID of a user contains a NULL character.
  [# NSHELP-455, TSK0717549]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [# NSHELP-618, NSAUTH-1854, NSHELP-2276, NSHELP-2306, TSK0712411]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [# NSHELP-644, NSHELP-575, TSK0714523]

• A Syslog message reports the client IP and server IP in a reverse hexadecimal format.
  [# NSHELP-663, TSK0715098]

• CPU utilization increases and the DNS data packet keeps looping if Citrix ADC AAA uses port 3000 to send a DNS query to an LDAP or a RADIUS server. With this fix, Citrix ADC AAA uses source port 10000 and above to send DNS queries to LDAP or RADIUS servers.
  [# NSHELP-8416, 714739]

• A Citrix ADC appliance might become unresponsive if the function specifies a wrong async handler.
  [# NSHELP-8440, 715443]

• A Citrix ADC appliance might crash if the following conditions are met:

  - Changes in metadata URL.

  - The existing user session is disconnected.
  [# NSHELP-8504, 717465]

• A Citrix ADC appliance might crash if there is a memory corruption due to a buffer overflow.
  [# NSHELP-8537, 710433]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [# NSHELP-939, TSK0707018]

• A Citrix ADC AAA session observes an accounting error on the logout method.
  [# NSHELP-979, BUG0712813]

• A Citrix ADC appliance might crash if a replay packet is received after authentication has generated a response.
  [# NSHELP-982, NSHELP-676, TSK0714057]

• When a Citrix ADC appliance configured for SAML SP sends a request to SAML IdP, the following issues are identified:

  - URL is decoded sent from the traffic management virtual server.

  - Incorrect URL is displayed when authentication is complete.
  [# NSHELP-995, TSK0716958]

CLI

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [# 701582]

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [# NSHELP-4864, TSK0701582]

Cache

• A Citrix ADC appliance crashes if the following conditions are met:

  - The cache contentgroup's memory limit exceeds the threshold.

  - The PINNED option is enabled on the cache contentgroup.
  [# NSHELP-3629, TSK0714583]

Citrix ADC SDX Appliance

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [# 714041]

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [# NSHELP-12377, 714041]

• In an SDX appliance, after a clean installation from any older version to 12.1 50.x, you might be unable to recover the network configuration and fail to access to SDX appliance (Dom0 and Management Service).
  [# NSSVM-452, 714118]

Citrix ADC VPX Appliance

• If vCPUs are more than 12, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using ssh private key.
  [# 712146, 714490]

• In a hypervised environment, the management CPU usages could appear high if the hypervisor schedules the management CPUs incorrectly.
  [# 714691]

• The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.
  [# 715919]

• The VPX instance removes two servers instead of one when the following conditions are met:

  - The remove 1 server parameter is set in the scale down policy of the EC2 auto scaling group.

  - Back-end auto scale feature is configured on the VPX instance.
  [# 716006]

• The Citrix ADC VPX instance, configured with AWS back- end auto scaling feature, removes the EC2 auto scale group alarm.
  [# 716030]

• In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto-scaling fails to create multiple SNS topics.
  [# 716031]

• The Citrix ADC VPX instance configured with AWS back-end auto-scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears.

  "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"
  [# 716101]

• The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.
  [# 716714]

• In a hypervised environment, the management CPU usages could appear high if the hypervisor schedules the management CPUs incorrectly.
  [# NSHELP-18184, 714691]

• The VPX instance removes two servers instead of one when the following conditions are met:

  - The remove 1 server parameter is set in the scale down policy of the EC2 auto scaling group.

  - Back-end auto scale feature is configured on the VPX instance.
  [# NSPLAT-1554, BUG0716006]

• The Citrix ADC VPX instance, configured with AWS back- end auto scaling feature, removes the EC2 auto scale group alarm.
  [# NSPLAT-1587, BUG0716030]

• In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto-scaling fails to create multiple SNS topics.
  [# NSPLAT-1622, BUG0716031]

• The Citrix ADC VPX instance configured with AWS back-end auto scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears.

  "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"
  [# NSPLAT-1652, BUG0716101]

• The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.
  [# NSPLAT-1710, BUG0716714]

• The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.
  [# NSPLAT-1818, BUG0715919]

• If vCPUs are more than 12, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using ssh private key.
  [# NSPLAT-4781, BUG0712146]

• Tagged VLAN traffic might fail after upgrading a VPX instance to release 12.1 50.28, running on the following Citrix ADC SDX platforms:

  11500,13500, 14500, 16500, 18500, 20500, 11515, 11520, 11530, 11540, 11542,

  17500, 19500, 21500, 17550, 19550, 20550, 21550, 8400, 8600, 8010, 8015, 22040, 22060, 22080, 22100, 22120, 22040, 22060, 22080, 22100, 22120, 24100, 24150, 14020, 14030, 14040, 14060, 14080, 14100, 14020 FIPS, 14030 FIPS, 14060 FIPS, 14080 FIPS
  [# NSPLAT-7863]

Citrix Gateway

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [# 708643, 710636, 709652, 710570]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [# 709903]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [# 710351]

• URLs are not rewritten if SharePoint is configured with IT folder. Also, URLs with Unicode encoding for the following special character “\” are broken and hence are not rewritten.
  [# 710577]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [# 710801]

• EPA fails when Citrix Gateway is configured for nFactor authentication.
  [# 713291]

• In some cases, when Citrix Gateway is configured for nFactor authentication, quarantine group is not evaluated during post authentication EPA.
  [# 713466]

• User initiated password change request using the Citrix Gateway user interface fails .
  [# 715566]

• A client machine that has Chrome or Firefox set as default browser does not fall back to ICA proxy mode after the post authentication EPA scan fails.
  [# 715872]

• A Citrix Gateway appliance fails to process a SAML response on an existing connection.
  [# 715920]

• In some cases, Citrix Gateway appliance dumps core during freeing up the VPN session.
  [# 715925]

• User initiated password change request using the Citrix Gateway user interface fails .
  [# NSAUTH-4502, 715566]

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [# NSHELP-1054, NSHELP-1429, NSHELP-3235, NSHELP-559, TSK0708643]

• All admin UI calls are now allowed.

  Earlier, some of these calls were blocked because of a deny rule in the httpd.conf file.
  [# NSHELP-1478, 689278]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [# NSHELP-1606, TSK0709903]

• If you click an RDP bookmark, a .rdp file is downloaded.

  Earlier, when the RDP bookmark was clicked, it opened in a new tab.
  [# NSHELP-18140, 718864]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [# NSHELP-598, BUG0710801]

• A client machine that has Chrome or Firefox set as default browser does not fall back to ICA proxy mode after the post authentication EPA scan fails.
  [# NSHELP-6692, 715872]

• A Citrix Gateway appliance fails to process a SAML response on an existing connection.
  [# NSHELP-670, BUG0715920]

• URLs are not rewritten if SharePoint is configured with IT folder. Also, URLs with Unicode encoding for the following special character “\” are broken and hence are not rewritten.
  [# NSHELP-6709, 710577]

• In some cases, when Citrix Gateway is configured for nFactor authentication, quarantine group is not evaluated during post authentication EPA.
  [# NSHELP-6843, 713466]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [# NSHELP-8597, 710351]

• EPA fails when Citrix Gateway is configured for nFactor authentication.
  [# NSHELP-8642, 713291]

• In some cases, Citrix Gateway appliance dumps core during freeing up the VPN session.
  [# NSHELP-8664, 715925]

Clustering

• In a Citrix ADC cluster setup, you might find some inconsistencies in the server state in the database and in the packet engine, if you perform the following tasks in a sequence:

  1. Add a server in DISABLED state.

  2. Enable the server.

  If you use this server when executing the “bind servicegroup” command, the servicegroup members are added in OUT OF SERVICE state.
  [# 715328, 716644]

• In a Citrix ADC cluster setup, you might find some inconsistencies in the server state in the database and in the packet engine, if you perform the following tasks in a sequence:

  1. Add a server in DISABLED state.

  2. Enable the server.

  If you use this server when executing the “bind servicegroup” command, the servicegroup members are added in OUT OF SERVICE state.
  [# NSHELP-10943, 715328]

DNS

• A Citrix ADC appliance crashes when negative responses for root domain are cached.
  [# 710624]

• The Citrix ADC appliance might fail for proactive update DNS queries if there is an ICMP error.
  [# 712811]

• A Citrix ADC appliance crashes when negative responses for root domain are cached.
  [# NSHELP-12589, 710624]

• The Citrix ADC appliance might fail for proactive update DNS queries if there is an ICMP error.
  [# NSHELP-18132, 712811]

EPA

• Customer will experience loop when using nfactor authn: SAML + epa
  [# NSHELP-2137, TSK0715167]

GSLB

• GSLB configuration synchronization failed because the "set ssl servicegroup"command was also synchronized. With this fix, the command is not synchronized. As a result, the GSLB configuration is synchronized successfully.
  [# 709722, 718076]

• The Citrix ADC appliance might stop responding in the following case:

  - There are cached DNS records

  - The show gslb domain command is executed
  [# 712678, 713411, 713844]

• You might find GSLB service state inconsistencies among the cores when the MEP connection goes DOWN and the connection is back UP within a short time.
  [# 712842, 712454]

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [# 713908]

• You might find GSLB service state inconsistencies among the cores when the MEP connection goes DOWN and the connection is back UP within a short time.
  [# NSHELP-11872, 712842]

• The Citrix ADC appliance might stop responding in the following case:

  - There are cached DNS records

  - The show gslb domain command is executed
  [# NSHELP-18131, 712678]

• GSLB configuration synchronization failed because the "set ssl servicegroup"command was also synchronized. With this fix, the command is not synchronized. As a result, the GSLB configuration is synchronized successfully.
  [# NSHELP-4058, NSHELP-3090, TSK0709722]

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [# NSLB-880, BUG0713908]

GUI

• A time zone setting ("set timezone” command) in a Citrix ADC appliance running release 11.1 might get lost after you upgrade it to a later release.
  [# 692565, 683168]

• After you upgrade a Citric ADC appliance when a non-shell access user creates a certificate signing request (CSR), the appliance adds a "\" (backslash) appears before a " "(space) for organization name, locality name, etc.
  [# 713382]

• A time zone setting ("set timezone” command) in a Citrix ADC appliance running release 11.1 might get lost after you upgrade it to a later release.
  [# NSHELP-11550, 692565]

• After you upgrade a Citric ADC appliance when a non-shell access user creates a certificate signing request (CSR), the appliance adds a "\" (backslash) appears before a " "(space) for organization name, locality name, etc.
  [# NSHELP-4521, BUG0713382]

Gateway Insight

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [# 710678, 712929]

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [# NSHELP-5260, TSK0710678]

High availability

• When you upgrade NetScaler MAS from 12.1 release 49.31 build to 49.34 build, database streaming might stop syncing between the NetScaler MAS nodes that are deployed in high availability.
  [# NSHELP-5685, 717049]

• When a pair of Citrix ADC instances in high availability are discovered, the SNIP of the pair was set in the management_ip field of the primary node of the instances in high availability in NetScaler MAS.

  This fix sets the floating IP address in the management_ip field in both primary and secondary instances.
  [# NSHELP-6439, 715287]

Integrated Caching

• A Citrix ADC appliance crashes if the following conditions are met:

  - The cache contentgroup's memory limit exceeds the threshold.

  - The PINNED option is enabled on the cache contentgroup.
  [# 714583]

Licensing

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [# 712434]

• Support for pooled licensing for Citrix ADM license servers deployed in high availability

  You can now assign the same license to both Citrix ADM license servers that are deployed in high availability. This is possible because the host id of the primary server is configured as the virtual host id of the secondary server whenever failover happens. Therefore, the license recognizes the same host id on both servers and gets assigned to both servers.
  [# NSADM-18208, NSADM-14406, 707979]

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [# NSHELP-4804, TSK0712434]

• When you log on, NetScaler MAS displays alerts for licensing of those virtual servers that are discovered in NetScaler MAS but are not managed.

  Note: NetScaler MAS displays alerts only when auto selection of virtual servers is enabled and only if the number of discovered virtual servers is more than 30.
  [# NSHELP-5614, NSADM-15893, 713763]

Load Balancing

• If a wildcard TCP-based virtual server is moved to a wildcard HTTP-based virtual server or vice versa, there might be a possibility of linking TCP and HTTP sessions resulting in an unexpected behavior.
  [# 714154]

• Memory can build up on a Citrix ADC appliance, if the following conditions are met:

  - You have added a UDP nameserver (but no TCP nameserver).

  - You have configured a DNS autoscale servicegroup.

  - The truncated bit is set in the DNS response.

