Release Notes for Citrix ADC 12.1-57.18 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 12.1-57.18.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 12.1-57.18 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX276688.
  • The RISE feature is deprecated from Citrix ADC release 12.1 build 57.x. If you have been using the RISE feature or functionality, Citrix recommends that you do not upgrade the Citrix ADC appliance to the latest build.
  • Citrix ADC refers to the product formerly known as NetScaler.
  • For Citrix ADC MPX and VPX instances, and Citrix Gateway appliance, the Citrix ADM service connect feature has been introduced as part of release 12.1 build 57.18. It is enabled by default. For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/data-governance.html and https://docs.citrix.com/en-us/citrix-adc/12-1/adm-service-connect.html.
  • From Citrix ADC release 12.1 build 57.18 and higher, the Citrix ADM built-in agent available on Citrix ADC instances communicates with ADM service without the need for manual initialization on the respective ADC instance. For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/adm-service-connect.html#citrix-adm-built-in-agent-behavior.
  • The internal high availability version number has been changed in Citrix ADC 12.1-57.x build. During an upgrade process in a high availability setup to Citrix ADC build 12.1-57.x or later, the following functionalities are disabled because of the different HA version number in the upgraded Citrix ADC build:

    • HA config synchronization
    • HA command propagation
    • HA synchronization of states services information
    • Connection mirroring (connection failover) of sessions
    • HA synchronization of persistence sessions information

    However, after both the nodes are upgraded to the same Citrix ADC build, these functionalities are enabled automatically.

Fixed Issues

The issues that are addressed in Build 12.1-57.18.

AppFlow

  • A Citrix ADC appliance might crash if there is active traffic while enabling the AppFlow feature.
    [ NSHELP-22361 ]

Authentication, authorization, and auditing

  • In rare cases, the counter for "vpnusers" parameter with value 0 is incorrectly decremented. This decrement resets the counter to a very high value, resulting in the license check failure.
    [ NSHELP-22558 ]
  • In extremely rare cases, a Citrix ADC appliance configured as Identity Provider (IdP) to a load balancing virtual server might crash after successful authentication.
    [ NSHELP-22528 ]
  • In some cases, a Citrix ADC appliance dumps core because of memory corruption while performing form-based SSO authentication.
    [ NSHELP-22488 ]
  • In rare cases, when metadataUrl parameter is used in samlIdPProfile command, a Citrix ADC appliance dumps core while releasing the client connection.
    [ NSHELP-22440 ]
  • A Citrix ADC appliance dumps core if the following conditions are met.
    * The appliance is configured for form-based SSO.
    * The appliance memory runs out for the AppSecure pool.
    [ NSHELP-22096 ]
  • In some cases, a Citrix ADC appliance dumps core if the following conditions are met:
    * The appliance is configured for nFactor authentication.
    * Dialogue mode authentication is configured as second factor or later. 
    [ NSHELP-22068 ]
  • Citrix ADC deployed as SAML SP might show a local logout page after user initiates the logout process.
    [ NSHELP-22067 ]
  • In some cases, a Citrix ADC appliance dumps core because SYN packets going towards TACACS server are filled with wrong partition values.
    [ NSHELP-22030 ]
  • A Citrix ADC appliance skips considering further groups for a user under the following conditions:
    - A user is a direct member of the nested group.
    - A user is already a member of previous level groups.
    [ NSHELP-21945 ]
  • In a Citrix ADC high availability and cluster setup, a delay in freeing memory causes memory usage to pile up.
    [ NSHELP-21917 ]
  • A Citrix ADC appliance might dump core upon receiving a RESET command from the client while the appliance is handling VPN traffic requests.
    [ NSHELP-21817 ]
  • Form based SSO fails if the FORMSSO policies contain empty name-value pair for DYNAMIC FORMSSO.
    [ NSHELP-21753 ]
  • A Citrix ADC appliance might crash with StoreFront AuthAction if the following conditions are met:
    - Password is changed after the expiry date.
    - Authentication is attempted from non-nFactor old VPN clients.
    [ NSHELP-21555 ]
  • A Citrix ADC appliance might crash during authentication, authorization, and auditing when a packet engine generates a duplicate session removal response.
    [ NSHELP-21172 ]
  • Full VPN does not work if the following conditions are met:

