Release Notes for Citrix ADC 12.1-65.25 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 12.1-65.25.


  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 12.1-65.25 and later builds address the security vulnerabilities described in
  • Build 65.25 replaces Build 65.21.

What's New

The enhancements and changes that are available in Build 12.1-65.25.


  • New parameter added in HTTP profile

    A new parameter passProtocolUpgrade is added to the HTTP profile to prevent attacks on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.

    • If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back end. The server accepts the upgrade request and notifies it in its response.
    • If this parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back end.

    The passProtocolUpgrade parameter is added to the following profiles:

    • nshttp_default_profile ENABLED by default
    • nshttp_default_strict_validation DISABLED by default
    • nshttp_default_internal_apps DISABLED by default
    • nshttp_default_http_quic_profile ENABLED by default

    Citrix recommends that this parameter be disabled by default. For more details, see the Citrix ADC Secure Deployment Guide.

    [ NSBASE-17423 ]

Fixed Issues

The issues that are addressed in Build 12.1-65.25.

Authentication, authorization, and auditing

  • The Citrix ADC appliance might crash due to large memory allocation because of a missing target URL in the OAuth configuration.

    [ NSHELP-30963 ]
  • The Citrix ADC appliance might crash if there is an error while updating SSL certificate-key pair being used in SAML configuration. To fix this issue, you can unbind the certificate, update and then bind the certificate again.

    [ NSHELP-30270 ]
  • A Citrix ADC appliance might fail to respond when SAML authentication is in progress and X.509 certificates of size 1800 bytes or more are used in the SAML authentication.

    [ NSHELP-28608, NSHELP-29913 ]
  • Sometimes, authentication might fail when Authentication, authorization, and auditing.LOGIN.PASSWORD is used.

    [ NSHELP-28101 ]
  • SameSite cookie attributes are not added to the authentication cookies if a Citrix ADC appliance is configured for 401-based authentication.

    [ NSHELP-27764 ]
  • When a user performs a SAML logout, the log out does not happen immediately and the following error message is displayed:

    "Unsupported mechanisms found in Assertion; Please contact your administrator."

    This error is seen because the IDP that the customer configured uses a different URL encoding technique to encode the signature algorithm parameter in the response. This fix now supports encoding the signature algorithm parameter in a SAML response using multiple URL encoding techniques.

    [ NSHELP-27621 ]
  • Sometimes, if nFactor is configured, incorrect IP address is logged in the logout message.

    [ NSHELP-26692 ]
  • The Citrix ADC appliance crashes if both of the following conditions are met.

    • Email OTP is configured
    • Email server does not respond or there is a network issue with the email server

    [ NSHELP-26137, NSHELP-27824 ]
  • In a high availability setup, the Citrix ADC appliance crashes when a forced synchronization is initiated.

    [ NSAUTH-11876 ]


  • CallHome registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the Citrix Support Server.

    [ NSHELP-28667 ]

Citrix ADC SDX Appliance

  • The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.

    [ NSHELP-29170 ]

Citrix Gateway

  • In an ICA DTLS setup, the Citrix Gateway appliance crashes when processing the STA ticket.

    [ NSHELP-31211 ]
  • Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:
    1. For the VPN plug-in upgrade, end users must connect using VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
    2. For EPA only use case, the end users will not have the VPN client to connect to gateway. In this case, perform the following:

    1. Connect to the gateway using a browser.
    2. Wait for the download page to appear and download the nsepa_setup.exe.
    3. After downloading, close the browser and install the nsepa_setup.exe file.
    4. Restart the client.
    [ NSHELP-30641 ]
  • In a Citrix ADC GSLB and SSL VPN setup, memory leak is observed while handling a DTLS ICA connection. As a result, the connection drops and memory builds up.

    [ NSHELP-30182 ]
  • The PCoIP Apps and Desktops launch fails when launched from a browser and the error message "VMware client missing" is displayed. This issue occurs because the "vmware-view" protocol is not added to the list of allowed protocols.