  Because the truncated bit and there is no TCP nameserver configured, the DNS resolution is tried over UDP and some memory is allocated for each IP address sent as part of UDP responses. The cycle continues and results in memory buildup.
  [# 714694]

• A Citrix ADC appliance might crash in the following case:

  A new HTTP request is received when changing the persistence type from COOKIEINSERT to other type.
  [# 714710]

• In a Citrix ADC GSLB parent-site topology setup, the appliance might crash, if the following conditions are observed:

  1. A child site has requested some information from a parent site because of site persistence.

  2. A client connection is terminated at the child site before the parent sends the response.

  3. An MEP connection is terminated after step 2.
  [# 716318]

• If a wildcard TCP-based virtual server is moved to a wildcard HTTP-based virtual server or vice versa, there might be a possibility of linking TCP and HTTP sessions resulting in an unexpected behavior.
  [# NSHELP-10014, 714154]

• Memory can build up on a Citrix ADC appliance, if the following conditions are met:

  - You have added a UDP nameserver (but no TCP nameserver).

  - You have configured a DNS autoscale servicegroup.

  - The truncated bit is set in the DNS response.

  Because the truncated bit and there is no TCP nameserver configured, the DNS resolution is tried over UDP and some memory is allocated for each IP address sent as part of UDP responses. The cycle continues and results in memory buildup.
  [# NSHELP-10053, 714694]

• A Citrix ADC appliance might crash in the following case:

  A new HTTP request is received when changing the persistence type from COOKIEINSERT to other type.
  [# NSHELP-10921, 714710]

• In a Citrix ADC GSLB parent-site topology setup, the appliance might crash, if the following conditions are observed:

  1. A child site has requested some information from a parent site because of site persistence.

  2. A client connection is terminated at the child site before the parent sends the response.

  3. An MEP connection is terminated after step 2.
  [# NSHELP-18129, 716318]

NITRO

• System login API fails with "Invalid username or password" error if the login account password has ‘=‘ character.
  [# NSHELP-4801, TSK0714487]

• Firing curl command "curl -u nsroot:nsroot http://<IP_Address>/nitro/v1/config/" causing httpd to crash.
  [# NSUI-7739, BUG0714963]

Citrix ADC GUI

• In rare cases, a Citrix ADC appliance displays an ‘Error in retrieving Certificate-key pair. Unable to get property match of undefined or null reference’ error message if you update certkey from the Certificates tab.
  [# 706444, 715207]

• In rare cases, a Citrix ADC appliance displays an ‘Error in retrieving Certificate-key pair. Unable to get property match of undefined or null reference’ error message if you update certkey from the Certificates tab.
  [# NSUI-6885, NSHELP-5180, BUG0706444]

Citrix Gateway

• The users connected to the Citrix Gateway appliance are unable to ping each other using the Intranet IP (IIP).
  [# 470679, 565941]

• Citrix Gateway appliance dumps core upon freeing the NSB memory twice.
  [# 701843]

• After an upgrade to version 11.1, the Citrix Gateway logon page does not appear on the Citrix ADC GUI.
  [# 702580]

• The Citrix Gateway appliance dumps core if the following conditions are met:

  • HTTP websites are accessed.

  • Memory allocation is low.

  • Memory allocation for code compression feature fails.
  [# 706402]

• In some cases, the Citrix Gateway appliance dumps core if the following conditions are met:

  - The Citrix Gateway appliance hosts connections to Citrix XenDesktop 7.16 and above the supports UDT.

  - A DTLS service with the same IP:PORT as the VDA is added.
  [# 708188]

• POST request has some non-required fields.
  [# 709243]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [# 709689]

• VPN tunneling is ceased because Windows firewall on Citrix virtual adapter drops the packets. The packet drop is caused because of cross firewall profile switch (profile switch from domain to public) for any inbound connection.
  [# 710165, 707791, 704144, 716197]

• The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.
  [# 711434, 710161, 716058]

• In a multi-core environment, device certificate failed intermittently due to syncing issues.
  [# 711654]

• Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.
  [# 711678]

• In some cases, the Citrix Gateway appliance with multiple cores crashes if the HDX Insight feature is enabled, during a session reconnect.
  [# 711720, 712124, 712553, 714141, 714351, 714721, 715556, 715557, 716043, 714261, 715482, 716653, 718681, 718673]

• Allowed login groups parameters in session action do not take effect with advanced session policies.
  [# 712705]

• The Citrix Gateway appliance displays incorrect http content for STA ticket refresh request.
  [# 713473]

• In rare cases, the Citrix Gateway appliance dumps core when a proxy server is configured.
  [# 713474]

• For a non-admin user, Citrix Gateway service is not able to get the admin privileges.
  [# 714332]

• In some cases, performing certificate related operations after changing the RDP listeners by setting and unsetting RDP ServerProfile result in a crash.
  [# 714720]

• A Citrix Gateway appliance configured for nFactor authentication becomes unresponsive when the following conditions are met.

  - SAML is configured as the first factor of authentication.

  - EPA is configured as the last factor of authentication.
  [# 715167]

• Windows can add a best route for any On-link interface to route traffic. The addition of a new route for the internal network address on the virtual adapter's interface results in connectivity issues over VPN connection.
  [# 715217]

• In some cases, the Citrix Gateway appliance dumps core based on a particular sequence of events, if the appliance is configured for EDT proxy.
  [# 715713]

• In some cases, applications accessed using Citrix Gateway become unresponsive because excessive logon redirects causes memory build up in the appliance.
  [# 717351, 718406]

• In a multi-core environment, device certificate failed intermittently due to syncing issues.
  [# CGOP-3666, BUG0711654]

• The users connected to the Citrix Gateway appliance are unable to ping each other using the Intranet IP (IIP).
  [# CGOP-878, BUG0470679]

• Citrix Gateway now supports a new version of NetworkAccessControl (NAC) checks using Microsoft Enterprise Mobility (Microsoft Intune) suite. This variant uses a signed device information of the end client for validation. To use this feature, you need a compatible version of the Citrix SSO app.
  [# NSAUTH-4239, BUG0716353]

• Windows can add a best route for any On-link interface to route traffic. The addition of a new route for the internal network address on the virtual adapter's interface results in connectivity issues over VPN connection.
  [# NSHELP-1479, TSK0715217]

• In some cases, the Citrix Gateway appliance with multiple cores crashes if the HDX Insight feature is enabled, during a session reconnect.
  [# NSHELP-15792, NSHELP-15687, NSHELP-15689, NSHELP-17901, 711720]

• In rare cases, the Citrix Gateway appliance dumps core when a proxy server is configured.
  [# NSHELP-1616, TSK0713474]

• In some cases, the Citrix Gateway appliance dumps core if the following conditions are met:

  - The Citrix Gateway appliance hosts connections to Citrix XenDesktop 7.16 and above the supports UDT.

  - A DTLS service with the same IP:PORT as the VDA is added.
  [# NSHELP-1692, TSK0708188]

• The Citrix Gateway appliance displays incorrect http content for STA ticket refresh request.
  [# NSHELP-1721, TSK0713473]

• Allowed login groups parameters in session action do not take effect with advanced session policies.
  [# NSHELP-1728, TSK0712705]

• Citrix Gateway appliance dumps core upon freeing the NSB memory twice.
  [# NSHELP-1790, TSK0701843]

• VPN tunneling is ceased because Windows firewall on Citrix virtual adapter drops the packets. The packet drop is caused because of cross firewall profile switch (profile switch from domain to public) for any inbound connection.
  [# NSHELP-1975, NSHELP-1138, NSHELP-1398, NSHELP-2089, TSK0710165]

• For a non-admin user, Citrix Gateway service is not able to get the admin privileges.
  [# NSHELP-2040, BUG0714332]

• In some cases, the Citrix Gateway appliance dumps core based on a particular sequence of events, if the appliance is configured for EDT proxy.
  [# NSHELP-2134, TSK0715713]

• In some cases, applications accessed using Citrix Gateway become unresponsive because excessive logon redirects causes memory build up in the appliance.
  [# NSHELP-2138, TSK0717351]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [# NSHELP-423, TSK0709689]

• POST request has some non-required fields.
  [# NSHELP-428, TSK0709243]

• The Citrix Gateway appliance dumps core if the following conditions are met:

  • HTTP websites are accessed.

  • Memory allocation is low.

  • Memory allocation for code compression feature fails.
  [# NSHELP-5747, TSK0706402]

• In some cases, performing certificate related operations after changing the RDP listeners by setting and unsetting RDP ServerProfile result in a crash.
  [# NSHELP-5756, TSK0714720]

• After an upgrade to version 11.1, the Citrix Gateway logon page does not appear on the Citrix ADC GUI.
  [# NSHELP-6458, 702580]

• Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.
  [# NSHELP-6835, 711678]

• The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.
  [# NSHELP-8015, 711434]

NetScaler Insight Center

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [# 710363, 704912]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [# 713607]

• When Session Reliability on Citrix ADC high availability pair is enabled. The output throughput on the primary Citrix ADC appliance is comparatively higher than the input throughput of the appliance.
  [# 714250]

• A Citrix ADC appliance might become unresponsive in a multi-core environment if ICA AppFlow or SmartControl feature is enabled.
  [# 716479]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [# NSHELP-15811, 713607]

• A Citrix ADC appliance might become unresponsive in a multi-core environment if ICA AppFlow or SmartControl feature is enabled.
  [# NSHELP-15834, 716479]

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [# NSHELP-5259, NSINSIGHT-1192, TSK0710363]

• When Session Reliability on Citrix ADC high availability pair is enabled. The output throughput on the primary Citrix ADC appliance is comparatively higher than the input throughput of the appliance.
  [# NSHELP-5261, BUG0714250]

Citrix ADC MPX Appliance

• In a Citrix ADC MPX appliance, the GUI and command interface is unable to distinguish between Mellanox 100G and 50G interfaces. As a result, the interfaces allow you to set 50G on 100G interface.
  [# 707811]

• In a Citrix ADC MPX appliance, the GUI and command interface is unable to distinguish between Mellanox 100G and 50G interfaces. As a result, the interfaces allow you to set 50G on 100G interface.
  [# NSHELP-14761, 707811]

Citrix ADC SDX Appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  [# 600152, 697276, 704954]

• The management IP (NSIP) of a Citrix ADC VPX instance running on SDX 14000 platform becomes unreachable when the following conditions are met:

  - An LACP channel comprising 10G or 40G interfaces is assigned as VPX management NIC.

  - One of the member interfaces in the LACP channel goes down.
  [# 707600]

• The virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work on SDX 26000 and SDX 15000-50G platforms.
  [# 709182]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [# 710320]

• The management IP (NSIP) of a Citrix ADC VPX instance running on SDX 14000 platform becomes unreachable when the following conditions are met:

  - An LACP channel comprising 10G or 40G interfaces is assigned as VPX management NIC.

  - One of the member interfaces in the LACP channel goes down.
  [# NSHELP-13895, 707600]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [# NSPLAT-4076, BUG0710320]

• The virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work on SDX 26000 and SDX 15000-50G platforms.
  [# NSPLAT-7364, BUG0709182]

Citrix ADC VPX Appliance

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [# 695358, 706660, 707542]

• The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears both in GUI and CLI.
  [# 705295, 689807]

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [# NSHELP-2647, NSHELP-2393, NSHELP-2394, TSK0695358]

• The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears both in GUI and CLI.
  [# NSPLAT-4343, NSPLAT-4216, BUG0705295]

Networking

• A Citrix ADC appliance does not allow traffic domain configuration inside admin partition context.
  [# 647744]

• In a high availability setup, the Citrix ADC appliance does not send jumbo frames on interfaces that are Jumbo enabled. This issue cause the state of the LACP channels and interfaces to flap, which in turn results in repetitive HA failover in the setup.
  [# 708050]

• The Citrix ADC appliance might not remove monitors, which have a netprofile bound to a route, during a clear config extended+ operation. These monitors point to the associated netprofile, which was removed during the during a clear config extended+ operation, causing the Citrix ADC appliance to crash.
  [# 710015]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [# 710326, 711605]

• UDP applications (for example, DNS, TFTP, Radius, DTLS) might not work in Citrix VPX instances running on a VMware ESX server with VMXNET3 network interfaces.
  [# 711445, 713549, 715567, 716984, 718232]

• The Citrix ADC appliance might not completely remove the RNAT global configuration during a clear config operation.
  [# 712215]

• In a cluster setup, appliances might fail in unbinding NAT rules, with 32-bit netmask, from a netprofile.
  [# 715128]

• In a high availability setup, the Citrix ADC appliance does not send jumbo frames on interfaces that are Jumbo enabled. This issue cause the state of the LACP channels and interfaces to flap, which in turn results in repetitive HA failover in the setup.
  [# NSHELP-16172, 708050]

• In a Citrix Gateway appliance, responder and rewrite policies bound to VPN virtual servers might not process the packets that matched the policy rules.
  [# NSHELP-18311]

• Enabling secure access (secureonly) to Citrix ADC GUI on the NSIP or SNIP addresses fails to disable HTTP (insecure) GUI access.
  [# NSHELP-18353]

• In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.
  [# NSHELP-253, BUG0708496]

• The Citrix ADC appliance might not remove monitors, which have a netprofile bound to a route, during a clear config extended+ operation. These monitors point to the associated netprofile, which was removed during the during a clear config extended+ operation, causing the Citrix ADC appliance to crash.
  [# NSHELP-80, BUG0710015]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [# NSHELP-81, NSNET-553, TSK0710326]

• Trivial File Transfer Protocol (TFTP) might not work in Citrix VPX instances running on VMware ESX server with VMXNET3 network interfaces.
  [# NSHELP-85, NSHELP-107, NSHELP-3633, NSHELP-452, TSK0711445]

• The Citrix ADC appliance might not completely remove the RNAT global configuration during a clear config operation.
  [# NSHELP-86, TSK0712215]

• The appliance might fail in unbinding NAT rules, with 32-bit netmask, from a netprofile.
  [# NSHELP-93, TSK0715128]

• A Citrix ADC appliance does not allow traffic domain configuration inside admin partition context.
  [# NSNET-4562, BUG0647744]

Networks

• Support for the autoscaling of Citrix ADC instances deployed in AWS

  The Citrix ADM autoscaling feature now supports provisioning and autoscaling of Citrix ADC instances in AWS. The Citrix ADM collects statistics (CPU usage, memory usage, throughput) from the autoscale provisioned clusters. These statistics are evaluated against the customer-configured value. Depending on whether the statistics exceed the maximum threshold or are operating below the minimum threshold, scale-out or scale-in is triggered respectively.