    - A Citrix ADC appliance is configured for nFactor authentication with SAML authentication being the last factor of authentication.
    - The appliance is bound to the RfWebUI portal theme.
    [ NSHELP-21157 ]
  • RBA access to cluster nodes gets interrupted because of DHT operation issue. Additional counters are added to handle this scenario.
    [ NSHELP-20028 ]

Citrix ADC SDX Appliance

  • In some cases, upgrading a Citrix ADC SDX appliance to release 13.0 might fail because of an internal error.
    [ NSSVM-3377 ]
  • Upgrade on a Citrix ADC SDX appliance might fail if pooled licensing server is configured.
    [ NSHELP-22064 ]
  • You cannot modify the VPX instance name on the following platforms when the number of cores assigned to that VPX is greater than the number of free cores available on the appliance.
    - SDX 8900
    - SDX 14xxx-40G
    - SDX 14xxx-40S
    - SDX 14xxx FIPS
    - SDX 15xxx-25G
    - SDX 15xxx-50G
    - SDX 25xxx
    - SDX 26xxx
    - SDX 26xxx-50S
    - SDX 26xxx-100G
    [ NSHELP-22048 ]
  • On Citrix ADC SDX 15xxx and SDX 26xxx platforms, you cannot provision multiple VPX instances in L2 mode.
    [ NSHELP-21367 ]

