Release Notes for Citrix ADC 12.1-64.17 Release

System

• When processing large streams of gRPC traffic, the TCP advertised window increases exponentially leading to high memory usage.

  [ NSBASE-15447 ]

Authentication, authorization, and auditing

• The Authentication, authorization, and auditing.USER.ATTRIBUTE expression might give an empty value in multi-core Citrix ADC appliance when user password is changed on expiry.

  [ NSHELP-28419 ]

• When you log in to the Citrix ADC appliance, a blank password field appears when both the following conditions are met.

  • Duo two-factor authentication is configured
  • RfWebuI portal theme is used
  [ NSHELP-27868 ]

• When SAML metadata is configured, memory leak is observed with SSL certificates.

  [ NSHELP-27846, NSHELP-25020 ]

• The Citrix ADC appliance might crash during active directory group extraction if the distinguished name of an extracted group is NULL.

  [ NSHELP-26899 ]

• Admins cannot use the LDAP or RADIUS connectivity tool if the password contains a certain special character or if the arguments have a space in it.

  [ NSAUTH-11322 ]

Citrix ADC SDX Appliance

• An incorrect message appears when clean install fails because the factory partition doesn't have enough space.

  [ NSHELP-30136 ]

• On a Citrix ADC SDX appliance, the Management Service does not send syslog or email notifications if the power supply, voltage, or disk failures occur more than once.

  [ NSHELP-29443 ]

• On the Citrix ADC SDX 14000-40G, 15000, and 15000-50G platforms, setting the interface speed using the CLI fails.

  [ NSHELP-29388 ]

• When you change the profile on an ADC instance hosted on the Citrix ADC SDX platform, you might notice some extra entries for the "save config" command in the log file.

  [ NSHELP-29343 ]

• On a Citrix ADC SDX appliance, an interface that is part of a management channel is displayed along with the management channel if the following sequence of conditions is met:

  1. The VPX instance is part of a cluster.
  2. The management channel is created.
  [ NSHELP-27487 ]

Citrix Gateway

• EPA scan for checking the antivirus last full system scan fails on macOS.

  [ NSHELP-29571 ]

• In a high availability setup with TCP SYSLOG configuration, a node might crash during HA failover or during clear config operation.

  [ NSHELP-29251 ]

• The Citrix ADC appliance might crash during the VPN logon if an AppFlow policy with the HTTP rule is bound to a Citrix Gateway.

  [ NSHELP-28705 ]

• The Citrix Gateway appliance crashes while processing STA in DTLS Audio because the allocated memory is not reset.

  [ NSHELP-28432, NSHELP-29796 ]

• The directory /var/netscaler/logon/LogonPoint/custom/ is not created after an upgrade if the directory was was not present initially.

  [ NSHELP-28223 ]

• You might see an extra line for NS_AUDITLOG_STR* logs in the ns_aaa_json.c file.

  [ NSHELP-28160 ]

• When accessing the Citrix Gateway appliance using the clientless VPN, core dump might be generated.

  [ NSHELP-27653 ]

• The Citrix Gateway appliance might crash when reconnecting to an existing ICA session.

  [ NSHELP-27441 ]

• The Citrix Gateway portal localization does not work with the Internet Explorer browser.

  [ NSHELP-26822, NSHELP-27604 ]

• The Citrix Gateway appliance crashes when using UDP audio while accessing the Virtual Desktop.

  [ NSHELP-23514 ]

• The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.

  [ NSHELP-23410 ]

• The Citrix Gateway portal enterprise bookmark feature supports only the following protocols. All other bookmarks are blocked. http://, https://, rdp://, and ftp://.

  [ CGOP-19543 ]

Citrix Web App Firewall

• In a Citrix ADC cluster setup, one of the nodes crashes if one or more nodes are upgraded from Citrix ADC version 12.0, 12.1, or 13.0 build 52.x or earlier builds. The crash occurs because of an incompatibility in the Web App Firewall cookie format and size.

