Release Notes for Citrix ADC 12.1-60.19 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 12.1-60.19.


  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 12.1-60.19 replaces 12.1-60.17.
  • This build adds an enhancement in DTLS to eliminate the susceptibility to DDoS style attack as described in

What's New

The enhancements and changes that are available in Build 12.1-60.19.

Citrix ADC SDX Appliance

  • Users cannot configure a tagged VLAN on the 50G and 100G interfaces of an ADC instance without explicitly specifying the allowed VLAN list on the interface from the Management Service. The issue is seen if the ADC instance is provisioned on one of the following Citrix ADC SDX platforms:

    • SDX 15000-50G
    • SDX 26000
    • SDX 26000-50S
    • SDX 26000-100G
    [ NSSVM-3697 ]
  • After deleting an interface or a channel from an ADC instance, the instance might be unreachable from the Management Service. With this change, if your Citrix ADC SDX appliance is running release 13.0 build 71.x and later or release 12.1 build 60.x and later, you cannot delete the interface or channel on an ADC instance from the Management Service.

    [ NSSVM-3442 ]

User Interface

  • Next/Previous navigation option for Web App Firewall Profile GUI page

    In Citrix ADC GUI, the Web App Firewall Profiles page now displays the Next/Previous navigation option to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles

    [ NSUI-16487 ]

Fixed Issues

The issues that are addressed in Build 12.1-60.19.

Authentication, authorization, and auditing

  • Sometimes, a Citrix ADC appliance might become unresponsive when a user authentication times out at the client side during a multi-factor (nFactor) authentication.

    [ NSHELP-25251 ]
  • In some cases, a Citrix ADC appliance might crash if the client closes the TCP connection before finishing the Email OTP authentication.

    [ NSHELP-25154 ]
  • In some cases, a Citrix ADC appliance crashes during the Citrix ADC Authentication, authorization, and auditing session removal on the secondary node.

    [ NSHELP-25075 ]
  • When a Citrix ADC appliance is configured for nFactor, RADIUS authentication failures are reported as LDAP authentication failures in the Citrix ADM appliance.

    [ NSHELP-24597 ]
  • In some cases, the Email OTP validation fails when the OTP request is sent by a core and the validation request is received by another core.

    [ NSHELP-24442 ]
  • LDAP authentication fails in a Citrix ADC appliance when a user's group length exceeds the defined limit.

    [ NSHELP-24373 ]
  • The Citrix ADC appliance denies log on requests from mobile clients because the login schema validation fails. You must use the OAuthToken_Username_password.xml schema in your configuration.

    [ NSHELP-24318 ]
  • The login to a Citrix ADC appliance fails if the following conditions are met.

    • The appliance is configured for nFactor.
    • The login schema policy is bound to an authentication virtual server and authentication schema is set to "noschema".
    [ NSHELP-24259 ]
  • In some cases, the SAML assertion breaks when the attribute values have XML tags. This results in the failure of attribute extraction.

    [ NSHELP-23940 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive while it is doing some background tasks related to user authentication.

    [ NSHELP-23883 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive when single sign-on is attempted.

    [ NSHELP-23632 ]
  • When trying to log on to the Citrix Gateway appliance, a user does not see a response if the log on attempt fails.

    [ NSHELP-23155 ]
  • A Citrix ADC appliance fails to extract all the groups in an LDAP scenario for an AD user when the number of groups the user belongs to exceeds the limit of the group size.

    [ NSHELP-22959 ]
  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.

    [ NSHELP-22845 ]
  • Single Sign-On (SSO) with the following authentication methods does not work if the SSO configuration in Citrix ADC and Citrix Gateway is enabled only at global level and not at per traffic level.

    • CitrixAGBasic authentication
    • Kerberos authentication
    • OAuth bearer authentication
    [ NSAUTH-9166 ]
  • During IdP session creation on an authentication virtual server, any configuration made to the login schema profile associated with the first factor of authentication is not honored. If the login schema profile is configured to use the first factor credentials for the SSO functionality, the configuration is not honored.

    [ NSAUTH-8712 ]
  • In some cases, the Citrix ADC appliance crashes if any expired Authentication, authorization, and auditing session exists during the configuration clean-up.

    [ NSAUTH-7767 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance running software version 13.0 build 64.x or 12.1 build 58.x, a user cannot download the backup of the appliance.

    [ NSSVM-3952 ]
  • The Citrix ADC SDX appliance upgrade fails if the Citrix Hypervisor consumes more than 90% of the disk space.

    [ NSHELP-24873 ]
  • The SDX GUI might not be accessible after upgrading a Citrix ADC SDX appliance on which management LA and CLAGs are configured.