Citrix Gateway

  • In a Citrix Gateway deployment, the DHCP server route is added by default. If your deployment does not require a DHCP server route, perform one of the following:
    - Set the client-side registry value NoDHCPRoute to 1 in the path HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.
    - From the Citrix ADC appliance, create a new file named pluginCustomization.json with the value { "NoDHCPRoute" : true } in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.
    [ NSHELP-23029 ]
  • The intranet IP deregistration does not occur after the VPN is logged off, if the Intranet IP had taken more than 15 seconds for registration.
    [ NSHELP-23021 ]
  • If the proxy server's URL length is greater than 32 bytes, then the VPN plug-in's API that is exposed crashes.
    [ NSHELP-22977 ]
  • Reports sent by a Citrix Gateway appliance to Citrix ADM are discarded after you upgrade the appliance if nFactor authentication is configured.
    [ NSHELP-22858 ]
  • When you restart the client machine after upgrading the Citrix Gateway appliance from release 12.0 build 59.8 to release 13.0 build 47.24, Always On cannot establish a seamless VPN connection.
    [ NSHELP-22700 ]
  • The Citrix Gateway appliance might crash if advanced authorization policies with HTTP callouts are bound to the user or user group in a full VPN mode.
    [ NSHELP-22683 ]
  • The Citrix Gateway appliance crashes when the backend server opens an FTP connection to an intranet IP on port 21 and sends an FTP command 234 to initiate secure FTP.
    [ NSHELP-22672 ]
  • The Citrix Gateway appliance might crash while copying the session information between CPUs in a VPN setup.
    [ NSHELP-22665 ]
  • The Citrix Gateway appliance crashes when handling a server-initiated connection because of an error in connection linking.
    [ NSHELP-22598 ]
  • The Citrix Gateway appliance might intermittently crash if the following conditions are met.
    - A server-initiated UDP connection is made to an intranet IP address assigned to a user.
    - The server does not send UDP packets for a long time after the first packet is sent.
    [ NSHELP-22583 ]
  • The Citrix Gateway appliance crashes when accessing the DNS server configuration if RDP Proxy is configured and DNS resolution is attempted after WINS resolution.
    [ NSHELP-22577 ]
  • During a transfer logon, the Citrix Gateway appliance might crash when trying to store an invalid connection and then dereferencing the invalid connection.
    [ NSHELP-22568 ]
  • The Citrix ADC appliance might crash when configured for classic clientless VPN.
    [ NSHELP-22559 ]
  • After you upgrade your Citrix Gateway appliance to build 13.0.47.24, logon to the Citrix Gateway from VMware Horizon Client version 5.2 and later fails.
    [ NSHELP-22541 ]
  • In rare cases, the Citrix Gateway appliance might crash if DTLS is enabled.
    [ NSHELP-22520 ]
  • If HTTP 2.0 is enabled on the server and client, Always On service fails to establish the machine tunnel.
    [ NSHELP-22423 ]
  • In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available. NSHELP-21522 fixed this in ns_iip6.c; this fix adds the same change in ns_iip.c.
    [ NSHELP-22411 ]
  • In rare cases, for a server initiated connection, the session for the user is not available on the core. As a result, NULL values are populated for some fields that cause the Citrix Gateway appliance to crash.
    [ NSHELP-22379 ]
  • Sometimes, Citrix Gateway allows macOS clients to access internal resources even if the EPA scan fails on the client machine.
    This issue occurs only in n-core machines containing the following configuration:
    - A session policy is created with the "clientSecurityGroup" parameter.
    - A responder policy is created to perform some action on the users who are part of this client security group.
    [ NSHELP-22262 ]
  • Soft phones that have the "keep-alive" UDP server initiated connection mechanism might intermittently drop the calls.
    [ NSHELP-22231 ]
  • The Citrix Gateway appliance might crash if you attempt to print over full VPN tunnel when Intranet IP address is assigned.
    This issue is observed in HP printers that use hp-status and WSDAPI protocols.
    [ NSHELP-22191 ]
  • If SAML authentication is configured on the Citrix Gateway and a user tries to log on via the VPN plug-in, the browser displays a blank screen.
    [ NSHELP-22185 ]
  • When you deploy a new Citrix ADC VPX appliance using XVA image on a Citrix Hypervisor or any other server, the Citrix Gateway plug-in packages for Windows are not found in the respective location.
    [ NSHELP-22157 ]
  • The logon to the PCoIP enabled Citrix Gateway appliance fails if the password contains special characters such as "&" (ampersand), "<" (less than angle bracket), and ">" (greater than angle bracket).
    [ NSHELP-22129 ]
  • In a full tunnel setup and classic client certificate authentication with RfWebUI, the appliance responds with a blank page or "Client not capable" error after login.
    [ NSHELP-22084 ]
  • Sometimes, the PCoIP app or desktop might fail to launch.
    [ NSHELP-22041 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash during core-to-core communication.
    [ NSHELP-21991 ]
  • The Windows VPN plug-in crashes if the plug-in client’s language is set to Chinese.
    [ NSHELP-21946 ]
  • When EPA is configured in nFactor mode, messages related to EPA plug-in installation are not displayed in the VPN plug-in window.
    [ NSHELP-21939 ]
  • If you are using McAfee LiveSafe, the EPA check does not succeed. As a result, the detection of Chinese product names does not work for OPSWAT. However, for other languages, it works as intended.
    [ NSHELP-21938 ]
  • The Citrix ADC appliance might crash when configured for Advanced Clientless VPN.
    [ NSHELP-21819 ]
  • The Enterprise Web apps might display an error if the cookies were set and expire at the same time.
    [ NSHELP-21772 ]
  • The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.
    [ NSHELP-21763 ]
  • The Citrix Gateway appliance might crash if there are multiple cores and Intranet IP address is enabled with RfWebUI theme.
    [ NSHELP-21722 ]
  • You might intermittently see a 403 access forbidden error for portal files.
    [ NSHELP-21620 ]
  • In a Citrix Gateway with nFactor authentication, EPA as a factor might sometimes fail.
    [ NSHELP-21557 ]
  • Sometimes, the Citrix ADC appliance might crash while handling server initiated connection.
    [ NSHELP-21532 ]
  • In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available.
    [ NSHELP-21522 ]
  • The VPN plug-in retains DNS suffixes that are added on Wi-Fi or Ethernet adapter while over the VPN connection.
    [ NSHELP-21492 ]
  • The Citrix Gateway appliance configured for global server load balancing does not work as intended in a parent-child topology.
    [ NSHELP-21381 ]
  • App enumeration does not occur if the number of desktops is less than the number of apps.
    [ NSHELP-21377 ]
  • In a Citrix Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Citrix Web App Firewall global.
    [ NSHELP-21254 ]
  • If two or more client machines try to establish a VPN tunnel connection to the same gateway, the ping connectivity from one client machine to another machine fails.
    [ NSHELP-21169 ]
  • In a multicore processor setup, the Citrix Gateway appliance crashes if the Gateway Insight feature is enabled and a request is received on a non-owner core.
    [ NSHELP-21089 ]
  • The Citrix Gateway appliance might crash if the following conditions are met:
    - The client or server connection has a dangling pointer instead of a link.
    - The linked connection is already freed.
    - The appliance tries to flush the connection to free the link.
    [ NSHELP-20901 ]
  • A Citrix Gateway appliance configured for ICA Proxy might sometimes crash.
    [ NSHELP-20478 ]
  • In rare cases, Citrix ADC appliances deployed in a high availability (HA) setup might crash resulting in frequent HA failover, if both of the following conditions are met:
    - Gateway Insight is enabled.
    - SSO fails.
    [ NSHELP-19922 ]
  • In rare cases, the Citrix ADC appliance might crash when a client plug-in sends data to another client plug-in.
    [ NSHELP-19002 ]
  • In some cases, in a high availability setup, the secondary appliance reboots if there is a CLI sync mismatch during the PCOIP session sync process.
    [ NSHELP-18740 ]