  [ NSWAF-7689 ]

• The Web App Firewall log message displays, "BAD URL" for Cross-Site Scripting (XSS) URL attribute violations, and the term "Bad URL" is not clear as to which category it belongs (such as tag, pattern, or attribute).

  [ NSHELP-29358 ]

• A Citrix ADC appliance might crash if the following modules are enabled:

  • Web App Firewall with advanced security checks.
  • Appqoe.
  [ NSHELP-28251 ]

Load Balancing

• If a ZONE type DNS record is available for the parent domain, query for the child domain with an existing NS record results in parent domain SOA record instead of child domain NS record.

  [ NSHELP-28793 ]

• A Citrix ADC appliance might fail when handling monitor probe for mysql type of monitor, which eventually leads to a system reboot.

  [ NSHELP-27953 ]

• The configured state of the default monitor shows as disabled even when the default monitor is bound to a service.

  [ NSHELP-27669 ]

• The Citrix ADC appliance might crash if the following conditions are met:

  • The data array size is odd, such as 3, 5, 7, 9 and so on.
  • The static function local variable is not set to zero before using for a session ID.
  [ NSHELP-26312, NSHELP-29512 ]

Miscellaneous

• The following issue occurs after upgrading the appliance to Citrix ADC version 12.1 build 63.22:

  • The Extension Find API might not work after the upgrade.
  [ NSHELP-29860 ]

• When MAC-based forwarding (MBF) is enabled for VXLAN, the stateful TCP session was not getting established.

  [ NSHELP-27125 ]

Networking

• The Citrix ADC appliance might crash while creating a monitor probe for the related service if the following conditions are met:

  • A net profile with an IP set that has at least one IPv4 address and no IPv6 address. The net profile is bound to a monitor, which is set to an IPv6 service.

  • A net profile with an IP set that has at least one IPv6 address and no IPv4 address. The net profile is bound to a monitor, which is set to an IPv4 service.
  [ NSHELP-29382 ]

• In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module does not find the service while decrementing the reference count or deleting the service.
  [ NSHELP-29134 ]

• In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module accessed the memory location of an already deleted service.
  [ NSHELP-28815 ]

• In a high availability setup, in the case of HA version mismatch between both the nodes, dynamic routes are not synched to the secondary node. The secondary node is not reachable if its accessibility is dependent on the dynamic routes.

  As a fix, dynamic routes are synchronized to the secondary node even in case of HA version mismatch.

  [ NSHELP-28326 ]

• The Citrix ADC appliance might not generate "coldStart" SNMP trap messages after a cold restart.

  [ NSHELP-27917 ]

• In a high availability setup, HA synchronization might fail for WAF profile and location file configurations.

  [ NSHELP-27546 ]

• Packet loops are observed in a load balancing configuration if all of the following conditions are met:

  • The virtual server is configured to listen on port 80 and the connection failover ("connfailover") parameter is set to stateless.
  • The virtual server receives two request packets that have:
    • Source port = 80
    • Destination port = number other than 80
    • Destination IP address = IP address (VIP) of the virtual server
  [ NSHELP-22431 ]

Platform

• On the Citrix ADC MPX 14000 FIPS platform, with pooled capacity licensing, the ECC performance numbers are lower than the published numbers when Hybrid ECC mode is enabled.

  [ NSHELP-27482 ]

• The Citrix ADC appliance generates false packets per second (PPS) rate-limit alerts even before the Citrix ADC appliance reaches its PPS limit for the license.

  [ NSHELP-26935 ]

SSL

• In rare cases, you might see a crash during DTLS processing on the following platforms:

  • MPX 5900
  • MPX/SDX 8900
  • MPX/SDX 15000
  • MPX/SDX 15000-50G
  • MPX/SDX 26000
  • MPX/SDX 26000-50S
  • MPX/SDX 26000-100G
  [ NSHELP-29538 ]

• A Citrix ADC appliance crashes while processing an HTTP request if the policy action is set to "Forward" for a policy that is already bound at the request bind point.