    [ NSHELP-30062 ]
  • The Active Users Session page does not display all the active user sessions unless the numbers of entries is changed to 2000 per page.

    With this fix, a new link "All user session" (Citrix gateway -> Monitor Connections > All user session) is added in the admin UI that lists all the user sessions and connections.

    [ NSHELP-29151 ]
  • Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

    [ NSHELP-27852 ]

Citrix Web App Firewall

  • An upgrade to XML library version 2.9.12 causes the WAF signature-related XML files to break during parsing.

    [ NSWAF-8662 ]

Load Balancing

  • A partitioned Citrix ADC appliance might dump core while processing a DNS request packet with an additional header (EDNS).

    [ NSHELP-30796 ]
  • In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.

    [ NSHELP-28570 ]


  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • LSN filtering and mapping entries are not present in the appliance.
    [ NSHELP-30225 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Session reference count is not zero while deleting a filtering entry.
    [ NSHELP-29348 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Filtering and mapping reference counts are non-zero for the LSN module in the appliance.
    [ NSHELP-28842 ]


  • The serial console of a Citrix ADC VPX instance hosted on the Azure cloud is not accessible when the virtual machine is in the early stages of booting.

    [ NSPLAT-23010 ]


  • A Citrix ADC appliance crashes if the following steps are followed:

    1. A monitor of type SSL is added.
    2. A certificate-key pair is bound to the monitor.
    3. The monitor is removed.
    4. Another monitor with the same name is added.
    5. The certificate-key pair is updated.
    [ NSHELP-28666, NSHELP-29784, NSHELP-31183 ]
  • The Citrix ADC appliance might crash during a reboot if you change the casing in the name of the built-in certificate ("ns-server-certificate") in the configuration file.

    [ NSHELP-26858 ]


  • The REST collector is down even when the AppFlow parameter "TimeSeriesOverNSIP" is enabled.

    [ NSHELP-30759 ]
  • In a Citrix ADC appliance, latency issue is observed in HTTP/2 transactions if the following conditions are met:

    • HTTP/2 SSL configuration is enabled on the back-end service
    • Service does not support HTTP/2 protocol.
    [ NSHELP-30020 ]
  • Memory leak is observed in a Citrix ADC appliance when clearing the allocated memory for Intrusion Prevention System (IPS) resources.

    [ NSHELP-29992 ]
  • A second request on the same client connection fails if the following conditions are met:

    • clientSideMeasurements is enabled.
    • HEAD request is received.
    [ NSHELP-29353 ]
  • The Citrix ADC appliance might incorrectly add an IPv4 address to an AppFlow record related to an IPv6 transaction.

    [ NSHELP-29261 ]
  • In some scenarios, a Citrix ADC appliance might crash under the following conditions:

    • TCP jumbo frames are used.
    • Persistence is configured on a TCP load balancing virtual server.
    [ NSHELP-29162 ]
  • A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

    [ NSHELP-28846 ]
  • A Citrix ADC appliance might crash when replaying a chunked response from the ICAP-module to the client.

    [ NSHELP-28788 ]
  • The Citrix ADC VPX instance might crash if responder policies are configured, and you add some rewrite policies that lead to header corruption.

    [ NSHELP-28512, NSHELP-30415 ]

User Interface

  • Reconnection to the Citrix ADC appliance fails with the following error when "CTRL+C" is entered while running the "show run" command in the CLI interface:

    • "Invalid username or password"

    This issue happens if the characters in the key and password are the same.

    [ NSHELP-30817 ]
  • In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.

    [ NSHELP-28870 ]
  • The API response for a NITRO GET request with filter might contain additional information even if it is not mentioned in the filter.

    [ NSHELP-28598 ]
  • ping or ping6 command with interface (-I) option might fail with the following error:

    • "interface option not supported"
    [ NSHELP-26962 ]
  • In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO)

    [ NSHELP-23310 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]

Known Issues

The issues that exist in release 12.1-65.25.


  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
    [ NSINSIGHT-943 ]
  • With AppFlow configured, the Citrix ADC appliance resets a TCP connection if the appliance receives an empty HTTP chunked response from the back-end server.