Citrix Web App Firewall

  • NITRO does not allow SDK customers to configure WAF if the XML security check "xmlmaxnodescheck" option is enabled.
    [ NSHELP-22111 ]
  • A Citrix ADC appliance might crash if the incoming request has many form fields and field consistency protection enabled in the Web App Firewall profile.
    [ NSHELP-21856 ]
  • A memory leak is observed on a Citrix ADC appliance if you enable StartURL Closure protection check.
    [ NSHELP-21472 ]
  • After an upgrade, a Citrix ADC appliance might crash because of high memory usage.
    [ NSHELP-21410 ]
  • XML validation fails if the XML content has nested reference to "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT" parameter.
    [ NSHELP-21128 ]
  • A Citrix ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.
    [ NSHELP-20562 ]
  • A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.
    [ NSHELP-18863 ]
  • A Citrix ADC appliance might crash if you enable the XML Wellformedness protection check in log mode.
    [ NSHELP-18737 ]
  • A Citrix ADC appliance might crash if you use a slow FTP/HTTP server to download signatures and if the download time is more than 10 minutes.
    [ NSHELP-18331 ]

Load Balancing

  • In a high availability setup, the primary node crashes while fetching the server PCB from a server reuse pool. The crash occurs because the loop already exists and that results in a tight loop.
    [ NSHELP-22149 ]
  • In an admin partition setup, when you execute the "stat gslb site" command, the Metric Exchange or Network Metric Exchange state between two GSLB sites is shown as DOWN. This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-21895 ]
  • When the configuration difference between GSLB sites is huge and the autosync is enabled, the filesystem might get full. The following error message is displayed:

    “write failed, filesystem is full.”
    [ NSHELP-21796 ]
  • In a cluster setup, the configuration for diameter identity is lost when a node is upgraded to a newer version.
    [ NSHELP-21444 ]
  • In a high availability setup, the primary node cannot find a relevant PORT after maximum attempts to establish connection to a specific core on a secondary node. Therefore, the secondary connection table is not fully synchronised with the primary connection table.
    [ NSHELP-21420 ]
  • The Citrix ADC appliance might crash during GSLB synchronization. This issue occurs when the "set gslb service" command is executed on a non-existent GSLB service.
    [ NSHELP-21304 ]
  • After you upgrade the Citrix ADC appliance from release 11.1 build 56.19 to release 12.1 build 53.12, the effective state of the GSLB service is set to DOWN even though the load balancing virtual server is UP.
    [ NSHELP-21025 ]
  • A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.
    [ NSHELP-19540 ]