  The advantages of the autoscaling features are:

  - Ensures that the application is up and running all the time irrespective of traffic demands.

  - Citrix ADC instances are added and removed dynamically making to a zero-touch manual configuration.

  - DNS management is automatic.

  - Enables better cost management.

  To use the autoscale feature, you must create a site, an agent, autoscale groups and then deploy the application using StyleBooks.
  [# NSADM-17998, 708449]

• Auto-rollback in NetScaler MAS doesn't happen when you run wrong commands. For example, "rm" commands. You get a "null" if rollback command is not available.
  [# NSHELP-5621, 713923]

• If you use the name of an existing configuration template as the name of the configuration job, you might not be able to edit the job later.
  [# NSHELP-5622, NSHELP-5556, 713926]

• When you are creating an event rule, you can add new trap destinations. But if yo modify the newly added trap destination, it might get removed from the list.
  [# NSHELP-5625, 715024]

• Citrix ADM performance subsystem crashes every few hours and this has an impact on the network reporting.
  [# NSHELP-5628, NSADM-15847, NSHELP-5519, NSHELP-5522, 715483]

• Statistics of virtual servers are not displayed if the virtual servers are part of Citrix ADC instances that are deployed in high availability.
  [# NSHELP-5650, 715243]

• Syslog messages are displayed in multiple pages in Citrix ADM. When you search for Syslog messages in one page by entering a keyword, the same search results are not retained when you move to another page. You have to search again by entering the same keyword. With this fix, Citrix ADM displays the result of the search in all pages.
  [# NSHELP-5652, 715671]

• If you add a Citrix ADC SDX of version that is of 11.0 or lesser release in NetScaler MAS, then the dashboard of SDX from NetScaler MAS UI displays an error.
  [# NSHELP-5653, 715803]

• Intermittently, Citrix ADM might miss collecting data points. This might affect the daily, weekly or monthly reports.
  [# NSHELP-5856, 716778]

• When you navigate to Networks > Events, the events are not displayed in the order for the first time. If you click the Date column header, the events appear chronologically sorted.
  [# NSHELP-6213, 716615]

• NetScaler MAS performance subsystem reports high CPU utilization that might impact the data points in network reporting dashboard.
  [# NSHELP-6481, 716235]

Orchestration

• Deploying OpenStack LBaaS configurations through StyleBooks

  In the OpenStack orchestration workflow, NetScaler MAS now uses the "os-cs-lb-mon" StyleBook to deploy LBaaS configurations on Citrix ADC instances allotted to the OpenStack tenant. Using StyleBooks for configuration in OpenStack workflow provides the following benefits:

  • better visualization by providing the ability to view all the configuration objects

  • reliability through rollback

  • support for various Citrix ADC instance types (Citrix ADC HA, partitions, VPX, MPX, and others)

  • customization by using your own StyleBooks to deploy configuration for OpenStack tenants

  For more details, see https://docs.citrix.com/en-us/netscaler-mas/12-1/orchestration/integrate-with-openstack-platform/provisioning-adc-vpx-instance-on-openstack-using-stylebooks.html
  [# NSADM-16326, NSADM-14509, 702345]

• NetScaler MAS displays an unknown system error when a service package is created for the first time for OpenStack. This error occurs when tenants are being assigned to the service package.
  [# NSADM-19539, 709947]

• When you add an extra management IP (floating public IP) address during Citrix ADC VPX high availability deployment, you had to perform a forced failover and then rediscover the instances from NetScaler MAS. With this fix, a forced failover and rediscovering the instances is not necessary and you can deploy configurations on OpenStack.
  [# NSHELP-5686, 715363]

• OpenStack does not concurrently process multiple requests from multiple tenants.
  [# NSHELP-5695, NSHELP-5564, 715153]

Platform

• Support for Citrix ADC MPX 26000-50S Platform

  This release supports the MPX 26000-50S platform.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [# 662685, 703784, 688397, 648918]

• You might see a Tx stall issue on MPX platforms that contain Intel XL710 NICs.
  [# 712779]

• In some cases, packets can be corrupted on the MPX-26000-100G and MPX-26000T-100G appliances.
  [# 714851]

• You might see a Tx stall issue on MPX platforms that contain Intel XL710 NICs.
  [# NSHELP-14786, 712779]

• In some cases, packets can be corrupted on the MPX-26000-100G and MPX-26000T-100G appliances.
  [# NSHELP-14823, 714851]

Rewrite

• Policy Bindings for LB VServer of types TCP, SIP UDP, MYSQL, MSSQL, ORACLE, NAT, DIAMETER, RADIUS, SIP TCP, DNS, and SSL do not contain the REQUEST or RESPONSE type within saved configuration. A workaround is to manually issue the bind command with proper REQUEST or RESPONSE binding type. Another workaround is to place the corrected bind commands in file /nsconfig/nsafter.sh. However, those commands need to be updated if any change is made to the policy bindings as well. Those commands must be removed once the system is upgraded to a build containing the fix.
  [# NSHELP-471, TSK0715617]

SNMP

• When configuring entity-Down and entity-Up traps, the entity state alarms do not work as expected. This issue is observed if you add an extra suffix (_UP or _DOWN) to the entity name "varbind" when configuring the UP and DOWN traps.
  [# 715922]

• When configuring entity-Down and entity-Up traps, the entity state alarms do not work as expected. This issue is observed if an extra suffix (_UP or _DOWN) is added to the entity name "varbind" for configuring the UP and DOWN traps.
  [# NSHELP-16607, 715922]

• SNMP code was setting some device flags wrongly from the beginning, recent fixes from NS-aggregator exposed this gaps which turned into this problem scenario.
  [# NSHELP-359, NSHELP-400, TSK0713612]

SSL

• In a cluster setup, cipher suites bound to a custom cipher group are lost from the CLIP node after you upgrade the setup.
  [# 707738, 708168]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [# 710207, 710428]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [# 710573]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [# 711066, 706981]

• If you configure an MPX/SDX 14000 FIPS appliance for the first time, the appliance restarts after you run the "reset fips" command.
  [# 713370]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [# 713913]

• On a Citrix ADC VPX appliance, memory leak is observed when policy-based renegotiation happens.
  [# 714186, 706370, 716543]

• On an SDX 14000 FIPS appliance, the FIPS card resets if all of the following conditions are met:

  - You created a partition in release 11.x.

  - The partition name is greater than 12 characters.

  - You upgrade the appliance to release 12.x.
  [# 714338]

• A memory leak is observed if all of the following conditions are met:

  - TLSv1.3 protocol and certificate-based client authentication are enabled on the same virtual server.

  - TLSv1.3 is negotiated for a connection.

  - Client sends a `CertificateVerify` message.
  [# 715127]

• Memory allocation might fail leading to memory leak in a heavy traffic scenario.
  [# 715348]

• The server now aborts the handshake by sending a fatal 'inappropriate_fallback' alert if the following conditions are met:

  - Both TLSv1.2 and TLSv1.3 are enabled on an SSL virtual server.

  - The client sends a TLSv1.2 ClientHello with TLS_FALLBACK_SCSV.

  Earlier, the server proceeded with a TLSv1.2 handshake. This issue caused the maximum SSL Labs rating for a TLSv1.3 virtual server to drop from A+ to A. The rating dropped because the scanner detected that the server did not appear to support TLS_FALLBACK_SCSV in all cases.
  [# 715561]

• You can directly upgrade from build 11.1-48.x or earlier to build 11.1-60.x and to build 12.1-50.x without losing the PFX certificate-key pairs.

  For earlier builds, you must upgrade incrementally as follows:

  11.1-48.10 --> 11.1-50.10 --> 11.1-59.10

  OR

  11.1-48.10 --> 11.1-50.10 --> 12.1-49.23
  [# 716272]

• On a Citrix ADC VPX appliance, memory leak is observed when policy-based renegotiation happens.
  [# NSHELP-13294, NSHELP-17903, 714186]

• You can directly upgrade from build 11.1-48.x or earlier to build 11.1-60.x and to build 12.1-50.x without losing the PFX certificate-key pairs.

  For earlier builds, you must upgrade incrementally as follows:

  11.1-48.10 --> 11.1-50.10 --> 11.1-59.10

  OR

  11.1-48.10 --> 11.1-50.10 --> 12.1-49.23
  [# NSHELP-13337, 716272]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [# NSHELP-14157, 711066]

• Memory allocation might fail leading to memory leak in a heavy traffic scenario.
  [# NSHELP-14606, 715348]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [# NSHELP-5052, TSK0710573]

• In a cluster setup, cipher suites bound to a custom cipher group are lost from the CLIP node after you upgrade the setup.
  [# NSHELP-5056, NSSSL-1679, BUG0707738]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [# NSHELP-5077, NSHELP-3801, TSK0710207]

• On an SDX 14000 FIPS appliance, the FIPS card resets if all of the following conditions are met:

  - You created a partition in release 11.x.

  - The partition name is greater than 12 characters.

  - You upgrade the appliance to release 12.x.
  [# NSHELP-5101, BUG0714338]

• A memory leak is observed if all of the following conditions are met:

  - TLS 1.3 protocol and certificate-based client authentication are enabled on the same virtual server.

  - TLS 1.3 is negotiated for a connection.

  - Client sends a `CertificateVerify` message.
  [# NSSSL-1152, BUG0715127]

• The server now aborts the handshake by sending a fatal 'inappropriate_fallback' alert if the following conditions are met:

  - Both TLSv1.2 and TLSv1.3 are enabled on an SSL virtual server

  - The client sends a TLSv1.2 ClientHello with TLS_FALLBACK_SCSV

  Earlier, the server proceeded with a TLSv1.2 handshake. This issue caused the maximum possible SSL Labs rating for a TLSv1.3 virtual server to drop from A+ to A, since the scanner detected that the server did not appear to support TLS_FALLBACK_SCSV in all cases.
  [# NSSSL-1226, BUG0715561]

• If you configure an MPX/SDX 14000 FIPS appliance for the first time, the appliance restarts after you run the "reset fips" command.
  [# NSSSL-2433, BUG0713370]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [# NSSSL-283, BUG0713913]

• The SSL parameters do no appear correctly in the service view.
  [# NSUI-11414]

StyleBooks

• GitHub import and sync for StyleBooks

  You can now use the “Repositories” feature in Citrix ADM to directly import and sync StyleBooks from GitHub repositories. You can sync StyleBooks from multiple GitHub repositories. StyleBooks that are created in GitHub and imported from GitHub repositories are still dependent on Citrix ADM RBAC policies in the same way as StyleBooks imported manually. You can configure a GitHub repository using either GitHub username and password or an API token.
  [# NSADM-15841, NSADM-3622, 699790]

• Citrix ADM displays an error message that says "Invalid format found. Upload .yaml files" when you earlier tried to upload a valid .yaml file using Chrome or Firefox browser. This issue is fixed, and now you can upload valid .yaml files from Chrome or Firefox browser.
  [# NSADM-18097, NSADM-16828, NSHELP-5543, 716670]

• Citrix ADM displayed an error message that says "No JSON Object Decoded" when an externally authenticated user creates a custom application using StyleBooks. This issue is fixed, and an external user can now create custom applications using StyleBooks.
  [# NSHELP-5664, 716793]

System

• In a high availability setup, when the secondary node becomes the primary node, the BGP route update might fail on the new primary node because of a TCP timestamp overflow.
  [# 707067]

• The "sh audit messages" command does not display log messages in the following case:

  If you configure the log facility parameter with a value other than LOCAL0 in the "syslogparams" or "syslogaction" command.
  [# 709464]

• A weblogging client crashes, if a clustered setup on a VMware ESX platform with VMXNET3 interfaces encounters time synchronization issues.
  [# 711086]

• During a TCP handshake, if the server responds with a TCP window size of 0 bytes, the appliance keeps the connection in TCP persist mode. Later, if the server opens the TCP window, the connection remains in persist mode and is not removed. As a result, the persist and keep-alive lists get mixed up and the appliance crashes when it tries to free the connection.
  [# 711131]

• If flash cache option is enabled on a Citrix ADC appliance and also receives client requests to the same resource, the appliance resets the connection before it sends the response to the client.
  [# 711508]

• Service state synchronization is not happening in a cluster node deployment, if the following conditions are observed:

  - Cluster setup is upgraded from 11.1 builds.