    [ NSHELP-24671 ]
  • The SNMP user details are not modified if you change the device profile of an ADC instance provisioned on a Citrix ADC SDX appliance.

    [ NSHELP-24488 ]
  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, a high CPU usage can be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.

    [ NSHELP-24031 ]
  • On a Citrix ADC SDX appliance, link aggregation information of ADC instances might be lost due to a race condition between concurrent rediscoveries of ADC instances.

    [ NSHELP-23849 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash during a session logout if the appliance tries to remove the connection twice from the session.

    [ NSHELP-25443 ]
  • The Citrix Gateway appliance crashes during Transfer Login if the request lands on a core where the previous session has timed out.

    [ NSHELP-25322 ]
  • In rare cases, the Citrix Gateway appliance might crash during session synchronization with the secondary appliance or during Intranet IP assignment.

    [ NSHELP-25221 ]
  • Citrix Gateway plug-in for Windows does not resolve domains with "Intranet IP DNS Suffix" on the appliance irrespective of the split DNS configuration.

    [ NSHELP-25003 ]
  • If ICA smart policy is enabled and there is some residual AppFlow configuration, you might observe a high latency connection.

    [ NSHELP-24908 ]
  • The Citrix ADC appliance might crash when UDP audio is enabled and the internal malloc system call returns an error.

    [ NSHELP-24890 ]
  • EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]
  • In rare cases, a Citrix Gateway appliance crashes when the syslog transport type is modified due to a memory corruption.

    [ NSHELP-24794 ]
  • In a rare case, the Citrix ADC appliance crashes while printing debug logs if the server initiated connection session is already freed.

    [ NSHELP-24581 ]
  • The Citrix ADC appliance might crash when configured for clientless VPN.

    [ NSHELP-24430 ]
  • You cannot use Scandinavian letters in the EULA after upgrading the Citrix ADC appliance from release 11.1 to 12.1.

    [ NSHELP-24394 ]
  • The Citrix Gateway appliance might reboot if the RDP server profile bound to the VPN virtual server does not have the RDP IP address configured and the same port is used by the RDP server profile and the VPN virtual server.

    [ NSHELP-24199 ]
  • In rare cases, the Citrix Gateway appliance might crash if intranet IP (IIP) address is enabled and there are server-initiated connections to the IIP address.

    [ NSHELP-23819 ]
  • The Windows plug-in displays the Gateway not reachable message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.

    [ NSHELP-23794 ]
  • Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.

    [ NSHELP-23770 ]
  • The Citrix ADC appliance might crash during an Authentication, authorization, and auditing session logout if the user logs in from Citrix Workspace.

    [ NSHELP-23623 ]
  • Feature: Citrix Gateway

    You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.

    [ NSHELP-19221 ]
  • Support for CredSSP protocol version 2 is removed. Only CredSSP protocol versions 5 and 6 are supported on the Windows operating systems.

    [ CGOP-14308 ]

Citrix Web App Firewall

  • File Descriptor leak in aslearn when displaying some XML learn data.

    [ NSWAF-6648 ]
  • Support for "cs7" in CEF log messages

    The Citrix Web App Firewall Common Event Format (CEF) log messages now include one more parameter, "cs7" for audit log expression name.

    [ NSWAF-6593 ]
  • A Citrix ADC appliance might crash if the response side or XML security checks are enabled and log expressions are configured in a Web App Firewall profile.

    [ NSWAF-6466 ]
  • In a cluster configuration, an error message, "Communication error with aslearn" appears when the learning engine tries to view and reset the learned data.

    [ NSHELP-24584 ]
  • A Citrix ADC appliance might crash because of the null streaming context in XML processing and if the "multipleHeaderAction" parameter is set as "log".

    [ NSHELP-24549 ]
  • A Citrix ADC appliance removes the status code from the response if the following issues are observed:

    • The reason phrase is missing and
    • The status code is not followed by a space.
    [ NSHELP-24489 ]
  • SOAP envelope validation might fail for XML data.

    [ NSHELP-24412 ]

Load Balancing

  • If connection mirroring does not synchronize PCB parameters, it might lead to loss of TCP options such as Maximum Segment Size (MSS) and Window Scaling.

    [ NSHELP-23990 ]
  • When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.

    [ NSHELP-23050 ]
  • For DNS UDP requests the subscriber session is created based on the destination IP address instead of the source IP address, if both a subscriber expression and a DNS expression are used in the same policy.

    [ NSHELP-22521 ]
  • Feature: High Availability

    In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.