Miscellaneous

  • A memory management error is observed on cluster and high availability configurations, which stops Citrix ADC GUI HTTPS access and nulls AppFlow URL filtering records.
    [ NSSWG-1220 ]
  • The URL category files do not include the latest updates from the NetSTAR database.
    [ NSSWG-1205 ]
  • The Citrix ADC appliance might crash intermittently if device watchdog request (DWR) probing is enabled for Policy and Charging Rules Function (PCRF), and the PCRF becomes unreachable.
    [ NSHELP-20827 ]

Networking

  • In a cluster topology, on node upgrade or downgrade, the "set snmp mib" command fails for non-CCO nodes. This results in a configuration loss.
    [ NSNET-14562 ]
  • An issue is observed if you set the GUI option to secureonly on the CLIP; the issue is not observed on the NSIP address.
    The issue is observed only when you trigger the "set ns ip gui" configuration.
    [ NSNET-14364 ]
  • The Citrix ADC appliance processes any received packet, with the following properties, for active FTP data connection:
    * Protocol = TCP
    * Destination IP address = Citrix ADC IP (NSIP)
    * Source port = 20

    As a result, the Citrix ADC appliance sends the packet to the internal management module instead of the packet engine module for processing, which in turn results in some unexpected processing on the packet.
    [ NSHELP-22637 ]
  • In a high availability setup with Layer-2 mode enabled in a non-default partition, the secondary node might forward the DHCP packets it receives causing a loop in the network.
    [ NSHELP-22140 ]
  • In a Citrix ADC cluster setup with IPv4 and IPv6 policy-based backplane steering (PBS) configurations, ICMPv6 error packets might loop between the cluster nodes when all of the following conditions are true:

    - The inner IP packets of the ICMPv6 error packets have the same IP tuple as in one of the active TCP sessions.
    - A different IPv4 mapped address is present on each cluster node for the same IPv6 address.
    [ NSHELP-21815 ]
  • For no-limit admin partitions, the memory check during allocation is disabled.
    [ NSHELP-21775 ]

Platform

  • On a Citrix ADC SDX appliance, you might observe Tx stalls on a VPX instance running a software version earlier than 13.0 build 58.x, when the following conditions are met:

    - The SDX appliance contains 10G, 25G, or 40G NICs.
    - The SDX appliance is running version 13.0 build 58.x or later.

    Citrix recommends that you upgrade the software version on the VPX instance to 13.0-58.x before upgrading the SDX software to 13.0-58.x version.
    [ NSPLAT-14422 ]
  • In the CPU visualizer of the SDX dashboard, CPU usage of a VPX instance displays 0 if cores from CPU 0 are allotted to the instance.
    [ NSHELP-22869 ]
  • Connectivity to a VPX instance fails if the following conditions are met:
    - The instance is configured without a management interface.
    - Only the LACP port channel is configured as a data interface.
    - The first member of the LACP channel is lost or disabled.
    For example, if interface 50/1 and 50/2 are the members of the channel and interface 50/1 is DOWN and 50/2 is UP, connectivity to the instance is lost. However, if interface 50/1 is UP and 50/2 is DOWN, VPX connectivity is available.
    This issue is specific to Mellanox NICs.
    [ NSHELP-22424 ]
  • During heavy traffic, Tx might stop working on Citrix ADC platforms containing 50G interfaces.
    [ NSHELP-22221 ]
  • In some cases, provisioning a VPX instance on a Citrix ADC SDX appliance containing Intel Coleto chips might fail because the SSL Coleto chip initialization failed.
    [ NSHELP-22033 ]
  • When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and if the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.
    [ NSHELP-21889 ]
  • On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:
    - 10G ports are connected using the LA channel to two Cisco switches that are configured in VPC setup as active or passive.
    - The link to active or primary Cisco switch bounces.
    [ NSHELP-21875 ]
  • On the Citrix ADC MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:

    1. The 50G port is disabled.
    2. The port on the peer switch is disabled.
    3. The port on the peer switch is enabled.
    4. The 50G port is enabled.