  - Audit log action (SYSLOG or NSLOG) is configured with SYSLOG or NSLOG server's domain name.
  [# 711841]

• When you upgrade a Citrix ADC appliance to release 12.1, SNMP does not work as expected. Instead, it responds with the "No Such Object" error message.
  [# 713612, 714913, 718402]

• A Citrix ADC appliance crashes if invalid MP_JOIN options of MP_JOIN SYN packet are sent in an MP_CAPABLE subflow.
  [# 714030]

• When a client sends an HTTP2 request to a Citrix ADC appliance and if the MSS value is lesser than the response generated by the appliance, an internal parsing issue occurs.
  [# 714410]

• At a given time, you can configure the domain name of the server only for one SYSLOG action or NSLOG action. If you try to add another action (either an SYSLOG action or NSLOG action) with the server's domain name, the system displays an error message.

  Example:

  > add syslogaction act1 syslog.server.com -loglevel all

  Done

  > add nslogaction act2 nslog.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name

  > add syslogaction act3 syslog2.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name
  [# 715341]

• gPRC transactions fail under the following conditions:

  - If the initial client request goes to an HTTP/2 enabled virtual server and service but a response is not received.

  - If the server sends a trailer header with multiple header entries.
  [# 715863]

• If the “Stale Cache Group Table” devices reside in the SNMP AVL tree, the SNMP walk operation fails. As a result, the SNMP walk operation does not return an error message for the subsequent SNMP table counters.
  [# 716890, 717462]

• Service state synchronization is not happening in a cluster node deployment, if the following conditions are observed:

  - Cluster setup is upgraded from 11.1 builds.

  - Audit log action (SYSLOG or NSLOG) is configured with SYSLOG or NSLOG server's domain name.
  [# CGOP-6813, BUG0711841]

• At a given time, you can configure the domain name of the server only for one SYSLOG action or NSLOG action. If you try to add another action (either an SYSLOG action or NSLOG action) with the server's domain name, the system displays an error message.

  Example:

  > add syslogaction act1 syslog.server.com -loglevel all

  Done

  > add nslogaction act2 nslog.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name

  > add syslogaction act3 syslog2.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name
  [# CGOP-6838, BUG0715341]

• You cannot perform a global poll on all virtual servers and services when you have "read-only" access permission. But, Citrix ADM doesn't display any error message that says you are not authorized to perform this action until the last step in that task.
  [# NSADM-14885, 696616]

• Configuring customer identity on Citrix ADM

  Citrix proactively collects statistics on your ADM deployments to understand your deployment usage and deployment scale. The statistics collected on health, status, and usage pattern of the ADM deployment on your premises allows Citrix to provide an enhanced user experience. To utilize this feature, create a customer identity on Citrix Cloud and provide the user details on ADM.
  [# NSADM-18107, 710005]

• Renaming of Citrix ADC Management and Analytics System

  Citrix ADC Management and Analytics System (MAS) is now renamed to Citrix Application Delivery Management (ADM). This is part of the Citrix unified product portfolio.

  You might notice new names in our products and product documentation. This is a result of the expansion of the Citrix portfolio and cloud strategy. For more details about the Citrix unified portfolio, see Citrix product guide. Implementing this transition in our products and their documentation is an ongoing process.

  In-product content and documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, directory/file names, screenshots, and diagrams.

  It is possible that some items (such as commands) might continue to retain their former names to prevent breaking existing customer scripts.

  Related product documentation and other resources (such as videos and blog posts) that are linked from this product’s documentation might still contain former names.
  [# NSADM-18236, 713591]

• Support to shut down Citrix ADM from the user interface

  You can navigate to System > System Administration and click on Shut Down Citrix ADM to completely shut down Citrix ADM. Note: Once you shut down Citrix ADM, be aware that you can start Citrix ADM again only from the hypervisor where you have installed it.
  [# NSADM-18372, 715121]

• The report export feature on Citrix ADM fails due to a longer loading time and back-end export service limitations.
  [# NSADM-19727, NSADM-16906, 705411]

• A weblogging client crashes, if a clustered setup on a VMware ESX platform with VMXNET3 interfaces encounters time synchronization issues.
  [# NSHELP-10850, 711086]

• A Citrix ADC appliance crashes if invalid MP_JOIN options of MP_JOIN SYN packet are sent in an MP_CAPABLE subflow.
  [# NSHELP-10986, 714030]

• When a client sends an HTTP2 request to a Citrix ADC appliance and if the MSS value is lesser than the response generated by the appliance, an internal parsing issue occurs.
  [# NSHELP-11542, 714410]

• If the “Stale Cache Group Table” devices reside in the SNMP AVL tree, the SNMP walk operation fails. As a result, the SNMP walk operation does not return an error message for the subsequent SNMP table counters.
  [# NSHELP-15094, 716890]

• If flash cache option is enabled on a Citrix ADC appliance and also receives client requests to the same resource, the appliance resets the connection before it sends the response to the client.
  [# NSHELP-3503, TSK0711508]

• Even though a new session id is used every time to access Citrix ADC VPX user interface, single-sign-on fails to open in a new window.
  [# NSHELP-5372, 699435]

• Sometimes, you might not be able to restart Citrix ADC instances from Citrix ADM. This is because some instances require more than ten minutes to restart and Citrix ADM waits only for ten minutes for the instances to restart. With this fix, you can now configure the Citrix ADM reboot time up to 30 minutes.
  [# NSHELP-5632, NSADM-15926, 716178]

• The "sh audit messages" command does not display log messages in the following case:

  If you configure the log facility parameter with a value other than LOCAL0 in the "syslogparams" or "syslogaction" command.
  [# NSHELP-5736, TSK0709464]

• In a high availability setup, when the secondary node becomes the primary node, the BGP route update might fail on the new primary node because of a TCP timestamp overflow.
  [# NSHELP-8844, 707067]

• gPRC transactions fail under the following conditions:

  - If the initial client request goes to an HTTP/2 enabled virtual server and service but a response is not received.

  - If the server sends a trailer header with multiple header entries.
  [# NSHELP-9308, 715863]

TCP

• During a TCP handshake, if the server responds with a TCP window size of 0 bytes, the appliance keeps the connection in TCP persist mode. Later, if the server opens the TCP window, the connection remains in persist mode and is not removed. As a result, the persist and keep-alive lists get mixed up and the appliance crashes when it tries to free the connection.
  [# NSHELP-5706, TSK0711131]

Telco Networking

• The data connection to the back-end server uses the client IP if the following conditions are met:

  - Global use source IP (USIP) is enabled.

  - Origin USIP on cache redirection (CR) virtual server is disabled.
  [# 627692]

• The data connection to the back-end server uses the client IP if the following conditions are met:

  - Global use source IP (USIP) is enabled.

  - Origin USIP on cache redirection (CR) virtual server is disabled.
  [# NSNET-4155, BUG0627692]

Telco Traffic Management

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [# 712839]

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [# NSUI-7265, BUG0712839]

Telco Video Optimization

• The Citrix ADC appliance might crash when it runs body detection algorithm on chunked content. This issue is fixed now. As part of the fix, boundary checks were added.
  [# 714058]

• Memory leak is observed in the SSL detected domain extraction algorithm. The issue occurs if the SSL detected domain is extracted by the server certificate. The memory leak eventually causes the Citrix ADC appliance to become unresponsive.
  [# 714470, 717711]

• Memory leak is observed in the SSL detected domain extraction algorithm. The issue occurs if the SSL detected domain is extracted by the server certificate. The memory leak eventually causes the Citrix ADC appliance to become unresponsive.
  [# NSHELP-5780, NSHELP-5787, BUG0714470]

• The Citrix ADC appliance might crash when it runs body detection algorithm on chunked content. This issue is fixed now. As part of the fix, boundary checks were added.
  [# NSVIDEOOPT-167, BUG0714058]

URL Filtering

• The “show urlset” command displays only url sets that are imported and not that are added
  [# 667361, 664119, 673476, 690227]

• The “show urlset” command displays only url sets that are imported and not that are added
  [# NSSWG-670, NSSWG-747, NSSWG-788, BUG0667361]

Web App Firewall

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [# 703461, 712938, 714297]

• In a content switching deployment, the load balancing virtual server details are not captured in the AppFlow records. As a result, the Security Insight reports are generated at the content switching virtual server level and not at the load balancing virtual server level.
  [# 709737]

• The Web App Firewall profile import fails under the following conditions:

  - The WSDL file is configured in the XML message validation check under Relaxation Rules, and

  - The end-point check is set as RELATIVE.
  [# 713580]

• In a cluster setup, when you deploy a Learned Rule for HTML Cross-Site Scripting check, the Citrix ADC appliance displays an error, "The CrossSiteScripting Check is already in use".
  [# 714392, 688279]

• In a content switching deployment, the load balancing virtual server details are not captured in the AppFlow records. As a result, the Security Insight reports are generated at the content switching virtual server level and not at the load balancing virtual server level.
  [# NSHELP-17152, 709737]

• In a cluster setup, when you deploy a Learned Rule for HTML Cross-Site Scripting check, the Citrix ADC appliance displays an error, "The CrossSiteScripting Check is already in use".
  [# NSHELP-18085, 714392]

• The Web App Firewall profile import fails under the following conditions:

  - The WSDL file is configured in the XML message validation check under Relaxation Rules, and

  - The end-point check is set as RELATIVE.
  [# NSHELP-2876, TSK0713580]

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [# NSWAF-112, NSHELP-2757, NSHELP-2762, BUG0703461]

Web Citrix Web App Firewall

• Memory leak is observed in a Citrix ADC appliance, if the Integrated Cache and the Web Citrix Web App Firewall features are enabled.
  [# NSHELP-17969, NSHELP-17158, 717405]

Known Issues

AppFlow

• If you have more than one AppFlow collectors associated to an AppFlow action with distribution algorithm enabled, the video detection AppFlow records are sent only to one collector. In addition, if one collector goes down, the video AppFlow records are not sent to other collectors. As a result, the records are lost.
  [# NSHELP-3493, 710881]

Citrix Web App Firewall

• In a HA environment, after an upgrade to release version 11.1 56.x, the Citrix Web App Firewall primary node fails to restart after a failover.
  [# 693905]

• A Citrix ADC application firewall appliance intermittently blocks requests for some URLs under heavy traffic loads when advance application firewall start url check is enabled.
  [# 694123]

• A Citrix ADC application firewall appliance intermittently blocks requests for some URLs under heavy traffic loads when advance application firewall start url check is enabled.
  [# NSHELP-16678, 694123]

• In a HA environment, after an upgrade to release version 11.1 56.x, the Citrix Web App Firewall primary node fails to restart after a failover.
  [# NSHELP-17644, 693905]

Authentication, authorization, and auditing

• The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials.

  Workaround:

  Create a traffic policy based on back-end URL and create a trafficAction with SSO OFF and No Proxy. The backend should be accessible.
  [# 689153]

• The LDAP authentication might fail on a Citrix Gateway appliance when a nested group extraction is configured and LDAP groups exceed 16000 bytes.
  [# 696784, 706081]

• The following behavior is observed in a Citrix ADC appliance:

  • In a high availability setup, the primary node overwrites the invalid login counters of the secondary node.

  • In a cluster setup, the invalid login counters on Cluster Management IP address (CLIP) node overwrite the invalid login counters of the cluster nodes.
  [# 708177]

• A Citrix ADC appliance might become unresponsive if there is a high CPU usage.
  [# 711351, 714426]

• The following behavior is observed in a Citrix ADC appliance:

  • In a high availability setup, the primary node overwrites the invalid login counters of the secondary node.

  • In a cluster setup, the invalid login counters on Cluster Management IP address (CLIP) node overwrite the invalid login counters of the cluster nodes.
  [# NSAUTH-1730, BUG0708177]

• If client authentication is enabled on an authentication, authorization, and auditing virtual server, you will see a cert prompt.