    [ NSHELP-21715 ]
  • Feature: Load Balancing

    In a cluster setup, when you execute the "unset lb vserver test -redirectFromPort" command, the HTTP redirect port for load balancing virtual server does not get cleared from the database.

    [ NSHELP-20518 ]


  • If you run the set appflow command in a cluster setup, you might not be able to form a cluster.

    [ NSHELP-24220 ]
  • After entering and exiting the VTYSH shell in a Citrix ADC appliance, the symlink for '/nsconfig/syslog.conf' in '/etc/syslog.conf' might be removed. As a result, the changes in '/nsconfig/syslog.conf' are not reflected in '/etc/syslog.conf'.

    [ NSHELP-23200 ]
  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:

    • Multipath TCP (MPTCP) is enabled with MBF and PMTUD
    • MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
    [ NSHELP-22418 ]
  • In a cluster setup, a Citrix ADC appliance might crash when it receives a node-to-node steered ICMP error message from the server. The crash occurs because the received packet does not contain the interface-related information.

    [ NSHELP-18401 ]
  • Feature: Networking

    The output of a show channel link redundant interface set might incorrectly display the state of the member interface as inactive.

    [ NSHELP-16195 ]


  • A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.

    [ NSPLAT-16852 ]
  • The Citrix ADC SDX 15000-50G on a reboot operation might fail to reboot completely, when all the 10G and 50G interfaces are configured as LACP channels with 9000 MTU. The 50G interfaces might also end up missing after reboot.

    [ NSHELP-23104 ]
  • NITRO API request or GUI access to a Citrix ADC appliance fails if the appliance remains idle from management activity over HTTP(S) for more than six days.

    [ NSHELP-22849 ]
  • You need to reboot a Citrix ADC SDX appliance to reset and initialize an SSL card when the card returns an error. With this fix, reboot is not required.

    [ NSHELP-22725 ]


  • The target field in the responder action of "NOOP" action type is not saved in the configuration file (ns.conf). As a result, when you restart your appliance, there is a configuration loss.

    [ NSHELP-23772 ]
  • An error message, "Directory does not exist", appears on the HTML Page Import Object GUI page after you upgrade the Citrix ADC appliance release 11.1 build 63.15.

    [ NSHELP-22826 ]
  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.

    [ NSHELP-22687 ]


  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:

    • ECDHE/ECDSA hybrid model is enabled.
    • DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL backend service on the following platforms:

    • MPX 5900
    • MPX 8900
    • MPX 15000
    • MPX 15000-50G
    • MPX 26000
    • MPX 26000-50S
    • MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.

    [ NSHELP-22695 ]
  • Feature: SSL
    A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1) Create two OCSP responders in different partitions.
    2) Clear the config in one partition.
    3) Remove the OCSP responder in the other partition.

    [ NSHELP-20861 ]


  • A Citrix ADC appliance might crash because of memory corruption when the HTTP/2 feature is enabled.

    [ NSHELP-25005 ]
  • A Citrix ADC appliance might crash if AppFlow is enabled after the server-side connection is established.

    [ NSHELP-24546 ]
  • If the rewrite module or the HTTP strict transport security (HSTS) header modifies a packet and splits it into two, the intrusion prevention system (IPS) frees the second packet. This corrupts the packet flow to the client, so that only a partial response is forwarded to the client.

    [ NSHELP-24294 ]
  • The analytics records are not sent to the Citrix ADM if the following conditions are observed:

    • IPFIX collector is configured in the admin partition of the Citrix ADC appliance.
    • Collector is in a subnet other than SNIP address.

    [ NSHELP-24283 ]
  • In the case of TLS v1.2 session reuse protocol, the following behavior is observed in the Citrix ADC appliance:

    • The categorization information is saved in the server PCB, and the domain information is saved in the client PCB.
    • Data is sent to AppFlow only from the client PCB, hence for session reuse cases, categorization information is sent as null.
    [ NSHELP-23542 ]
  • A Citrix appliance with connection chaining parameter enabled might crash if the following conditions are met:

    • The incoming packet has TCP options of more than 20 bytes.
    • The appliance tries to insert an extra 20 bytes, which leads to TCP overflow.
    [ NSHELP-23322 ]
  • If a service, representing an inline device, is down when traffic is being inspected, a resource is not freed properly. The Citrix ADC appliance crashes when this freed resource is accessed again.

    [ NSHELP-23145 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:

    • HTTP/2 enabled in the HTTP profile bound to load balancing virtual server of type HTTP/SSL or service.
    • Connection multiplexing option disabled in the HTTP Profile bound to load balancing virtual server or service.
    [ NSHELP-21202 ]
  • The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.

