Release Notes for Citrix ADC 12.1-65.39 Build

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 12.1-65.39.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 12.1-65.39 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX584986.
  • Build 12.1-65.39 replaces Build 12.1-65.37.
  • This build includes one enhancement in addition to the enhancements and fixed issues that existed in the previous Citrix ADC 12.1 release build: NSBASE-18564.

What's New

The enhancements and changes that are available in Build 12.1-65.39.

System

  • Limit the number of HTTP/2 RESET frames received on a connection in a minute

    You can now limit the number of HTTP/2 RESET frames received on an HTTP/2 connection in a minute. If the number of RESET frames exceeds the configured limit, Citrix ADC silently drops the packets on that connection.

    With this enhancement, you can mitigate the HTTP/2 DoS attack in which an attacker opens several HTTP/2 streams and immediately cancels them by sending RESET STREAM frames.

    For more information, see HTTP/2 DoS mitigation.

    [ NSBASE-18564 ]
  • New parameter added in HTTP profile

    A new parameter passProtocolUpgrade is added to the HTTP profile to prevent attacks on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.

    • If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back end. The server accepts the upgrade request and indicates this in its response.
    • If this parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back end.

    The passProtocolUpgrade parameter is added to the following profiles:

    • nshttp_default_profile ENABLED by default
    • nshttp_default_strict_validation DISABLED by default
    • nshttp_default_internal_apps DISABLED by default
    • nshttp_default_http_quic_profile ENABLED by default

    Citrix recommends that this parameter be disabled by default. For more details, see the Citrix ADC Secure Deployment Guide.

    [ NSBASE-17423 ]
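
The per-connection limit described in the item "Limit the number of HTTP/2 RESET frames received on a connection in a minute" can be modelled as follows. This is an added example, not Citrix code: the class and function names, the sliding 60-second window, and the choice to keep dropping for the rest of the connection once the limit is exceeded are assumptions, because these notes do not state how the appliance counts. The frame bytes are constructed in memory and nothing is sent on a network.

```python
from collections import deque

FRAME_HEADER_LEN = 9          # HTTP/2 frame header: length(3) type(1) flags(1) stream id(4)
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8              # RST_STREAM error code CANCEL


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame (used only to construct sample input)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        # The top bit of the stream identifier is reserved and must be ignored.
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + FRAME_HEADER_LEN + length
        if end > len(buf):
            break                      # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, buf[off + FRAME_HEADER_LEN:end]
        off = end


class RstFrameLimiter:
    """Per-connection RST_STREAM counter (hypothetical model of the limit)."""

    def __init__(self, limit_per_minute, window=60.0):
        self.limit = limit_per_minute
        self.window = window
        self.stamps = deque()          # arrival times of recent RST_STREAM frames
        self.dropping = False          # assumption: latched for the connection

    def observe(self, ftype, now):
        """Return True if the frame is processed, False if it is dropped."""
        if self.dropping:
            return False
        if ftype != TYPE_RST_STREAM:
            return True
        # Forget resets that are older than the window.
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        self.stamps.append(now)
        if len(self.stamps) > self.limit:
            self.dropping = True
            return False
        return True


def replay(buf, limiter, start=0.0, gap=0.001):
    """Feed every frame in buf to the limiter, `gap` seconds apart.

    Returns (processed, dropped) frame counts.
    """
    processed = dropped = 0
    now = start
    for ftype, _flags, _stream_id, _payload in iter_frames(buf):
        if limiter.observe(ftype, now):
            processed += 1
        else:
            dropped += 1
        now += gap
    return processed, dropped


def constructed_sample(streams):
    """Constructed input: each stream is opened and cancelled straight away."""
    header_block = b"\x82\x84\x86"     # constructed, minimal HPACK header block
    out = bytearray()
    for i in range(streams):
        stream_id = 2 * i + 1          # client-initiated streams use odd ids
        out += build_frame(TYPE_HEADERS, FLAG_END_HEADERS, stream_id, header_block)
        out += build_frame(TYPE_RST_STREAM, 0, stream_id,
                           ERR_CANCEL.to_bytes(4, "big"))
    return bytes(out)


if __name__ == "__main__":
    burst = RstFrameLimiter(limit_per_minute=100)
    print("200 cancels within 0.4 s:", replay(constructed_sample(200), burst))
    slow = RstFrameLimiter(limit_per_minute=2)
    print("10 cancels, 50 s apart:  ", replay(constructed_sample(10), slow, gap=25.0))
```

The second run shows why the count is taken per minute rather than per connection lifetime: a client that cancels streams occasionally never exceeds the limit, even when its total number of resets is higher than the configured value.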

Fixed Issues

The issues that are addressed in Build 12.1-65.39.

Analytics Infrastructure

  • The REST collector is down even when the AppFlow parameter "TimeSeriesOverNSIP" is enabled.

    [ NSHELP-30759 ]
  • A second request on the same client connection fails if the following conditions are met:

    • clientSideMeasurements is enabled.
    • HEAD request is received.
    [ NSHELP-29353 ]
  • The Citrix ADC appliance might incorrectly add an IPv4 address to an AppFlow record related to an IPv6 transaction.

    [ NSHELP-29261 ]
  • The Citrix ADC VPX instance might crash if responder policies are configured, and you add some rewrite policies that lead to header corruption.

    [ NSHELP-28512, NSHELP-30415 ]

Authentication, authorization, and auditing

  • The Citrix ADC appliance might crash due to large memory allocation because of a missing target URL in the OAuth configuration.

    [ NSHELP-30963 ]
  • The Citrix ADC appliance might crash if there is an error while updating the SSL certificate-key pair that is used in a SAML configuration. To fix this issue, you can unbind the certificate, update it, and then bind the certificate again.

    [ NSHELP-30270 ]
  • A Citrix ADC appliance might fail to respond when SAML authentication is in progress and X.509 certificates of size 1800 bytes or more are used in the SAML authentication.

    [ NSHELP-28608, NSHELP-29913 ]
  • Sometimes, authentication might fail when AAA.LOGIN.PASSWORD is used.

    [ NSHELP-28101 ]
  • SameSite cookie attributes are not added to the authentication cookies if a Citrix ADC appliance is configured for 401-based authentication.

    [ NSHELP-27764 ]
  • When a user performs a SAML logout, the logout does not happen immediately and the following error message is displayed:

    "Unsupported mechanisms found in Assertion; Please contact your administrator."

    This error is seen because the IDP that the customer configured uses a different URL encoding technique to encode the signature algorithm parameter in the response. This fix now supports encoding the signature algorithm parameter in a SAML response using multiple URL encoding techniques.

    [ NSHELP-27621 ]
  • Sometimes, if nFactor is configured, an incorrect IP address is logged in the logout message.

    [ NSHELP-26692 ]
  • The Citrix ADC appliance crashes if both of the following conditions are met.

    • Email OTP is configured
    • Email server does not respond or there is a network issue with the email server

    [ NSHELP-26137, NSHELP-27824 ]
  • In a high availability setup, the Citrix ADC appliance crashes when a forced synchronization is initiated.

    [ NSAUTH-11876 ]

CallHome

  • CallHome registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the Citrix Support Server.

    [ NSHELP-28667 ]

Citrix ADC SDX Appliance

  • The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.

    [ NSHELP-29170 ]

Citrix Gateway

  • The PCoIP Apps and Desktops launch fails when launched from a browser and the error message "VMware client missing" is displayed. This issue occurs because the "vmware-view" protocol is not added to the list of allowed protocols.

    [ NSHELP-30062 ]
  • The Active Users Session page does not display all the active user sessions unless the number of entries is changed to 2000 per page.

    With this fix, a new link "All user session" (Citrix Gateway > Monitor Connections > All user session) is added in the admin UI that lists all the user sessions and connections.

    [ NSHELP-29151 ]
  • You might notice some Citrix internal IP addresses in the rdx.js file.

    [ NSHELP-28682 ]
  • Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

    [ NSHELP-27852 ]

Citrix Web App Firewall

  • An upgrade to XML library version 2.9.12 causes the WAF signature-related XML files to break during parsing.

    [ NSWAF-8662 ]

Load Balancing

  • A partitioned Citrix ADC appliance might dump core while processing a DNS request packet with an additional header (EDNS).

    [ NSHELP-30796 ]
  • In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.

    [ NSHELP-28570 ]

Miscellaneous

  • After upgrading a Citrix ADC appliance, the RDP proxy URLs become inaccessible and the error message "Http/1.1 Object Not Found" appears. This issue occurs when the custom parameters of the RDP URLs contain spaces.

    [ NSHELP-33333 ]
  • In an ICA DTLS setup, the Citrix Gateway appliance crashes when processing the STA ticket.

    [ NSHELP-31211 ]
  • In a Citrix ADC GSLB and SSL VPN setup, a memory leak is observed while handling a DTLS ICA connection. As a result, the connection drops and memory builds up.

    [ NSHELP-30182 ]
  • A memory leak is observed in a Citrix ADC appliance when clearing the allocated memory for Intrusion Prevention System (IPS) resources.

    [ NSHELP-29992 ]
  • A Citrix ADC appliance might crash when replaying a chunked response from the ICAP-module to the client.

    [ NSHELP-28788 ]

Networking

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • LSN filtering and mapping entries are not present in the appliance.
    [ NSHELP-30225 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Session reference count is not zero while deleting a filtering entry.
    [ NSHELP-29348 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Filtering and mapping reference counts are non-zero for the LSN module in the appliance.
    [ NSHELP-28842 ]

Platform

  • The serial console of a Citrix ADC VPX instance hosted on the Azure cloud is not accessible when the virtual machine is in the early stages of booting.

    [ NSPLAT-23010 ]

SSL

  • A Citrix ADC appliance crashes if the following steps are followed:

    1. A monitor of type SSL is added.
    2. A certificate-key pair is bound to the monitor.
    3. The monitor is removed.
    4. Another monitor with the same name is added.
    5. The certificate-key pair is updated.
    [ NSHELP-28666, NSCXLCM-478, NSHELP-29784, NSHELP-31183 ]
  • The Citrix ADC appliance might crash during a reboot if you change the casing in the name of the built-in certificate ("ns-server-certificate") in the configuration file.

    [ NSHELP-26858 ]

System

  • In a Citrix ADC appliance, a latency issue is observed in HTTP/2 transactions if the following conditions are met:

    • HTTP/2 SSL configuration is enabled on the back-end service
    • Service does not support HTTP/2 protocol.
    [ NSHELP-30020 ]
  • In some scenarios, a Citrix ADC appliance might crash under the following conditions:

    • TCP jumbo frames are used.
    • Persistence is configured on a TCP load balancing virtual server.
    [ NSHELP-29162 ]
  • A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

    [ NSHELP-28846 ]
  • The header-only gRPC response from the Citrix ADC appliance to the clients does not contain the gRPC status and gRPC message.

    [ NSBASE-17802 ]

User Interface

  • When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.

    [ NSHELP-34187 ]
  • When a user binds a traffic policy to a content switching or a load balancing virtual server, the binding details do not appear in the GUI.

    [ NSHELP-32751, NSCXLCM-299, NSCXLCM-442 ]
  • Reconnection to the Citrix ADC appliance fails with the following error when "CTRL+C" is entered while running the "show run" command in the CLI interface:

    • "Invalid username or password"

    This issue happens if the characters in the key and password are the same.

    [ NSHELP-30817, NSHELP-36271, NSCXLCM-1846 ]
  • In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.

    [ NSHELP-28870 ]
  • The API response for a NITRO GET request with filter might contain additional information even if it is not mentioned in the filter.

    [ NSHELP-28598 ]
  • ping or ping6 command with interface (-I) option might fail with the following error:

    • "interface option not supported"
    [ NSHELP-26962 ]
  • In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO).

    [ NSHELP-23310 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]

Known Issues

The issues that exist in release 12.1-65.39.

Analytics Infrastructure

  • A Citrix ADC appliance with the client-side measurement configuration might corrupt a variable, resulting in a page load failure under the following condition:

    • The HTTP response contains a JavaScript variable that is greater than 2000 bytes.
    [ NSHELP-30026 ]
  • A Citrix ADC appliance is unable to trace an ICA connection. This issue occurs because, during the packet capture, "nstrace" excludes some packets when IP or PORT filters are used with "start nstrace".

    [ NSHELP-29009 ]
  • The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.

    [ NSHELP-27417 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end. Whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.

    [ NSHELP-22684 ]

AppFlow

  • With AppFlow configured, the Citrix ADC appliance resets a TCP connection if the appliance receives an empty HTTP chunked response from the back-end server.

    This issue occurs when the "clientSideMeasurements" parameter is enabled for the related AppFlow action.

    [ NSHELP-32250 ]

Authentication, authorization, and auditing

  • The Citrix ADC appliance's AAAD module might crash due to a missing or incorrect incoming password length from the packet engine to AAAD.

    [ NSHELP-30911 ]
  • Citrix ADC might crash if one of the following authentication methods is used as a second factor and there are subsequent factors that are configured and require user interaction in an nFactor flow.

    • SAML
    • OAuth
    • Client certificate
    [ NSHELP-29573, NSCXLCM-2904, NSCXLCM-492, NSCXLCM-872, NSCXLCM-1216, NSHELP-32631, NSHELP-32765 ]
  • A Citrix ADC appliance configured to authenticate using OAuth Service Provider cannot be configured with "client_secret_post" to authenticate with IDP tokenEndPoint.

    With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

    [ NSHELP-28945 ]
  • While sending an AS_REQ request for a delegated user, which is part of KCD SSO, the Citrix ADC appliance selects an encryption type with the following priority when the domain controller (DC) publishes all encryption types.

    1. ETYPE_ARCFOUR_HMAC_MD5
    2. ETYPE_AES128_CTS_HMAC_SHA1_96
    3. ETYPE_AES256_CTS_HMAC_SHA1_96

    Instead of

    1. ETYPE_AES256_CTS_HMAC_SHA1_96
    2. ETYPE_AES128_CTS_HMAC_SHA1_96
    3. ETYPE_ARCFOUR_HMAC_MD5
    [ NSHELP-28681 ]
  • Access to a service is denied if the following conditions are met:

    • The service is bound to an authentication virtual server.
    • 401 authentication is configured on the service and the virtual server that the service is bound to.
    [ NSHELP-26903 ]
  • In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.

    [ NSHELP-26745 ]
  • The "timeout" parameter for emailAction command is deprecated. The default value for timeout is 180 seconds.

    [ NSHELP-26424 ]
  • When a Citrix ADC appliance performs a nested LDAP group search, some of the group information from Active Directory is missed because of invalid behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.

    [ NSHELP-26316 ]
  • You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.

    [ NSHELP-26199 ]
  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:
    • The Citrix ADC appliance is configured for multi-factor authentication.
    • Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
    [ NSHELP-18751 ]
  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the Citrix ADC responder policies fail to detect errors for login failures.

    [ NSAUTH-11151 ]
  • If you edit the authentication virtual server using the End-to-end login test or Test End User Connection options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
    Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.
    [ NSAUTH-6339 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:
    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance with Mellanox NICs, modifying the throughput of a VPX instance having Mellanox NICs reboots the VPX instance.

    [ NSHELP-31305 ]
  • In a Citrix ADC SDX appliance, higher memory usage is detected due to high volume of SNMP data processing.

    [ NSHELP-30222 ]
  • The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.

    [ NSHELP-28724 ]
  • On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.

    [ NSHELP-26500 ]
  • SNMPv3 queries work only for a few minutes after changing the password.
    [ NSHELP-19313 ]
  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).
    [ NSHELP-18541, NSHELP-19313 ]

Citrix Gateway

  • Sometimes, when you establish a VPN connection through Citrix Gateway, you are redirected to the home page with incorrect text in the URL. This issue occurs when Citrix ADC is configured with the RfWebUI portal theme.

    [ NSHELP-30097, NSCXLCM-481 ]
  • The Citrix ADC appliance incorrectly logs the "UDPFLOWSTAT" message that indicates traffic as "Allowed" for UDP traffic denied by an authorization policy.

    [ NSHELP-29542 ]
  • While configuring the IIP pool (IP address and mask), if the IP address doesn't match the first IP address in the range, the Citrix ADC CLI and GUI display only one block and not all.

    Example:
    bind vpn vserver vpn_ssl -intranetIP 172.168.1.1 255.255.255.0
    bind vpn vserver vpn_ssl -intranetIP 172.168.2.1 255.255.255.0

    In this case, the CLI or the GUI while showing vpn vserver vpn_ssl only displays 172.168.2.1 pool and not 172.168.2.2.

    Workaround: Use the first IP address in the range to configure the IIP blocks.

    Example:

    bind vpn vserver vpn_ssl -intranetIP 172.168.1.0 255.255.255.0
    bind vpn vserver vpn_ssl -intranetIP 172.168.2.0 255.255.255.0

    [ NSHELP-29084 ]
  • In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

    [ NSHELP-28974 ]
  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]
  • You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

    With this fix, you can now unbind the authorization policy by using the GUI.

    [ NSHELP-27064 ]
  • The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.

    [ NSHELP-27037 ]
  • Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

    [ NSHELP-26904 ]
  • The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.

    [ NSHELP-26722 ]
  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]
  • The Citrix Gateway login page does not load on deleting an admin partition, if configured.

    [ NSHELP-25538 ]
  • Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.

    [ NSHELP-24718 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done
    >

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.

    [ NSHELP-22349 ]
  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
    • SplitTunnel is set to ON.
    • IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In some cases, a Citrix ADC appliance might dump core during a user logout session.

    [ NSHELP-19470 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • When you create a EULA entity, the text appears as a single line on the RfWebUI portal theme of Citrix Gateway. This issue occurs because of the HTML "<br>" line break tag. All the HTML tags along with "<br>" are temporarily disabled in the EULA text. You can try adding line breaks by using "\n".

    [ CGOP-24534 ]
  • To use Always On VPN before Windows Logon functionality, it is recommended that you upgrade your Citrix Gateway to 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Citrix Web App Firewall

  • The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

    [ NSHELP-29113 ]
  • In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.

    [ NSHELP-26570 ]
  • Some requests with security violations are not blocked by HTML cross-site scripting security check.

    [ NSHELP-24762 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • An SNMP alert is generated even if the bandwidth usage is within the configured limit. This issue occurs when comparing two different data types and one of the parameters wraps around when incrementing.

    [ NSHELP-32509 ]
  • The LDAP monitor status remains up even if the configured attributes are not present on the server.

    [ NSHELP-32025 ]
  • Citrix ADC appliance crashes during removal of nameserver if the following conditions are met:

    • DNS server and name server are configured on the same IP address and port.
    • Listen policy is set on the DNS server.
    [ NSHELP-31142 ]
  • A Citrix ADC appliance with connection mirroring set up crashes when the jumbo packets are sent.

    [ NSHELP-31072, NSCXLCM-321 ]
  • A Citrix ADC appliance might crash during clear configuration if persistence entries are present, and a large number of dummy load balancing virtual servers and group virtual servers are configured.

    [ NSHELP-30051 ]
  • Extra CNAME records are seen in the running configuration when you perform the following steps using the Citrix ADC GUI:

    1. Create a GSLB virtual server with DNS record type CNAME
    2. Configure a DNS record type CNAME
    3. Save the configuration

    This issue is cosmetic and does not affect the functionality.

    [ NSHELP-29217 ]
  • The state of the service group displayed in the show and stat commands is inconsistent.

    [ NSHELP-28931 ]
  • The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]
  • The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.

    [ NSHELP-28332 ]
  • Sometimes in a multi-PE system, the domain-based groups do not recover to the UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.

    [ NSHELP-27965 ]
  • Creating a wildcard virtual service fails if an unresolved WIHOME configuration exists on the Citrix ADC appliance.

    [ NSHELP-25627 ]
  • When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.

    [ NSHELP-24329 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.

    [ NSHELP-21425 ]
  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]
  • When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name greater than 32 characters.

    [ NSHELP-20939 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]
  • Redirecting an HTTPS URL fails if the URL contains the % special character.

    [ NSHELP-19993 ]

Miscellaneous

  • Applications might fail to launch through Citrix Gateway because of port exhaustion in the Citrix Gateway appliance.

    [ NSHELP-32418 ]
  • A cluster node goes into a packet loop when the following conditions are met:

    • A UDP packet with a destination IP address as CLIP is sent to a cluster node.
    • The CCO has changed from one node to another during the lifespan of the cluster instance.

    Workaround: You can avoid or terminate this packet loop by applying a drop ACL for that specific UDP packet with the destination IP address as the CLIP address.

    [ NSHELP-30804 ]
  • In a cluster setup, the file auto-synchronization fails when the cluster IP address is configured in a subnet different than the subnet of the NSIP address.

    [ NSHELP-29988 ]
  • A Citrix ADC appliance adds extra L2 information when a tunnel or Type of Service (TOS) virtual servers are created.

    [ NSHELP-27825 ]
  • In a cluster setup, the command propagation might fail because the connection with the CCO is lost. The issue is observed if both of the following conditions are met:

    • You perform a command propagation operation in the setup.
    • The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
    [ NSHELP-26350, NSHELP-24910 ]
  • The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.

    [ NSHELP-25420 ]
  • In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

    [ NSHELP-20366 ]

NetScaler Secure Web Gateway

  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third party vendor.

    [ NSHELP-22409 ]

Networking

  • A Citrix ADC appliance might crash if all of the following conditions are met:

    • A load balancing route is configured in a traffic domain on the appliance.
    • A clear config operation is performed on the appliance.
    [ NSNET-23847 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • Non-TCP traffic to the IPv6 address of NSIP (NSIP6) might fail due to a large number of port leaks.

    [ NSHELP-36764 ]
  • SNMP trap monitoring might fail to read traps when there is a mismatch between the MIB file and actual varbinds.

    [ NSHELP-35629 ]
  • In Layer-3 mode with PMTU enabled, the Citrix ADC appliance drops instead of forwarding the ICMP packets marked with "fragmentation needed but DF bit set" for ESP traffic.

    [ NSHELP-34318 ]
  • In a large scale NAT (LSN) setup, the Citrix ADC appliance might crash because of an internal issue in handling LSN queues.

    [ NSHELP-33499 ]
  • In a Citrix ADC appliance with OSPF routing configured, the default route is not installed even when the OSPF default route LSA is present.

    [ NSHELP-33070 ]
  • In a high availability setup, the primary node might crash due to memory corruption while clearing a large number of LSN sessions.

    [ NSHELP-32467 ]
  • In a large scale NAT 64 setup, the Citrix ADC appliance might crash because of an internal packet engine mismatch issue.

    [ NSHELP-31985 ]
  • The Citrix ADC appliance might crash if all of the following conditions are met:

    • TTL-based ACL times out
    • The Citrix ADC appliance has a large number of ACLs configured.
    [ NSHELP-31307 ]
  • The Citrix ADC appliance might not generate "coldStart" SNMP trap messages after a cold restart.

    [ NSHELP-27917 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition.

    [ NSHELP-24000 ]
  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

    [ NSHELP-21288 ]
  • When an admin partition memory limit is changed in a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the admin partition's new memory limit.

    [ NSHELP-21082 ]

Platform

  • From Citrix ADC release 13.1 build 27.x and later, link redundancy configuration is not supported on a Citrix ADC VPX instance hosted on a Citrix ADC SDX appliance.

    [ NSPLAT-21169 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should always be configured on the primary node.
    [ NSPLAT-4451 ]
  • You might experience transmit stalls on a Citrix ADC SDX appliance with a 10G interface when heavy traffic is sent on this interface.

    [ NSHELP-31232 ]
  • The status of SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.
    [ NSHELP-20009 ]

Policies

  • A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.

    [ NSPOLICY-1462 ]
  • A Citrix ADC appliance might crash during policy addition with patset when the following condition is met:

    • The flag associated with NSB is set in the wrong order for Rewrite TCP scenario.

    [ NSHELP-31064 ]
  • In some scenarios, a Citrix ADC appliance might crash when an assignment action is used with the clear operation for an AppExpert variable.

    [ NSHELP-29766, NSCXLCM-263 ]

SSL

  • When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal "decode_error" alert instead of an "unexpected_message" alert.

    [ NSSSL-11890 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]
  • You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server as an SNI certificate if the domain name is the same.
    [ NSSSL-2560 ]
  • On Citrix ADC platforms containing Coleto chips, SSL renegotiation handshake fails when the size of the handshake message is greater than the quantum size.

    [ NSHELP-33924 ]
  • You might experience momentary performance impact under heavy traffic if the total size of client, server, and CA certificates exchanged in an SSL handshake exceeds the 16K limit.

    [ NSHELP-33905 ]
  • The Citrix ADC SDX appliance crashes when crypto units are assigned to a VPX instance and jumbo config is enabled.

    [ NSHELP-30950, NSCXLCM-294, NSCXLCM-3122 ]
  • A Citrix ADC appliance crashes when all of the following conditions occur:

    • A default RSA certificate-key pair is bound to an internal service.
    • A non-RSA certificate-key pair is bound to the same service.
    • HA sync occurs.
    [ NSHELP-30084 ]
  • A Citrix ADC appliance might crash when processing SSL traffic in software mode.

    [ NSHELP-29996, NSCXLCM-482, NSCXLCM-2486 ]
  • A Citrix ADC MPX/SDX 14000 FIPS appliance might crash due to continuous use of APIs for crypto operations, by internal applications such as SAML, over a period of time.

    [ NSHELP-27952 ]
  • In a high availability setup, the certificate type is not synchronised correctly between the primary and secondary nodes.

    [ NSHELP-27589 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]

System

  • In a TLS HTTP/2 connection, Citrix ADC does not send the HTTP/2 Goaway message when a TLS close notify message is received without a prior TCP FIN flag.

    [ NSHELP-36248 ]
  • A memory leak might occur in the Citrix ADC appliance if both the following conditions are met:

    • HTTP compression feature is enabled.
    • The connection is reset in the middle of the transaction.
    [ NSHELP-30631 ]
  • The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

    [ NSHELP-29142, NSHELP-29583 ]
  • The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

    [ NSHELP-28710, NSHELP-28713 ]
  • The start and stop command is treated as a configuration command and therefore prompts to save the configuration even though there are no configuration changes.

    [ NSHELP-28413 ]
  • TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.

    [ NSHELP-27502, NSBASE-14650 ]
  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]
  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]
  • A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.

    [ NSHELP-26594 ]
  • In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.

    [ NSBASE-10587 ]
  • Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]
  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.
    [ NSUI-13193, NSUI-11561 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • When you create or delete multiple partitions, duplicate partition IDs might be generated. As a result, the following error might appear when creating a partition.

    "Partition-id is already in use by another partition"

    [ NSHELP-35042 ]
  • The Citrix ADC appliance login page might not display the valid user name after the user has logged in.

    [ NSHELP-31759 ]
  • Importing a certificate in an admin partition might incorrectly fail with the following message:

    ERROR: User doesnt have permission for given Destination path

    [ NSHELP-26918 ]
  • When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.

    [ NSHELP-25654 ]
  • Adding a net profile for a DTLS load balancing service might fail when you use the Citrix ADC GUI.

    [ NSHELP-23676 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.

    [ NSHELP-21809 ]
  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.
    [ NSHELP-19958 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]
  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds, but the GUI incorrectly displays the following error:
    Trace not started

    [ NSHELP-18566, NSHELP-24796 ]
  • Users might fail to log in to the downgraded Citrix ADC appliance if the following sequence of conditions is met:

    1. You perform one of the following steps:
       • After upgrading to the current build, you add a system user or change the password of an existing system user, and save the configuration.
       • Provision a new Citrix ADC VPX, BLX, or CPX instance with the current build.
    2. Downgrade the appliance to one of the following builds:
       • 13.1-4.x
       • 13.0-82.x or earlier
       • 12.1-62.x or earlier

    To view the list of users affected after the downgrade, at the command prompt, type:
    `query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]`
    Workaround: Reset the password of the affected users. For more information, see [How to reset root administrator (nsroot) password](https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html).
    Note: If you are downgrading a previously upgraded build, then while downgrading use the backed up configuration file (ns.conf) of the earlier build to avoid this issue.

    [ NSCONFIG-8068 ]
  • Users might fail to log in to the downgraded Citrix ADC appliance if the following sequence of conditions is met:

    1. You perform one of the following steps:
       • After upgrading to the current build, you add a system user or change the password of an existing system user, and save the configuration.
       • Provision a new VPX, BLX, or CPX instance with the current build.
    2. Downgrade the appliance to one of the following builds:
       • 13.0-47.x or earlier
       • 12.1-56.x or earlier
       • 11.1-64.x or earlier

    To view the list of users affected after the downgrade, at the command prompt, type:

    `query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]`

    Workaround: Reset the password of the affected users. For more information, see [How to reset root administrator (nsroot) password](https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html).

    Note: If you are downgrading a previously upgraded build, then while downgrading use the backed up configuration file (ns.conf) of the earlier build to avoid this issue.

    [ NSCONFIG-3188 ]