  Note: You need to disable the client authentication while testing LDAP connectivity 2.0 feature.
  [# NSAUTH-2091, BUG0707004]

• The self-service password reset knowledge-based question and answer validation might fail if the size of the certificate bound to VPN global is greater than 1024 bytes.

  Workaround: Use a certificate-key pair of size less than or equal to 1024 bytes.
  [# NSAUTH-5342]

• The LDAP authentication might fail on a Citrix Gateway appliance when a nested group extraction is configured and LDAP groups exceed 16000 bytes.
  [# NSHELP-18160, 696784]

• A Citrix ADC appliance might become unresponsive if there is a high CPU usage.
  [# NSHELP-8356, 711351]

• The client authentication request from a Citrix ADC AAA might become unresponsive while receiving an authentication response from the back-end server because the client has dropped the connection.
  [# NSHELP-903, NSHELP-666, 697237]

Base

• ABR video connections are throttled in nature and thus can negatively impact the correctness of Connection Quality Analytics (CQA).

  So, CQA metrics produced for ABR video transactions should be discarded.
  [# NSBASE-1116, 711964]

Changes in Citrix product names

• We are unifying our product portfolio. If you have been a Citrix customer or partner for a while, you will notice new names in our products and in the product documentation. The new product and component names stem from the expanding Citrix portfolio and Cloud strategy. For more information about the Citrix unified portfolio, see https://www.citrix.com/about/citrix-product-guide/.

  We are also making it easier to understand the value of our solutions with new names. The product documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, and directory/file names. Some items, such as commands, might continue to retain their former names to prevent breaking existing customer scripts. Related product documentation and other resources (such as videos and blog posts) linked from this product's documentation might still contain former names. We appreciate your patience during this transition.
  [# NSDOC-378, 715195]

Citrix ADC VPX Appliance

• If you change the CPU yield setting in a non-default partition and save the configuration, partition-wide configuration takes precedence over node-wide configuration. Typically, configuring the CPU yield setting is allowed only in the default partition.
  [# 716489]

• If you change the CPU yield setting in a non-default partition and save the configuration, partition-wide configuration takes precedence over node-wide configuration. Typically, configuring the CPU yield setting is allowed only in the default partition.
  [# NSHELP-13946, 716489]

Citrix Gateway

• Google reCAPTCHA is not supported for Citrix Gateway plug-in for Windows.
  [# 712951]

• In some cases, logging out from Citrix Gateway is not supported.
  [# 713765]

• In a multicore environment, Citrix Gateway appliance dumps core during login transfer when intranet IP address is enabled in VPN.
  [# 714043, 716451, 716135, 717552, 718721]

• Citrix Gateway appliance dumps core when STA server closes the connection abruptly.
  [# 716179]

• Files and folders hosted under the SharePoint default folder "PublishingImages" cannot be accessed.
  [# 716394]

• Files and folders hosted under the following SharePoint default folder cannot be accessed.

  - SitesPages

  - Shared Documents
  [# 717798]

• Upon attempting to bind a previously bound VPN virtual server to a CS virtual server, the following error message is displayed, "ERROR: Only one VPN vserver can be bound to a CS vserver."
  [# 718302]

• Google reCAPTCHA is not supported for Citrix Gateway plug-in for Windows.
  [# CGOP-4701, BUG0712951]

• In some cases, logging out from Citrix Gateway is not supported.
  [# NSHELP-18144, 713765]

• In a multicore environment, Citrix Gateway appliance dumps core during login transfer when intranet IP address is enabled in VPN.
  [# NSHELP-8164, NSHELP-7078, NSHELP-7082, NSHELP-17438, NSHELP-18156, NSHELP-18368, 714043]

Clustering

• The node-to-node messaging (NNM) stalls on a cluster-enabled Citrix ADC appliance.
  [# 717052, 717860]

• The node-to-node messaging (NNM) stalls on a cluster-enabled Citrix ADC appliance.
  [# NSHELP-16150, 717052]

ICAP for remote content inspection

• An incoming client request times out, if ICAP servers do not respond to an ICAP request initiated by a Citrix ADC appliance.
  [# NSBASE-4936]

Licensing

• When Citrix ADC licenses hosted on NetScaler MAS expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
  [# 697665]

• When Citrix ADC licenses hosted on NetScaler MAS expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
  [# NSPLAT-6417, 697665]

Load Balancing

• In a Citrix ADC cluster setup, you cannot add multiple subscriber profiles with the same IP address and different VLAN IDs.
  [# 711327]

• In a Citrix ADC cluster setup, you cannot add multiple subscriber profiles with the same IP address and different VLAN IDs.
  [# NSLB-1816, 711327]

MediaClassification

• A Citrix ADC appliance crashes, if the following conditions are observed:

  - Video Optimization and Content Accelerator features are enabled.

  - HTTP traffic passes through the appliance.

  Workaround: Disable Content Accelerator on the appliance.
  [# NSHELP-8797, 717261]

• A Citrix ADC appliance crashes, if the following conditions are observed:

  - Video Optimization and Content Accelerator features are enabled.

  - HTTP traffic passes through the appliance.

  Workaround: Disable Content Accelerator on the appliance.

  This issue had also observed during ICAP testing (https://issues.citrite.net/browse/NSTELCO-98), even though the Content Accelerator feature was OFF
  [# NSVIDEOOPT-770, 717965]

NITRO API

• The Citrix ADC appliance does not send a response for a NITRO API request for restarting the appliance.
  [# 708209]

• The Citrix ADC appliance does not send a response for a NITRO API request for restarting the appliance.
  [# NSHELP-9044, 708209]

NS-VideoMgmt

• A Citrix ADC appliance crashes, if the following conditions are observed:

  - Video Optimization and Content Accelerator features are enabled.

  - HTTP traffic passes through the appliance.

  Workaround: Disable Content Accelerator on the appliance.
  [# 717261, 711556]

• A Citrix ADC appliance crashes, if the following conditions are observed:

  - Video Optimization and Content Accelerator features are enabled.

  - HTTP traffic passes through the appliance.

  Workaround: Disable Content Accelerator on the appliance.
  [# 717965]

Citrix Gateway

• The global settings for the graphical user interface are not shown correctly.
  [# 603701]

• The global settings for the graphical user interface are not shown correctly.
  [# NSHELP-7740, 603701]

NetScaler Insight Center

• NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
  [# 609604]

• The appflowLog option is enabled by default in Citrix ADC Appliance version 11.1.58.x.

  Consider you have enabled the appflowLog option on a VPN virtual server and upgraded the Citrix ADC Appliance to version 11.1.58.x. The appflowLog option on the VPN virtual server is disabled when you downgrade the Citrix ADC appliance version back to version 11.1.

  Workaround: Manually enable the appflowLog option on the VPN virtual server after you downgraded from Citrix ADC Appliance version 11.1 58.x.
  [# 707744]

• During cluster upgrade, the HDX Insight records for the reconnect session is not reported if the cluster nodes have different Citrix ADC appliance build versions.
  [# 708282]

• The appflowLog option is enabled by default in Citrix ADC Appliance version 11.1.58.x.

  Consider you have enabled the appflowLog option on a VPN virtual server and upgraded the Citrix ADC Appliance to version 11.1.58.x. The appflowLog option on the VPN virtual server is disabled when you downgrade the Citrix ADC appliance version back to version 11.1.

  Workaround: Manually enable the appflowLog option on the VPN virtual server after you downgraded from Citrix ADC Appliance version 11.1 58.x.
  [# NSINSIGHT-1104, BUG0707744]

• Citrix Gateway might fail, if you use HDX Insight feature on the Citrix Gateway appliance in a cluster setup.
  [# NSINSIGHT-733, BUG0707867]

• During cluster upgrade, the HDX Insight records for the reconnect session is not reported if the cluster nodes have different Citrix ADC appliance build versions.
  [# NSINSIGHT-739, BUG0708282]

• NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
  [# NSINSIGHT-943, 609604]

Citrix ADC SDX Appliance

• When you log on to the SDX appliance as an external user by using an RADIUS, LDAP, or TACACS server, the Citrix ADC VPX instances that have not been configured under the groups for external authentication don’t appear under Citrix ADC > Instances in the SDX GUI. This happens after you’ve upgraded the Citrix ADC SDX appliance from the following releases, any build:

  - From release 10.5 to release 11.1 or 12.0

  - From release 11.0 to release 11.1 or 12.0

  Workaround: Log on to the SDX appliance by using your nsroot credentials. From the SDX GUI, go to System > User Administration > Group. Select the group and click Edit. Under Instances, move the Available instances to Configured instances. Click OK to save changes. Log out from the SDX appliance and log on back as an external user.
  [# 703323]

Citrix ADC VPX Appliance

• If a Citrix ADC VPX instance deployed on KVM hypervisor is configured with SRIOV NICs and PCI Passthrough, when you add or remove SR-IOV or PCI Passthrough interfaces, the order in which the interfaces are presented to the Citrix ADC VPX instance changes. As a result, the configurations bound to the interfaces might not work.

  Workaround: Redo the configurations manually.
  [# 690896]

• If a KVM hypervisor runs on an AMD processor-based server, the Citrix ADC VPX instance running on the KVM hypervisor restarts cyclically and then stabilizes after a few iterations.

  Workaround:

  Add the following entry in /flash/boot/loader.conf

  vm.pmap.pg_ps_enabled="0"
  [# 692177]

• Error messages appear when an SR-IOV-enabled Citrix ADC VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
  [# 692334]

• In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
  [# 705793]

• When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
  [# 706104]

• When you power on the Citrix ADC VPX instance for the first time after you’ve configured an Intel XL710 NIC as a PCI Passthrough interface, the instance takes longer than normal to start. The issue is seen only the first time the system starts after the interface is configured. This happens due to a limitation of Intel XL710 NIC.
  [# 708142]

• If a Citrix ADC VPX instance deployed on KVM hypervisor is configured with SRIOV NICs and PCI Passthrough, when you add or remove SR-IOV or PCI Passthrough interfaces, the order in which the interfaces are presented to the Citrix ADC VPX instance changes. As a result, the configurations bound to the interfaces might not work.

  Workaround: Redo the configurations manually.
  [# NSPLAT-2530, BUG0690896]

• If a KVM hypervisor runs on an AMD processor-based server, the Citrix ADC VPX instance running on the KVM hypervisor restarts cyclically and then stabilizes after a few iterations.

  Workaround:

  Add the following entry in /flash/boot/loader.conf

  vm.pmap.pg_ps_enabled="0"
  [# NSPLAT-2533, BUG0692177]

• Error messages appear when an SR-IOV-enabled Citrix ADC VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
  [# NSPLAT-3883, 692334]

• In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
  [# NSPLAT-4451, 705793]

• When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
  [# NSPLAT-4520, 706104]

• When you power on the Citrix ADC VPX instance for the first time after you’ve configured an Intel XL710 NIC as a PCI Passthrough interface, the instance takes longer than normal to start. The issue is seen only the first time the system starts after the interface is configured. This happens due to a limitation of Intel XL710 NIC.
  [# NSPLAT-4717, BUG0708142]

Networking

• In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
  [# 485678]

• In a high availability setup, after a failover, or warm reboot, or full reboot, the new secondary node might crash during auto-synchronization config operation.
  [# 709635, 709636]

• In some cases, when a net profile is bound to VPN virtual server, the Citrix Gateway logon page does not load and the Citrix ADC admin user interface becomes inaccessible.
  [# 715048]

• A Citrix ADC appliance might become unresponsive when Bidirectional Forwarding Detection (BFD) is configured on the appliance.
  [# NSHELP-90, 714384]

• In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
  [# NSNET-5233, 485678]

SSL

• You cannot remove an SSL log profile if it is attached to the SSL default profile and client authentication is enabled on the SSL default profile.
  [# 664622]

• In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
  [# 678175, 678522, 678526]

• An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
  [# 678176, 687205, 687098]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# 682859]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# 687208]

• SSL classic policy expressions are not honored.

  Workaround: Use SSL default policy expressions.
  [# 692137]

• Existing TLS 1.3 connections to a virtual server break if you update the certificate-key pair bound to that virtual server.
  [# 696241]

• If you create an ECDSA key by using the GUI, the type of curve is not displayed.
  [# 705612]

• In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
  [# 708057]

• The TLS 1.3 server sends an "internal_error" alert and breaks the connection if all of the following conditions are met:

  - TLS 1.3 is negotiated for a connection.

  - An ssl policy action is configured that causes the server to request a certificate from the client.

