Release Notes for Citrix ADC 12.1-54.16 Release

This release notes document describes the enhancements and changes, and the fixed and known issues, for Citrix ADC release Build 12.1-54.16.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

Fixed Issues

The issues that are addressed in Build 12.1-54.16.

Authentication, authorization, and auditing

  • A Citrix ADC appliance configured as a SAML Service Provider (SP) on a traffic management virtual server does not send the POST body to the back-end server after SAML login.

    [ NSHELP-20348 ]
  • A Citrix ADC appliance configured as a SAML Service Provider (SP) might fail to validate assertions sent by certain IdPs if the SAML namespace is not fully defined in the assertion.

    [ NSHELP-20307 ]
  • A Citrix Gateway appliance might occasionally fail if users try to log in while a VPX snapshot is being taken.

    [ NSHELP-20292 ]
  • A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.

    [ NSHELP-20282 ]
  • A Citrix Gateway appliance might fail if the following conditions are met:

    • A user logs out of a session.
    • The appliance is deployed in an HDX platform.
    • SAML authentication is used in Citrix Gateway.
    [ NSHELP-20206 ]
  • A Citrix ADC appliance configured as a SAML Identity Provider (IdP) truncates the RelayState received from the Service Provider (SP) if it contains quotation marks.

    [ NSHELP-20131 ]
  • In the OpenID Connect flow, the OAuth Relying Party (RP) does not encode the username and password parameters when making the password grant API call.

    [ NSHELP-19987 ]
  • The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.

    [ NSHELP-19961 ]
  • A Citrix ADC appliance sends a negative max-age value in the HSTS header if the maximum age is set above 2,147,483,647.

    [ NSHELP-19945 ]
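    A quick way to catch this class of defect from the outside is to validate the Strict-Transport-Security header that a virtual server actually returns. The following check is an added example, not Citrix code: `check_hsts` parses the header per the RFC 6797 directive syntax and rejects any max-age that is not a non-negative integer (a browser ignores such a header, so the host silently loses HSTS protection). `simulate_affected_build` is an assumption used only to produce a sample header; it models the negative value as a signed 32-bit wrap, which the release note does not state.

```python
import re

# Upper bound of a signed 32-bit integer: the threshold named in the release note.
INT32_MAX = 2_147_483_647

_DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9-]+)\s*(?:=\s*(.*))?$")


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value}.

    Directives are ';'-separated, names are case-insensitive, and values may
    be a token or a quoted-string (RFC 6797 section 6.1).
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        match = _DIRECTIVE_RE.match(part)
        if match is None:
            continue
        name, value = match.group(1).lower(), match.group(2)
        if value is not None:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
        directives[name] = value
    return directives


def check_hsts(header_value: str) -> tuple:
    """Return (valid, reason) for an HSTS header as a browser would judge it.

    A negative or non-numeric max-age does not match the 1*DIGIT grammar, so
    the whole header is ignored and no HSTS policy is stored for the host.
    """
    directives = parse_hsts(header_value)
    if "max-age" not in directives:
        return False, "max-age directive missing"
    raw = directives["max-age"]
    if raw is None or not raw.isdigit():
        return False, f"max-age is not a non-negative integer: {raw!r}"
    age = int(raw)
    if age == 0:
        return True, "max-age=0 clears the HSTS policy for this host"
    if age > INT32_MAX:
        return True, "valid, but exceeds a signed 32-bit integer on the sender"
    return True, "valid"


def simulate_affected_build(configured_max_age: int) -> str:
    """Constructed sample: assumed signed 32-bit wrap of the configured max-age."""
    wrapped = ((configured_max_age + 2**31) % 2**32) - 2**31
    return f"max-age={wrapped}; includeSubDomains"


if __name__ == "__main__":
    for hdr in ("max-age=31536000; includeSubDomains",
                simulate_affected_build(2_147_483_648)):
        print(hdr, "->", check_hsts(hdr))
```

    Run it against live responses by feeding `check_hsts` the header value from each HTTPS virtual server; any `(False, ...)` result means the header is being discarded by clients.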
  • A Citrix ADC appliance processes unauthenticated HTTP OPTIONS requests received on an authentication, authorization, and auditing traffic management virtual server and responds with an HTTP 401 error message.

    [ NSHELP-19916 ]
  • A 500 error message is observed if the following conditions are met:

    • An authentication, authorization, and auditing enabled traffic management virtual server receives a POST request without the cookie.
    • The POST body contains newline characters.
    [ NSHELP-19852 ]
  • If user group extraction is performed during an administrator login, the memory usage of the Citrix ADC authentication, authorization, and auditing module increases gradually.

    [ NSHELP-19671 ]
  • If the URL contains the ";" special character, the TASS cookie encodes the redirect URL at login time.

    [ NSHELP-19634 ]
  • If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.

    [ NSHELP-19528 ]
  • Base64 decoding fails if a digital signature contains HTML entity-encoded characters.

    [ NSHELP-19410 ]
  • In some cases, the Citrix Gateway appliance sets an invalid cookie while processing unauthenticated requests.

    [ NSHELP-19403 ]
  • If you set "Import Metadata URL" and later edit it by providing the redirect URL from the Citrix ADC GUI, the Redirect URL is set but the Import Metadata URL is not unset. As a result, the Citrix ADC appliance continues to use the metadata URL.

    [ NSHELP-19202 ]
  • A Citrix ADC appliance fails to obtain Kerberos tickets through constrained delegation if one of the following conditions is met:

    • The enterprise realm parameter is configured for the user.
    • The domain name in the keytab parameter is in lower case.
    [ NSHELP-18946 ]
  • When upgrading a Citrix ADC cluster setup from release 10.5 to a higher version, the system login to a non-CCO node on the higher version fails.

    [ NSHELP-18511, NSAUTH-5561 ]
  • The following behavior is observed in the Citrix ADC GUI:

    • You cannot edit the OAuth Policies.
    • You can edit only OAuth Actions.
    • The OAuth Policies option must appear only under Advanced Policies, not under Basic Policies.
    [ NSHELP-2131 ]
  • A Citrix ADC appliance might crash upon updating the user data certificate by using the update ssl certkey command.

    [ NSAUTH-5554 ]

Citrix ADC SDX Appliance

  • After you have configured a VLAN from the allowed VLAN list (AVL) on a VPX instance running on an SDX appliance, the instance fails to restart automatically. As a result, communication between the VPX instance and AVL stops.

    [ NSSVM-135 ]
  • On an SDX appliance, when you restore a VPX instance provisioned with burst throughput, the restore might fail.

    [ NSHELP-20013 ]
  • If the backup file name has any special character, restoring the SDX appliance to that backup fails. With the fix, an error message appears if the backup file has any special character.

    [ NSHELP-19951 ]
  • SNMP alarms on an SDX appliance work only for CPU, not for the disk, memory, or temperature parameters.

    [ NSHELP-19713 ]

Citrix Gateway

  • The VPN plug-in unblocks all TCP traffic until captive portal authentication if both of the following conditions are met:

    • The client machine is configured for AlwaysOn, onlyToGateway mode.
    • The client machine is connected to a captive portal network.

    [ NSHELP-20360 ]
  • A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.

    [ NSHELP-20285 ]
  • In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.

    [ NSHELP-20230, NSHELP-24495 ]
  • Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a result, the system slows down.

    [ NSHELP-20122 ]
  • Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.

    [ NSHELP-20097 ]
  • In rare cases, the Citrix Gateway crashes while GSLB updates VPN services statistics.

    [ NSHELP-19992 ]
  • Windows Intune enrollment check cannot be disabled on the client machines. The check is enabled by default.

    With this fix, Windows Intune enrollment check can be disabled.

    To disable the check, set the following registry entry to 1:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\DisableIntuneDeviceEnrollment

    [ NSHELP-19942 ]
  • In some cases, the EPA scan fails on Windows machines.

    [ NSHELP-19865 ]
  • If an authentication factor hosted in Azure is used in Citrix MFA, logon to Citrix Gateway using the Windows plug-in fails. This happens because the MFA HTTP timeout value is less than the Citrix Gateway Windows plug-in timeout value.

    With this fix, the Citrix Gateway Windows plug-in timeout value is increased to avoid logon failure. Also, the HTTP timeout value can now be configured by setting the following registry value (in seconds):
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\HttpTimeout

    [ NSHELP-19848 ]
  • The Endpoint Analysis (EPA) scan fails to validate a device certificate with a 4096-bit key.

    [ NSHELP-19697 ]
  • A Citrix Gateway does not recognize the logon expression policy in a Windows plug-in during nFactor authentication.

    [ NSHELP-19640 ]
  • Audio clarity for Skype calls is negatively affected when multiple applications or connections are tunneled over the VPN. This happens because of improper memory management.

    [ NSHELP-19630, NSHELP-24619 ]
  • The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.

    [ NSHELP-19543 ]
  • Citrix ADC appliances deployed in a high availability (HA) setup crash if both of the following conditions are met:

    • AppFlow is enabled.
    • There is a high availability synchronization failure.
    [ NSHELP-19490 ]
  • In some cases, a Citrix ADC appliance might dump core during a user logout session.

    [ NSHELP-19470 ]
  • In some cases, the Citrix Gateway appliance dumps core if the appliance is accessed in the Full VPN tunnel mode.

    [ NSHELP-19444 ]
  • The following message incorrectly appears when Citrix Gateway is accessed from the Microsoft Edge browser, and EPA or VPN is not used.
    "Full VPN and EPA are not supported in Edge browser. Please use different browser for a better experience."

    [ NSHELP-19367 ]
  • In a high availability (HA) setup, the primary node might crash if AppFlow is enabled and there is a failover.

    [ NSHELP-19363 ]
  • Encapsulating Security Payload (ESP) packets in transit are dropped if LSN configuration is not enabled on the Citrix ADC appliance.

    [ NSHELP-18502 ]
  • With the repackaged Citrix Workspace app, if RFWebUI theme is used, the following message is displayed to the clients:
    "You must whitelist the ID of Citrix Receiver in Storefront."

    [ NSHELP-18341 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash when processing signature file regex patterns if bigstack is unavailable.

    [ NSHELP-20359 ]
  • A Citrix ADC appliance fails if the following conditions are observed:

    • Web App Firewall policies use an HTTP body based rule, for example, HTTP.REQ.BODY(..).
    • The Web App Firewall feature is disabled.
    [ NSHELP-19879 ]
  • Web requests with many query parameters might receive no response if the field consistency protection parameter is enabled.

    [ NSHELP-19811 ]
  • A Citrix ADC appliance might crash when CONNECT requests are received. The issue occurs if you set the default profile settings to any value other than APPFW_BYPASS, APPFW_RESET, APPFW_DROP, APPFW_BLOCK.

    [ NSHELP-19603 ]
  • A Citrix ADC appliance might crash when processing large form bodies if the field consistency parameter is enabled on the Citrix Web App Firewall profile.

    [ NSHELP-19299 ]
  • A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.

    [ NSHELP-18863 ]
  • When a command is sent to netsvc and the secondary node takes more than 15 seconds to respond, the setsvc command logs or increments the propagation failure counter. If the secondary node takes more than 10 seconds to respond, a failure is logged at the secondary configd and the corresponding timer is updated with an SNMP trap.

    [ NSHELP-18834 ]

Load Balancing

  • You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.

    [ NSHELP-20020 ]
  • A Citrix ADC VPX instance running on an SDX appliance might crash if an invalid DNS request is received on a Jumbo enabled interface.

    [ NSHELP-19854 ]
  • When LRTM is enabled on a monitor bound to a service group, response time is not shown.

    [ NSHELP-12689 ]

Miscellaneous

  • The first login using NITRO API fails for a partition user. However, the subsequent login succeeds.

    [ NSHELP-20159, NSCONFIG-2054 ]
  • A Citrix ADC appliance restarts by itself if the following conditions are observed:

    • Front end optimization feature is enabled.
    • Cached objects are re-optimized.
    [ NSHELP-19428 ]

Networking

  • In a cluster setup, you might observe continuous failure logs that indicate connection failure between ZebOS dynamic routing IMI daemon and internal cluster daemon. This issue occurs when either the ZebOS dynamic routing IMI daemon or internal cluster daemon is restarted.

    [ NSNET-10655 ]
  • The SNMP manager configuration is lost when you restart a cluster node. The issue occurs when the "add snmp manager" command fails during reboot.

    [ NSNET-10355 ]
  • The Citrix ADC trace filter might not work for IP addresses that are not part of any IP address mapping used on the Citrix ADC appliance, for example, multicast IP addresses. The generated trace file might be blank when these IP addresses are used in the trace filter.

    [ NSNET-8930 ]
  • Ensuring that a listener service exists before an FTP data connection request is processed

    In a Citrix ADC appliance, if a packet engine receives an FTP data connection request before a listener service is added, the packet engine sends an 8212 reset code to the FTP client.

    The FTP client interprets this code as a "connection refused" message and closes the connection.

    With this fix, the Citrix ADC appliance ensures that a listener service is added on the packet engine before the packet engine processes the received FTP data connection request.

    [ NSNET-2848, NSHELP-106, NSHELP-19983 ]
  • An SNMP walk gets a query response from a subnet IP (SNIP) address even if the SNMP feature is disabled.

    [ NSHELP-20254 ]
  • On restart, the Citrix ADC appliance establishes BGP sessions with the peer devices before assigning a subnet IP (SNIP) address on the interface, resulting in next-hop validation failure. Because of this issue, the Citrix ADC appliance might not learn the routes advertised by these peer devices.

    [ NSHELP-20211 ]
  • The Citrix ADC appliance might crash if you add a listen policy that has a dependency for a certain internal FTP service lookup.

    [ NSHELP-20002 ]
  • The ADC appliance might not update the ECMP routes in an optimized way when an associated interface is disabled or an associated IP address is deleted.

    [ NSHELP-19891 ]
  • The BGP process might fail due to memory corruption if it receives BGP updates with multiple 4-byte AS numbers in the path.

    [ NSHELP-19860 ]
  • In a cluster setup, the cluster propagation might fail if one of the following conditions is met:

    • The connection fails between the cluster daemon and the configuration daemon.
    • Memory usage in the cluster daemon increases.
    [ NSHELP-19771 ]
  • The Citrix ADC appliance allows configuration through NITRO APIs even before the protocol modules are completely initialized. As a result, the write memory command fails with the following error message:

    save config denied modules not ready

    [ NSHELP-19431 ]
  • The stat system memory command might display an incorrect value for the Free Memory (MB) field whenever the Citrix ADC appliance reaches 100% memory usage in the default partition.

    [ NSHELP-19239 ]

Platform

  • You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.

    [ NSPLAT-10710 ]
  • On an SDX appliance, the No additional MACs available for members of interface 10/1 error message appears when all the following conditions are met:

    • You instantiate 19 VPX instances on the SDX appliance, all with the same network interface.
    • You then add MAC addresses to the 20th VPX instance, which uses the same network interface as the previous instances.
    • The number of MAC addresses on the 20th VPX instance is twice the number of MAC addresses added to the 1st VPX instance.
    [ NSHELP-20158 ]
  • On the following Citrix ADC SDX platforms, connectivity to a VPX instance might fail if the instance receives heavy multicast traffic when no management port is assigned to it and instance management is done through the data ports.

    • SDX 8900
    • SDX 14000-40G
    • SDX 14000-40S
    • SDX 15000-50G
    • SDX 25000-40G
    • SDX 25000T
    • SDX 25000T-40G
    [ NSHELP-19861 ]
  • SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.

    [ NSHELP-19297 ]
  • In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP channel flap. This triggers an HA failover.

    [ NSHELP-19095 ]
  • The ifHighSpeed SNMP OID for a 50G interface shows a value of zero if the speed of the interface is set to AUTO.

    [ NSHELP-18707 ]
  • The SDX 14000 FIPS appliance might crash and restart while configuring a FIPS HSM partition.

    [ NSHELP-18503 ]
  • Sometimes, the LCD on the front panel of a Citrix ADC appliance might display 99% memory usage when the actual memory usage is less.

    [ NSHELP-18483 ]

Policies

  • After an upgrade, the rewrite policy does not work for the CVPN homepage2.html page.

    [ NSHELP-19481 ]

SSL

  • The Citrix ADC appliance might crash and dump core when it tries to access the deleted default DTLS profile while configuring a new DTLS virtual server or service.

    [ NSSSL-6886 ]
  • When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occurs:

    1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.
    2. The server responds with a HelloRetryRequest message.
    3. The client responds with an illegal ClientHello message that omits the server_name extension.

    [ NSHELP-20245 ]
  • If you add a certificate with an AIA extension on a cluster IP (CLIP) address, the following error message appears when you try to remove the certificate from the CLIP: "Internal Error".

    [ NSHELP-19924 ]
  • The following appliances might crash if they receive the ChangeCipherSpec message from a client but not the Finished message:

    • MPX 5900/8900
    • MPX 15000-50G
    • MPX 26000-100G
    [ NSHELP-19856 ]
  • The handshake fails on a Citrix ADC SDX appliance with N2 chips, because ECDSA ciphers are not supported on this platform. With this fix, ECDSA ciphers are not advertised on this platform.

    [ NSHELP-19614, NSHELP-20630 ]
  • A Citrix ADC appliance might crash intermittently if both of the following conditions are met:

    • OCSP check and SSL interception are enabled on an SSL profile.
    • The SSL profile is bound to a content switching virtual server of type PROXY.
    [ NSHELP-19194 ]
  • If the client and CA certificates have different encoding, the client certificate is incorrectly rejected when -clientAuthUseBoundCAChain is ENABLED, even though the client and server certificates are issued by the same CA.

    [ NSHELP-19077 ]
  • The DTLS handshake might fail if DTLS records of different message types are received out of order. For example, a Server Hello Done message is received before a Server Hello message.

    [ NSHELP-18512 ]
  • The SafeNet directory is missing when you install a VPX instance on the Citrix XenServer, VMware ESX, or Linux-KVM platform.

    [ NSHELP-14582 ]

System

  • A Citrix ADC appliance initiates an HTTP/1.1 connection instead of an HTTP/2 connection if the complete request body is not received for a POST request.

    [ NSHELP-20289 ]
  • The Citrix ADC appliance might crash if a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as either of the following:

    • Jumbo frames.
    • A set of IP fragments.
    [ NSHELP-19920, NSHELP-20273 ]
  • In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.

    [ NSHELP-19867 ]
  • In rare cases, a cluster node might crash when a client or server sends an out-of-order packet followed by an in-sequence packet with the FIN message.

    [ NSHELP-19824 ]
  • In some cases, you see a delay or timeout in connecting to the back-end server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server, there is a delay or timeout because the connection is still in the TIME_WAIT state on the server.

    [ NSHELP-19772 ]
  • The policy evaluation might fail if the following conditions are met:

    • 256 policy expressions reference the same custom header.
    • The custom header reference counter (an 8-bit counter) wraps to 0.
    [ NSHELP-19082 ]
  • A memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.

    [ NSHELP-18891, NSHELP-20778 ]
  • A Citrix ADC appliance crashes if the current_tcp_profile and current_adtcp_profile are not set.

    [ NSHELP-18889 ]
  • A transaction on HTTP/2 stream does not get terminated correctly if the client sends a "te: traielrs" header in the request to a virtual server with Transform policy bound to it.

    [ NSHELP-18805 ]
  • A high memory usage issue occurs in a partitioned Citrix ADC appliance.

    [ NSBASE-8780, NSBASE-8763 ]

User Interface

  • Due to some technical issues in the framework, not all service groups are displayed in the ADC GUI.

    [ NSUI-13754 ]
  • After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.

    [ NSHELP-20137 ]
  • In a cluster setup, the Citrix ADC GUI fails to upload an SSL certificate under the following conditions:

    • Commands are executed from the CLIP.
    • The sh partition command returns an invalid response.

    [ NSHELP-19905 ]
  • An error message appears when you assign a DH parameter file to an SSL profile in an admin partition setup.

    [ NSHELP-19838 ]
  • In a cluster setup, if you add a cipher group from advanced settings using the GUI, the cipher group does not appear on the main page.

    [ NSHELP-19704 ]
  • A configuration loss occurs every time a high availability configuration synchronization happens along with a high availability failure.

    [ NSHELP-19210 ]
  • The GSLB site backup parent list configuration is lost if both of the following conditions are met:

    • The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.
    • The Citrix ADC appliance is restarted.
    [ NSCONFIG-1760 ]
  • The Citrix ADC appliance responds with an internal error message for the show routerdynamicrouting NITRO API call.

    [ NSCONFIG-1325 ]

Known Issues

The issues that exist in release 12.1-54.16.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • A Citrix ADC appliance configured to authenticate using the OAuth Service Provider cannot be configured with "client_secret_post" to authenticate with the IdP tokenEndPoint.

    With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

    [ NSHELP-28945 ]
  • While sending an AS_REQ request for a delegated user that is part of KCD SSO, the Citrix ADC appliance selects an encryption type with the following priority when the domain controller (DC) publishes all encryption types:

    1. ETYPE_ARCFOUR_HMAC_MD5
    2. ETYPE_AES128_CTS_HMAC_SHA1_96
    3. ETYPE_AES256_CTS_HMAC_SHA1_96

    instead of

    1. ETYPE_AES256_CTS_HMAC_SHA1_96
    2. ETYPE_AES128_CTS_HMAC_SHA1_96
    3. ETYPE_ARCFOUR_HMAC_MD5
    [ NSHELP-28681 ]
  • Access to a service is denied if the following conditions are met:

    • The service is bound to an authentication virtual server.
    • 401 authentication is configured on the service and the virtual server that the service is bound to.
    [ NSHELP-26903 ]
  • The Citrix ADC appliance might crash when the synchronization of the session and key configuration happens from the primary to the secondary controller card.

    [ NSHELP-26891 ]
  • In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.

    [ NSHELP-26745 ]
  • The "timeout" parameter for the emailAction command is deprecated. The default value for timeout is 180 seconds.

    [ NSHELP-26424 ]
  • In rare cases, the OAuth authentication fails if a Citrix ADC appliance configured as OAuth IdP does not send a JWT token in the specified format.

    [ NSHELP-26323 ]
  • When a Citrix ADC appliance performs a nested LDAP group search, some of the group information from Active Directory is missed because of incorrect behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.

    [ NSHELP-26316 ]
  • In some cases, addition of multiple EPA related authentication policies results in high management CPU.

    [ NSHELP-26281 ]
  • You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.

    [ NSHELP-26199 ]
  • In some cases, a Citrix ADC appliance crashes because a default action is bound to a policy that has no login schema.

    [ NSHELP-26192 ]
  • In some cases, attributes such as "Secure" and "Domain" present in a SameSite cookie are not separated by a comma but are displayed as one attribute.

    [ NSHELP-25825 ]
  • A Citrix ADC appliance might crash if the following issues are observed:

    • Invalid memory allocation.
    • Web App Firewall is configured with form-based SSO authentication.
    [ NSHELP-24551 ]
  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:

    • The Citrix ADC appliance is configured for multi-factor authentication.
    • Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.

    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.

    [ NSHELP-18751 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.

    Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.

    [ NSAUTH-6339 ]
  • The DualAuthPushOrOTP.xml LoginSchema does not appear properly in the login schema editor screen of the Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.

    [ NSHELP-28724 ]
  • On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.

    [ NSHELP-26500 ]
  • In some cases, a Citrix ADC SDX appliance might create core dumps while taking a backup.

    [ NSHELP-26345 ]
  • On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.

    [ NSHELP-26190 ]
  • If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.

    [ NSHELP-25909 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • SNMPv3 queries work only for a few minutes after changing the password.

    [ NSHELP-19313 ]
  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).

    [ NSHELP-18541, NSHELP-19313 ]

Citrix Gateway

  • On the Citrix Gateway portal page, the RDP proxy link icon does not change with the RfWebUI portal theme.

    [ NSHELP-28974 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

    [ NSHELP-28856 ]
  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]
  • The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.

    [ NSHELP-27037 ]
  • Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

    [ NSHELP-26904 ]
  • The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.

    [ NSHELP-26722 ]
  • The Citrix Receiver download URL (receiver.exe file) does not download after authentication.

    [ NSHELP-26600 ]
  • The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.

    [ NSHELP-26431 ]
  • The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.

    [ NSHELP-26068 ]
  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]
  • The Citrix Gateway login page does not load after an admin partition, if configured, is deleted.

    [ NSHELP-25538 ]
  • The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.

    [ NSHELP-25420 ]
  • Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.

    [ NSHELP-24718 ]
  • A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.

    [ NSHELP-24437 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]
  • HDX Insight data is not observed in Director for individual sessions. The issue is seen when Citrix ADC App Experience (NSAP) sessions are established.

    [ NSHELP-23834 ]
  • Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.

    [ NSHELP-23770, NSHELP-18191 ]
  • The VPN plug-in does not establish a tunnel after Windows logon if the following conditions are met:

    • The Citrix Gateway appliance is configured for the Always On feature.
    • The appliance is configured for certificate based authentication with two factor authentication "off".
    [ NSHELP-23584 ]
  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done
    >

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.

    [ NSHELP-22349 ]
  • In a multicore processor setup, the Citrix Gateway appliance crashes if the Gateway Insight feature is enabled and a request is received on a non-owner core.

    [ NSHELP-21089 ]
  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:

    • SplitTunnel is set to ON.
    • IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In some cases, a Citrix ADC appliance might dump core during a user logout session.

    [ NSHELP-19470 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.

    [ NSHELP-7872 ]
  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]
  • While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.

    [ CGOP-16792 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.

    [ CGOP-3359 ]

Citrix Web App Firewall

  • If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.

    [ NSWAF-8668 ]
  • The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

    [ NSHELP-29113 ]
  • In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.

    [ NSHELP-26570 ]
  • Some requests with security violations are not blocked by the HTML cross-site scripting security check.

    [ NSHELP-24762 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • The state of the service group displayed in the show and stat commands is inconsistent.

    [ NSHELP-28931 ]
  • The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]
  • Sometimes in a multi-PE system, the domain-based groups do not recover to the UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.

    [ NSHELP-27965 ]
  • When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.

    [ NSHELP-24329 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.

    [ NSHELP-21425 ]
  • When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name longer than 32 characters.

    [ NSHELP-20939 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]
  • Redirecting an HTTPS URL fails if the URL contains the % special character.

    [ NSHELP-19993 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command on the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time specified in the "TimeOfDayToUpdateDB" parameter.

    [ NSSWG-849 ]
  • A Citrix ADC appliance adds extra L2 information when tunnel or Type of Service (TOS) virtual servers are created.

    [ NSHELP-27825 ]
  • In a cluster setup, command propagation might fail because the connection to the CCO is lost. The issue is observed if both of the following conditions are met:

    • You perform a command propagation operation in the setup.
    • The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.

    [ NSHELP-26350, NSHELP-24910 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.

    [ NSHELP-22409 ]
  • In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

    [ NSHELP-20366 ]

Networking

  • A Citrix ADC appliance might crash if all of the following conditions are met:

    • A load balancing route is configured in a traffic domain on the appliance.
    • A clear config operation is performed on the appliance.
    [ NSNET-23847 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • LSN filtering and mapping entries are not present in the appliance.
    [ NSHELP-30225 ]
  • Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-25105 ]
  • For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.

    [ NSHELP-24632 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition.

    [ NSHELP-24000 ]
  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

    [ NSHELP-21288 ]
  • When the memory limit of an admin partition is changed on a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the new admin partition memory limit.

    [ NSHELP-21082 ]

Platform

  • A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.

    [ NSPLAT-16852 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.

    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

    [ NSPLAT-4451 ]
  • On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.

    [ NSHELP-26307 ]
  • On a Citrix ADC SDX appliance, a VPX instance might fail to boot when provisioned with 24 interfaces due to inadequate shared memory allocation.

    [ NSHELP-25912 ]
  • On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:

    • The LACP link on 10G ports might flap intermittently or go down permanently.

    Workaround:
    1. Find the internal ethX port corresponding to the 10G port.
    2. Run the following command at the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
    3. Review the traffic profile to block unwanted traffic on the switch side.

    [ NSHELP-25561 ]
  • On a Citrix ADC SDX appliance, during a warm reboot of a VPX instance configured as a cluster node, the backplane LA channel might go into a PARTIAL-UP state because of a set interface command failure.

    [ NSHELP-23353 ]
  • The status of SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.

    [ NSHELP-20009 ]

Policies

  • A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.

    [ NSPOLICY-1462 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]
  • Policy string map might not work if UTF-8 characters are used in key text.

    [ NSHELP-25357 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.

    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]
  • You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server as SNI certificates if the domain name is the same.

    [ NSSSL-2560 ]
  • In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

    [ NSHELP-28058 ]
  • In a high availability setup, the certificate type is not synchronized correctly between the primary and secondary nodes.

    [ NSHELP-27589 ]
  • In a cluster setup, you might observe the following issues:

    • Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
    • Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
    • Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
    [ NSHELP-25764 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]

System

  • In certain scenarios, a Citrix ADC appliance does not forward some HTTP packets to the back-end server if the following condition is met:

    • A Citrix ADC feature internally clones HTTP packets.

    [ NSHELP-29958 ]
  • The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

    [ NSHELP-29142, NSHELP-29583 ]
  • TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.

    [ NSHELP-27502, NSBASE-14650 ]
  • The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.

    [ NSHELP-27417 ]
  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]
  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]
  • A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.

    [ NSHELP-26594 ]
  • If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.

    [ NSHELP-26299 ]
  • During clear configuration, when there is no URL set in use, an error log entry corresponding to the URL set is seen in the ns.log.

    [ NSHELP-26242 ]
  • A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.

    [ NSHELP-26008, NSHELP-26564 ]
  • A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.

    [ NSHELP-25731 ]
  • The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.

    [ NSHELP-24043 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output: for snmpwalk on the CLIP, the output has a dot appended at the end, whereas for snmpwalk on the NSIP it does not.

    [ NSHELP-22684 ]
  • When the Intrusion Prevention System (IPS) processes data before the cache module, the PayloadInfo variable is not cleared properly. When the cache module later accesses the variable, the Citrix ADC appliance crashes.

    [ NSHELP-21907 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ NSBASE-16304, NSGI-1293 ]
  • Segmentation errors or duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:

    • HTTP profile bound to a backend service has HTTP2 enabled and HTTP2 direct disabled.
    • Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of HTTP type.
    [ NSBASE-13582 ]
  • A few AppFlow records containing IPFIX information might be abnormal.

    [ NSBASE-11686 ]
  • In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.

    [ NSBASE-10587 ]
  • The client IP and server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC

    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

    [ NSBASE-825 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]
  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.

    [ NSUI-13193, NSUI-11561 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]
  • In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.

    [ NSHELP-28870 ]
  • Importing a certificate in an admin partition might incorrectly fail with the following message:

    ERROR: User doesnt have permission for given Destination path

    [ NSHELP-26918 ]
  • When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.

    [ NSHELP-25654 ]
  • The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.

    [ NSHELP-24195 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.

    [ NSHELP-21809 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.

    [ NSHELP-20821 ]
  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.

    [ NSHELP-19958 ]
  • The top-level page title is missing on all security check GUI pages.

    [ NSHELP-18607 ]
  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. But the GUI incorrectly displays the following error:
    Trace not started

    [ NSHELP-18566, NSHELP-24796 ]
  • If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed-up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]