    The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.
    [ NSHELP-20529 ]
  • A Citrix ADC appliance might crash when it runs out of memory.
    [ NSHELP-20130 ]
  • The SNMP module on a Citrix ADC MPX platform might return an incorrect value for some system properties.
    [ NSHELP-19621 ]

Policies

  • The “Current Client Est connections” and “Current client connections” counters for a load balancing virtual server display incorrect values if HTTP callout is configured on that virtual server.
    [ NSHELP-22491 ]

SSL

  • On the Citrix ADC MPX 14000 FIPS platforms, all SSL virtual servers appear as DOWN on the non-management CPUs.
    [ NSSSL-8015 ]
  • In some cases, a Citrix ADC appliance might crash while processing DTLS traffic in low memory conditions.
    [ NSHELP-22611 ]
  • The Citrix ADC appliance might crash under heavy traffic if both syslogging and DTLS are enabled on a VPN virtual server.
    [ NSHELP-22195 ]
  • SSL record decryption might fail intermittently when the Citrix ADC appliance is configured to use jumbo frames.
    [ NSHELP-21969 ]
  • The Citrix ADC appliance might crash and dump core if OCSP stapling is configured and the appliance is low on memory.
    [ NSHELP-21661 ]
  • The SSL action points to the old virtual server even after the virtual server is renamed.
    [ NSHELP-21584 ]
  • The Citrix ADC appliance might crash if the following conditions are met:
    1. Two OCSP responders are configured with the same host name.
    2. Both responders are bound to same root certificate-key pair.
    3. The request fails with the first responder.
    4. The appliance attempts to send the request to the second responder and the host name is unresolved.
    [ NSHELP-21278 ]

System

  • A Citrix ADC appliance might crash when processing invalid HTTP requests. 
    [ NSHELP-22462 ]
  • A Citrix ADC appliance might crash if the AppFlow configuration is deleted in the middle of a client connection.
    [ NSHELP-22389 ]
  • A Citrix ADC appliance might crash if:
    - An HTTP/2 client sends a connection reset in the middle of a download with cache enabled.
    - The back-end server closes the connection with FIN termination.
    [ NSHELP-21605 ]
  • In the ADM GUI, under Analytics > HDX Insight > Users, when you click a specific user, all the users’ active sessions and active applications are displayed instead of the sessions and applications specific to the selected user.
    [ NSHELP-21561 ]
  • In a non-endpoint case, the Citrix ADC appliance might reset a TCP connection if SACK reneging occurs multiple times on the connection.
    [ NSHELP-21405 ]
  • In MPTCP cluster deployment, the packet loop between the cluster nodes causes high bandwidth usage.
    [ NSHELP-20675 ]
  • In a cluster setup, a Citrix ADC appliance might restart if logstream is enabled.
    [ NSHELP-20008 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send more MTU data.
    [ NSHELP-9411 ]
  • A Citrix ADC appliance sends an incorrect HTTP/2 response on an HTTP/1.1 client connection if the appliance receives:
    * a “100 Continue” HTTP/2 response from the backend server.
    * another HTTP/2 response on the same HTTP/2 stream.
    [ NSBASE-10419 ]
  • The Citrix ADC appliance serves the connect request only on the first stream and does not process subsequent requests on other streams if the following conditions are observed on the appliance:
    - Multiple HTTP requests are received in a single HTTP/2 connection on different streams.
    - HTTP/2 is disabled on the back-end server.
    [ NSBASE-9510 ]
  • A Citrix ADC appliance might crash because of memory allocation failure in a TCP timestamp scenario. As a result, the appliance resets the client connection.
    [ NSBASE-9297 ]
  • The "observationPointId" parameter in the "set appflow param" command does not change even when you change the NSIP address using the "set ns config" command. As a result, the data is not transmitted to Citrix ADM server.
    [ NSBASE-8622 ]

User Interface

  • The Citrix ADC pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.