  [ NSHELP-29115 ]

• SSL handshake fails if you use DH ciphers with an external HSM.

  [ NSHELP-25307 ]

• On a Citrix ADC appliance, running the "force failover" command or the "clear config" command might cause a crash if Admin partitions are configured with one of the following entities:

  • Transparent virtual servers.
  • Dynamic services.
  [ NSHELP-23321 ]

System

• When a Citrix ADC appliance receives an HTTP/2 GOWAY frame from a client, it incorrectly resets all streams with stream ID greater than promised ID (last peer initiated stream identifier).

  [ NSHELP-29328 ]

• A Citrix ADC appliance crashes if the following conditions are met:

  • The client-side measurements option is enabled on the AppFlow action.
  • The chunk headers fall on the packet boundary.
  [ NSHELP-29049 ]

• When a client resets a connection with multiple TCP streams, the server-side transaction record is not sent which results in L4 records missing for those data streams.

  [ NSHELP-28281 ]

• If ADM has pending transactions in the queue, it reports randomly a critical alert for high memory usage.

  [ NSHELP-27913 ]

• In a TCP connection, the Citrix ADC appliance might drop a FIN packet, received from a server, instead of forwarding it to the client if all of the following conditions are met:

  • TCP buffering is enabled.
  • The server sends the FIN packet and the data packet separately.
  [ NSHELP-27274 ]

• Pitboss failure occurs when looping a large number of packets in the retransmission queue.

  [ NSHELP-26071 ]

• In a rare case, a Citrix ADC appliance might send incorrect TCP SACK sequence numbers to the client when forwarding it from the backend server. The issue occurs if the TCP Selective ACK (SACK) option is enabled in a TCP Profile.

  [ NSHELP-24875 ]

• In a cluster setup, the "set ratecontrol" command works only after restarting the Citrix ADC appliance.

  [ NSHELP-21811 ]

• In case of a reset connection, the TCP simulate function in the Cache module might not yield the CPU in time for responding to the "pitboss" heartbeats.

  [ NSBASE-15367, NSBASE-14538, NSHELP-29578 ]

• In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins to the cluster configuration, it does not receive the latest SYN cookie.

  [ NSBASE-14419 ]

User Interface

• You can accidentally unlink an SSL certificate because there is no prompt for confirmation. With this fix, when the user clicks on a linked certificate, it will prompt for a confirmation before unlinking a certificate.

  [ NSUI-17897 ]

• For a RPC node configuration, with the "Secure" option disabled, the configure RPC node dialog box in the Citrix ADC GUI incorrectly displays the "Secure" option as enabled.

  [ NSHELP-30887 ]

• ADC instances in a cluster mode configured with pooled capacity go down. This issue happens when a hostname is configured in the cluster nodes and if the nodes take more time in connecting to the ADM license server on bootup.

  [ NSHELP-28613 ]

• While configuring or checking SSL certificates using the Citrix ADC GUI, the error "Directory doesn't exist" might appear. This issue occurs when a filename with two consecutive dots ("..") exists in the SSL folder "/nsconfig/ssl".

  [ NSHELP-28589 ]

• In a high availability setup, HA synchronization might fail for a built-in policy pattern set binding, if the built-in policy pattern set was modified on the primary node.

  [ NSHELP-28460 ]

• When you deselect the secure option for RPC node in the ADC GUI, the following error message appears:

  Argument pre-requisite missing [validateCert, secure==YES]

  [ NSHELP-28239 ]

• When the user tries to change the page size of a list in the side panel views, the page gets distorted.

  [ NSHELP-28220 ]

AppFlow

• HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
  [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

• A Citrix ADC appliance configured to authenticate using OAuth Service Provider, cannot be configured with 'client-secrete_post" to authenticate with IDP tokenEndPoint.

  With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

  [ NSHELP-28945 ]

• Sometimes, authentication might fail when Authentication, authorization, and auditing.LOGIN.PASSWORD is used.