    [ NSBASE-11747 ]

User Interface

  • In a cluster setup, unwanted extra binding configuration gets saved in the ns.conf file.

    [ NSHELP-24636 ]
  • The Citrix ADC GUI displays fewer cached objects than the command interface.

    [ NSHELP-24337 ]
  • After an upgrade to Citrix ADC 13.0 build 56.x, Citrix Web App Firewall regex evaluators do not work as expected.

    [ NSHELP-24212 ]
  • The following temporary files present in the /var/tmp folder of a Citrix ADC appliance are causing a memory full state.

    • sh.runn.audit.<pid> file created by nsconfigaudit tool.
    • tmp_ns.conf.<pid> file created by show run command for partition.
    [ NSHELP-24092 ]
  • In Citrix ADC GUI, the Web App Firewall Profiles page does not have the next or previous navigation options to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles

    [ NSHELP-22622 ]
  • The "nsconfigaudit" config diff tool does not maintain the order of commands within the same resource group when generating the corrective commands.

    [ NSHELP-21791 ]
  • For a "routerdynamicrouting" NITRO API request, the Citrix ADC appliance might return JSON data with formatting errors if the response size is large.

    [ NSHELP-19913 ]
  • Feature: System
    A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in diffnsconfig command. As a result, the diffnsconfig output is large enough to completely fill the root disk.

    [ NSHELP-19345 ]
  • On a Citrix ADC MPX appliance, to transition the pooled capacity license to a perpetual license, you must first remove the pooled licensing configuration and then remove the pooled capacity license.

    [ NSCONFIG-4167 ]

Known Issues

The issues that exist in release 12.1-60.19.


  • Feature: HDX Insight
    HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • Feature: Authentication, authorization, and auditing
    SSO to StoreFront using Citrix ADC fails if the following conditions are met:

    • The Citrix ADC appliance is configured for multi-factor authentication.
    • Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • Feature: Authentication, authorization, and auditing
    Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.

    [ NSHELP-18844 ]
  • Feature: Authentication, authorization, and auditing
    A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.

    [ NSHELP-18751 ]
  • Feature: Authentication, authorization, and auditing-TM
    A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • Feature: Authentication, authorization, and auditing
    If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
    To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.

    [ NSAUTH-6339 ]
  • Feature: Authentication, authorization, and auditing

    The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • Feature: Authentication, authorization, and auditing
    The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.

    [ NSHELP-25909 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • Feature: System
    SNMPv3 queries work only for a few minutes after changing the password.

    [ NSHELP-19313 ]
  • Feature: System
    SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).

    [ NSHELP-18541 ]

Citrix Gateway

  • The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.

    [ NSHELP-25420 ]
  • The UrlName parameter is appended to the session and other policy bindings when classic VPN URL is also bound leading to configuration addition on save and reboot.

    [ NSHELP-25072 ]
  • Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.

    [ NSHELP-24718 ]
  • A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.

    [ NSHELP-24437 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]
  • Citrix ADM displays incorrect bandwidth used by users when connected to VPN.

    [ NSHELP-23855 ]
  • HDX Insight data is not observed in Director for individual sessions. The issue is seen when NetScaler App Experience (NSAP) sessions are established.

    [ NSHELP-23834 ]
  • VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication "off"
    [ NSHELP-23584 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.

    [ NSHELP-23410 ]
  • False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.

    [ NSHELP-23047 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.

    [ NSHELP-22349 ]
  • Feature: Citrix Gateway
    If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.

    [ NSHELP-20825 ]
  • Feature: Citrix Gateway
    A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:

    • SplitTunnel is set to ON.
    • IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In Analytics > Gateway Insight, under Authentication, it displays an incorrect Authentication Type. This issue occurs when you configure NO_AUTHN action in the ADC instance.

    [ NSHELP-20117 ]
  • Feature: System
    SYSLOG log messages get truncated after 1024 bytes.

    [ NSHELP-19484 ]
  • Feature: Citrix Gateway
    SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Use an IP address for VDA.

    [ NSHELP-8549 ]
  • Feature: Citrix Gateway
    An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.

    [ NSHELP-7872 ]
  • Feature: Citrix Gateway
    Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]
  • Feature: Citrix Gateway
    In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]
  • Feature: System
    In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ CGOP-6794 ]
  • Feature: Citrix Gateway
    If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.

    [ CGOP-3359 ]

Citrix Web App Firewall

  • The Citrix Web App Firewall cookie consistency check removes the SameSite cookie attribute in the response sent by the back-end server.

    [ NSHELP-24313 ]
  • Feature: Citrix Web App Firewall

    When aslearn configured learned data is deployed and if the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.