    The Citrix ADC licensing client attempts repeatedly to check out the licenses from ADM. In a high availability and cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled. Each node must be licensed independently by logging in to the NSIP of the node. You can execute only show commands on the Cluster IP.
    [ NSUI-14868 ]
  • After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.
    Caution: Do not run "save config" or force an HA failover on an unlicensed appliance.
    [ NSUI-7869 ]
  • The LB Visualizer does not display the services bound to the virtual server if the services are part of the service group. However, if the service is bound individually, the service is displayed in the LB Visualizer.
    [ NSHELP-22436 ]
  • The “nsconfig” command with the “-k” option fails to create a backup file with the current Citrix ADC configuration.
    [ NSHELP-22179 ]
  • The Citrix ADC GUI displays only the first 25 content switching policies bound to a content switching virtual server even though more policies are bound to the virtual server. A scroll bar is also not available.
    [ NSHELP-21967 ]
  • When modifying a parameter, other than ring size, (for example duplex, speed, HAmon) from the GUI the following error message appears:
    Ringsize change not allowed on this NIC type
    [ NSHELP-21934 ]
  • When a node joins a cluster with the GSLB setup, if the active node goes DOWN, the Metric Exchange Protocol (MEP) might go DOWN.
    [ NSHELP-21862 ]
  • Load balancing server statistics details are misaligned in the Citrix ADC GUI dashboard.
    [ NSHELP-20752 ]
  • In certain scenarios, the user name (specified with a "%u" character) in the prompt string does not display correctly.
    [ NSHELP-19991 ]
  • In a Cluster setup, you see the following issues because VXLAN is not supported:
    * The "Create IPv6 Neighbor" GUI page displays the following error message when you try to create an IPv6 neighbor:
      "Operation not supported in Cluster"
    * On the "Create IPv6 Route" GUI page, the Create button does not respond.
    [ NSHELP-19451 ]
  • In a Citrix ADC appliance, the timezone configuration fails if there is a change in Daylight Savings Time (DST).
    [ NSHELP-19128 ]
  • Data with multiple argument values are not properly stored in the Citrix ADC configuration database.
    [ NSHELP-18633 ]

Video Optimization

  • A Citrix ADC appliance might crash because of memory corruption.
    [ NSVIDEOOPT-912 ]

Known Issues

The issues that exist in release 12.1-57.18.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • The Citrix Workspace login fails when a Citrix ADC appliance is configured as an Identity Provider (IdP) for Citrix Workspace and a custom attribute extraction error occurs.
    [ NSHELP-23843 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive when single sign-on is attempted.
    [ NSHELP-23632 ]
  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
    [ NSHELP-22845 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
    [ NSHELP-18751 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
    - The Test LDAP Reachability option is opened.
    - Invalid login credentials are populated and submitted.
    - Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.
    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, an ADC instance configured with an IPv6 address cannot be modified.
    [ NSHELP-24256 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
    - Throughput allocation mode is burst.
    - There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]

Citrix Gateway

  • If you log on to Citrix Gateway and access Microsoft Excel via clientless VPN SharePoint, you are logged out of the session created for Microsoft Excel.
    [ NSHELP-24074 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • The Citrix ADC appliance crashes if the "show vpn storeinfo" command is run repeatedly.
    [ NSHELP-23144 ]
  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
    Workaround: Change the FQDN to the IP address of the next hop server.
    [ NSHELP-22444 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • The Linux VPN client might crash if you download a large file (approximately 3 GB).
    [ NSHELP-22032 ]
  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
    [ NSHELP-20825 ]
  • Device certificate is not supported with Citrix SSO for macOS when it is added as part of the nFactor scans.
    [ NSHELP-20722 ]
  • The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
    [ NSHELP-20189 ]
  • SYSLOG log messages get truncated after 1024 bytes.
    [ NSHELP-19484 ]
  • You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.
    [ NSHELP-19221 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.
    [ NSHELP-8549 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
    [ CGOP-6794 ]

Citrix Web App Firewall

  • When aslearn configured learned data is deployed and the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.
    [ NSHELP-18077 ]

Clustering

  • In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
    [ NSHELP-20366 ]