  [ NSHELP-28101 ]

• Access to a service is denied if the following conditions are met:

  • The service is bound to an authentication virtual server.
  • 401 authentication is configured on the service and the virtual server that the service is bound to.
  [ NSHELP-26903 ]

• In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.

  [ NSHELP-26745 ]

• The "timeout" parameter for emailAction command is deprecated . The default value for timeout is 180 seconds.

  [ NSHELP-26424 ]

• When a Citrix ADC appliance performs a nested LDAP group search, some of the groups information from the active directory is missed because of an invalid behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.

  [ NSHELP-26316 ]

• You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.

  [ NSHELP-26199 ]

• The Citrix ADC appliance crashes if both of the following conditions are met.

  • Email OTP is configured
  • Email server does not respond or there is a network issue with the email server

  [ NSHELP-26137, NSHELP-27824 ]

• SSO to StoreFront using Citrix ADC fails if the following conditions are met:

  • The Citrix ADC appliance is configured for multi-factor authentication.
  • Citrix ADC session times out before examining the configured authentication factors.
  [ NSHELP-21466 ]

• Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
  [ NSHELP-18844 ]

• A Citrix authentication, authorization, and auditing logout message occasionally display incorrect virtual server name.
  [ NSHELP-18751 ]

• A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
  [ NSHELP-563 ]

• If you edit the authentication virtual server using the "End-to-end login test or Test End User Connection options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
  Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.
  [ NSAUTH-6339 ]

• The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

  [ NSAUTH-6106 ]

• The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.

  Workaround: Close and open the Test LDAP Reachability option.

  [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

• The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.

  [ NSHELP-29170 ]

• The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.

  [ NSHELP-28724 ]

• On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.

  [ NSHELP-26500 ]

• Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

  • Throughput allocation mode is burst.
  • There is a large difference between the throughput and the maximum burst capacity.
  [ NSHELP-21992 ]

• SNMPv3 queries work only for a few minutes after changing the password.
  [ NSHELP-19313 ]

• SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).
  [ NSHELP-18541, NSHELP-19313 ]

Citrix Gateway

• In a Citrix ADC GSLB and SSL VPN setup, memory leak is observed while handling a DTLS ICA connection. As a result, the connection drops and memory builds up.

  [ NSHELP-30182 ]

• If the clientCert parameter is set to 'Optional' in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card.

  [ NSHELP-30070 ]

• The PCoIP Apps and Desktops launch fails when launched from a browser and the error message "VMware client missing" is displayed. This issue occurs because the "vmware-view" protocol is not added to the list of allowed protocols.

  [ NSHELP-30062 ]

• The Citrix ADC appliance incorrectly logs the "UDPFLOWSTAT" message that indicates traffic as "Allowed" for UDP traffic denied by an authorization policy.

  [ NSHELP-29542 ]

• In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

  [ NSHELP-28974 ]

• In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

  [ NSHELP-28856 ]

• Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

  [ NSHELP-28848 ]

• The Windows plug-in might crash during authentication.

  [ NSHELP-28394 ]

• The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

  [ NSHELP-28329 ]

• You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

  With this fix, you can now unbind the authorization policy by using the GUI.

  [ NSHELP-27064 ]

• The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.

  [ NSHELP-27037 ]

• Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

  [ NSHELP-26904 ]

• The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.

  [ NSHELP-26722 ]

• The Citrix Receiver download URL (receiver.exe file) does not download after authentication.

  [ NSHELP-26600 ]

• While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

  • A default pre-shared key (PSK) is configured.
  • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
  [ NSHELP-25694 ]

• The "show vpn icaConnection" command output does not display the serial numbers of the ICA connections correctly. This issue occurs because the serial number is reset arbitrarily when the "show vpn icaconnection" is run.

  [ NSHELP-25646 ]

• The Citrix Gateway login page does not load on deleting an admin partition, if configured.

  [ NSHELP-25538 ]

• The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.

  [ NSHELP-25420 ]

• Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.

  [ NSHELP-24718 ]

• A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

  [ NSHELP-24085 ]

• The Gateway Insight does not display accurate information on the VPN users.