    This issue occurs when the "clientSideMeasurements" parameter is enabled for the related AppFlow action.

    [ NSHELP-32250 ]

Authentication, authorization, and auditing

  • The Citrix ADC appliance's Authentication, authorization, and auditingD module might crash due to a missing or incorrect incoming password length from the packet engine to the Authentication, authorization, and auditingD.

    [ NSHELP-30911 ]
  • A Citrix ADC appliance configured to authenticate using OAuth Service Provider, cannot be configured with 'client-secrete_post" to authenticate with IDP tokenEndPoint.

    With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

    [ NSHELP-28945 ]
  • While sending an AS_REQ request for a delegated user, which is part of KCD SSO, the Citrix ADC appliance selects an encryption type with the following priority when domain controller (DC) publishes all encryption types.

    2. ETYPE_AES128_CTS_HMAC_SHA1_96
    3. ETYPE_AES256_CTS_HMAC_SHA1_96

    Instead of

    1. ETYPE_AES256_CTS_HMAC_SHA1_96
    2. ETYPE_AES128_CTS_HMAC_SHA1_96
    [ NSHELP-28681 ]
  • Access to a service is denied if the following conditions are met:

    • The service is bound to an authentication virtual server.
    • 401 authentication is configured on the service and the virtual server that the service is bound to.
    [ NSHELP-26903 ]
  • In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.

    [ NSHELP-26745 ]
  • The "timeout" parameter for emailAction command is deprecated . The default value for timeout is 180 seconds.

    [ NSHELP-26424 ]
  • When a Citrix ADC appliance performs a nested LDAP group search, some of the groups information from the active directory is missed because of an invalid behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.

    [ NSHELP-26316 ]
  • You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.

    [ NSHELP-26199 ]
  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:
    • The Citrix ADC appliance is configured for multi-factor authentication.
    • Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally display incorrect virtual server name.
    [ NSHELP-18751 ]
  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the Citrix ADC responder policies fail to detect errors for login failures.

    [ NSAUTH-11151 ]
  • If you edit the authentication virtual server using the "End-to-end login test or Test End User Connection options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
    Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.
    [ NSAUTH-6339 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:
    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance with Mellanox NICs, modifying the throughput of a VPX instance having Mellanox NICs reboots the VPX instance.

    [ NSHELP-31305 ]
  • In a Citrix ADC SDX appliance, higher memory usage is detected due to high volume of SNMP data processing.

    [ NSHELP-30222 ]
  • The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.

    [ NSHELP-28724 ]
  • On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.

    [ NSHELP-26500 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • SNMPv3 queries work only for a few minutes after changing the password.
    [ NSHELP-19313 ]
  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).
    [ NSHELP-18541, NSHELP-19313 ]

Citrix Gateway

  • Applications might fail to launch through Citrix Gateway because of port exhaustion in the Citrix Gateway appliance.

    [ NSHELP-32418 ]
  • Customized EPA failure log message is not displayed on the Citrix Gateway portal. Instead, the message "internal error" is displayed.

    [ NSHELP-31434 ]
  • The Citrix ADC appliance incorrectly logs the "UDPFLOWSTAT" message that indicates traffic as "Allowed" for UDP traffic denied by an authorization policy.

    [ NSHELP-29542 ]
  • While configuring the IIP pool (IP address and mask), if the IP address doesn't match the first IP address in the range, the Citrix ADC CLI and GUI displays only one block and not all.

    bind vpn vserver vpn_ssl -intranetIP
    bind vpn vserver vpn_ssl -intranetIP

    In this case, the CLI or the GUI while showing vpn vserver vpn_ssl only displays pool and not

    Workaround : Use the first IP address in the range to configure the IIP blocks.


    bind vpn vserver vpn_ssl -intranetIP
    bind vpn vserver vpn_ssl -intranetIP

    [ NSHELP-29084 ]
  • In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

    [ NSHELP-28974 ]
  • You might notice some Citrix internal IP addresses in the rdx.js file.

