- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
Authentication, authorization, and auditing
- A Citrix ADC appliance might crash during audit logging if the user authentication is prompted with an extra sign-in request such as a password change or a RADIUS challenge.[ NSHELP-21703 ]
- When Citrix ADC is deployed as IdP for Citrix Workspace, users are not able to log on to Citrix Workspace.[ NSHELP-21324 ]
- A Citrix ADC appliance might crash during authentication, authorization, and auditing when a packet engine generates a duplicate session removal response.[ NSHELP-21172 ]
- If Citrix ADC is configured for forms based SSO, and name-value pairs are specified in the configuration, these values are ignored if the values are absent in the form.[ NSHELP-21139 ]
- The SAML metadataURL parameter does not work after a Citrix ADC appliance is restarted.[ NSHELP-21006 ]
- In rare cases, the Citrix Gateway appliance might fail when users are challenged for a one-time code.[ NSHELP-20967 ]
- In rare cases, a Citrix ADC appliance might crash while serving VPN traffic.[ NSHELP-20751 ]
- A Citrix ADC appliance might fail to authenticate the Microsoft Outlook 2016 users if the password contains Umlaut characters.[ NSHELP-20682 ]
- A Citrix ADC appliance might fail in the following circumstances:
  - The appliance is configured with OAuth or SAML IdP actions that refresh metadata information from an external source.
  - The configuration is changed while data is fetched from the external source or while authentication is in progress. The same issue is observed when you run a clear config command.[ NSHELP-20646 ]
- You cannot unbind multiple certificates by using the Citrix ADC GUI.[ NSHELP-20598 ]
- A Citrix ADC appliance might crash because of a buffer overflow when processing an FQDN in an SSL certificate.[ NSHELP-20476 ]
- The Citrix ADC appliance crashes after an upgrade to version 13.0 because of a buffer overflow condition.[ NSHELP-20416, NSAUTH-6770 ]
- A Citrix ADC appliance configured as a SAML Service Provider (SP) on traffic management virtual server does not send post body response to the back-end server after SAML login.[ NSHELP-20348 ]
- A Citrix ADC appliance configured as SAML Service Provider (SP) might fail to validate assertions sent by certain IdPs if the namespace of SAML is not defined completely.[ NSHELP-20307 ]
- You cannot unbind an authorization policy by using the Citrix ADC GUI.[ NSHELP-20298 ]
- A Citrix Gateway appliance might occasionally fail if users try to log in while a VPX snapshot is being taken.[ NSHELP-20292 ]
- A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.[ NSHELP-20282 ]
- A Citrix Gateway appliance might fail if the following conditions are met:
  - A user logs out of a session.
  - The appliance is deployed in an HDX platform.
  - SAML authentication is used in Citrix Gateway.[ NSHELP-20206 ]
- In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.[ NSHELP-20181 ]
- If you do not configure the RfWebUI portal theme on a Citrix ADC appliance, you might observe the following changes:
  - The OTP management pages appear differently or OTP management might not work.
  - The appliance shows unexpected behavior.[ NSHELP-20144 ]
- A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates relaystate from Service Provider (SP) if it contains quotes.[ NSHELP-20131 ]
- A Citrix ADC appliance might drop the connection if the /cgi/samlauth request comes from an authenticated connection without a cookie header.[ NSHELP-20059 ]
- In an OpenID-Connect mechanism, OAuth Relying Party (RP) does not encode username or password properties while making password grant API call.[ NSHELP-19987 ]
- The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.[ NSHELP-19961 ]
- A memory leak is observed in a Citrix ADC appliance when the mail attribute is extracted during the LDAP login.[ NSHELP-19955 ]
- A Citrix ADC appliance sends a negative value if the maximum age value for HSTS header is set above 2,147,483,647.[ NSHELP-19945 ]
- A Citrix ADC appliance processes unauthenticated HTTP requests with OPTIONS method received from authentication, authorization, and auditing traffic management virtual server. At this point, the appliance responds with a corresponding HTTP 401 error message.[ NSHELP-19916 ]
- A 500 error message is observed if the following conditions are met:
  - An authentication, authorization, and auditing enabled traffic management virtual server receives a POST request without the cookie.
  - The POST body contains newline characters.[ NSHELP-19852 ]
- In some cases, a Citrix ADC appliance dumps core when "show aaa group -loggedIn" command is issued.[ NSHELP-19793 ]
- A Citrix ADC appliance might crash in the OTP manage flow if the following conditions are met:
  - The OTP login schema is used as the first factor.
  - Email authentication is used as the second factor.[ NSHELP-19759 ]
- Authentication might fail when a Citrix ADC appliance configured as SAML with WS-Fed protocol contains a special character & in the password.[ NSHELP-19740 ]
- If user group extraction is done during an administrator login, the memory usage of Citrix ADC Authentication, authorization, and auditing increases gradually.[ NSHELP-19671 ]
- If the URL contains ";" special character, the TASS cookie encodes the URL redirect at the time of login.[ NSHELP-19634 ]
- If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.[ NSHELP-19528 ]
- The base64 decoding fails if a digital signature has HTML entity encoded characters.[ NSHELP-19410 ]
- In some cases, the Citrix Gateway appliance sets invalid cookie while processing the unauthenticated requests.[ NSHELP-19403 ]
- If you set "Import Metadata URL" and later edit it by providing the redirect URL from Citrix ADC GUI, the Redirect URL is set but the Import Metadata URL is not unset. Because of this, the Citrix ADC appliance uses the metadata URL.[ NSHELP-19202 ]
- A Citrix ADC appliance fails to obtain Kerberos tickets through constrained delegation if one of the following conditions is met:
  - The enterprise realm parameter is configured for the user.
  - The domain name in the keytab parameter is in lower case.[ NSHELP-18946 ]
- When upgrading Citrix ADC cluster setup that is on release 10.5 to a higher version, the system login to a non-CCO node on the higher version fails.[ NSHELP-18511, NSAUTH-5561 ]
- The following behavior is observed in the Citrix ADC GUI:
  - You cannot edit the OAuth Policies.
  - You can edit only OAuth Actions.
  - The OAuth Policies option must only be under Advanced Policies, not under Basic Policies.[ NSHELP-2131 ]
Support for SameSite attribute
For Citrix Gateway and Citrix ADC Authentication, authorization, and auditing deployments, support is now added to configure the SameSite cookie attribute. This attribute helps prevent issues that might occur because of certain browser upgrades, such as Google Chrome 80. The SameSite attribute can now be set to None, Lax, or Strict, as per the requirement.
For details, see https://docs.citrix.com/en-us/citrix-gateway/12-1/configure-samesite-attribute-for-citrix-gateway.html and https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/configure-samesite-for-aaa-deployments.html[ NSAUTH-7531 ]
- In a Citrix ADC high availability and cluster setup, the appliance might crash when you upgrade the appliance from release 12.1 build 55.13 to release 12.1 build 55.18. The crash occurs if either Citrix Gateway or authentication, authorization, and auditing features are enabled on the appliance.[ NSAUTH-7153 ]
- A Citrix ADC appliance might crash upon updating the user data certificate by using the update ssl certkey command.[ NSAUTH-5554 ]
Citrix ADC SDX Appliance
New values for SDX minimum bandwidth and minimum instances
The minimum bandwidth and minimum instances values for SDX appliances that support Citrix ADC pooled capacity have changed. For more information, see:
https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity.html[ NSSVM-2770 ]
- After you have configured a VLAN from the allowed VLAN list (AVL) on a VPX instance running on an SDX appliance, the instance fails to restart automatically. As a result, communication between the VPX instance and AVL stops.[ NSSVM-135 ]
- When configuring pooled licensing on an SDX 14000 FIPS appliance, the minimum number of instances you could check out was 25. With this fix, the minimum number of instances you can check out is two. For more information, see the Citrix ADC pooled capacity document:
https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity.html[ NSHELP-20305 ]
- On an SDX appliance, when you restore a VPX instance provisioned with burst throughput, the restore might fail.[ NSHELP-20013 ]
- If the backup file name has any special character, restoring the SDX appliance to that backup fails. With the fix, an error message appears if the backup file has any special character.[ NSHELP-19951 ]
- On SDX 22XXX and 24XXX appliances, during system health monitoring, the SDX Management Service raises false alerts.[ NSHELP-19795 ]
- SNMP alarm on SDX device does not work for disk, memory, or temperature parameters but works only for CPU.[ NSHELP-19713 ]
- Channel information for ADC instances might be lost if multiple instances are rebooted or shutdown simultaneously from the Management service.[ NSHELP-19610 ]
- After upgrading an SDX appliance, the LA channel and VLAN configuration on the appliance might be lost.[ NSHELP-19392, NSHELP-19610, NSHELP-22334 ]
- The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.[ NSHELP-21763 ]
- In some cases, Citrix Gateway dumps core if the following conditions are met:
  - EDT Insight functionality is enabled for the Citrix Gateway appliance.
  - The appliance receives an out-of-order CGP BINDRESP packet from the VDA.[ NSHELP-21296 ]
- In a Citrix Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Citrix Web App Firewall global.[ NSHELP-21254 ]
- In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.[ NSHELP-21184 ]
- In a Citrix Gateway high availability setup, the secondary node crashes if a syslog policy is bound globally to Citrix Web App Firewall and one of the following conditions is met:
  - You perform a force failover.
  - You clear the configuration.[ NSHELP-21167 ]
- The Citrix ADC appliance might become unresponsive if the appliance is configured for proxy EDT connections and there is a low memory condition.[ NSHELP-20761 ]
- The Citrix ADC appliance might become unresponsive if HDX Insight is enabled and there is a low memory condition.[ NSHELP-20707 ]
- In rare cases, the Citrix Gateway appliance crashes if Authentication, authorization, and auditing user session is transferred and Intranet IP is enabled.[ NSHELP-20680 ]
- A Citrix ADC appliance fails to decode rewritten URLs for clientless VPN if the URLs contain "%2E" in the FQDN.[ NSHELP-20603 ]
- The EPA process crashes if both of the following conditions are met:
  - A network adapter does not have an IP address or MAC address assigned.
  - Only a device certificate is used as an EPA check.[ NSHELP-20543 ]
- Citrix Windows plug-in is unable to connect to Citrix Gateway using Mozilla Firefox 68.0.[ NSHELP-20503 ]
- You might experience a delay in the keyboard and mouse responses to your actions in a launched desktop if DTSL is enabled.[ NSHELP-20447 ]
- A memory leak is observed in a Citrix ADC appliance if the following conditions are met:
  - A second factor is configured as pass-through.
  - The buffer is not freed up.[ NSHELP-20390 ]
- The VPN plug-in unblocks all TCP traffic until captive portal authentication if both of the following conditions are met:
  - The client machine is configured for AlwaysOn, onlyToGateway mode.
  - The client machine is connected to a captive portal network.[ NSHELP-20360 ]
- Users are unable to add client-less access policies from the policy manager by using the Citrix Gateway GUI.[ NSHELP-20333 ]
- EPA scans are not completed and become unresponsive.[ NSHELP-20319 ]
- A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.[ NSHELP-20285 ]
- The Citrix ADC appliance might become unresponsive if HDX Insight is enabled.[ NSHELP-20280 ]
- The login schema profile of the secondary node does not correctly display the labels on the Configure Authentication Login Schema GUI page.[ NSHELP-20234 ]
- In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.[ NSHELP-20230, NSHELP-24495 ]
- Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a result, the system slows down.[ NSHELP-20122 ]
- Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.[ NSHELP-20097 ]
- In rare cases, the Citrix Gateway crashes while GSLB updates VPN services statistics.[ NSHELP-19992 ]
- A Citrix Gateway appliance might restart when RDP server profile is updated for the virtual server.[ NSHELP-19960 ]
- Windows Intune enrollment check cannot be disabled on the client machines. The check is enabled by default.
With this fix, Windows Intune enrollment check can be disabled. To disable the check, set the following registry entry to 1:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\DisableIntuneDeviceEnrollment[ NSHELP-19942 ]
- If ICA insight is enabled for EDT sessions, you might experience a frozen screen or a delay in the application screen operations.[ NSHELP-19934 ]
- In some cases, the EPA scan fails on Windows machines.[ NSHELP-19865 ]
- If an authentication factor hosted in Azure is used in Citrix MFA, logon to Citrix Gateway using the Windows plug-in fails. This happens because the MFA HTTP timeout value is less than the Citrix Gateway Windows plug-in timeout value.
With this fix, the Citrix Gateway Windows plug-in timeout value is increased to avoid logon failure. Also, the HTTP timeout value can now be configured by setting the following registry value (in seconds):
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\HttpTimeout[ NSHELP-19848 ]
- A Citrix ADC appliance might crash during the ICA handshake with Linux receivers if the Receiver's PACKET_INIT_RESPONSE does not include the encryption module (ICA_MODULE_PD), which leaves a null encryption handler in the appliance. With this fix, the appliance skips parsing the connection when no encryption parameters are received from the Receiver.[ NSHELP-19758 ]
- The Endpoint Analysis (EPA) scan failed to validate 4096 bit key device certificate.[ NSHELP-19697 ]
- A Citrix Gateway does not recognize the logon expression policy in a Windows plug-in during nFactor authentication.[ NSHELP-19640 ]
- Audio clarity for Skype calls is negatively affected when multiple applications/connections are tunneled over the VPN. This happens because of an improper memory management.[ NSHELP-19630, NSHELP-24619 ]
- The DTLS service on a VPN virtual server functions with a default set of ciphers that cannot be modified through the bind or unbind cipher commands using CLI.[ NSHELP-19561 ]
- In an HA pair setup, the persistent sessions on the primary node are not cleared because of an issue with the session sync code in the VPN server.[ NSHELP-19557 ]
- The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.[ NSHELP-19543 ]
- Citrix ADC appliances deployed in a high availability (HA) setup crash if both of the following conditions are met:
  - AppFlow is enabled.
  - There is a high availability synchronization failure.[ NSHELP-19490 ]
- In some cases, a Citrix ADC appliance might dump core during a user logout session.[ NSHELP-19470 ]
- In some cases, the Citrix Gateway appliance dumps core if the appliance is accessed in the Full VPN tunnel mode.[ NSHELP-19444 ]
- The following message incorrectly appears when Citrix Gateway is accessed from the Microsoft Edge browser, and EPA or VPN is not used.
"Full VPN and EPA are not supported in Edge browser. Please use different browser for a better experience."[ NSHELP-19367 ]
- In a high availability (HA) setup, the primary node might crash if AppFlow is enabled and there is a failover.[ NSHELP-19363 ]
- In some cases, a Citrix ADC appliance dumps core if UDP channel for audio is enabled for an app or a desktop launch and the STA server responds after the client side DTLS channel is closed.[ NSHELP-19303 ]
- Encapsulating Security Payload (ESP) packets in transit are dropped if LSN configuration is not enabled on the Citrix ADC appliance.[ NSHELP-18502 ]
- With the repackaged Citrix Workspace app, if RFWebUI theme is used, the following message is displayed to the clients:
"You must whitelist the ID of Citrix Receiver in Storefront."[ NSHELP-18341 ]
Citrix Web App Firewall
- Requests coming from Tor proxy IP addresses are not blocked by the IP reputation Tor proxy category using CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(PROXY) policy expression.[ NSWAF-3611 ]
- A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.[ NSHELP-21283 ]
- A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.[ NSHELP-21220 ]
- A Citrix ADC appliance might crash if the signature feature is enabled and a specific request pattern is detected.[ NSHELP-20884, NSHELP-19583 ]
- A Citrix ADC appliance might crash when processing signature file regex patterns and if bigstack is unavailable.[ NSHELP-20359 ]
- After an upgrade, if you bind a signature to the Web App Firewall profile, the appliance silently drops an incoming request.[ NSHELP-20201 ]
- A Citrix ADC appliance might crash if there is an internal communication error with the sqlite library.[ NSHELP-20173 ]
- A Citrix ADC appliance fails if the following conditions are observed:
  - Web App Firewall policies use an HTTP body based rule, for example, HTTP.REQ.BODY(..).
  - The Web App Firewall feature is disabled.[ NSHELP-19879 ]
- Web Requests with many query parameters might receive no response if the field consistency protection parameter is enabled.[ NSHELP-19811 ]
- A Citrix ADC appliance might crash when CONNECT requests are received. The issue occurs if you set the default profile settings to any value other than APPFW_BYPASS, APPFW_RESET, APPFW_DROP, APPFW_BLOCK.[ NSHELP-19603 ]
- A Citrix ADC appliance might crash when processing large form bodies and if the field consistency parameter is enabled on the Citrix Web App Firewall profile.[ NSHELP-19299 ]
- A Citrix ADC appliance might crash if the following features are enabled in the Web App Firewall profile:
  - XML processing.
  - Security insight.[ NSHELP-18869, NSHELP-21691 ]
- A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.[ NSHELP-18863 ]
- When a command is set to netsvc and the secondary node takes more than 15 seconds to respond, the setsvc command logs or increments the propagation failure counter. If the secondary node takes more than 10 seconds to respond, a failure is logged at the secondary configd and the corresponding timer is updated with an SNMP trap.[ NSHELP-18834 ]
Support to configure the ADC generated cookie attributes
For Citrix ADC deployments, support is now added to insert additional cookie attributes into the cookies generated by the Citrix ADC appliance. These additional cookie attributes help in enforcing the required policies for the ADC generated cookies based on the application access pattern.
This feature can be used to prevent issues that can occur because of the Google Chrome upgrade (Google Chrome 80).
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/insert-cookie-attributes.html[ NSLB-6068 ]
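The SameSite note in the authentication section above and the cookie-attribute note here both exist because Chrome 80 changed how cookies without explicit attributes are handled: a cookie with no SameSite attribute is treated as Lax (so it is dropped from cross-site POSTs such as SAML or OAuth callbacks to a gateway), and SameSite=None is rejected unless Secure is also present. The Python script below is an added example, not Citrix code and not from the linked documentation: it audits Set-Cookie and Strict-Transport-Security header values captured from a response against those rules, and also checks the HSTS max-age against the 2,147,483,647 bound cited in NSHELP-19945. It does not talk to an appliance; the cookie names and values are constructed samples.

```python
"""Audit Set-Cookie and Strict-Transport-Security headers the way Chrome 80+ treats them.

Added example for this release-notes page; it is not Citrix code and does not
talk to an appliance. The sample headers at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INT32_MAX = 2_147_483_647   # the bound cited for the HSTS max-age fix (NSHELP-19945)
ONE_YEAR = 365 * 24 * 3600  # common minimum recommended HSTS max-age


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into the attributes the audit cares about."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()  # normalise "none" -> "None"
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return CookieAudit(name, samesite, secure, httponly)


def audit_cookie(header_value: str) -> CookieAudit:
    """Flag attribute combinations that Chrome 80+ rejects or silently changes."""
    c = parse_set_cookie(header_value)
    if c.samesite is None:
        c.findings.append("no SameSite attribute: Chrome 80+ defaults it to Lax, so the "
                          "cookie is dropped from cross-site POSTs such as SAML or OAuth "
                          "callbacks to the gateway")
    elif c.samesite == "None" and not c.secure:
        c.findings.append("SameSite=None without Secure: Chrome 80+ rejects the cookie outright")
    elif c.samesite not in ("None", "Lax", "Strict"):
        c.findings.append(f"unknown SameSite value {c.samesite!r}: treated like a missing attribute")
    if not c.secure:
        c.findings.append("missing Secure: cookie can be sent over plain HTTP")
    if not c.httponly:
        c.findings.append("missing HttpOnly: cookie is readable by page scripts")
    return c


def audit_hsts(header_value: str) -> List[str]:
    """Check the HSTS max-age directive, including the 32-bit overflow case."""
    m = re.search(r'max-age\s*=\s*"?(-?\d+)', header_value, re.IGNORECASE)
    if not m:
        return ["no max-age directive: header is ignored by browsers"]
    max_age = int(m.group(1))
    if max_age < 0:
        return [f"negative max-age {max_age}: invalid, browsers ignore the header "
                "(typical of a value above 2^31-1 wrapping in a 32-bit field)"]
    if max_age > INT32_MAX:
        return [f"max-age {max_age} exceeds 2^31-1: risks exactly that overflow"]
    if max_age < ONE_YEAR:
        return [f"max-age {max_age} is below one year"]
    return []


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run both audits over (name, value) response-header pairs, keyed by cookie name or 'HSTS'."""
    report: Dict[str, List[str]] = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            c = audit_cookie(value)
            report[c.name] = c.findings
        elif lname == "strict-transport-security":
            report["HSTS"] = audit_hsts(value)
    return report


# Constructed sample response headers: cookie names modelled on ADC-style names, values invented.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "NSC_AAAC=abc123; Path=/; Secure; HttpOnly; SameSite=None"),
    ("Set-Cookie", "NSC_TASS=xyz789; Path=/; SameSite=None"),
    ("Set-Cookie", "NSC_PERS=srv01; Path=/; Secure"),
    ("Strict-Transport-Security", "max-age=-2147483648"),
]

if __name__ == "__main__":
    for key, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {'ok' if not findings else '; '.join(findings)}")
```

Feed it the header pairs from a captured response (for example, the output of a curl -i against the virtual server) and treat any finding on a session or persistence cookie as a configuration gap: a gateway that receives IdP POST callbacks needs SameSite=None together with Secure, while cookies that are only ever used first-party are safer as Lax or Strict.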
- The Citrix ADC appliance might crash when both of the following conditions are met:
  - Rule-based persistence is configured on the appliance.
  - Multiple IPv6 servers respond with the same values for the parameters configured in the rule-based persistence.[ NSHELP-20490 ]
- You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.[ NSHELP-20020 ]
- A Citrix ADC VPX instance running on an SDX appliance might crash if an invalid DNS request is received on a Jumbo enabled interface.[ NSHELP-19854 ]
- When LRTM is enabled on a monitor bound to a service group, response time is not shown.[ NSHELP-12689 ]
- The Citrix ADC appliance might become unresponsive if you remove the AppFlow action while traffic is flowing through the appliance.[ NSHELP-20523 ]
- The first login using NITRO API fails for a partition user. However, the subsequent login succeeds.[ NSHELP-20159, NSCONFIG-2054 ]
- A Citrix ADC appliance restarts by itself if the following conditions are observed:
  - The front end optimization feature is enabled.
  - Cached objects are re-optimized.[ NSHELP-19428 ]
- The CLI of a Citrix ADC appliance displays unwanted debug messages when the appliance processes IPv6 fragmented packets.[ NSNET-12704, NSHELP-20990 ]
- In a cluster setup, you might observe continuous failure logs that indicate connection failure between the ZebOS dynamic routing IMI daemon and the internal cluster daemon. This issue occurs when either the ZebOS dynamic routing IMI daemon or the internal cluster daemon is restarted.[ NSNET-10655 ]
- The SNMP manager configuration is lost when you restart a cluster node. The issue occurs when the "add snmp manager" command fails during reboot.[ NSNET-10355 ]
- The Citrix ADC trace filter might not work for IP addresses if they were not part of any IP address mappings used on the Citrix ADC appliance, for example, multicast IP addresses. The generated trace file might be blank when these IP addresses are used in the trace filter.[ NSNET-8930 ]
Assurance of a listener service for processing an FTP data connection request
In a Citrix ADC appliance, if a packet engine receives an FTP data connection request before a listener service is added, the packet engine sends an 8212 reset code to the FTP client. The FTP client interprets this code as a "connection refused" message and closes the connection.
Now, the Citrix ADC appliance ensures that a listener service is added on the packet engine before the packet engine processes the received FTP data connection request.[ NSNET-2848, NSHELP-106, NSHELP-19983 ]
- An ACL6 list of type DFD might be corrupted when you add ACLs in descending order and delete any one of the ACL6 entries.[ NSHELP-20587 ]
- A Citrix ADC appliance might crash if it receives IPv6 traffic that matches both of the following conditions:
  - The source MAC address of the IPv6 traffic matches the MAC address of a service bound to a virtual server with type ANY and redirection mode set to MAC based forwarding (-m MAC).
  - The IPv6 traffic matches an RNAT6 rule with the TCP proxy option enabled.[ NSHELP-20548 ]
- 32-bit ASN values appear as negative values in the sh ip bgp summary command output.[ NSHELP-20540 ]
- SNMPWalk gets query response from a subnet IP (SNIP) address even if SNMP feature is disabled.[ NSHELP-20254 ]
- User authentication to Citrix ADC GUI fails if an issue is observed in VAR file rollover mechanism.[ NSHELP-20229 ]
- On restart, the Citrix ADC appliance establishes a BGP session with the peer devices before assigning a subnet IP (SNIP) address on the interface, resulting in next-hop validation failure. Because of this issue, the Citrix ADC appliance might not learn the routes advertised from these peer devices.[ NSHELP-20211 ]
- The Citrix ADC appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.[ NSHELP-20112 ]
- The Citrix ADC appliance might crash if you add a listen policy that has a dependency on a certain internal FTP service lookup.[ NSHELP-20002 ]
- In a partitioned setup, DNS slows down and times out after creating an admin partition.[ NSHELP-19996 ]
- The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled or an associated IP address is deleted.[ NSHELP-19891 ]
- The BGP process might fail because of memory corruption if it receives BGP updates with multiple 4-byte AS numbers in the path.[ NSHELP-19860 ]
- In a cluster setup, the cluster propagation might fail if one of the following conditions is met:
  - The connection fails between the cluster daemon and the configuration daemon.
  - Memory usage increases in the cluster daemon.[ NSHELP-19771 ]
- A linkset-member interface or channel is added as part of a new static ND6 entry to the Citrix ADC appliance. For the Citrix ADC appliance to accept the new static ND6 entry, you must provide the linkset VLAN.[ NSHELP-19453 ]
- The Citrix ADC appliance allows configuration through NITRO APIs even before the protocol modules are completely initialised. Because of this, the write memory command fails with the following error message:
save config denied modules not ready[ NSHELP-19431 ]
- The stat system memory command might display an incorrect value for Free Memory (MB) field, whenever the Citrix ADC appliance reaches 100% memory usage in default partition.[ NSHELP-19239 ]
- Config wipe scripts fail on some Citrix ADC platforms. With this fix, the date code of the scripts is updated to 01/14/20 and all platforms are supported.[ NSPLAT-13498 ]
- You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.[ NSPLAT-10710 ]
- In a Citrix ADC cluster, the configuration coordinator (CCO) node does not support the set ns vpxparam -cpuyield command for controlling CPU-usage behavior.[ NSPLAT-2156 ]
- On SDX platforms with Fortville interfaces, the 10G and 40G Fortville interfaces can run into TX stalls when Jumbo is enabled on them.[ NSHELP-20605 ]
- On a Citrix ADC SDX appliance, the virtual interface status shows UP even though the corresponding physical link is DOWN.[ NSHELP-20452 ]
- On an SDX appliance, the "No additional MACs available for members of interface 10/1" error message appears when all the following conditions are met:
  - You instantiate 19 VPX instances on the SDX appliance, all with the same network interface.
  - You then add MAC addresses to the 20th VPX instance that uses the same network interface as the previous instances.
  - The number of MAC addresses on the 20th VPX instance is twice the number of MAC addresses added to the 1st VPX instance.[ NSHELP-20158 ]
- On the following Citrix ADC SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to the VPX instance and instance management is done through the data ports:
  - SDX 8900
  - SDX 14000-40G
  - SDX 14000-40S
  - SDX 15000-50G
  - SDX 25000-40G
  - SDX 25000T
  - SDX 25000T-40G[ NSHELP-19861 ]
- SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.[ NSHELP-19297 ]
- In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP flap. This triggers HA failover.[ NSHELP-19095 ]
- The ifHighSpeed SNMP OID for a 50G interface shows a value of zero if the speed of the interface is set to AUTO.[ NSHELP-18707 ]
- The SDX 14000 FIPS appliance might crash and restart while configuring a FIPS HSM partition.[ NSHELP-18503 ]
- Sometimes, the LCD on the front panel of a Citrix ADC appliance might display 99% memory usage when the actual memory usage is less.[ NSHELP-18483 ]
- After an upgrade, the rewrite policy does not work for the CVPN homepage2.html.[ NSHELP-19481 ]
- The Citrix ADC appliance might crash and dump core when it tries to access the deleted default DTLS profile while configuring a new DTLS virtual server or service.[ NSSSL-6886 ]
- Policy-based client authentication with mandatory certificate verification fails if client authentication with optional client-certificate is also configured on the virtual server.[ NSHELP-21190 ]
- The DTLS handshake might fail if DTLS record fragments are received out of order.[ NSHELP-20703 ]
- A Citrix ADC VPX appliance might crash if ChaChaPoly cipher is used and the client sends a truncated record to the appliance.[ NSHELP-20684 ]
- An error message "Error- File Too Large" appears in both of the following cases:
  - You first upgrade the Citrix ADC software to version 13.0 and then upgrade the FIPS firmware.
  - You first upgrade the Citrix ADC software to version 13.0 and then upgrade the FIPS firmware.[ NSHELP-20522 ]
- A Citrix ADC appliance might show different profiles on cluster IP (CLIP) address and Citrix ADC IP (NSIP) address if a legacy SSL profile is bound to SSL entities, and later the default (enhanced) SSL profile is enabled.[ NSHELP-20335 ]
- When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occurs:
  1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.
  2. The server responds with a HelloRetryRequest message.
  3. The client responds with an illegal ClientHello message that omits the server_name extension.[ NSHELP-20245 ]
- If you add a certificate with an AIA extension on a cluster IP (CLIP) address, the following error message appears when you try to remove the certificate from the CLIP:
'Internal Error'.[ NSHELP-19924 ]
- The following appliances might crash if they receive the ChangeCipherSpec message from a client but not the Finished message:
  - MPX 5900/8900
  - MPX 15000-50G
  - MPX 26000-100G[ NSHELP-19856 ]
- The internal SSL service state appears UP even after you unbind the certificate from the service.[ NSHELP-19752 ]
- The handshake fails on a Citrix ADC SDX appliance with N2 chips, because ECDSA ciphers are not supported on this platform. With this fix, ECDSA ciphers are not advertised on this platform.[ NSHELP-19614, NSHELP-20630 ]
- A Citrix ADC appliance might crash intermittently if both of the following conditions are met:
  - OCSP check and SSL interception are enabled on an SSL profile.
  - The SSL profile is bound to a content switching virtual server of type PROXY.[ NSHELP-19194 ]
- If the client and CA certificates have different encoding, the client certificate is incorrectly rejected when -clientAuthUseBoundCAChain is ENABLED, even though the client and server certificates are issued by the same CA.[ NSHELP-19077 ]
- The DTLS handshake might fail if DTLS records of different message types are received out of order. For example, a Server Hello Done message is received before a Server Hello message.[ NSHELP-18512 ]
- Safenet directory is missing when you install a VPX instance on Citrix XenServer, VMware ESX, or Linux-KVM platform.[ NSHELP-14582 ]
- In a cluster setup, if timestamp is enabled, some of the requests sent to the server might be dropped.[ NSHELP-20394 ]
- A Citrix ADC appliance initiates an HTTP/1.1 connection instead of an HTTP/2 connection if the complete request body is not received for a POST request.[ NSHELP-20289 ]
- The Citrix ADC appliance might crash if a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as either of the following:
[ NSHELP-19920, NSHELP-20273 ]
- Jumbo frames.
- A set of IP fragments.
- In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.[ NSHELP-19867 ]
- In rare cases, a cluster node might crash when a client or server sends an out-of-order packet followed by an in-sequence packet with the FIN message.[ NSHELP-19824 ]
- In some cases, you will see a delay or timeout in connecting to the backend server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server there is a delay or timeout because the connection is in TIME_WAIT state on the server.[ NSHELP-19772 ]
- The policy evaluation might fail if the following conditions are met:
[ NSHELP-19082 ]
- 256 policy expressions reference the same custom header.
- The custom header reference counter (an 8-bit counter) wraps to 0.
- Memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.[ NSHELP-18891, NSHELP-20778 ]
- A Citrix ADC appliance crashes if the current_tcp_profile and current_adtcp_profile are not set.[ NSHELP-18889 ]
- A transaction on an HTTP/2 stream does not get terminated correctly if the client sends a "te: trailers" header in a request to a virtual server with a Transform policy bound to it.[ NSHELP-18805 ]
- A Citrix ADC appliance might crash if appqoe policies are changed when handling traffic.[ NSHELP-18771 ]
- A high memory usage issue occurs in a partitioned Citrix ADC appliance.[ NSBASE-8780, NSBASE-8763 ]
Handling ICAP server downtime during content inspection
For handling ICAP server downtime during content inspection, the Citrix ADC appliance now enables you to configure the ifserverdown parameter and assign one of the following actions.
CONTINUE: Bypass content inspection if the remote ICAP server is down.
RESET (default): Respond to the client by closing the connection with an RST.
DROP: Silently drop the packets without sending a response to the user.[ NSBASE-4936 ]
Implementing ICAP request timeout and response timeout
For handling ICAP response timeout issues, you can configure the ICAP request timeout value in the reqTimeout parameter of the ICAP profile. You can also set a request timeout action for the appliance to take when the ICAP response from the ICAP server is delayed. If the appliance does not receive any ICAP response within the configured request timeout, it performs one of the following actions according to the ReqTimeoutAction parameter configured on the ICAP profile.
ReqTimeoutAction: Possible values are BYPASS, RESET, DROP.
BYPASS: If the ICAP response with Encapsulated headers is not received within the timeout value, the appliance ignores the remote ICAP server's response and sends the full request/response to the client/server.
RESET (default): Reset the client connection by closing it.
DROP: Drop the request without sending a response to the user.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/icap-for-remote-content-inspection.html[ NSBASE-3040, NSBASE-2264 ]
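The ifserverdown and ReqTimeoutAction behaviour described in the two ICAP items above, as an added example that is not Citrix ADC code: a small Python model of an ICAP client that wraps an HTTP request in a REQMOD message and applies the page's actions when the ICAP server is down or silent past the request timeout. The transport stand-in, the ICAP URI and the outcome labels are constructed assumptions; CONTINUE and BYPASS are the fail-open choices, RESET and DROP the fail-closed ones.

```python
"""Added example, not Citrix ADC code: a minimal model of an ICAP client that
wraps an HTTP request in an ICAP REQMOD message and applies the actions the
release notes describe for a remote ICAP server that is down (ifserverdown:
CONTINUE / RESET / DROP) or silent past reqTimeout (ReqTimeoutAction:
BYPASS / RESET / DROP). Transport, ICAP URI and outcome labels are constructed."""
import socket
from dataclasses import dataclass
from enum import Enum


class ServerDownAction(Enum):   # ifserverdown values from the release notes
    CONTINUE = "CONTINUE"       # fail-open: skip inspection entirely
    RESET = "RESET"             # fail-closed: close the client connection with RST
    DROP = "DROP"               # fail-closed: silently drop


class TimeoutAction(Enum):      # ReqTimeoutAction values from the release notes
    BYPASS = "BYPASS"           # fail-open: ignore the ICAP server, forward as-is
    RESET = "RESET"
    DROP = "DROP"


@dataclass
class IcapProfile:
    req_timeout: float = 2.0                                    # seconds
    req_timeout_action: TimeoutAction = TimeoutAction.RESET    # default per the notes
    if_server_down: ServerDownAction = ServerDownAction.RESET  # default per the notes


def build_reqmod(http_request: bytes, icap_uri: str) -> bytes:
    """Build an RFC 3507 REQMOD message. The Encapsulated header carries the
    byte offset of every encapsulated section; a body must be chunk-encoded."""
    headers, _, body = http_request.partition(b"\r\n\r\n")
    req_hdr = headers + b"\r\n\r\n"
    if body:
        encapsulated = f"req-hdr=0, req-body={len(req_hdr)}"
        payload = req_hdr + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(req_hdr)}"
        payload = req_hdr
    host = icap_uri.split("/")[2]
    icap_headers = (f"REQMOD {icap_uri} ICAP/1.0\r\nHost: {host}\r\n"
                    f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_headers + payload


# Constructed outcome labels for what the client does toward its own client.
FORWARDED = "FORWARDED"                # ICAP 204: original passed through, inspected
MODIFIED = "MODIFIED"                  # ICAP 200: adapted message used instead
UNINSPECTED = "FORWARDED_UNINSPECTED"  # fail-open: traffic passed without a verdict
RESET = "RESET"
DROP = "DROP"


def inspect_request(http_request: bytes, profile: IcapProfile, transport) -> str:
    """transport(message, timeout) returns the raw ICAP response, raises
    ConnectionRefusedError when the server is down and socket.timeout when no
    response arrives within `timeout`. Returns the resulting outcome label."""
    message = build_reqmod(http_request, "icap://icap.example.invalid/reqmod")  # hypothetical URI
    try:
        response = transport(message, profile.req_timeout)
    except ConnectionRefusedError:
        return {ServerDownAction.CONTINUE: UNINSPECTED,
                ServerDownAction.RESET: RESET,
                ServerDownAction.DROP: DROP}[profile.if_server_down]
    except socket.timeout:
        return {TimeoutAction.BYPASS: UNINSPECTED,
                TimeoutAction.RESET: RESET,
                TimeoutAction.DROP: DROP}[profile.req_timeout_action]
    status = int(response.split(b" ", 2)[1])
    if status == 204:
        return FORWARDED
    if status == 200:
        return MODIFIED
    return RESET  # assumption: any other ICAP status is treated fail-closed


def make_transport(behaviour: str):
    """Constructed stand-in for the network: 'ok204', 'ok200', 'hang' or 'down'."""
    def transport(message: bytes, timeout: float) -> bytes:
        if behaviour == "down":
            raise ConnectionRefusedError("ICAP server down (simulated)")
        if behaviour == "hang":
            raise socket.timeout(f"no ICAP response within {timeout}s (simulated)")
        if behaviour == "ok200":
            return b"ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=0\r\n\r\n"
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    return transport


SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed


if __name__ == "__main__":
    # Fail-open vs fail-closed: only RESET/DROP withhold traffic on ICAP failure.
    for down in ServerDownAction:
        prof = IcapProfile(if_server_down=down)
        print(f"server down, ifserverdown={down.value:8} -> "
              f"{inspect_request(SAMPLE_GET, prof, make_transport('down'))}")
    for tmo in TimeoutAction:
        prof = IcapProfile(req_timeout_action=tmo)
        print(f"timeout, ReqTimeoutAction={tmo.value:8} -> "
              f"{inspect_request(SAMPLE_GET, prof, make_transport('hang'))}")
```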
The Citrix ADC pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.
The Citrix ADC licensing client attempts repeatedly to check out the licenses from ADM. In a high availability and cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled. Each node must be licensed independently by logging in to the NSIP of the node. You can execute only show commands on the Cluster IP.[ NSUI-14868, NSHELP-22045 ]
- A vCPU license is not applied on a warm reboot if it is configured on a Citrix ADC appliance running software versions 184.108.40.206 or 220.127.116.11.[ NSUI-14844 ]
- Due to some technical issues in the framework, not all service groups are displayed in the ADC GUI.[ NSUI-13754 ]
- A Citrix ADC appliance does not trigger the "ifserverdown" action configured in the ContentInspection action, if the ICAP server is down. This causes the client request to time out.[ NSUI-13439, NSBASE-2264 ]
Guided interaction for SSL certificates
The Citrix ADC GUI now provides guided interaction for some common, yet detailed tasks related to creating, importing, and updating SSL certificates. It prompts you to enable the guided interaction when you boot your appliance for the first time. If enabled, you can explicitly disable it at any time by navigating to System > Settings > Change CUXIP Settings and clearing the Enable CUXIP checkbox.
Note: This feature is only available for SSL certificates in the Citrix ADC GUI.[ NSUI-13389 ]
- After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.
Caution: Do not run "save config" or force an HA failover on an unlicensed appliance.[ NSUI-7869 ]
- You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.[ NSHELP-20506 ]
After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.[ NSHELP-20137 ]
- In a cluster setup, the Citrix ADC GUI fails to upload an SSL certificate under the following conditions:
- Commands are executed from the CLIP.
- The sh partition command returns an invalid response.[ NSHELP-19905 ]
- An error message appears when you assign a DH parameter file to an SSL profile in an admin partition setup.[ NSHELP-19838 ]
- In a cluster setup, if you add a cipher group from advanced settings using the GUI, the cipher group does not appear in the main page.[ NSHELP-19704 ]
- If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.[ NSHELP-19615 ]
- A configuration loss occurs every time a high availability configuration synchronization happens along with a high availability failure.[ NSHELP-19210 ]
Changing default RPC node passwords
In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.[ NSCONFIG-2224 ]
The GSLB site backup parent list configuration is lost if both of the following conditions are met:
[ NSCONFIG-1760 ]
- The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.
- The Citrix ADC appliance is restarted.
The Citrix ADC appliance responds with an internal error message for the show routerdynamicrouting NITRO API call.[ NSCONFIG-1325 ]
- HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.[ NSINSIGHT-943 ]
Authentication, authorization, and auditing
A Citrix ADC appliance configured to authenticate using OAuth Service Provider cannot be configured with "client_secret_post" to authenticate with the IDP tokenEndPoint.
With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.[ NSHELP-28945 ]
While sending an AS_REQ request for a delegated user, which is part of KCD SSO, the Citrix ADC appliance selects an encryption type with the following priority when the domain controller (DC) publishes all encryption types.
[ NSHELP-28681 ]
Access to a service is denied if the following conditions are met:
[ NSHELP-26903 ]
- The service is bound to an authentication virtual server.
- 401 authentication is configured on the service and the virtual server that the service is bound to.
The Citrix ADC appliance might crash when the synchronization of the session and key configuration happens from the primary to the secondary controller card.[ NSHELP-26891 ]
In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.[ NSHELP-26745 ]
The "timeout" parameter for the emailAction command is deprecated. The default value for timeout is 180 seconds.[ NSHELP-26424 ]
In rare cases, the OAuth authentication fails if a Citrix ADC appliance configured as OAuth IdP does not send a JWT token in the specified format.[ NSHELP-26323 ]
When a Citrix ADC appliance performs a nested LDAP group search, some of the group information from Active Directory is missed because of incorrect behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.[ NSHELP-26316 ]
In some cases, adding multiple EPA-related authentication policies results in high management CPU usage.[ NSHELP-26281 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring it via the Citrix ADC GUI.[ NSHELP-26199 ]
In some cases, a Citrix ADC appliance crashes because a default action is bound to a policy that has no login schema.[ NSHELP-26192 ]
In some cases, attributes such as "Secure" and "Domain" present in a SameSite cookie are not separated by a comma but are displayed as one attribute.[ NSHELP-25825 ]
A Citrix ADC appliance might crash if the following issues are observed:
[ NSHELP-24551 ]
- Invalid memory allocation.
- Web App Firewall is configured with form-based SSO authentication.
- SSO to StoreFront using Citrix ADC fails if the following conditions are met:
[ NSHELP-21466 ]
- The Citrix ADC appliance is configured for multi-factor authentication.
- Citrix ADC session times out before examining the configured authentication factors.
- Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.[ NSHELP-18844 ]
- A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.[ NSHELP-18751 ]
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
- If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.[ NSAUTH-6339 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[ NSAUTH-6106 ]
- The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
- The Test LDAP Reachability option is opened.
- Invalid login credentials are populated and submitted.
- Valid login credentials are populated and submitted.
Workaround: Close and open the Test LDAP Reachability option.[ NSAUTH-2147 ]
Citrix ADC SDX Appliance
The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.[ NSHELP-28724 ]
On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.[ NSHELP-26500 ]
In some cases, a Citrix ADC SDX appliance might create core dumps while taking a backup.[ NSHELP-26345 ]
On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.[ NSHELP-26190 ]
If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.[ NSHELP-25909 ]
Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
[ NSHELP-21992 ]
- Throughput allocation mode is burst.
- There is a large difference between the throughput and the maximum burst capacity.
- SNMPv3 queries work only for a few minutes after changing the password.[ NSHELP-19313 ]
- SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).[ NSHELP-18541, NSHELP-19313 ]
In the Citrix Gateway portal page, the RDP proxy link icon does not change with the RfWebUI portal theme.[ NSHELP-28974 ]
In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.[ NSHELP-28856 ]
The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.[ NSHELP-28329 ]
The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.[ NSHELP-27037 ]
Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.[ NSHELP-26904 ]
The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.[ NSHELP-26722 ]
The Citrix Receiver download URL (receiver.exe file) does not download after authentication.[ NSHELP-26600 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.[ NSHELP-26431 ]
The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.[ NSHELP-26068 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
[ NSHELP-25694 ]
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
The Citrix Gateway login page does not load on deleting an admin partition, if configured.[ NSHELP-25538 ]
The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.[ NSHELP-25420 ]
Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.[ NSHELP-24718 ]
A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.[ NSHELP-24437 ]
A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.[ NSHELP-24085 ]
The Gateway Insight does not display accurate information on the VPN users.[ NSHELP-23937 ]
HDX Insight data is not observed in Director for individual sessions. The issue is seen when Citrix ADC App Experience (NSAP) sessions are established.[ NSHELP-23834 ]
Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.[ NSHELP-23770, NSHELP-18191 ]
The VPN plug-in does not establish a tunnel after Windows logon if the following conditions are met:
[ NSHELP-23584 ]
- The Citrix Gateway appliance is configured for the Always On feature.
- The appliance is configured for certificate-based authentication with two-factor authentication "off".
The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.
Output with this fix:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0
Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Global bindpoint: REQ_DEFAULT
Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Global bindpoint: RES_DEFAULT
Output before this fix:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done[ NSHELP-23496 ]
In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.[ NSHELP-22349 ]
In a multicore processor setup, the Citrix Gateway appliance crashes if the Gateway Insight feature is enabled and a request is received on a non-owner core.[ NSHELP-21089 ]
- A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
[ NSHELP-20584 ]
- SplitTunnel is set to ON.
- IP address pool (Intranet IP) option is set to NoSpillOver.
In some cases, a Citrix ADC appliance might dump core during a user logout session.[ NSHELP-19470 ]
- An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.[ NSHELP-7872 ]
If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.[ CGOP-19355 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.[ CGOP-16792 ]
- Application launch failure due to invalid STA ticket is not reported in Gateway Insight.[ CGOP-13621 ]
- In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.[ CGOP-7269 ]
- If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.[ CGOP-3359 ]
Citrix Web App Firewall
If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.[ NSWAF-8668 ]
The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.[ NSHELP-29113 ]
In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.[ NSHELP-26570 ]
Some requests with security violations are not blocked by HTML cross-site scripting security check.[ NSHELP-24762 ]
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.[ NSLB-7679 ]
The state of the service group displayed in the show and stat commands is inconsistent.[ NSHELP-28931 ]
The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.[ NSHELP-28548 ]
The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.[ NSHELP-28332 ]
Sometimes in a multi-PE system, the domain-based groups do not recover to the UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.[ NSHELP-27965 ]
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.[ NSHELP-24329 ]
In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.[ NSHELP-21425 ]
When you execute the "set service <servicename>" command, the following error message is displayed:
"IP Address cannot be set on a domain based server."
This error message is displayed when the server is configured with a name greater than 32 characters.[ NSHELP-20939 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.[ NSHELP-20406 ]
Redirecting an HTTPS URL fails if the URL contains the % special character.[ NSHELP-19993 ]
- When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.[ NSSWG-849 ]
A Citrix ADC appliance adds extra L2 information when tunnel or Type of Service (TOS) virtual servers are created.[ NSHELP-27825 ]
In a cluster setup, the command propagation might fail because the connection to the CCO is lost. The issue is observed if both of the following conditions are met:
[ NSHELP-26350, NSHELP-24910 ]
- You perform a command propagation operation in the setup.
- The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.[ NSHELP-22409 ]
In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.[ NSHELP-20366 ]
A Citrix ADC appliance might crash if all of the following conditions are met:
[ NSNET-23847 ]
- A load balancing route is configured in a traffic domain on the appliance.
- A clear config operation is performed on the appliance.
- In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.[ NSNET-5233 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
[ NSHELP-30225 ]
- LSN filtering and mapping entries are not present in the appliance.
Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.[ NSHELP-25105 ]
For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.[ NSHELP-24632 ]
A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.[ NSHELP-24623 ]
In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:
- A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.
As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition.[ NSHELP-24000 ]
If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.[ NSHELP-21288 ]
When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.[ NSHELP-21082 ]
A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.[ NSPLAT-16852 ]
- When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.[ NSPLAT-4520 ]
- In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.[ NSPLAT-4451 ]
On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.[ NSHELP-26307 ]
On a Citrix ADC SDX appliance, a VPX instance might fail to boot when provisioned with 24 interfaces due to inadequate shared memory allocation.[ NSHELP-25912 ]
On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:
- The LACP link on 10G ports might flap intermittently or go down permanently.
Workaround:
1. Find out the internal ethX port corresponding to the 10G port.
2. Run the following command on the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
3. Review the traffic profile to block off unwanted traffic on the switch side.[ NSHELP-25561 ]
On a Citrix ADC SDX appliance, during a warm reboot of a VPX instance configured as a cluster node, the backplane LA channel might go into a PARTIAL-UP state because of a set interface command failure.[ NSHELP-23353 ]
- The status of SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.[ NSHELP-20009 ]
A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.[ NSPOLICY-1462 ]
- Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.[ NSPOLICY-1267 ]
Policy string map might not work if UTF-8 characters are used in key text.[ NSHELP-25357 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
- In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.[ NSSSL-3402 ]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]
- You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server as SNI certificates if the domain name is the same.[ NSSSL-2560 ]
In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.[ NSHELP-28058 ]
In a high availability setup, the certificate type is not synchronized correctly between the primary and secondary nodes.[ NSHELP-27589 ]
In a cluster setup, you might observe the following issues:
[ NSHELP-25764 ]
- Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.[ NSHELP-24201 ]
In certain scenarios, a Citrix ADC appliance does not forward some HTTP packets to the back-end server if the following condition is met:
[ NSHELP-29958 ]
- A Citrix ADC feature internally clones HTTP packets.
The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.[ NSHELP-29142, NSHELP-29583 ]
TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.[ NSHELP-27502, NSBASE-14650 ]
The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.[ NSHELP-27417 ]
Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.[ NSHELP-27410 ]
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.[ NSHELP-27179 ]
A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.[ NSHELP-26594 ]
If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.[ NSHELP-26299 ]
During clear configuration, when there is no URL set in use, an error log entry corresponding to the URL set is seen in the ns.log.[ NSHELP-26242 ]
A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.[ NSHELP-26008, NSHELP-26564 ]
A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.[ NSHELP-25731 ]
The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.[ NSHELP-24043 ]
For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end. Whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.[ NSHELP-22684 ]
When the Intrusion Prevention System (IPS) is processing data before the cache module, the PayloadInfo variable is not cleared properly. Eventually, when the cache module accesses the variable it causes a Citrix ADC appliance to crash.[ NSHELP-21907 ]
- The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.[ NSHELP-21240 ]
- The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.[ NSHELP-10972 ]
- In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.[ NSBASE-16304, NSGI-1293 ]
Segmentation errors or duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:
[ NSBASE-13582 ]
- HTTP profile bound to a backend service has HTTP2 enabled and HTTP2 direct disabled.
- Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of HTTP type.
A few AppFlow records containing IPFIX information might be abnormal.[ NSBASE-11686 ]
In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.[ NSBASE-10587 ]
- Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.[ NSBASE-8506 ]
ICAP support for Citrix ADC
A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance with modified messages. The adapted messages are either an HTTP or an HTTPS response or request.
For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html[ NSBASE-825 ]
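To make the exchange described above concrete, here is an added example of the client side of an ICAP RESPMOD round trip (RFC 3507). It is illustrative code written for this note, not Citrix ADC code and not taken from the linked documentation. The ICAP service URL icap://icap.example.net/respmod, the origin HTTP response and the two ICAP server replies (a clean "204 No Content" verdict and a DLP block page) are constructed for the example; the Encapsulated header offsets and the chunked body are computed exactly as the protocol requires.

```python
"""ICAP/1.0 (RFC 3507) RESPMOD round trip, client side.

Added example, not Citrix ADC code: it shows the request an ICAP client (the
appliance's role) sends to an ICAP server and how the server's verdict is read
back.  The service URL, HTTP messages and ICAP replies are constructed."""


def _chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk followed by the terminating zero chunk."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def _dechunk(data: bytes) -> bytes:
    """Decode HTTP chunked transfer coding (no trailers expected)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2  # step over the chunk data and its trailing CRLF


def build_respmod_request(service: str, host: str, req_hdr: bytes,
                          res_hdr: bytes, res_body: bytes) -> bytes:
    """Build a RESPMOD request carrying the original HTTP request headers and the
    origin server's response.  The Encapsulated header gives the byte offset of
    each section so the ICAP server can locate them; the body is chunked."""
    # Each encapsulated header block must end with a blank line.
    req_hdr = req_hdr.rstrip(b"\r\n") + b"\r\n\r\n"
    res_hdr = res_hdr.rstrip(b"\r\n") + b"\r\n\r\n"
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    # "Allow: 204" tells the server we accept a 204 (unmodified) verdict.
    icap_hdr = ("RESPMOD %s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n"
                "Encapsulated: %s\r\n\r\n" % (service, host, encapsulated)).encode()
    return icap_hdr + req_hdr + res_hdr + _chunked(res_body)


def parse_icap_response(raw: bytes) -> dict:
    """Parse an ICAP response.  204 means "unmodified, forward the original";
    200 carries an adapted HTTP message whose sections are again located via
    the Encapsulated header (for example a 403 page from a DLP server)."""
    head, _, encapsulated_part = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    version, status, _reason = status_line.split(b" ", 2)
    if version != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    result = {"status": int(status), "headers": headers,
              "http_headers": None, "body": None}
    if result["status"] == 204:
        return result
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        name, _, off = part.strip().partition("=")
        if name:
            offsets[name] = int(off)
    hdr = next((k for k in ("res-hdr", "req-hdr") if k in offsets), None)
    body = next((k for k in ("res-body", "req-body") if k in offsets), None)
    if hdr is not None:
        end = offsets[body] if body else offsets.get("null-body", len(encapsulated_part))
        result["http_headers"] = encapsulated_part[offsets[hdr]:end]
    if body is not None:
        result["body"] = _dechunk(encapsulated_part[offsets[body]:])
    return result


def verdict(reply: bytes) -> str:
    """Summarize what the ICAP client would do with a given server reply."""
    parsed = parse_icap_response(reply)
    if parsed["status"] == 204:
        return "forward original"
    if parsed["status"] == 200 and parsed["http_headers"]:
        return "forward adapted: " + parsed["http_headers"].split(b"\r\n")[0].decode()
    return "error %d" % parsed["status"]


# Constructed sample: an origin response that a DLP service should block.
ORIG_REQ_HDR = b"GET /export/report.txt HTTP/1.1\r\nHost: www.example.com\r\n"
ORIG_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 23\r\n"
ORIG_RES_BODY = b"account number 1234-567"

# Constructed ICAP server replies: one clean verdict, one DLP block page.
REPLY_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "dlp-2024-01"\r\n\r\n'
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK_BODY = b"Blocked by DLP policy\n"
REPLY_BLOCKED = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-2024-01"\r\n'
                 b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HDR)
                 + BLOCK_HDR + _chunked(BLOCK_BODY))

if __name__ == "__main__":
    req = build_respmod_request("icap://icap.example.net/respmod", "icap.example.net",
                                ORIG_REQ_HDR, ORIG_RES_HDR, ORIG_RES_BODY)
    print(req.decode(errors="replace"))
    print(verdict(REPLY_CLEAN))
    print(verdict(REPLY_BLOCKED))
```

The point worth noticing is that the ICAP server never sees the TLS session: the client (here, the appliance) hands it the already-decrypted HTTP message, so the same RESPMOD path serves both HTTP and HTTPS traffic, and a 200 reply replaces the origin response wholesale while a 204 lets the original through untouched.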
- In the Citrix ADC GUI, the "Help" link under the "Dashboard" tab is broken.[ NSUI-14752 ]
- The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.[ NSUI-13193, NSUI-11561 ]
- If you create an ECDSA key by using the GUI, the type of curve is not displayed.[ NSUI-6838 ]
- In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.[ NSHELP-28870 ]
- Importing a certificate in an admin partition might incorrectly fail with the following message:
ERROR: User doesnt have permission for given Destination path[ NSHELP-26918 ]
- When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.[ NSHELP-25654 ]
- The Refresh button does not work when you check Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.[ NSHELP-24195 ]
- A Citrix ADC appliance might crash if the /tmp directory is full.[ NSHELP-21809 ]
- Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.[ NSHELP-20988 ]
- A Citrix ADC appliance does not support adding CRL files larger than 2 MB through the NITRO API.[ NSHELP-20821 ]
- The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.[ NSHELP-19958 ]
- The top-level page title is missing on all security check GUI pages.[ NSHELP-18607 ]
- In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds, but the GUI incorrectly displays the following error:
Trace not started[ NSHELP-18566, NSHELP-24796 ]
- If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded appliance:
1. Upgrade the Citrix ADC appliance to one of the following builds:
- 13.0 build 52.24
- 12.1 build 57.18
- 11.1 build 65.10
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of affected system users by using the CLI, type at the command prompt:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it using a previously backed-up configuration file (ns.conf) from the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
- If neither of the above options works, a system administrator can reset the system user passwords.
[ NSCONFIG-3188 ]