  [ NSHELP-23937 ]

• VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication "off"
  [ NSHELP-23584 ]

• The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

  Example:

  New output:

  > show tunnel global
  Policy Name: ns_tunnel_nocmp Priority: 0

  Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
  Priority: 1
  Global bindpoint: REQ_DEFAULT

  Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
  Priority: 100
  Global bindpoint: RES_DEFAULT
  Done
  >

  Previous output:

  > show tunnel global
  Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

  Advanced Policies:

  Global bindpoint: REQ_DEFAULT
  Number of bound policies: 1

  Done

  [ NSHELP-23496 ]

• In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.

  [ NSHELP-22349 ]

• A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:

  • SplitTunnel is set to ON.
  • IP address pool (Intranet IP) option is set to NoSpillOver.
  [ NSHELP-20584 ]

• In some cases, a Citrix ADC appliance might dump core during a user logout session.

  [ NSHELP-19470 ]

• An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
  [ NSHELP-7872 ]

• If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

  [ CGOP-19355 ]

• Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
  [ CGOP-13621 ]

• In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
  [ CGOP-13511 ]

• When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

  [ CGOP-13494 ]

• When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

  [ CGOP-13493 ]

• In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

  [ CGOP-7269 ]

• If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
  [ CGOP-3359 ]

Citrix Web App Firewall

• The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

  [ NSHELP-29113 ]

• In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.

  [ NSHELP-26570 ]

• Some requests with security violations are not blocked by HTML cross-site scripting security check.

  [ NSHELP-24762 ]

Load Balancing

• In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

  [ NSLB-7679 ]

• The state of the service group displayed in the show and stat commands is inconsistent.

  [ NSHELP-28931 ]

• The Citrix ADC appliance might fail to respond to a GSLB domain query with an expected GSLB service IP address, if the GSLB virtual server is configured as follows:
  Persistence type: Source IP address
  Load balancing algorithm: Static proximity
  Backup load balancing method: Round trip time (RTT)

  [ NSHELP-28668 ]

• The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

  [ NSHELP-28548 ]

• The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.

  [ NSHELP-28332 ]

• Sometimes in a multi-PE system, the domain-based groups doesn't recover to UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.

  [ NSHELP-27965 ]

• When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.

  [ NSHELP-24329 ]

• In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.

  [ NSHELP-21425 ]

• When you execute the "set service <servicename>" command, the following error message is displayed:
  "IP Address cannot be set on a domain based server."

  This error message is displayed when the server is configured with a name greater than 32 characters.

  [ NSHELP-20939 ]

• In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

  [ NSHELP-20406 ]

• Redirecting an HTTPS URL fails if the URL contains the % special character.

  [ NSHELP-19993 ]

Miscellaneous

• When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
  As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
  [ NSSWG-849 ]

• A Citrix ADC appliance adds extra L2 information when a tunnel or Type of Service (TOS) virtual servers are created.

  [ NSHELP-27825 ]

• In a cluster setup, the command propagation might fail due to connection lost with CCO. The issue is observed if both of the following conditions are met:

  • You perform a command propagation operation in the setup.
  • The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.

  [ NSHELP-26350, NSHELP-24910 ]

• A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

  [ NSHELP-22409 ]

• In a L3 cluster setup, the local nodegroup wrongly send the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

  [ NSHELP-20366 ]

Networking

• A Citrix ADC appliance might crash if all of the following conditions are met:

  • A load balancing route is configured in a traffic domain on the appliance.
  • A clear config operation is performed on the appliance.
  [ NSNET-23847 ]

• In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
  [ NSNET-5233 ]

• In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • LSN filtering and mapping entries are not present in the appliance.
  [ NSHELP-30225 ]

• A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

  [ NSHELP-24623 ]

• In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

  • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

  As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition

  [ NSHELP-24000 ]

• If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

  [ NSHELP-21288 ]

• When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

  [ NSHELP-21082 ]

Platform

• When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
  [ NSPLAT-4520 ]

• In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
  [ NSPLAT-4451 ]

• The status of SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.
  [ NSHELP-20009 ]

Policies

• A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.