  - The client's response is received for the post-handshake certificate request.
  [# 713257]

• When TLS 1.3 is negotiated for a connection, policy rules that inspect TLS data received from the client (for example, rules that make use of "add ssl policy pol1 -rule client.ssl...") do not trigger the configured action. In addition, ssl policies that use the SSL control actions (for example, CLIENTAUTH or NOCLIENTAUTH) do not trigger the configured action when TLS 1.3 is negotiated.
  [# 713570]

• You might see heartbeat failures eventually leading to a high availability failover. The issue is seen when secure monitors are enabled on a Citrix ADC VPX appliance and the appliance performs DH-key exchange with the backend servers. The failures happen because some CPU intensive DH operations are performed inline.
  [# 715231]

• In a high availability configuration, the cipher binding to a service group might be lost if you force a node to failover.
  [# 715993]

• You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.

  Workaround: Use the CLI.
  [# 716709]

• SSL classic policy expressions are not honored.

  Workaround: Use SSL default policy expressions.
  [# NSDOC-290, 692137]

• You might see heartbeat failures eventually leading to a high availability failover. The issue is seen when secure monitors are enabled on a Citrix ADC VPX appliance and the appliance performs DH-key exchange with the backend servers. The failures happen because some CPU intensive DH operations are performed inline.
  [# NSHELP-13321, 715231]

• In a high availability configuration, the cipher binding to a service group might be lost if you force a node to failover.
  [# NSHELP-13329, 715993]

• Existing TLS 1.3 connections to a virtual server break if you update the certificate-key pair bound to that virtual server.
  [# NSSSL-1296, 696241]

• In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
  [# NSSSL-3161, NSSSL-1258, NSSSL-1264, 678175]

• An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
  [# NSSSL-3184, NSSSL-1379, NSSSL-1394, 678176]

• In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
  [# NSSSL-3402, 708057]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# NSSSL-4001, 682859]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# NSSSL-4427, 687208]

• The TLS 1.3 server sends an "internal_error" alert and breaks the connection if all of the following conditions are met:

  - TLS 1.3 is negotiated for a connection.

  - An ssl policy action is configured that causes the server to request a certificate from the client.

  - The client's response is received for the post-handshake certificate request.
  [# NSSSL-793, 713257]

• When TLS 1.3 is negotiated for a connection, policy rules that inspect TLS data received from the client (for example, rules that make use of "add ssl policy pol1 -rule client.ssl...") do not trigger the configured action. In addition, ssl policies that use the SSL control actions (for example, CLIENTAUTH or NOCLIENTAUTH) do not trigger the configured action when TLS 1.3 is negotiated.
  [# NSSSL-869, 713570]

• You cannot remove an SSL log profile if it is attached to the SSL default profile and client authentication is enabled on the SSL default profile.
  [# NSSSL-885, 664622]

• If you create an ECDSA key by using the GUI, the type of curve is not displayed.
  [# NSUI-6838, 705612]

Security

• ICAP support for Citrix ADC

  A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send back responses to the appliance as modified messages. The adapted messages are either an HTTP or HTTPS response or request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [# 702971]

System

• In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or “staysecondary” option set.
  [# 691283]

• In a cluster deployment, if you run "force cluster sync" command on a non-cco node, the ns.log file contains duplicate log entries.
  [# 702608]

• In a cluster deployment, the RESPONDER log messages do not appear when you run the following commands:

  - The "show audit messages" command from command line interface.

  - The "recent audit messages" command from Citrix ADC GUI.

  Workaround:

  You can locate the RESPONDER logs in /var/log/ns.log.
  [# 703928]

• Memory utilization might increase in some Citrix ADC MPX and VPX appliances running 64-bit Citrix ADC images.

  High-end platforms with large system memory are not affected.
  [# 705709]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
  [# 707209]

• The ipFreePorts counter value is always zero.

  Workaround: Correct the counter to read proper values.
  [# 715208]

• In a high availability setup, both the primary and the secondary nodes might crash, if you use the same IP address and port for both audit logging and Citrix ADM service.

  Workaround: You must configure different servers for audit logging and Citrix ADM service.
  [# 718344]

• In a cluster deployment, if you run "force cluster sync" command on a non-cco node, the ns.log file contains duplicate log entries.
  [# CGOP-6794, NSGI-1293, 702608]

• In a cluster deployment, the RESPONDER log messages do not appear when you run the following commands:

  - The "show audit messages" command from command line interface.

  - The "recent audit messages" command from Citrix ADC GUI.

  Workaround:

  You can locate the RESPONDER logs in /var/log/ns.log.
  [# CGOP-6804, BUG0703928]

• In a high availability setup, both the primary and the secondary nodes might crash, if you use the same IP address and port for both audit logging and Citrix ADM service.

  Workaround: You must configure different servers for audit logging and Citrix ADM service.
  [# CGOP-6851, 718344]

• Memory utilization might increase in some Citrix ADC MPX and VPX appliances running 64-bit Citrix ADC images.

  High-end platforms with large system memory are not affected.
  [# NSBASE-1299, 705709]

• The ipFreePorts counter value is always zero.

  Workaround: Correct the counter to read proper values.
  [# NSHELP-16587, 715208]

• In a Citrix ADC appliance, an issue occurs when both classic auditlog policy and advanced authentication policy are globally bound to the system. As a result, the "bind system global" command is not applied successfully and if either of the following conditions is observed:

  - If you upgrade the appliance.

  - If a secondary node is added to a high availability setup.
  [# NSHELP-18119, 718688]

• In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or “staysecondary” option set.
  [# NSNET-1646, 691283]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
  [# NSPOLICY-1267, 707209]

Telco System

• When there is an incoming client request, if you manually run the “clear subscriber sessions” command, the appliance does not restart the Subscriber Database Controller (SDC) service to clear the database. Instead, the old request is still stored in the database when a new request is triggered.
  [# 718603]

• When there is an incoming client request, if you manually run the “clear subscriber sessions” command, the appliance does not restart the Subscriber Database Controller (SDC) service to clear the database. Instead, the old request is still stored in the database when a new request is triggered.
  [# NSBASE-5156, 718603]

Telco Video Optimization

• The Citrix ADC TCP/IP processing module (also known as, Packet Processing Engine (PPE)) crashes when a TCP connection attached to a non-master TCP processing module stays open for more than 3,276 seconds.
  [# 710123]

• The ABR video detection algorithm is unable to detect videos from xvideos.com domain (vid-egc.xvideos-cdn.com)
  [# 715921]

• The Citrix ADC TCP/IP processing module (also known as, Packet Processing Engine (PPE)) crashes when a TCP connection attached to a non-master TCP processing module stays open for more than 3,276 seconds.
  [# NSHELP-8799, 710123]

• The ABR video detection algorithm is unable to detect videos from xvideos.com domain (vid-egc.xvideos-cdn.com)
  [# NSVIDEOOPT-424, 715921]

URL Categorization

• When a cloud categorization lookup failure is observed, a Citrix ADC appliance displays a generic error for level 4 logs.
  [# 705070]

• When a cloud categorization lookup failure is observed, a Citrix ADC appliance displays a generic error for level 4 logs.
  [# NSSWG-397, 705070]

URL Filtering

• If a consecutive import of URLset times out because of connectivity issues with the download server, the Comman Line tool will freeze, create a core dump, and will restart. The appliance's traffic will run as expected.

  Workaround: Download the URL set from the same server and disperse their download frequency.
  [# 712904, 711078]

• Video optimization detection policies now support DROP and RESET actions in a Citrix ADC cluster setup.
  [# 713314]

• Video optimization detection policies now support DROP and RESET actions in a Citrix ADC cluster setup.
  [# NSSWG-521, 713314]

• If a consecutive import of URLset times out because of connectivity issues with the download server, the Comman Line tool will freeze, create a core dump, and will restart. The appliance's traffic will run as expected.

  Workaround: Download the URL set from the same server and disperse their download frequency.
  [# NSSWG-656, NSHELP-4492, 712904]

Video Optimization

• The ABR video detection algorithm fails to detect some ABR videos sent from xvideos.com domain.
  [# 712170]

• The Application Flags field in AppFlow records are not correctly populated for video-paced connections. As a result, the ADM TCP Insight reports for Download Speed might display lower values. Also, external AppFlow consumers always report connections as unoptimized.
  [# 718659]

• The ABR video detection algorithm fails to detect some ABR videos sent from xvideos.com domain.
  [# NSVIDEOOPT-232, 712170]

• A Citrix ADC appliance is unable to optimize QUIC-based video traffic if pacing policies are bound to QUIC load balancing virtual server at response time.

  Workaround: Bind the policies to the QUIC load balancing virtual server only at request time.
  [# NSVIDEOOPT-696, BUG0697461]

• The Application Flags field in AppFlow records are not correctly populated for video-paced connections. As a result, the ADM TCP Insight reports for Download Speed might display lower values. Also, external AppFlow consumers always report connections as unoptimized.
  [# NSVIDEOOPT-771, 718659]

Web App Firewall

• Web App Firewall blocks the request to Storefront if the following conditions are met:

  - You upgrade from release 12.0 build 58.15 to release 12.1 build 49.x or later.

  - The content length header is zero for an incoming request.
  [# 716783]

What's New in Previous Citrix ADC 12.1 Releases

• Securing web traffic with HTTP RFC compliance

  You can now secure your web traffic with HTTP RFC compliance by setting the RFC profile in “Block” or “Bypass” mode. By doing this, any invalid traffic (request or response) that matches the Citrix Web App Firewall profile is implicitly blocked or bypassed accordingly.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/application-firewall/profiles/enforce-http-rfc-compliance.html
  [From Build 49.37]
  [# 638547]

Citrix ADC SDX Appliance

• Support for Citrix SD-WAN VPX instance

  You can deploy a Citrix SD-WAN VPX instance on Citrix ADC SDX 14XXX and SDX 115XX appliances.

  For more information, see https://docs.citrix.com/en-us/sdx/12-1/deploy-sd-wan-vpx.html
  [From Build 49.37]
  [# 710971]

Citrix ADC VPX Appliance

• Support for vCPU-based perpetual licensing

  Virtual CPU (vCPU)-based perpetual licensing is now supported for Citrix ADC VPX instances. This licensing provides the computing power requirement of VPX on-prem and cloud customers. For each VPX model, existing Citrix ADC licensing editions apply: Citrix ADC Standard Edition, Enterprise Edition, Platinum Edition.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html.
  [From Build 49.37]
  [# 701340]

• Support for Azure Availability Zones in a high availability deployment

  You can deploy a pair of Citrix ADC VPX appliances with multiple NICs in an active-passive high availability setup across Azure Availability Zones. For more information about Azure Availability Zones and what they offer, see Azure documentation: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html.
  [From Build 49.37]
  [# 710226, 712503]

• Support for VMware ESXi 6.7 server

  Citrix ADC VPX instances now support VMware ESXi 6.7 server.

  For more information, see table 2 in this page: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.
  [From Build 49.37]
  [# 710366]

Citrix Gateway

• nFactor authentication support using Windows VPN plug-in.

  nFactor authentication is now supported using a Windows VPN plug-in.
  [From Build 49.37]
  [# 647169]

• Support for USB redirection in Citrix Gateway Enabled PCoIP proxy

  USB devices connected to the client machine can be accessed from the virtual desktops and apps.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/netscaler-gateway-enabled-pcoip-proxy-support-for-vmware-horizon-view/configuring-netscaler-gateway-enabled-pcoip-proxy-for-vmware-horizon-view.html
  [From Build 49.37]
  [# 670578]

• GUI enhancements aiding STA server troubleshoot and seamless app launch

  The following GUI enhancements are made:

  - In the XA-XD wizard under StoreFront setting Test STA Connectivity button is added to test STA servers connectivity.

  - In the XA-XD dashboard page, Gateway entry list shows STA server and StoreFront server status.

  - In the Citrix Gateway Virtual Server page, you can view STA server status bound to a VPN virtual server.
  [From Build 49.37]
  [# 705538]

Citrix Secure Web Gateway

• Support for new SWG platforms

  Citrix Secure Web Gateway (SWG) is supported on Citrix SWG MPX 5900/8900 and Citrix SWG SDX 8900 platforms.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/supported-hardware-software-platforms.html.
  [From Build 49.37]
  [# 704727]

Clustering

• Cluster support for ANY type of virtual server

  The Citrix ADC appliance can now support "ANY" type of virtual server while gracefully handling of nodes in a cluster deployment.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-managing/graceful-shutdown-of-nodes.html.
  [From Build 49.37]
  [# 683859]

• GRE tunnel based steering support for L2 cluster deployments

  The Citrix ADC appliance now supports GRE tunnel based packet steering in an L2 cluster deployment.
  [From Build 49.37]
  [# 701890]

DNS

• Jumbo frame support for DNS to handle UDP responses of large sizes

  DNS now supports jumbo frames for handling UDP responses greater than 1,280 bytes. You can set the maximum UDP packet size that the appliance can handle in proxy, ADNS, and forwarder modes by configuring the Maximum UDP Packet Size parameter value.

