Release Notes for Citrix ADC 13.0-64.35 Release

This release notes document describes the enhancements and changes, and the fixed and known issues, for Citrix ADC release Build 13.0-64.35.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-64.35 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX281474.

What's New

The enhancements and changes that are available in Build 13.0-64.35.

Authentication, authorization, and auditing

  • Increase in the individual maximum length value for SAML attribute
    The individual maximum length for a SAML attribute has been increased to 40k bytes. The combined size of all attributes must still not exceed 40k bytes. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/citrix-adc-saml-sp.html.
    [ NSAUTH-8225 ]
  • Increase in the maximum length value for attributes
    The maximum length of the following attributes has changed as follows (new maximum length in each case):
    - set samlaction <saml-action-name> -samlissuerName: 511
    - set samlidPProfile <saml-idp-profile-name> -samlissuerName: 511
    - set samlidPProfile <saml-idp-profile-name> -serviceProviderID: 511
    - set tm samlSSOProfile <saml-sso-profile-name> -samlissuerName: 511
    - set vpn samlSSOProfile <saml-sso-profile-name> -samlissuerName: 511
    - set oauthaction <oauth-action-name> -clientSecret: 239
    - set oauthaction <oauthidp_profile-name> -clientSecret: 239
    [ NSAUTH-8180 ]
  • Support to disable the weak Basic, Digest, and NTLM authentication methods globally
    SSO configuration is now more secure: the following weak authentication methods are disabled globally for single sign-on to back-end servers.
    - Basic authentication
    - Digest Access Authentication
    - NTLM, unless the Negotiate NTLM2 Key or Negotiate Sign flag is set

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
    [ NSAUTH-7747 ]
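    The 40k-byte attribute limits above are easiest to check against real assertions before an IdP change goes live. The following helper is an added example, not Citrix code: it parses a SAML 2.0 assertion, measures the UTF-8 size of each Attribute's values and of all attributes combined, and flags anything over the limit. The release note says "40k bytes" without stating the exact count, so the script uses 40,000 as the conservative bound (an assumption); the sample assertion is constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# The release note says "40k bytes" without giving the exact count; 40,000 is
# used here as the conservative bound (assumption, not a documented value).
PER_ATTRIBUTE_LIMIT = 40_000
TOTAL_LIMIT = 40_000


def attribute_sizes(assertion_xml: str) -> dict:
    """Return {attribute Name: UTF-8 byte length of all its AttributeValue text}.

    Nested markup inside an AttributeValue is flattened with itertext(), so the
    measurement covers the text the SP actually extracts. Parse untrusted
    assertions with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(assertion_xml)
    sizes = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        nbytes = 0
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            nbytes += len("".join(value.itertext()).encode("utf-8"))
        sizes[name] = sizes.get(name, 0) + nbytes
    return sizes


def check_attribute_limits(assertion_xml: str,
                           per_attribute_limit: int = PER_ATTRIBUTE_LIMIT,
                           total_limit: int = TOTAL_LIMIT) -> dict:
    """Report per-attribute sizes, the combined size, and any limit violations."""
    sizes = attribute_sizes(assertion_xml)
    total = sum(sizes.values())
    return {
        "sizes": sizes,
        "total": total,
        "oversized": sorted(n for n, s in sizes.items() if s > per_attribute_limit),
        "total_ok": total <= total_limit,
    }


def sample_assertion(group_count: int) -> str:
    """Constructed test assertion: one small attribute plus a long group list."""
    groups = "".join(
        f"<saml:AttributeValue>CN=group{i:04d},OU=Groups,DC=example,DC=com</saml:AttributeValue>"
        for i in range(group_count)
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
        f'<saml:Attribute Name="memberOf">{groups}</saml:Attribute>'
        '</saml:AttributeStatement>'
        '</saml:Assertion>'
    )


if __name__ == "__main__":
    # 1100 group DNs of 40 bytes each: one attribute alone exceeds the limit.
    report = check_attribute_limits(sample_assertion(1100))
    print(report["sizes"], report["oversized"], report["total_ok"])
```

    Group membership (memberOf) is the attribute that usually blows the limit, which is why a large-group user is the right test case; cap or filter groups on the IdP side rather than relying on the SP to tolerate oversize assertions.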
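    Before relying on the global weak-method switch, it helps to know which back-end servers still challenge with Basic, Digest or plain NTLM. The following classifier is an added example, not Citrix code: it takes a WWW-Authenticate header value, and for NTLM decodes the type-2 CHALLENGE_MESSAGE and tests the NegotiateFlags for NTLMSSP_NEGOTIATE_NTLM2 (0x00080000, the "Negotiate NTLM2 Key" flag) and NTLMSSP_NEGOTIATE_SIGN (0x00000010), the two flags the release note names. The flag values and the 48-byte type-2 layout follow MS-NLMP; the challenge tokens are constructed for the example.

```python
import base64
import struct

# NTLMSSP NegotiateFlags (MS-NLMP section 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010     # "Negotiate Sign"
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000    # "Negotiate NTLM2 Key" (extended session security)


def ntlm_challenge_flags(token_b64: str) -> int:
    """Extract NegotiateFlags from a base64 NTLM CHALLENGE_MESSAGE (type 2)."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 24 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got type {msg_type}")
    return struct.unpack_from("<I", raw, 20)[0]   # flags sit after the TargetNameFields


def classify_challenge(www_authenticate: str) -> tuple:
    """Map one WWW-Authenticate header value to (scheme, verdict, reason)."""
    scheme, _, param = www_authenticate.strip().partition(" ")
    s = scheme.lower()
    if s == "basic":
        return ("Basic", "weak", "credentials sent base64-encoded, protected only by TLS")
    if s == "digest":
        return ("Digest", "weak", "typically MD5-based challenge/response, offline-crackable")
    if s == "negotiate":
        return ("Negotiate", "ok", "SPNEGO; Kerberos preferred")
    if s == "ntlm":
        if not param:
            return ("NTLM", "pending", "initial challenge carries no token; inspect the type-2 reply")
        flags = ntlm_challenge_flags(param)
        if flags & (NTLMSSP_NEGOTIATE_NTLM2 | NTLMSSP_NEGOTIATE_SIGN):
            return ("NTLM", "ok", f"flags=0x{flags:08x}: NTLM2 key and/or signing negotiated")
        return ("NTLM", "weak", f"flags=0x{flags:08x}: neither NTLM2 key nor signing negotiated")
    return (scheme, "unknown", "unrecognised scheme")


def build_challenge(flags: int,
                    server_challenge: bytes = b"\x01\x23\x45\x67\x89\xab\xcd\xef") -> str:
    """Constructed minimal 48-byte type-2 message (empty TargetName/TargetInfo) for testing."""
    msg = (
        b"NTLMSSP\x00"
        + struct.pack("<I", 2)               # MessageType = CHALLENGE_MESSAGE
        + struct.pack("<HHI", 0, 0, 48)      # TargetNameFields: len, maxlen, offset
        + struct.pack("<I", flags)           # NegotiateFlags
        + server_challenge                   # 8-byte ServerChallenge
        + b"\x00" * 8                        # Reserved
        + struct.pack("<HHI", 0, 0, 48)      # TargetInfoFields: len, maxlen, offset
    )
    return base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    weak = build_challenge(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM)
    strong = build_challenge(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)
    for hdr in ['Basic realm="intranet"', "Negotiate", "NTLM", "NTLM " + weak, "NTLM " + strong]:
        print(classify_challenge(hdr))
```

    A server that only ever answers "NTLM" without a token has not yet shown its flags; the type-2 reply to the client's type-1 message is where the NTLM2/sign decision becomes visible, so capture that exchange rather than the first 401.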

Citrix ADC SDX Appliance

  • Auto-upgrade of the built-in agent without initialization
    From Citrix ADC release 13.0 build 61.xx and later, Citrix ADC SDX appliances ship with a built-in agent that provides ADM Service Connect functionality. The Citrix ADM built-in agent on the ADC SDX appliance starts as an active daemon and communicates with ADM service. After communication with ADM service is established, the built-in agent auto-upgrades itself to the latest software version at regular intervals.
    [ NSSVM-3919 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC SDX appliances onto Citrix ADM service. This feature lets the ADC SDX appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you can get insights and recommendations for your Citrix ADC infrastructure, on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade the Citrix ADC SDX appliance.

    For more information, see the following topics:

    - Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
    - Data governance: https://docs.citrix.com/en-us/sdx/13/data-governance.html
    - Citrix ADM service connect: https://docs.citrix.com/en-us/sdx/13/adm-service-connect.html

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
    [ NSSVM-3911 ]

Citrix Web App Firewall

  • Security check to block violations of the HTTP POST body size limit
    The Citrix Web App Firewall profile now supports "PostBodyLimitAction" as a configurable security check that honors the profile's error settings and blocks requests (except for the redirect URL) whose HTTP POST body exceeds the maximum allowed size. The check also applies to requests with a "Transfer-Encoding: chunked" header, where no Content-Length header announces the body size up front. Previously, POST body limit violations resulted in a 400 server response.

    The log format for the "PostBodyLimitAction" setting now follows the audit log format.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/app-firewall-profile-settings.html.
    [ NSWAF-5184 ]
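    The chunked case matters because a limit enforced only on Content-Length is bypassed by any request that omits that header. The following function is an added example, not Citrix code or the appliance's implementation: it applies a POST body size limit to a buffered HTTP/1.1 request, trusting Content-Length only when the body is not chunked, and for chunked bodies walks the chunk-size lines and stops as soon as the running total passes the limit. Requests and the chunk encoder are constructed for the example.

```python
def _parse_head(raw: bytes):
    """Split a buffered request into (request line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def chunked_body_size(body: bytes, limit: int) -> int:
    """Walk the chunk-size lines; return early once the running total passes limit."""
    total = pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        chunk_len = int(size_field, 16)
        if chunk_len == 0:
            return total                                      # last-chunk reached
        total += chunk_len
        if total > limit:
            return total          # limit already exceeded; no need to buffer the rest
        pos = eol + 2 + chunk_len + 2                         # skip data and its CRLF
        if pos > len(body):
            raise ValueError("truncated chunk data")


def post_body_limit_action(raw_request: bytes, limit: int) -> tuple:
    """Return ("block" | "allow", body bytes observed) for one buffered POST."""
    request_line, headers, body = _parse_head(raw_request)
    if not request_line.upper().startswith(b"POST "):
        return ("allow", 0)
    transfer_encoding = headers.get(b"transfer-encoding", b"").lower()
    if b"chunked" in transfer_encoding:
        # RFC 7230 3.3.3: Transfer-Encoding overrides Content-Length, so a small
        # Content-Length must not be trusted when the body is chunked.
        size = chunked_body_size(body, limit)
    else:
        declared = int(headers.get(b"content-length", b"0"))
        size = max(declared, len(body))      # do not trust an understated length either
    return ("block" if size > limit else "allow", size)


def chunk_encode(parts) -> bytes:
    """Constructed helper: encode byte parts as an HTTP/1.1 chunked body."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


def sample_request(body: bytes, chunked: bool) -> bytes:
    """Constructed POST to a hypothetical upload endpoint."""
    head = b"POST /upload HTTP/1.1\r\nHost: app.example.com\r\n"
    if chunked:
        return head + b"Transfer-Encoding: chunked\r\n\r\n" + body
    return head + b"Content-Length: %d\r\n\r\n" % len(body) + body


if __name__ == "__main__":
    limit = 1024
    print(post_body_limit_action(sample_request(b"A" * 1200, chunked=False), limit))
    print(post_body_limit_action(sample_request(chunk_encode([b"B" * 600, b"B" * 600]), chunked=True), limit))
```

    The early return inside chunked_body_size is the point of the exercise: a streaming enforcement point does not need the whole body before deciding to block, which keeps a body-size limit from turning into a memory-exhaustion vector of its own.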

Load Balancing

  • Increased character length for the monitor name
    The number of characters in the monitor name is now increased up to 255 characters.
    [ NSLB-5223 ]

Networking

  • Change in Interface numbering scheme in Citrix ADC BLX appliances
    The interface numbering scheme for a Citrix ADC BLX appliance is modified to align with other Citrix ADC platforms. Citrix recommends that you update any scripts that depend on the interface numbering.

    Previously, the two internal interfaces were numbered as the first and the last interface, and all the dedicated interfaces (in a Citrix ADC BLX appliance in non-DPDK or DPDK mode) were numbered between them.

    Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:

    - The internal BLX interfaces are numbered as 0/1 and 0/4.
    - The dedicated interfaces are numbered as 0/2 and 0/3.

    Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface:

    - The internal BLX interfaces are numbered as 0/1 and 0/3.
    - The DPDK interface is numbered as 0/2.

    From this release onwards, the interfaces in a Citrix ADC BLX appliance are numbered in the following sequential order:

    - Both internal interfaces, numbered as the first and the second interface.
    - Dedicated interfaces.
    - DPDK interfaces (in Citrix ADC BLX appliances in DPDK mode).

    Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:

    - The internal BLX interfaces are numbered as 0/1 and 0/2.
    - The dedicated interfaces are numbered as 0/3 and 0/4.

    Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface (40G) and one non-DPDK dedicated interface:

    - The internal BLX interfaces are numbered as 0/1 and 0/2.
    - The non-DPDK dedicated interface is numbered as 0/3.
    - The DPDK interface (40G) is numbered as 40/1.
    [ NSNET-17067 ]
  • Non-default password support for the root user on Citrix ADC CPX
    Citrix ADC CPX now supports a non-default password for the root user (nsroot). When you deploy CPX, a random password is generated and assigned to the root user. You can also change it manually.
    [ NSNET-10520 ]
  • Subscription local licenses support for Citrix ADC BLX appliances
    A local license is similar to a perpetual license, but it has an expiration date. The software subscriptions that make up local licenses are term-based and can be installed without requiring ADM as a licensing server.

    The following type of subscription local license is available for Citrix ADC BLX appliances:

    Bandwidth-based subscription local license. This type of license is enforced as the maximum allowed throughput to which a particular Citrix ADC BLX appliance is entitled. Each local license is also tied to one of the Citrix ADC software editions (Standard, Enterprise, or Platinum), which unlocks that edition's ADC feature set on the Citrix ADC BLX appliance. Embedded Select support is included with the subscription local license purchase.

    Example:

    A Citrix ADC BLX Subscription 10 Gbps Premium Edition license entitles a Citrix ADC BLX appliance to a maximum allowed throughput of 10 Gbps. It also unlocks all the ADC features listed in the Premium edition on the Citrix ADC BLX appliance.
    [ NSNET-9189 ]
  • Mellanox NICs support for Citrix ADC BLX appliances in DPDK mode
    Citrix ADC BLX appliances now support Mellanox NICs with MLX5 driver for deployment in DPDK mode.
    [ NSNET-8946 ]
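    The interface renumbering item above asks you to update scripts that reference BLX interfaces by number. The following helper is an added example, not Citrix code: it maps an old-scheme interface number to the new scheme for a BLX appliance in non-DPDK mode with a known number of dedicated interfaces, and rewrites every interface reference in a configuration fragment in one pass. It deliberately leaves DPDK-mode interfaces alone, since in the new scheme those take a speed-based prefix (the page's example is 40/1) that cannot be derived from the old 0/x number; the fragment is constructed for the example.

```python
import re

# Matches an old-scheme interface number "0/<n>" that is not part of an IP
# address or CIDR prefix (e.g. the "0/24" in "10.0.0.0/24") or another token.
OLD_IFNUM = re.compile(r"(?<![\w./])0/(\d+)\b")


def new_interface_number(old: str, n_dedicated: int) -> str:
    """Map an old-scheme non-DPDK BLX interface number to the new scheme.

    Old scheme with n dedicated interfaces: 0/1 internal, 0/2..0/(n+1) dedicated,
    0/(n+2) internal.  New scheme: 0/1 and 0/2 internal, 0/3..0/(n+2) dedicated.
    """
    unit, _, idx = old.partition("/")
    if unit != "0" or not idx.isdigit():
        raise ValueError(f"{old!r} is not an old-scheme BLX interface number")
    k = int(idx)
    if k == 1:
        return "0/1"                      # first internal interface keeps its number
    if 2 <= k <= n_dedicated + 1:
        return f"0/{k + 1}"               # dedicated interfaces shift up by one
    if k == n_dedicated + 2:
        return "0/2"                      # last internal interface becomes the second
    raise ValueError(f"{old!r} exceeds the old scheme for {n_dedicated} dedicated interfaces")


def renumber_config(text: str, n_dedicated: int) -> str:
    """Rewrite every old-scheme interface reference in a config/script fragment.

    re.sub is a single pass, so a reference rewritten to 0/3 is never re-read as
    an old 0/3 and shifted a second time.
    """
    return OLD_IFNUM.sub(lambda m: new_interface_number(m.group(0), n_dedicated), text)


# Constructed fragment written against the old scheme, two dedicated interfaces.
OLD_FRAGMENT = """\
bind vlan 100 -ifnum 0/2
bind vlan 200 -ifnum 0/3
set interface 0/4 -haMonitor OFF
add ns ip 10.0.0.5 255.255.255.0 -vServer DISABLED
"""

if __name__ == "__main__":
    print(renumber_config(OLD_FRAGMENT, n_dedicated=2))
```

    Run it against a saved ns.conf or deployment script and diff the output before applying anything; a reference that raises ValueError is one the old scheme could not have produced and deserves a manual look.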

Policies

  • Server certificate verification for importing a responder HTML page
    You can use the "import responder htmlpage" command to import the HTML error responses that are sent to the client. Previously, no server certificate validation was performed during HTML page import. This issue is now resolved by a new parameter, "CAcertFile". You can configure the parameter to verify the server certificate when importing an HTML page.
    Note: If you do not configure a CA certificate file name, the default root CA certificates are used to verify the server certificate.
    import responder htmlpage [<src>] <name> [-comment <string>] [-overwrite] [-CAcertFile <string>]

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/responder/configuring-responder-action.html#configure-html-page-import.
    [ NSPOLICY-3620 ]

System

  • Support to bind the analytics profile globally
    You can now bind the analytics profile globally. Previously, you had to bind the analytics profile to each virtual server.
    [ NSBASE-11079 ]

User Interface

  • Auto-upgrade of built-in agents without initialization
    From Citrix ADC release 13.0 build 61.xx and higher, the Citrix ADM built-in agent available on Citrix ADC instances communicates with ADM service without initialization on the respective ADC instance. After communication with ADM service is established, the built-in agent auto-upgrades to the latest software version regularly.

    Previously, you had to initialize the built-in agent on Citrix ADC instances, using "mastools" commands, to establish communication with ADM service, and for regular auto-upgrades.
    [ NSCONFIG-4153 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.

    For more information, see the following topics:

    - Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
    - Data governance: https://docs.citrix.com/en-us/citrix-adc/13/data-governance.html
    - Citrix ADM service connect: https://docs.citrix.com/en-us/citrix-adc/13/adm-service-connect.html

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
    [ NSCONFIG-4150 ]

Fixed Issues

The issues that are addressed in Build 13.0-64.35.

Authentication, authorization, and auditing

  • If a Citrix ADC appliance is configured for OTP login and the OTP field is left blank, authentication fails and the appliance writes the user's password to ns.log, which is a security concern.
    [ NSHELP-24027 ]
  • In some cases, the SAML assertion breaks when the attribute values contain XML tags, and attribute extraction fails as a result.
    [ NSHELP-23940 ]
  • A Citrix ADC appliance configured as an Identity Provider (IdP) for Citrix Workspace might crash when users are part of a large number of active directory groups.
    [ NSHELP-23899 ]
  • The user does not get a 401 authentication prompt because the Citrix ADC appliance requests the authentication configuration from a wrong virtual server structure.
    [ NSHELP-23892 ]
  • The Citrix Workspace login fails when a Citrix ADC appliance is configured as an Identity Provider (IdP) for Citrix Workspace and a custom attribute extraction error occurs. 
    [ NSHELP-23843 ]
  • In some cases, the "ns.log" file on the Citrix ADC appliance is incorrectly flooded with the log message "claims allowed in current loginschema".
    [ NSHELP-23593 ]
  • VPN session policies bound to an Authentication, authorization, and auditing user or group are not applied if the Citrix ADC appliance is accessed by a VPN client using the webview nFactor authentication method.
    [ NSHELP-23526 ]
  • The Citrix ADC GUI under "System Global Authentication Policy Binding" page has the following errors:
    - Goto Expression field incorrectly displays "END" instead of "NEXT".
    - The bound next factor policy is not reflected under the "Next Factor" field.
    [ NSHELP-23474 ]
  • In rare cases, the session user name is incorrectly shown as "anonymous" instead of common name for the device certificate if both the following conditions are met.
    - A Citrix ADC appliance is configured for nFactor authentication.
    - Device Certificate is configured as the only factor in an nFactor configuration.
    [ NSHELP-23243 ]
  • SAML authentication for the last factor fails when both the following conditions are met:
    * The Citrix ADC appliance is configured as SAML SP.
    * EPA is enabled on the VPN virtual server as pre-authentication policy and the RfWebUI theme is bound to the server.
    [ NSHELP-22932 ]
  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
    [ NSHELP-22845 ]
  • The login page for a Citrix ADC appliance is not displayed correctly when LDAP and SAML are configured as the primary authentication mechanism.
    [ NSHELP-22713 ]
  • When you log on to the Citrix Gateway appliance, a blank page is displayed if the following conditions are met:
    * The Citrix Gateway appliance is configured for nFactor authentication with saml as next factor EULA
    * You click the back arrow to go to the previous page during the logon process.
    [ NSHELP-22604 ]
  • In some cases, a Citrix ADC appliance crashes because of the memory corruption caused by a buffer overwrite for the list of OTP devices.
    [ NSHELP-22478 ]
  • Sometimes, the form-based SSO authentication fails for the first time if a Set-Cookie is contained in the HTTP response header of the HTML form.
    [ NSHELP-21740 ]

Citrix ADC SDX Appliance

  • An incorrect platform model string is displayed when you configure pooled licensing on the Citrix ADC SDX 8400, 8600, or 8015 appliances.
    [ NSHELP-24234 ]
  • If you take a backup of one SDX appliance, restoring the instances on another SDX appliance fails. 
    [ NSHELP-23947 ]
  • On a Citrix ADC SDX 8900 appliance, the number of instances available for provisioning are reduced after you upgrade the appliance.
    [ NSHELP-23808 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 57.x might fail because a process in the Management Service is unresponsive.
    [ NSHELP-23612 ]
  • On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to Management Service using a file transfer utility, such as SCP or SFTP.
    [ NSHELP-22638 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash when adding a cookie_watch JavaScript while serving clientless VPN traffic.
    [ NSHELP-24096 ]
  • You cannot disable the Citrix Gateway EPA plug-in from the GUI after upgrading to release 13.0 build 58.30.
    [ NSHELP-24016 ]
  • The VPN plug-in cannot load the Citrix Gateway logon page if a port number is specified during login. This issue occurs only if nFactor authentication is configured for the virtual server on the appliance.
    [ NSHELP-23925 ]
  • When the VPN tunnel is active, users cannot access a portal if the following conditions are met:
    - Host-name based intranet applications are configured along with reverse split tunnel.
    - The hostname of the portal matches an intranet application name.
    [ NSHELP-23912 ]
  • In the VPN virtual server page, the configured portal themes, policies, and profiles summary does not appear on the left side of the page.
    [ NSHELP-23903 ]
  • In rare cases, a Citrix Gateway appliance might crash while handling transfer logon or logout requests.
    [ NSHELP-23863 ]
  • The Windows plug-in cannot perform a seamless Transfer Logon in the Always On service mode if the RfWebUI portal theme is bound to the Citrix ADC virtual server.
    [ NSHELP-23837 ]
  • When you upgrade your VPN plug-in to 13.0, DNS queries are sent to both local and remote DNS servers if the split tunnel is set to OFF.
    [ NSHELP-23826 ]
  • Local DNS queries over the VPN plug-in, if directed to a particular DNS server, are not honored because the queries are sent to randomly selected DNS servers on the client.
    [ NSHELP-23743 ]
  • The Windows credential screen does not refresh after the network comes back up.
    [ NSHELP-23594 ]
  • SAP CFolders do not work as intended when accessed over advanced clientless VPN.
    [ NSHELP-23561 ]
  • In the Citrix Gateway Always On service mode, when the machine is rebooted, the tunnel is not established if an Intranet IP address is configured.
    [ NSHELP-23304 ]
  • The Citrix ADC appliance crashes if the "show vpn storeinfo" command is run repeatedly.
    [ NSHELP-23144 ]
  • The ICA Proxy application launch over SOCKS channel fails.
    [ NSHELP-23111 ]
  • Users cannot access resources over the VPN when the machines resume from sleep or hibernate state.
    [ NSHELP-23024 ]
  • VPN plug-in cannot establish a seamless session after the Citrix Gateway appliance is restarted because the configuration is overwritten when Always On is enabled.
    [ NSHELP-22674 ]
  • In rare cases, the Citrix ADC appliance might become unresponsive if the appliance is configured for EDT, and HDX Insight is enabled for EDT sessions.
    [ NSHELP-22640 ]
  • The Citrix Gateway appliance crashes when accessing the DNS server configuration if RDP Proxy is configured and DNS resolution is attempted after WINS resolution.
    [ NSHELP-22577 ]
  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
    [ NSHELP-22444 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash during a failover if syslog is configured.
    [ NSHELP-22438 ]
  • The Citrix Gateway appliance might crash because some commands are not run.
    [ NSHELP-22371 ]
  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.
    [ NSHELP-22304 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash if the response side or XML security checks are enabled and log expressions are configured in a Web App Firewall profile.
    [ NSWAF-6466 ]
  • In a cluster configuration, the unbind command to configure an HTML Cross-Site Scripting check relaxation rule with the location as URL is unsuccessful.
    [ NSWAF-6463 ]
  • In a cluster configuration, the Citrix Web App Firewall aslearn data aggregation on the cluster coordinator node (CCO) fails when RPC nodes are secured.
    [ NSWAF-6460 ]
  • After an upgrade, the "bufferOverflowMaxqueryLength" and "bufferOverflowmaxHeaderLength" values in an existing Citrix Web App Firewall profile might not be appropriate for deployment. As a result, you might have to modify the values if incorrect.
    [ NSWAF-6346 ]
  • A Citrix ADC appliance might crash if bot signature is enabled with external DNS server configuration.
    [ NSHELP-24190 ]
  • POST requests with content-type "application/octet-stream" are not processed if Streaming is enabled without a signature set.
    [ NSHELP-22668 ]
  • In a high availability setup, the Web App Firewall session in the secondary node is a stale session.
    [ NSHELP-20288 ]

Load Balancing

  • The real-time synchronization of GSLB configuration from the master site to the subordinate sites might fail if the secure option is enabled for the remote site RPC node.
    [ NSHELP-24178 ]
  • A Citrix ADC appliance might crash when trying to evaluate subscriber policies and gxSessionReporting is enabled.
    [ NSHELP-24159 ]
  • If connection mirroring does not synchronize PCB parameters, it might lead to loss of TCP options such as Maximum Segment Size (MSS) and Window Scaling.
    [ NSHELP-23990 ]
  • The Citrix ADC appliance crashes if the storeDB parameter is enabled in the MYSQL-ECV monitor.
    [ NSHELP-23983 ]
  • When you add two service groups with the same value for the "devno" parameter explicitly from the CLI, the addition of the second service group fails because the same devno is already assigned to the first service group. Do not provide devno explicitly from the CLI; it is populated automatically.
    [ NSHELP-23817 ]
  • If the health check option is enabled for the Gx interface and the Gx server is not responsive, negative TTL sessions are not created.
    [ NSHELP-23355 ]
  • The statistics for a stream identifier do not show any graphs.
    [ NSHELP-22753 ]
  • For DNS UDP requests the subscriber session is created based on the destination IP address instead of the source IP address, if both a subscriber expression and a DNS expression are used in the same policy.
    [ NSHELP-22521 ]
  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
    [ NSHELP-22103 ]
  • In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.
    [ NSHELP-21715 ]

Miscellaneous

  • Some commands in the rc.netscaler file are not applied correctly after a Citrix ADC appliance restarts, because of which the appliance might not work as intended.
    [ NSHELP-22507 ]

Networking

  • The nstcpdump.sh script fails to run on the Citrix ADC BLX CLI connected through SSH and logged in using the default admin (nsroot) credentials. The script fails because the default admin (nsroot) does not have permission to access certain files and network resources.
    [ NSNET-16816 ]
  • In a high availability setup with connection mirroring enabled for FTP traffic, the secondary node might crash if the following condition is true:
    - The data connection propagates to the secondary node before the control connection.
    [ NSHELP-24088 ]
  • When the L2 mode is enabled, the Citrix ADC appliance forwards the DHCP broadcast packets received in the default partition.
    [ NSHELP-23957 ]
  • The Citrix ADC appliance might fail during NAT64 translation of a received IPv6 request packet if the following condition is true:
    - The last 32 bits of the destination IPv6 address, which form the translated destination IPv4 address, are greater than 240.0.0.0, that is, they fall in the reserved IP range.
    [ NSHELP-22742 ]
  • You might observe high CPU usage on a Citrix ADC appliance when it sends fragmented IPv6 packets.
    [ NSHELP-22699 ]
  • A packet with an invalid virtual MAC address as the destination address is wrongly classified as a packet having the Citrix ADC owned MAC address.
    [ NSHELP-22697 ]

Platform

  • On the Citrix ADC SDX 24000 platform, a critical alert on logical drives is generated after you upgrade the appliance to software version 13.0. This is a false positive.
    cp /opt/Citrix/system_config/NSSDX-22000 /opt/Citrix/system_config/NSSDX-22000T
    [ NSHELP-23505 ]
  • In some cases on a Citrix ADC SDX appliance, configuring some virtual instances with 50G and 100G Mellanox interfaces exhausts the memory.
    [ NSHELP-23394 ]
  • You need to reboot a Citrix ADC SDX appliance to reset and initialize an SSL card when the card returns an error. With this fix, reboot is not required.
    [ NSHELP-22725 ]

Policies

  • A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.
    [ NSPOLICY-1462 ]

SSL

  • The Citrix ADC appliance might crash if the following conditions are met:
    - TLS 1.3 early data processing is enabled in an SSL profile of a non-default admin partition.
    - TLS 1.3 early data processing is disabled in all the SSL profiles of the default admin partition.
    [ NSHELP-23607 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • In a cluster setup, a NITRO API query to fetch SSL policy bindings succeeds from the CLIP address, but fails if it is run from a cluster node.
    [ NSHELP-22853 ]
  • A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.
    [ NSHELP-22695 ]
  • Configuring empty CRLs for frequent updates exhausts the shared allocated memory on the Citrix ADC appliance.
    [ NSHELP-22166 ]
  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1) Create two OCSP responders in different partitions.
    2) Clear the config in one partition.
    3) Remove the OCSP responder in the other partition.
    [ NSHELP-20861 ]

System

  • A Citrix ADC appliance might not optimize and compress large objects such as Javascript or CSS if front end optimization is enabled.
    [ NSHELP-24041 ]
  • When TLS 1.2 session reuse is in effect, the following behavior is observed on the Citrix ADC appliance:
    - The categorization information is saved in the server PCB, and the domain information is saved in the client PCB.
    - Data is sent to AppFlow only from the client PCB, so for reused sessions the categorization information is sent as null.
    [ NSHELP-23542 ]
  • If a service, representing an inline device, is down when traffic is being inspected, a resource is not freed properly. The Citrix ADC appliance crashes when this freed resource is accessed again.
    [ NSHELP-23145 ]
  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.
    [ NSHELP-20653 ]
  • In Multi-path TCP (MPTCP) the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.
    [ NSHELP-19896 ]
  • Sometimes, analytics data is not populated in ADM service.
    [ NSBASE-11508 ]

User Interface

  • Multi-factor (nFactor) login does not work from the Citrix ADC GUI. After the first-factor login, the next-factor login input does not work.
    [ NSHELP-24078 ]
  • A Citrix ADC appliance might crash when an internal process restarts for a maximum number of times.
    [ NSHELP-23378 ]
  • Only the last three digits of the year are displayed in "Up since (Local)" line of the "stat system" command.
    [ NSHELP-22960 ]
  • Adding a service group member directly is successful. However, the operation fails if you perform the following steps:

    1. Navigate to Traffic Management > Load Balancing > Service Groups.

    2. Select a service group and click Service Group Members.

    3. Right click one of the entries and select Add.

    4. In the Create Service Group Member, change the IP address and click Create.
    [ NSHELP-21925 ]
  • NITRO API (routerdynamicrouting) for fetching the ZebOS running configuration does not fetch the complete output for large configurations (more than 25 lines).
    [ NSCONFIG-3535 ]
  • After you upgrade the Citrix ADC appliance to release 13.0 build 64.x, the Secure option for all the RPC nodes is turned ON by default. This option secures the communication between the ADC nodes in the high availability, cluster, and GSLB deployments, which use the port number 3008. If the firewall between the ADC nodes blocks the port number 3008, unblock it and proceed. Otherwise, configuration synchronization and configuration propagation might fail. You can change this option anytime using the CLI or the GUI.
    [ NSCONFIG-2702 ]

Known Issues

The issues that exist in release 13.0-64.35.

Authentication, authorization, and auditing

  • In some cases, a Citrix ADC appliance might crash if the client closes the TCP connection before finishing the Email OTP authentication.
    [ NSHELP-25154 ]
  • In some cases, a Citrix ADC appliance crashes during the Citrix ADC Authentication, authorization, and auditing session removal on the secondary node.
    [ NSHELP-25075 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.
    [ NSAUTH-5916 ]
  • You might see a "No such policy exists" message on the nFactor Flow page in nFactor Visualizer when you try to unbind a policy from a factor. The unbind option itself works as expected.
    [ NSAUTH-5821 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
    [ NSHELP-22942 ]
  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

Citrix Gateway

  • In rare cases, the Citrix Gateway appliance might crash during session synchronization with the secondary appliance or during Intranet IP assignment.
    [ NSHELP-25221 ]
  • EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.
    [ NSHELP-24848 ]
  • A Citrix Gateway appliance might crash when trying to parse an incoming packet.
    [ NSHELP-23747 ]
  • You might face issues when editing documents using the web based office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.
    [ NSHELP-23364 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
    [ NSHELP-21897 ]
  • A Citrix Gateway appliance does not fallback to the LDAP policy if the following conditions are met:
    - Certificate authentication and LDAP are configured as the first factor and LDAP checks data from login Schema.
    - The certificate authentication fails.
    [ NSHELP-1853 ]
  • Transfer Logon does not work if the following two conditions are met:
    * nFactor authentication is configured.
    * Citrix ADC theme is set to Default.
    [ CGOP-14092 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
    [ CGOP-13584 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using Mac Receiver along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.
    [ CGOP-13050 ]
  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.
    [ CGOP-13049 ]
  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.
    [ CGOP-11830 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]

Citrix Web App Firewall

  • The aslearn process does not start automatically after the Citrix ADC appliance has crashed.
    [ NSWAF-6766 ]
  • Bot log expression
    The Citrix bot management profile now enables you to capture additional data as log messages if the incoming traffic is identified as a bot. The data can be any request-side TCP or HTTP information, such as:
    * Request URL
    * Source IP address
    * Source port
    [ NSWAF-22 ]
  • SOAP envelope validation might fail for XML data.
    [ NSHELP-24412 ]

Load Balancing

  • The custom location entries might be removed when you run the “add locationfile” or “add locationfile6” commands in a high-availability setup.
    [ NSHELP-23775 ]
  • The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.
    [ NSHELP-23391 ]
  • A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.
    [ NSHELP-21959 ]

Networking

  • Joining of a node to a cluster setup might fail if all the following conditions are met:
    - The CLIP address and the NSIP address of the node to be joined are in different networks.
    - A SNIP address present in the node to be joined has the same network address as the CLIP address.
    - While joining the node to the cluster setup, the connection is initiated with SNIP as the source IP address and CLIP as the destination IP address.
    - CLIP address resets the connection.

    Workaround: Perform the following operations in the node to be joined to a cluster setup:
    - Enable layer 2 parameter: skipProxyingBsdTraffic
    - Join the node to the cluster setup
    - Disable layer 2 parameter: skipProxyingBsdTraffic

    Example:

    > set l2param -skipProxyingBsdTraffic enable
    > join cluster -clip 203.0.113.10 -password examplepassword
    > set l2param -skipProxyingBsdTraffic disable

    [ NSNET-18438 ]
  • When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
    On successive failures, the cluster retains the partial configuration.
    Workaround:
    1.  Identify the failed commands from the log.
    2.  Manually apply the recovery commands to the failed commands.
    [ NSHELP-24910 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]

Platform

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSPLAT-17546 ]

Policies

  • Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • The update command is not available for the following add commands:
    - add azure application
    - add azure keyvault
    - add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled
    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.
    [ NSHELP-24913 ]
  • When the "forward" SSL action is triggered, the counter "_Current Client Est connections_" incorrectly shows a large value in the output of statistics for the virtual server to which traffic is forwarded.
    [ NSHELP-22825 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • An HTTP/2 connection becomes unresponsive if the "http2InitialWindowSize" parameter value is set to 131070 or any value greater than 131070.
    Workaround: Set the parameter value to less than 131070.
    [ NSHELP-25155 ]
  • Enabling metrics collector in the default partition might fail if it is already enabled in the admin partition setup.

    Workaround: Do not enable metrics collector in the admin partition setup.
    [ NSBASE-12623 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
    [ NSUI-13024 ]
  • The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
    [ NSHELP-24195 ]
  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.
    [ NSCONFIG-4330 ]
  • If you (the system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:
    * 13.0 52.24 build
    * 12.1 57.18 build
    * 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed-up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]