  [ NSPOLICY-1462 ]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

  [ NSPOLICY-1267 ]

SSL

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [ NSSSL-4427 ]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [ NSSSL-4001 ]

• In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
  [ NSSSL-3402 ]

• An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
  [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

• You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server, as an SNI certificate if the domain name is the same.
  [ NSSSL-2560 ]

• In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

  [ NSHELP-28058 ]

• A Citrix ADC MPX/SDX 14000 FIPS appliance might crash due to continuous use of APIs for crypto operations, by internal applications such as SAML, over a period of time.

  [ NSHELP-27952 ]

• In a high availability setup, the certificate type is not synchronised correctly between the primary and secondary nodes.

  [ NSHELP-27589 ]

• The Citrix ADC appliance might crash during a reboot if you change the casing in the name of the built-in certificate ("ns-server-certificate") in the configuration file.

  [ NSHELP-26858 ]

• A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

  [ NSHELP-24201 ]

System

• The Citrix ADC appliance crashes if either of the following conditions occur:

  • The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
  • High availability synchronization happens on the secondary node.

  Workaround:

  Create syslog action with syslog server's IP address instead of syslog server's domain name.

  [ NSHELP-30987, NSHELP-28121, NSHELP-29843 ]

• The Citrix ADC appliance might incorrectly add an IPv4 address to an AppFlow record related to an IPv6 transaction.

  [ NSHELP-29261 ]

• In some scenarios, a Citrix ADC appliance might crash under the following conditions:

  • TCP jumbo frames are used.
  • Persistence is configured on a TCP load balancing virtual server.
  [ NSHELP-29162 ]

• The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

  [ NSHELP-29142, NSHELP-29583 ]

• A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

  [ NSHELP-28846 ]

• The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

  [ NSHELP-28710, NSHELP-28713 ]

• TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.

  [ NSHELP-27502, NSBASE-14650 ]

• The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.

  [ NSHELP-27417 ]

• Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

  [ NSHELP-27410 ]

• A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

  [ NSHELP-27179 ]

• A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.

  [ NSHELP-26594 ]

• For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end. Whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.

  [ NSHELP-22684 ]

• The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
  [ NSHELP-21240 ]

• The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
  [ NSHELP-10972 ]

• In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
  [ NSBASE-16304, NSGI-1293 ]

• In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.

  [ NSBASE-10587 ]

• Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.
  [ NSBASE-8506 ]

• ICAP support for Citrix ADC
  

  A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

  [ NSBASE-825 ]

User Interface

• In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

  [ NSUI-14752 ]

• The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.
  [ NSUI-13193, NSUI-11561 ]

• If you create an ECDSA key by using the GUI, the type of curve is not displayed.
  [ NSUI-6838 ]

• The search filter is not available for the 'Name' key in the Citrix ADC GUI Manage Certificates > CSR page.

  [ NSHELP-30274 ]

• In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.

  [ NSHELP-28870 ]

• Importing a certificate in an admin partition might incorrectly fail with the following message:

  ERROR: User doesnt have permission for given Destination path

  [ NSHELP-26918 ]

• When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.

  [ NSHELP-25654 ]

• A Citrix ADC appliance might crash if the /tmp directory is full.

  [ NSHELP-21809 ]

• Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

  [ NSHELP-20988 ]

• The Citrix ADC command interface and the GUI do not display the system time parameter setting for few SNMP alarms.
  [ NSHELP-19958 ]

• The top-level page title is missing on all security check GUI pages.
  [ NSHELP-18607 ]

• In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. But the GUI, incorrectly displays the following error:
  Trace not started

  [ NSHELP-18566, NSHELP-24796 ]

• If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:

  • 13.0 52.24 build
  • 12.1 57.18 build
  • 11.1 65.10 build

  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

  To display the list of these system users by using the CLI:
  At the command prompt, type:

  "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

  Workaround:

  To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

  [ NSCONFIG-3188 ]