Load Balancing

  • When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.
    [ NSHELP-23050 ]
  • The statistics for a stream identifier do not show any graphs.
    [ NSHELP-22753 ]
  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
    [ NSHELP-22103 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
    [ NSHELP-22099 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
    [ NSHELP-21425 ]
  • The Citrix ADC appliance sends a reset to the client intermittently because the MySQL virtual server is not able to select a backend server.
    [ NSHELP-20608 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20406 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
    [ NSSWG-849 ]
  • The Citrix ADC appliance might take more time to process and respond to the NITRO API calls in the background for GUI access. Because of this issue, you might observe latency issues in accessing the GUI.
    [ NSHELP-24065 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URLFiltering third-party vendor.
    [ NSHELP-22409 ]
  • In a cluster setup, the “set ratecontrol” command works only after restarting the Citrix ADC appliance.

    Workaround: Use the “nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>” command.
    [ NSHELP-21811 ]

Networking

  • A partitioned Citrix ADC appliance might crash if you enable Video Optimization on a partition and later remove the partition on the appliance.
    [ NSNET-10199 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.
    [ NSNET-1646 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.
    [ NSHELP-23161 ]
  • You might observe high CPU usage on a Citrix ADC appliance when it sends fragmented IPv6 packets.
    [ NSHELP-22699 ]
  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:
    - Multipath TCP (MPTCP) is enabled with MBF and PMTUD
    - MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
    [ NSHELP-22418 ]
  • In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
    [ NSHELP-20796 ]
  • When you add a slave interface with jumbo MTU to a link aggregation channel that is used as a backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]
  • The output of a show channel link redundant interface set might incorrectly display the state of the member interface as inactive.
    [ NSHELP-16195 ]

Platform

  • When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
    [ NSPLAT-6417 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
    [ NSPLAT-4451 ]
  • NITRO API request or GUI access to a Citrix ADC appliance fails if the appliance remains idle from management activity over HTTP(S) for more than six days.

    Workaround: Restart the HTTPD process. Run the following commands in the Citrix ADC CLI:

    - add serviceGroup mgmt_http_svc HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES

    - bind serviceGroup mgmt_http_svc 127.0.0.1 80
    [ NSHELP-22849 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]
  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.
    [ NSHELP-22687 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.
    [ NSHELP-22695 ]
  • Configuring empty CRLs for frequent updates exhausts the shared allocated memory on the Citrix ADC appliance.
    [ NSHELP-22166 ]
  • The Citrix ADC appliance might crash during an abbreviated (resumed) TLS 1.3 handshake if all of the following settings are applied to an SSL profile:

    - SNIHTTPHostMatch is set to CERT
    - TLSv1.3 is enabled
    - Session ticket is enabled.

    Workaround: Set SNIHTTPHostMatch to either STRICT or NO.
    [ NSHELP-22126 ]
  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1) Create two OCSP responders in different partitions.
    2) Clear the config in one partition.
    3) Remove the OCSP responder in the other partition.
    [ NSHELP-20861 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • A Citrix ADC appliance might not optimize and compress large objects such as JavaScript or CSS if front end optimization is enabled.
    [ NSHELP-24041 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end, whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.
    [ NSHELP-22684 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
    [ NSHELP-21240 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - HTTP/2 enabled in the HTTP profile bound to load balancing virtual server of type HTTP/SSL or service.
    - Connection multiplexing option disabled in the HTTP Profile bound to load balancing virtual server or service.
    [ NSHELP-21202 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
    [ NSHELP-20401 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC
    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
    [ NSBASE-825 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
    [ NSUI-14752 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • After executing the "saveconfig - all" command, the last saved time for the admin partitions is not accurately updated.
    [ NSHELP-23740 ]
  • After adding the vCPU license to a VPX appliance, the VPX model ID appears incorrectly in the VPX GUI under License and in the CLI “show license” command output.
    [ NSHELP-19613 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
    [ NSHELP-12037 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:
    * 13.0 52.24 build
    * 12.1 57.18 build
    * 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 in the above-mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see: https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]