    [ NSHELP-28682 ]
  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]
  • You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

    With this fix, you can now unbind the authorization policy by using the GUI.

    [ NSHELP-27064 ]
  • The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.

    [ NSHELP-27037 ]
  • Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

    [ NSHELP-26904 ]
  • The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.

    [ NSHELP-26722 ]
  • The Citrix Receiver download URL (receiver.exe file) does not download after authentication.

    [ NSHELP-26600 ]
  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]
  • The Citrix Gateway login page does not load on deleting an admin partition, if configured.

    [ NSHELP-25538 ]
  • The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.

    [ NSHELP-25420 ]
  • Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.

    [ NSHELP-24718 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]
  • VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication "off"
    [ NSHELP-23584 ]
  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.


    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1


    [ NSHELP-23496 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.

    [ NSHELP-22349 ]
  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
    • SplitTunnel is set to ON.
    • IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In some cases, a Citrix ADC appliance might dump core during a user logout session.

    [ NSHELP-19470 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • In a Citrix ADC cluster setup, HDX Insight and Gateway Insight cannot be enabled simultaneously.
    [ CGOP-22849 ]
  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • When an ICA connection is launched from a MAC receiver version or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

    [ CGOP-13494 ]
  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

    [ CGOP-13493 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
    [ CGOP-3359 ]

Citrix Web App Firewall

  • The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

    [ NSHELP-29113 ]
  • In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.

    [ NSHELP-26570 ]
  • Some requests with security violations are not blocked by HTML cross-site scripting security check.

    [ NSHELP-24762 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • The LDAP monitor status remains up even if the configured attributes are not present on the server.

    [ NSHELP-32025 ]
  • Citrix ADC appliance crashes during removal of nameserver if the following conditions are met:

    • DNS server and name server are configured on the same IP address and port.
    • Listen policy is set on the DNS server.
    [ NSHELP-31142 ]
  • A Citrix ADC appliance might crash during clear configuration if persistence entries are present, and a large number of dummy load balancing virtual servers and group virtual servers are configured.

    [ NSHELP-30051 ]
  • The state of the service group displayed in the show and stat commands is inconsistent.

    [ NSHELP-28931 ]
  • The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]
  • The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.

    [ NSHELP-28332 ]
  • Sometimes in a multi-PE system, the domain-based groups doesn't recover to UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.

    [ NSHELP-27965 ]
  • Creating a wildcard virtual service fails if an unresolved WIHOME configuration exists on the Citrix ADC appliance.

    [ NSHELP-25627 ]
  • When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.

    [ NSHELP-24329 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.

    [ NSHELP-21425 ]
  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]
  • When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name greater than 32 characters.

    [ NSHELP-20939 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]
  • Redirecting an HTTPS URL fails if the URL contains the % special character.

    [ NSHELP-19993 ]


  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
    [ NSSWG-849 ]
  • A cluster node goes into a packet loop when the following conditions are met:

    • A UDP packet with a destination IP address as CLIP is sent to a cluster node.
    • The CCO has changed from one node to another during the lifespan of the cluster instance.

    Workaround: You can avoid or terminate this packet loop by applying a drop ACL for that specific UDP packet with the destination IP address as the CLIP address.

    [ NSHELP-30804 ]
  • A Citrix ADC appliance adds extra L2 information when a tunnel or Type of Service (TOS) virtual servers are created.

    [ NSHELP-27825 ]
  • In a cluster setup, the command propagation might fail due to connection lost with CCO. The issue is observed if both of the following conditions are met:

    • You perform a command propagation operation in the setup.
    • The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
    [ NSHELP-26350, NSHELP-24910 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

    [ NSHELP-22409 ]
  • In a L3 cluster setup, the local nodegroup wrongly send the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

    [ NSHELP-20366 ]


  • A Citrix ADC appliance might crash if all of the following conditions are met:

    • A load balancing route is configured in a traffic domain on the appliance.
    • A clear config operation is performed on the appliance.
    [ NSNET-23847 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • In a high availability setup, the primary node might crash due to memory corruption while clearing a large number of LSN sessions.