  The maximum UDP packet size is 16,384 bytes.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/dns/jumbo-frames-support-for-dns-to-handle-responses-of-large-sizes.html.
  [From Build 49.37]
  [# 695871]

GSLB

• Support for generation of SNMP traps for GSLB configuration synchronization

  A Citrix ADC appliance now generates SNMP traps for both local and remote sites when you synchronize the GSLB configuration. SNMP traps are generated for both manual synchronization and real-time synchronization.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/snmp-traps-for-gslb-configuration-synchronization.html.
  [From Build 49.37]
  [# 694414]

• Support for GSLB parent-child topology in Citrix ADC clusters

  The GSLB parent-child topology is now supported in Citrix ADC clusters.

  For parent and child sites to exchange aggregated statistics in metric-based load balancing methods, you must add local GSLB services on the child site.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-usage-scenarios/cluster-gslb-deploy.html.
  [From Build 49.37]
  [# 706504]

Gateway Insight

• View HDX Insight reports for EDT traffic.

  HDX Insight reports can be viewed for the EDT traffic. By default, HDX Insight and EDT feature are disabled.
  [From Build 49.37]
  [# 690033]

Load Balancing

• Support for graceful shutdown of services in Citrix ADC clusters

  The Citrix ADC clusters now support graceful shutdown of services.

  To gracefully shutdown the services, you can perform one of the following tasks.

  - Explicitly disable the service, and set a delay (in seconds) or enable graceful shutdown.

  - Add a TROFS code or string to the monitor.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-managing/graceful-shutdown-of-services.html.
  [From Build 49.37]
  [# 691848]

Networking

• USIP support on a v4-to-v6 load balancing configuration

  Earlier, in a v4-to-v6 load balancing configuration, the Citrix ADC used to include one of the configured IPv6 SNIP address as the source IP address in the translated IPv6 requests packet to the servers. The Citrix ADC used to include an IPv6 SNIP address even when the USIP option is enabled for the related load balancing services.

  Now, USIP NAT prefix parameter has been introduced for making the servers aware of the client’s IP address of the request packets. USIP NAT prefix is a global IPv6 prefix of length 96 bits (128-32=96) configured on Citrix ADC.

  For a load balancing service that has USIP enabled, the ADC translates the IPv4 request packet to an IPv6 packet and sets the source IP address of the translated IPv6 packet to a concatenation of the USIP NAT prefix [32/40/48/56/64/96 bits] and the IPv4 source address [32 bits] that was received in the request packet.

  On receiving an IPv6 response packet from the server, the ADC translates the IPv6 packet to an IPv4 packet and sets the destination IP address of the translated IPv4 packet to the last 32 bits of the destination IP address of the IPv6 packet.

  Note: This feature is not supported for gateway configuration and, content switching and cache redirection load balancing configurations.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-advanced-settings/usip-lb-v4v6.html.
  [From Build 49.37]
  [# 699605]

Policies

• New API support for reusing a server connection for other client connections in the server context

  A Citrix ADC API support is now added for reusing a server connection for other client connections in the server context. This API can be used only if an EOM event is used (in ns.send() API) to send for sending the data in the client context.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/api-reference.html and https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions.html.
  [From Build 49.37]
  [# 699069]

• RSA encryption with no padding policy function

  Policy-based RSA encryption now supports EY_ENCRYPT_PEM_NO_PADDING() policy function for no padding operation. The policy function works similar to the PKEY_ENCRYPT_PEM() function, except it uses the RSA_NO_PADDING method instead of RSA_PKCS1_PADDING. The pkey parameter is a text string with a PEM-encoded RSA public key. Similar to PKEY_ENCRYPT_PEM(), you can use a policy expression for the key.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/rewrite/rewrite-action-policy-examples/example-11-policy-based-rsa-encryption-no-padding-operation.html
  [From Build 49.37]
  [# 708991]

SSL

• Support for AES-based PEM encoding

  You can now use AES256 algorithm with PEM key format to encrypt a private key on the Citrix ADC appliance. AES with 256-bit key is mathematically efficient and secure compared to the 56-bit key of DES. Select ‘aes256’ in the following CLI command.

  create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (

  DER | PEM )] [-des | -des3 | -aes256] {-password }

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#create-a-private-key.
  [From Build 49.37]
  [# 275417, 710620]

• Support for DTLS protocol on the Citrix ADC MPX FIPS platform

  The MPX 14000 FIPS platform now supports the DTLS protocol end-to-end. That is, the protocol is supported on the client side and the server side. The following cipher suites are supported.

  - TLS1-AES-256-CBC-SHA

  - TLS1-AES-128-CBC-SHA

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  Note: Enlightened Data Support (EDT) is supported on the FIPS platform if all of the following conditions are met:

  - UDT MSS value set on StoreFront is 900.

  - Windows client version is 4.12 or later.

  - DTLS enabled VDA version is 7.17 or later.

  - Non-DTLS VDA version is 7.15 LTSR CU3 or later.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 498187]

• Support for TLSv1.3 protocol on the front end of Citrix ADC VPX and select MPX appliances

  The Citrix ADC VPX and N3 chip based MPX appliances now support the TLSv1.3 protocol as specified in RFC 8446. For N3 chip based MPX appliances, the support is currently only in software. That is the processing is not offloaded to the hardware (SSL acceleration chip.) To use TLS1.3, you must use a client that conforms to the RFC 8446 specification. The following ciphers are supported on the frontend:

  - TLS1.3-AES256-GCM-SHA384 (0x1302)

  - TLS1.3_CHACHA20_POLY1305_SHA256 (0x1303)

  - TLS1.3-AES128_GCM-SHA256 (0x1301)

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/tls13-protocol-support.html.
  [From Build 49.37]
  [# 544128, 664161]

• Support for wildcard in the subject alternative name in a certificate signing request

  You can now use wildcards in the subject alternative name (SAN) entry in the certificate signing request. For example, *.example.com.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#support-for-subject-alternative-name-in-a-certificate-signing-request.
  [From Build 49.37]
  [# 686067]

• Support for client-hello based expressions and a new bind point

  A new bind point ‘CLIENTHELLO_REQ’ is now available to evaluate SSL policies when a client hello message is received. That is, the policy is evaluated after parsing the client hello message. A ‘FORWARD’ action is added to forward the client traffic to a target load balancing virtual server. The target load balancing virtual server can be of type SSL, SSL_BRIDGE or TCP.

  In this release, only the forward and reset actions are supported for CLIENTHELLO_REQ bind point. The following expression prefixes are available:

  - CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE

  - CLIENT.SSL.CLIENT_HELLO.CLIENT_VERSION

  - CLIENT.SSL.CLIENT_HELLO.IS_RENEGOTIATE

  - CLIENT.SSL.CLIENT_HELLO.IS_REUSE

  - CLIENT.SSL.CLIENT_HELLO.IS_SCSV

  - CLIENT.SSL.CLIENT_HELLO.IS_SESSION_TICKET

  - CLIENT.SSL.CLIENT_HELLO.LENGTH

  - CLIENT.SSL.CLIENT_HELLO.SNI

  For more information about the new bind point, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/bind-ssl-policies-vserver.html.

  For more information about the new expression prefixes, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/policies-and-expressions/ns-pi-ae-parse-ssl-certs-wrapper-con.html#parse-ssl-client-hello.
  [From Build 49.37]
  [# 692432]

• Increase in the OCSP cache timeout limit

  The cache timeout limit is now increased to a maximum of 43,200 minutes (30 days). Earlier the limit was 1,440 minutes (one day). The increased limit helps reduce the lookups on the OCSP server and avoids any SSL/TLS connection failures in case the OCSP server is not reachable due to network or other problems.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/monitor-cert-status-with-ocsp.html#ocsp-response-caching.
  [From Build 49.37]
  [# 696815]

• Support for non-secure renegotiation on a DTLS service

  Non-secure renegotiation is now supported on a DTLS service (backend) on Citrix ADC MPX and VPX appliances.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 696904]

• Support for a new SSL action to forward traffic to another virtual server

  You can now forward the traffic received on an SSL virtual server to a load balancing virtual server to avoid SSL offloading or terminating the connection on the ADC appliance. For example, if the appliance does not have a certificate or it does not support a specific cipher, instead of terminating the connection, admins can choose to forward the request to a load balancing virtual server for further action. This virtual server can be of type: SSL, TCP, or SSL_BRIDGE.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#configure-an-ssl-action-to-forward-client-traffic-to-another-virtual-server.
  [From Build 49.37]
  [# 704106]

• Support for PFS on a DTLS virtual server

  The following cipher suites are now supported on a DTLS virtual server (frontend). These ciphers help achieve PFS (Perfect Forward Secrecy).

  - SSL3-EDH-RSA-DES-CBC3-SHA

  - SSL3-EDH-RSA-DES-CBC-SHA

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  - TLS1-DHE-RSA-AES-128-CBC-SHA

  - TLS1-DHE-RSA-AES-256-CBC-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 705164, 711810]

• Support for PFS on a DTLS service

  The following cipher suites are now supported on a DTLS service (backend). These ciphers help achieve PFS (Perfect Forward Secrecy).

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-DHE-RSA-AES-128-CBC-SHA

  - TLS1-DHE-RSA-AES-256-CBC-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 705165]

• Clear the OCSP stapling cached response of server certificate

  You can now clear the cached response of the server certificate from the OCSP responder even before the timeout expires. Earlier, you had to wait until the configured timeout was over to clear the cached response.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-11-1-ocsp-stapling-solution.html#ocsp-response-caching-of-server-certificates.
  [From Build 49.37]
  [# 709027]

• Support for SNI on a DTLS virtual server

  SNI (Server Name Indication) is now supported on a DTLS virtual server (frontend) on Citrix ADC MPX and VPX appliances. You can bind multiple SNI certificates to a DTLS virtual server.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 709345, 363547]

System

• Telemetry Support in CallHome

  CallHome is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, CallHome sends the metrics once in every 7 days.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/configuring-call-home.html
  [From Build 49.37]
  [# 705785]

Telco

• Support for triggering negative TTL for partial success response code 2002

  You can use the following command for triggering negative TTL for partial success response code 2002.

  set subscriber gxinterface -negativeTTLLimitedSuccess YES
  [From Build 49.37]
  [# 680136, 699466]

• IP prefix NAT support for TCP and HTTP load balancing configurations

  IP Prefix NAT feature is now supported for TCP and HTTP load balancing configurations. IP prefix NAT translates a part of the source IP address instead of the complete address of packets received on the Citrix ADC. IP prefix NAT includes changing one or more octets or bits of the source IP address.

  For more information about IP prefix NAT, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-addressing/configuring-network-address-translation/partial-nat.html.
  [From Build 49.37]
  [# 699465]

Fixed Issues in Previous Citrix ADC 12.1 Releases

• The cluster upgrade to a 12.1 build with Citrix Web App Firewall enabled on a Citrix ADC appliance is not supported.
  [From Build 49.37]
  [# 708269]

• The leading TCP window size is rounded off when the post body limit is set to 4294967295(2^32-1). The fix ensures that the limit max TCP window set by Citrix Web App Firewall is 100 MB in non-streaming data and 20 MB for streaming data.

  As a workaround, please add the post body limit on profile to values <=512MB, preferably to value 100MB. Also when requests are of larger sizes, please ensure that the profile has streaming enabled. Enable streaming only if backend server is able to accept chunked requests.
  [From Build 49.37]
  [# 708394, 708678, 707955, 708851, 711014]

• When you use special characters in AppFW SessionCookieName, the AppFirewall policy resets website URLs. The issue is resolved, if you remove special characters and use alphabets in the cookie name.
  [From Build 49.37]
  [# 708601]

• After an upgrade to Citrix ADC 11.1 build 57.13, the URL transformation policy for cookie domains is not applied to application secure cookies.
  [From Build 49.37]
  [# 708975]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 49.37]
  [# 709465, 710841]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [From Build 49.37]
  [# 710139]

• After a software upgrade, the Citrix ADC appliance crashes with AppFW violation data record when the AppFlow feature is disabled.
  [From Build 49.37]
  [# 710491]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 49.37]
  [# 710596]

• After an upgrade, if Applicable Firewall is enabled on a Citrix ADC appliance, it causes memory leak leading to a high memory usage.
  [From Build 49.37]
  [# 712290, 711993]

Authentication, authorization, and auditing

• A Citrix ADC appliance is unable to evaluate an advanced policy expression if you either bind the policy to a virtual server or to an authentication, authorization, and auditing group.
  [From Build 49.37]
  [# 705898]

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [From Build 49.37]
  [# 705972, 712490, 711718, 698974, 714419, 712489]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [From Build 49.37]
  [# 707018]

• In case of nFactor authentication, the extracted authentication, authorization, and auditing group name from certificate-factor are concatenated with the first extracted group from LDAP-factor without any delimiter.
  [From Build 49.37]
  [# 709794]

• The authentication, authorization, and auditing feature does not evaluate the advanced authorization policies that are bound to authentication, authorization, and auditing user and group entities.
  [From Build 49.37]
  [# 710288]

• The Citrix ADC appliance might become unresponsive if both of the following conditions are met:

  • Login schema policy with reset action provokes the reset function to send reset packet, and then free it later.