    [ NSHELP-18077 ]


  • Feature: Clustering

    In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

    [ NSHELP-20366 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.

    [ NSHELP-24213 ]
  • The packet engines (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.

    [ NSHELP-22099 ]
  • A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.

    [ NSHELP-21959 ]
  • In a cluster setup, the set ratecontrol command works only after restarting the Citrix ADC appliance.

    Use the -ys icmp_rate_threshold=<new value> command.

    [ NSHELP-21811 ]
  • Feature: Load Balancing

    In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.

    [ NSHELP-21425 ]
  • Feature: Load Balancing

    When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name greater than 32 characters.

    [ NSHELP-20939 ]
  • Feature: GSLB

    In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]
  • Feature: Load Balancing

    Redirecting an HTTPS URL fails if the URL contains the % special character.

    [ NSHELP-19993 ]


  • Feature: SWG URL Filtering
    When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.

    [ NSSWG-849 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URLFiltering third party vendor.

    [ NSHELP-22409 ]


  • Feature: Networking
    In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]
  • Feature: System

    In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.

    [ NSNET-1646 ]
  • A Citrix ADC appliance might crash, if the following conditions are present:

    • IPv6 link load balancing (LLB6) configuration has persistency option enabled.
    • Some IPv6 dummy connections are created for this LLB6 configuration.
    [ NSHELP-25695 ]
  • For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.

    [ NSHELP-24632 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.

    [ NSHELP-24034 ]
  • Feature: Networking

    If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

    [ NSHELP-21288 ]
  • Feature: High Availability

    In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.

    [ NSHELP-20796 ]


  • A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.

    [ NSPLAT-16852 ]
  • Feature: Licensing
    When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.

    [ NSPLAT-6417 ]
  • Feature: Citrix ADC VPX appliance
    When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.

    [ NSPLAT-4520 ]
  • Feature: Citrix ADC VPX appliance
    In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should always be configured on the primary node.

    [ NSPLAT-4451 ]
  • On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:

    • The LACP link on 10G ports might flap intermittently or go down permanently.

    Workaround:

    1. Find out the internal ethX port corresponding to the 10G port.
    2. Run the following command on the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
    3. Review the traffic profile to block off unwanted traffic on the switch side.

    [ NSHELP-25561 ]


  • A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.

    [ NSPOLICY-1462 ]
  • Feature: System
    Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Set the TCP buffer size to the maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]
  • Policy string map might not work if UTF-8 characters are used in key text.

    [ NSHELP-25357 ]


  • Feature: SSL
    Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • Feature: SSL
    An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • Feature: SSL
    In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.

    [ NSSSL-3402 ]
  • Feature: SSL
    An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184 ]
  • Feature: SSL
    In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.

    [ NSSSL-3161 ]
  • Feature: SSL
    You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server as an SNI certificate if the domain name is the same.

    [ NSSSL-2560 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.

    [ NSHELP-23963 ]
  • A Citrix ADC appliance might crash if the following conditions are met:

    • A certificate-key pair is added with the expiry monitor option enabled.
    • The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]


  • A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.

    [ NSHELP-25731 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end, whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.

    [ NSHELP-22684 ]
  • When the Intrusion Prevention System (IPS) is processing data before the cache module, the PayloadInfo variable is not cleared properly. Eventually, when the cache module accesses the variable, it causes a Citrix ADC appliance to crash.

    [ NSHELP-21907 ]
  • Feature: System
    The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.

    [ NSHELP-20401 ]
  • Feature: System
    The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]
  • Segmentation errors or duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:

    • The HTTP profile bound to a backend service has HTTP2 enabled and HTTP2 direct disabled.
    • Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of HTTP type.
    [ NSBASE-13582 ]
  • Feature: AppFlow
    Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]
  • Feature: Security
    ICAP support for Citrix ADC
    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see

    [ NSBASE-825 ]

User Interface

  • Feature: Citrix ADC GUI

    In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]
  • Feature: System
    The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.

    [ NSUI-13193 ]
  • Feature: SSL
    If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]
  • The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.

    [ NSHELP-24195 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.

    [ NSHELP-21809 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • Feature: System
    The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.

    [ NSHELP-19958 ]
  • Feature: Citrix ADC GUI
    The top-level page title is missing on all security check GUI pages.

    [ NSHELP-18607 ]
  • Feature: Citrix ADC GUI

    In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. However, the GUI incorrectly displays the following error:
    Trace not started

    [ NSHELP-18566 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.

    [ NSHELP-12037 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in the steps above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see

    [ NSCONFIG-3188 ]