    [ NSHELP-32467 ]
  • The Citrix ADC appliance might crash if all of the following conditions are met:

    • TTL-based ACL times out
    • The Citrix ADC appliance has a large number of ACLs configured.
    [ NSHELP-31307 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Because of stale filtering entry.
    [ NSHELP-28895 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition

    [ NSHELP-24000 ]
  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

    [ NSHELP-21288 ]
  • When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

    [ NSHELP-21082 ]


  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
    [ NSPLAT-4451 ]
  • The status of SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.
    [ NSHELP-20009 ]


  • A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.

    [ NSPOLICY-1462 ]
  • A Citrix ADC appliance might crash during policy addition with patset when the following condition is met:

    • The flag associated with NSB is set in the wrong order for Rewrite TCP scenario.

    [ NSHELP-31064 ]
  • In some scenarios, a Citrix ADC appliance might crash when an assignment action is used with the clear operation for an AppExpert variable.

    [ NSHELP-29766 ]


  • When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal "decode_error" alert instead of an "unexpected_message" alert.

    [ NSSSL-11890 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]
  • You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server, as an SNI certificate if the domain name is the same.
    [ NSSSL-2560 ]
  • The Citrix ADC SDX appliance crashes when crypto units are assigned to a VPX instance and jumbo config is enabled.

    [ NSHELP-30950 ]
  • A Citrix ADC appliance crashes when all of the following conditions occur:

    • A default RSA certificate-key pair is bound to an internal service.
    • A non-RSA certificate-key pair is bound to the same service.
    • HA sync occurs.
    [ NSHELP-30084 ]
  • A Citrix ADC appliance might crash when processing SSL traffic in software mode.

    [ NSHELP-29996 ]
  • In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

    [ NSHELP-28058 ]
  • A Citrix ADC MPX/SDX 14000 FIPS appliance might crash due to continuous use of APIs for crypto operations, by internal applications such as SAML, over a period of time.

    [ NSHELP-27952 ]
  • In a high availability setup, the certificate type is not synchronised correctly between the primary and secondary nodes.

    [ NSHELP-27589 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]


  • A Citrix ADC appliance with the client-side measurement configuration might corrupt a variable resulting in the page load failure under the following condition:

    • The HTTP response contains a javascript variable that is greater than 2000 bytes.
    [ NSHELP-30026 ]
  • In certain scenarios, Citrix ADC appliance does not forward some HTTP packets to the back-end server, if the following condition is met:

    • If a Citrix ADC feature internally clones HTTP packets.

    [ NSHELP-29958 ]
  • The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

    [ NSHELP-29142, NSHELP-29583 ]
  • The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

    [ NSHELP-28710, NSHELP-28713 ]
  • TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.

    [ NSHELP-27502, NSBASE-14650 ]
  • The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.

    [ NSHELP-27417 ]
  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]
  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]
  • A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.

    [ NSHELP-26594 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end. Whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.

    [ NSHELP-22684 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
    [ NSHELP-21240 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
    [ NSBASE-16304, NSGI-1293 ]
  • In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.

    [ NSBASE-10587 ]
  • Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]
  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.
    [ NSUI-13193, NSUI-11561 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • The Citrix ADC appliance login page might not display the valid user name after the user has logged in.

    [ NSHELP-31759 ]
  • Importing a certificate in an admin partition might incorrectly fail with the following message:

    ERROR: User doesnt have permission for given Destination path

    [ NSHELP-26918 ]
  • When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.

    [ NSHELP-25654 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.

    [ NSHELP-21809 ]
  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for few SNMP alarms.
    [ NSHELP-19958 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]
  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. But the GUI, incorrectly displays the following error:
    Trace not started

    [ NSHELP-18566, NSHELP-24796 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds
      • 13.0 52.24 build
      • 12.1 57.18 build
      • 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    `query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]`

    Workaround: To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see

    [ NSCONFIG-3188 ]