  • The same packet is freed again, resulting in a duplicate packet free condition.
  [From Build 49.37]
  [# 710993]

• The request to the back-end server fails if the following conditions are met:

  • Request URL to the back-end server is encoded prior to establishing authentication, authorization, and auditing session.

  • Citrix ADC appliance decodes the URL after log on.
  [From Build 49.37]
  [# 711287, 711806, 713423]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [From Build 49.37]
  [# 712411, 713603, 713300]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [From Build 49.37]
  [# 714523, 714736]

Browser-EPA

CLI

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [From Build 49.37]
  [# 701582]

Citrix ADC VPX Appliance

• If vCPUs are more than 12, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using ssh private key.
  [From Build 49.37]
  [# 712146, 714490]

• The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.
  [From Build 49.37]
  [# 715919]

• The VPX instance removes two servers instead of one when the following conditions are met:

  - The remove 1 server parameter is set in the scale down policy of the EC2 auto scaling group.

  - Back-end auto scale feature is configured on the VPX instance.
  [From Build 49.37]
  [# 716006]

• The Citrix ADC VPX instance, configured with AWS back- end auto scaling feature, removes the EC2 auto scale group alarm.
  [From Build 49.37]
  [# 716030]

• In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto scaling fails to create multiple SNS topics.
  [From Build 49.37]
  [# 716031]

• The Citrix ADC VPX instance configured with AWS back-end auto scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears.

  "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"
  [From Build 49.37]
  [# 716101]

• The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.
  [From Build 49.37]
  [# 716714]

Citrix Gateway

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [From Build 49.37]
  [# 708643, 710636, 709652, 710570]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [From Build 49.37]
  [# 709903]

• The Citrix Gateway appliance does not display the right logon form when the user clicks the "Go Back" button in the following case:

  The session initialization fails because the user does not belong to any of the groups configured on the Citrix ADC appliance.
  [From Build 49.37]
  [# 710342]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [From Build 49.37]
  [# 710351]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [From Build 49.37]
  [# 710801]

• The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.
  [From Build 49.37]
  [# 711434, 710161, 716058]

• EPA fails when Citrix Gateway is configured for nFactor authentication.
  [From Build 49.37]
  [# 713291]

• User initiated password change request using the Citrix Gateway user interface fails.
  [From Build 49.37]
  [# 715566]

Client AG-EE

Clustering

• In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.
  [From Build 49.37]
  [# 692350]

Drivers-SR-IOV-PF

EPA

Export

• <ID review in progress; this description will be updated soon>

  If there is no default LB configured for a CS vserver, the client-side-measurement of appflow action may not work properly.
  [From Build 49.37]
  [# NSHELP-3488, BUG0707170]

GSLB

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [From Build 49.37]
  [# 713908]

GUI

• A Citrix ADC appliance might crash if some entity names in the database have quotations and if a closing quotation is found missing. The issue is resolved if you upgrade your appliance to the latest version.
  [From Build 49.37]
  [# 707993]

• <ID review in progress; this description will be updated soon>

  RADIUS Key is not been saved using the GUI.. Works from CLI though.
  [From Build 49.37]
  [# NSHELP-4771, TSK0711531]

Gateway

Gateway Insight

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [From Build 49.37]
  [# 710678, 712929]

ICA

Licensing

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [From Build 49.37]
  [# 712434]

Load Balancing

• A Citrix ADC appliance crashes if you add a Rate-Limiting expression to a DNS responder policy.
  [From Build 49.37]
  [# 708722]

• Traffic disruptions might occur if the encoded redirect URL is greater than 2048 bytes.
  [From Build 49.37]
  [# 709311]

• If the REGISTER request processing for a specific service fails during the Session Initiation Protocol (SIP) call, the memory usage of the Citrix ADC appliance starts building up.
  [From Build 49.37]
  [# 710763]

• The “Operation not permitted” error appears when you try to execute the set operation on domain name based service group member.
  [From Build 49.37]
  [# 712840]

NS-GW-LinuxClient

NS-Gateway

Citrix Gateway

• Citrix Gateway appliance dumps core upon freeing the NSB memory twice.
  [From Build 49.37]
  [# 701843]

• In rare cases, a Citrix Gateway appliance configured for EDT becomes unresponsive because of memory corruption.
  [From Build 49.37]
  [# 706704, 709305, 709349, 706229, 705896, 710041, 710117, 707924, 709493, 709911, 710415, 710907, 710891, 711509, 711523, 710808, 712343, 715140, 715145]

• A Citrix Gateway appliance does not fallback to the LDAP policy if the following conditions are met:

  - Certificate authentication and LDAP are configured as the first factor and LDAP checks data from login Schema.

  - The certificate authentication fails.
  [From Build 49.37]
  [# 708140]

• In rare cases, the Citrix Gateway appliance dumps core when DTLS is enabled on a VPN virtual server.
  [From Build 49.37]
  [# 708703, 709315, 711421, 710131]

• POST request has some non-required fields.
  [From Build 49.37]
  [# 709243]

• Connectionlist corruption occurs if VMware horizon client reuses the same SPI for UDP connections, resulting in eventual crashes when show or kill command is executed.
  [From Build 49.37]
  [# 709325]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [From Build 49.37]
  [# 709689]

• In rare cases, the VPN plug-in crashes.
  [From Build 49.37]
  [# 709695]

• A Citrix Gateway appliance dumps core if a Regex in a patset takes a long time to execute.
  [From Build 49.37]
  [# 709923, 710642]

• In rare cases, the Citrix Gateway appliance dumps core when a client machine tries to open more than one DTLS connection.
  [From Build 49.37]
  [# 710131]

• The session through a Citrix Gateway appliance using RfWebUI goes to unresponsive mode after you click cancel on the "Change Password" error window.
  [From Build 49.37]
  [# 710220]

• Accessing a Citrix Gateway appliance results in 404 error, if the Citrix Gateway and Authentication, Authorization, and Auditing are deployed on the same Citrix ADC appliance in the same domain but outside of Citrix Gateway domain.
  [From Build 49.37]
  [# 711330]

• Upon using the Citrix Gateway plug-in to logon to VPN, the RADIUS challenge message is displayed on Citrix Receiver instead of the Citrix Gateway plug-in.
  [From Build 49.37]
  [# 711570]

• Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.
  [From Build 49.37]
  [# 711678]

• Windows Gateway Plugin displays incorrect message on the user interface when the VPN virtual server with Citrix Gateway is in disabled or in out of order state.
  [From Build 49.37]
  [# 711715]

• In some cases, the Citrix Gateway appliance with multiple core crashes if the HDX Insight feature is enabled.
  [From Build 49.37]
  [# 711720, 712124, 712553, 714141, 714351, 714721]

• Allowed login groups parameters in session action do not take effect with advanced session policies.
  [From Build 49.37]
  [# 712705]

• A Citrix Gateway appliance does not allow post body expressions for relaystateRule parameter when sending SAML assertions.
  [From Build 49.37]
  [# 712790]

• While repairing the Citrix Gateway plug-in, a re-installation for the plug-in is initiated without checking if the plug-in is already installed. This creates a new virtual adapter instance.
  [From Build 49.37]
  [# 712856]

NetScaler Insight Center

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [From Build 49.37]
  [# 710363, 704912]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [From Build 49.37]
  [# 713607]

Citrix ADC SDX Appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  [From Build 49.37]
  [# 600152, 697276, 704954]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [From Build 49.37]
  [# 710320]

• The message "Appliance license expired" appears when you log on to the Citrix ADC SDX GUI, after upgrading from any previous Citrix ADC version to 12.1 48.13/12.0-58.15. This is a harmless message and can be ignored safely.
  [From Build 49.37]
  [# 710430]

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [From Build 49.37]
  [# 714041]

Citrix ADC VPX Appliance

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [From Build 49.37]
  [# 695358, 706660, 707542]

Networking

• In some deployments, ICMP error packets, sourced from the NSIP address and destined to 127.0.0.2 address, might go in loops within the Citrix ADC appliance causing high CPU usage in the appliance.
  [From Build 49.37]
  [# 707489]

• In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.
  [From Build 49.37]
  [# 708496]

• In a Citrix ADC appliance, BGP daemon fails when a routemap, which includes a 'match ip peer' command entry, is applied to the kernel routes.
  [From Build 49.37]
  [# 709231]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [From Build 49.37]
  [# 710326, 711605]

• HTTPS access to a SNIP address in a traffic domain fails because the appliance performs port allocation in non-default traffic domain when accessing the NSIP address internally from underlying FreeBSD operating system.
  [From Build 49.37]
  [# 710982]

• BGP IPv6 address family configuration might not get saved in a cluster setup.
  [From Build 49.37]
  [# 711033]

Policies

• An error is encountered when you convert a classic policy expression with domain option to advanced policy expression using NSPEPI tool.
  [From Build 49.37]
  [# 710610]

Portal

SDX-UI

SSL

• A Citrix ADC MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the backend server.
  [From Build 49.37]
  [# 707061]

• The symmetric operations fail because the SSL card becomes unresponsive.
  [From Build 49.37]
  [# 708375, 709406, 708978, 708923, 711264, 711404, 712257]

• A Citrix ADC appliance might crash if an OCSP responder is configured with nonce disabled and the integrated caching feature is enabled so that OCSP objects are cached.
  [From Build 49.37]
  [# 709491, 707452, 710458, 707610]

• The “No Certificates present in the certificate bundle file" error appears when you try to add a PFX file using the Citrix ADC GUI.
  [From Build 49.37]
  [# 710202]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [From Build 49.37]
  [# 710207, 710428]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [From Build 49.37]
  [# 710573]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [From Build 49.37]
  [# 711066, 706981]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [From Build 49.37]
  [# 713913]

System

• For HTTP 2 streams, the stat counters does not increment correctly. For example, when a new stream of data arrives, the counts fails to increment, but decrements correctly, when the stream is closed. This incorrect operation leads to a wrong count of action performed on the HTTP2 streams.
  [From Build 49.37]
  [# 694684, 683374, 694695, 678994]

• A Citrix ADC appliance might crash if it sends messages from one processor to another processor, for deleting a steering session in some error cases.
  [From Build 49.37]
  [# 700423]

• A Citrix ADC appliance crashes because of a timer issue. The issue occurs if the stats are collected after the SYSLOGUDP connection is deleted, but before the appliance deletes the SYSLOGUDP service.
  [From Build 49.37]
  [# 705574]

• If you configure an HTTP type load balancing virtual server with HTTP/2 option enabled on the HTTP profile, the appliance fails to load balance gRPC traffic.
  [From Build 49.37]
  [# 709214]

• If the trace aggregator processor leak opens a file descriptors every time you execute the nstrace command, the Citrix ADC appliance might display the following error message: "kern.maxfiles limit exceeded".
  [From Build 49.37]
  [# 709430, 712687, 712970]

• A Citrix ADC appliance might crash if an external authentication server takes more than 20 seconds to respond.
  [From Build 49.37]
  [# 711282]

• If flash cache option is enabled on a Citrix ADC appliance and also receives client requests to the same resource, the appliance resets the connection before it sends the response to the client.
  [From Build 49.37]
  [# 711508]

• Market specific violation is caused, if you have CallHome enabled by default on a Citrix ADC 12.1 appliance. The feature should be configured as an user's opt-in feature.
  [From Build 49.37]
  [# 716240]

Telco GUI

• The libqos actions are displayed in the QOS action page of the Citrix ADC T-series platform GUI.
  [From Build 49.37]
  [# 697178]

Telco Traffic Management

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [From Build 49.37]
  [# 712839]

URL Categorization

• If you execute the command "show urlset <urlset_name>", the Citrix ADC appliance returns information for the requested urlset and any other urlsets added after it.
  [From Build 49.37]
  [# 709042]

URLFiltering

User Interface

• <ID review in progress; this description will be updated soon>

  Nitro login to get sessionid will not work if password contains special character like %
  [From Build 49.37]
  [# 714322, 715979]

VPX-Cloud-Platform

• <ID review in progress; this description will be updated soon>

  Customer will see the interface powered down after there is a failover. Thus traffic will not work on this interface and back to back failover will not work either.

  This issue will occur every time there is a HA failover, and it will be easily observable in single PE environment.

  The fix will not change any known behavior. This will just fix the issue as mentioned in the root cause above, and back to back failover will now work.
  [From Build 49.37]
  [# NSHELP-2631, , NSPLAT-4247, TSK0711888]

Web App Firewall

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [From Build 49.37]
  [# 703461, 712938, 714297]

Release history