Release Notes for Citrix ADC 13.0-64.35 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 13.0-64.35.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-64.35 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX281474.

What's New

The enhancements and changes that are available in Build 13.0-64.35.

Authentication, authorization, and auditing

  • Increase in the individual maximum length value for SAML attribute
    The maximum length of an individual SAML attribute has been increased to 40k bytes. The combined size of all the attributes must still not exceed 40k bytes. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/citrix-adc-saml-sp.html.
    [ NSAUTH-8225 ]
  • Increase in the maximum length value for attributes
    The maximum length value for the following attributes has changed as follows.

    - set samlaction <saml-action-name> -samlissuerName - 511 (new max length)
    - set samlidPProfile <saml-idp-profile-name> -samlissuerName - 511 (new max length)
    - set samlidPProfile <saml-idp-profile-name> -serviceProviderID - 511 (new max length)
    - set tm samlSSOProfile <saml-sso-profile-name> -samlissuerName - 511 (new max length)
    - set vpn samlSSOProfile <saml-sso-profile-name> -samlissuerName - 511 (new max length)
    - set oauthaction <oauth-action-name> -clientSecret - 239 (new max length)
    - set authentication OAuthIDPProfile <oauthidp-profile-name> -clientSecret - 239 (new max length)
    [ NSAUTH-8180 ]
  • Support to disable the weak Basic, Digest, and NTLM authentication globally
    The SSO configuration is now made more secure by disabling the following weak authentication methods globally.
    - Basic authentication
    - Digest Access Authentication
    - NTLM without setting Negotiate NTLM2 Key or Negotiate Sign

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
    [ NSAUTH-7747 ]
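
The following Python script is an added example (not part of the Citrix release notes or Citrix's own code) that applies the classification above to the WWW-Authenticate challenges a back-end server returns: Basic and Digest are flagged as weak, and an NTLM CHALLENGE_MESSAGE (Type 2) is decoded to check whether the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY ("Negotiate NTLM2 Key") or NTLMSSP_NEGOTIATE_SIGN ("Negotiate Sign") flag is set, using the message layout and flag values from MS-NLMP. The sample challenge messages are constructed inside the script. How the ADC itself evaluates the NTLM negotiation is not described on this page, so treating the server's challenge flags as the deciding input is an assumption of the example.

```python
import base64
import struct

# NegotiateFlags bit values from MS-NLMP section 2.2.2.5.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010                       # "Negotiate Sign"
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000   # "Negotiate NTLM2 Key"

CHALLENGE_MESSAGE = 2          # NTLM Type 2, sent by the server
STRONG_NTLM_FLAGS = NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_SIGN


def ntlm_challenge_flags(token_b64: str) -> int:
    """Return NegotiateFlags from a base64-encoded NTLM CHALLENGE_MESSAGE.

    Layout (MS-NLMP 2.2.1.2): Signature(8) MessageType(4) TargetNameFields(8)
    NegotiateFlags(4) ServerChallenge(8) Reserved(8) TargetInfoFields(8) ...
    """
    raw = base64.b64decode(token_b64)
    if len(raw) < 24 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got type {msg_type}")
    return struct.unpack_from("<I", raw, 20)[0]


def classify_challenge(header_value: str) -> str:
    """Classify one WWW-Authenticate value as 'weak', 'allowed' or 'undetermined'."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "digest"):
        return "weak"
    if scheme == "ntlm":
        if not token.strip():
            return "undetermined"      # bare "NTLM": flags are not negotiated yet
        flags = ntlm_challenge_flags(token.strip())
        return "allowed" if flags & STRONG_NTLM_FLAGS else "weak"
    return "allowed"                   # Negotiate, Bearer, ... are not in the blocked list


def weak_schemes(headers) -> list:
    """Names of the schemes, among several WWW-Authenticate values, that would be blocked."""
    return sorted({h.split(" ", 1)[0] for h in headers if classify_challenge(h) == "weak"})


def build_type2(flags: int) -> str:
    """Constructed test data: a minimal 48-byte CHALLENGE_MESSAGE carrying the given flags."""
    body = b"NTLMSSP\x00" + struct.pack("<I", CHALLENGE_MESSAGE)
    body += struct.pack("<HHI", 0, 0, 48)                 # TargetNameFields: empty
    body += struct.pack("<I", flags)
    body += bytes(range(8)) + b"\x00" * 8                 # ServerChallenge, Reserved
    body += struct.pack("<HHI", 0, 0, 48)                 # TargetInfoFields: empty
    return base64.b64encode(body).decode("ascii")


if __name__ == "__main__":
    base = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
    sample = [
        'Basic realm="intranet"',
        'Digest realm="intranet", nonce="4f6a", qop="auth"',
        "Negotiate",
        "NTLM " + build_type2(base),                                               # weak
        "NTLM " + build_type2(base | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),  # allowed
    ]
    for h in sample:
        print(f"{h[:48]:<48} -> {classify_challenge(h)}")
    print("would be blocked for SSO:", weak_schemes(sample))
```

Run it against the header values captured from a back end (for example from a 401 response in a packet capture) to see which of its authentication offers fall into the newly disabled set before upgrading; a bare "NTLM" challenge tells you nothing until the server's Type 2 message is seen.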

Citrix ADC SDX Appliance

  • Auto-upgrade of the built-in agent without initialization
    From Citrix ADC release 13.0 build 61.xx and higher, the Citrix ADC SDX appliance ships with a built-in Citrix ADM agent that provides the ADM Service Connect functionality. The built-in agent runs as an active daemon and communicates with ADM service. After communication with ADM service is established, the built-in agent auto-upgrades itself to the latest software version regularly.
    [ NSSVM-3919 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC SDX appliances onto Citrix ADM service. This feature lets the ADC SDX appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you can get insights and recommendations for your Citrix ADC infrastructure, on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade the Citrix ADC SDX appliance.

    For more information, see the following topics:

    - Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
    - Data governance: https://docs.citrix.com/en-us/sdx/13/data-governance.html
    - Citrix ADM service connect: https://docs.citrix.com/en-us/sdx/13/adm-service-connect.html

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
    [ NSSVM-3911 ]

Citrix Web App Firewall

  • Security check to block violations of the HTTP POST body size limit
    The Citrix Web App Firewall profile now supports "PostBodyLimitAction" as a configurable security check that honors the profile's error settings and blocks requests whose HTTP POST body exceeds the maximum allowed size. The check also applies to requests with a Transfer-Encoding header set to chunked, where the body size cannot be read from a Content-Length header. Previously, POST body limit violations resulted in a 400 response from the server.
    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/app-firewall-profile-settings.html.
    [ NSWAF-5184 ]
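
The following Python code is an added example (not Citrix code) of the check described above: it applies a POST body size limit to raw HTTP requests and handles chunked transfer coding by walking the chunk sizes incrementally, blocking as soon as the running total exceeds the limit instead of buffering the whole body. The requests are constructed in the script; that the limit is counted on decoded body bytes, and the "block"/"allow" result names, are assumptions of the example and not documented ADC behaviour.

```python
BLOCK = "block"
ALLOW = "allow"


def split_request(raw: bytes):
    """Return (header_lines, body) for a raw HTTP/1.1 request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    return head.split(b"\r\n"), body


def header(lines, name: str):
    """Case-insensitive lookup of the first header field with the given name."""
    want = name.lower().encode("ascii")
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == want:
            return value.strip()
    return None


def chunked_body_size(body: bytes, limit: int) -> int:
    """Walk a chunked body, summing decoded chunk sizes; return early once over the limit.

    Chunk extensions (';name=value') are ignored and trailers are not counted.
    """
    total, pos = 0, 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("malformed chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        if size == 0:
            return total                          # last-chunk reached
        total += size
        if total > limit:
            return total                          # stop without buffering the rest
        pos = eol + 2 + size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def post_body_limit_action(raw: bytes, limit: int):
    """Return (action, body_bytes_observed) for one request against a POST body limit."""
    lines, body = split_request(raw)
    if not lines[0].upper().startswith(b"POST "):
        return ALLOW, 0
    te = header(lines, "Transfer-Encoding")
    if te is not None and b"chunked" in te.lower():
        size = chunked_body_size(body, limit)     # Transfer-Encoding overrides Content-Length
    else:
        cl = header(lines, "Content-Length")
        size = int(cl) if cl is not None else len(body)
    return (BLOCK if size > limit else ALLOW), size


def chunked_request(chunks) -> bytes:
    """Constructed sample: a chunked POST carrying the given chunk payloads."""
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n") + body


def content_length_request(payload: bytes) -> bytes:
    """Constructed sample: a POST with an explicit Content-Length."""
    return (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Length: %d\r\n\r\n" % len(payload)) + payload


if __name__ == "__main__":
    LIMIT = 1024
    for label, req in [("content-length 100", content_length_request(b"a" * 100)),
                       ("content-length 2000", content_length_request(b"a" * 2000)),
                       ("chunked 2x300", chunked_request([b"x" * 300, b"y" * 300])),
                       ("chunked 3x700", chunked_request([b"x" * 700] * 3))]:
        print(f"{label:<20} -> {post_body_limit_action(req, LIMIT)}")
```

The point of the chunked branch is that a Content-Length-only limit is trivially bypassed by a chunked request; the size has to be accumulated from the chunk headers as they arrive, and the decision can be made before the remaining chunks are read.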

Load Balancing

  • Increased character length for the monitor name
    A monitor name can now be up to 255 characters long.
    [ NSLB-5223 ]

Networking

  • Change in Interface numbering scheme in Citrix ADC BLX appliances
    The interface numbering scheme for a Citrix ADC BLX appliance has been modified so that it aligns with other Citrix ADC platforms. Citrix recommends that you update any scripts that depend on the interface numbering.

    Earlier, the two internal interfaces were numbered as the first and the last interface. All the dedicated interfaces (in a Citrix ADC BLX appliance in non-DPDK or DPDK mode) were numbered in between the first and the last internal interfaces.

    Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:

    - The internal BLX interfaces are numbered as 0/1 and 0/4.
    - The dedicated interfaces are numbered as 0/2 and 0/3.

    Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface:

    - The internal BLX interfaces are numbered as 0/1 and 0/3.
    - The DPDK interface is numbered as 0/2.

    From this release onwards, the interfaces in a Citrix ADC BLX appliance are numbered in the following sequential order:

    - Both the internal interfaces, as the first and the second interface.
    - Dedicated interfaces.
    - DPDK interfaces (in Citrix ADC BLX appliances in DPDK mode).

    Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:

    - The internal BLX interfaces are numbered as 0/1 and 0/2.
    - The dedicated interfaces are numbered as 0/3 and 0/4.

    Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface (40G) and one non-DPDK dedicated interface:

    - The internal BLX interfaces are numbered as 0/1 and 0/2.
    - The non-DPDK dedicated interface is numbered as 0/3.
    - The DPDK interface (40G) is numbered as 40/1.
    [ NSNET-17067 ]
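
The following Python helper is an added example (not Citrix code) of the script update the note recommends: it derives the old-to-new interface name mapping for a BLX appliance from its interface counts and rewrites interface references in configuration lines. Beyond what the note states, it assumes that dedicated interfaces preceded DPDK interfaces in the old middle range, that the new DPDK prefix is the link speed in Gbps with a per-speed index (the note shows a single 40G interface as 40/1), and that relative order is preserved. Verify the derived mapping against "show interface" on the upgraded appliance before applying it to saved configuration.

```python
import re

# Match an interface name such as 0/3 or 40/1, but not the tail of an address like 10.0.0.1/24.
IFNAME = re.compile(r"(?<![\d.])(\d+/\d+)(?![\d.])")


def old_names(n_dedicated: int, n_dpdk: int) -> dict:
    """Pre-64.35 scheme: internal interfaces first and last, dedicated/DPDK in between.

    Assumption (not stated in the note): dedicated interfaces come before DPDK ones.
    """
    total = 2 + n_dedicated + n_dpdk
    middle = [f"0/{i}" for i in range(2, total)]
    return {"internal": ["0/1", f"0/{total}"],
            "dedicated": middle[:n_dedicated],
            "dpdk": middle[n_dedicated:]}


def new_names(n_dedicated: int, dpdk_speeds_gbps) -> dict:
    """64.35 scheme: internal 0/1 and 0/2, dedicated 0/3.., DPDK as <speed>/<index>.

    Assumption: the DPDK prefix is the link speed in Gbps and the index counts per speed
    (the note shows a single 40G interface as 40/1).
    """
    per_speed = {}
    dpdk = []
    for speed in dpdk_speeds_gbps:
        per_speed[speed] = per_speed.get(speed, 0) + 1
        dpdk.append(f"{speed}/{per_speed[speed]}")
    return {"internal": ["0/1", "0/2"],
            "dedicated": [f"0/{i}" for i in range(3, 3 + n_dedicated)],
            "dpdk": dpdk}


def rename_map(n_dedicated: int, dpdk_speeds_gbps) -> dict:
    """Old interface name -> new interface name, role by role, preserving relative order."""
    old = old_names(n_dedicated, len(dpdk_speeds_gbps))
    new = new_names(n_dedicated, dpdk_speeds_gbps)
    return {o: n for role in ("internal", "dedicated", "dpdk")
            for o, n in zip(old[role], new[role])}


def rewrite_config(lines, mapping: dict) -> list:
    """Rewrite interface references in CLI lines in one pass; unknown names are left alone."""
    return [IFNAME.sub(lambda m: mapping.get(m.group(1), m.group(1)), line) for line in lines]


if __name__ == "__main__":
    # Constructed sample: two dedicated interfaces and one 40G DPDK interface.
    mapping = rename_map(2, [40])
    for old, new in mapping.items():
        print(f"{old:>5} -> {new}")
    for line in rewrite_config(["bind vlan 10 -ifnum 0/2", "set interface 0/4 -haMonitor OFF"], mapping):
        print(line)
```

Note that the rewrite is a single pass over each line, so a mapping such as 0/2 -> 0/3 and 0/3 -> 0/4 does not chain; that matters for VLAN, ACL and HA-monitor bindings, where an interface silently shifting by one position changes which traffic a rule applies to.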
  • Non-default password support for the root user on Citrix ADC CPX
    Citrix ADC CPX now supports a non-default password for the root user (nsroot). When you deploy CPX, a random password is generated and assigned to the root user. You can also change it manually.
    [ NSNET-10520 ]
  • Subscription local licenses support for Citrix ADC BLX appliances
    A local license is similar to a perpetual license, but it has an expiration date. The software subscriptions that make up local licenses are term-based and can be installed without requiring Citrix ADM as a licensing server.

    The following type of subscription local license is available for Citrix ADC BLX appliances:

    Bandwidth-based subscription local license. This type of license is enforced with a maximum allowed throughput that a particular Citrix ADC BLX appliance is entitled to. Each local license is also tied to one of the Citrix ADC software editions (Standard, Advanced, or Premium; formerly Standard, Enterprise, or Platinum), which unlocks the ADC feature set of that edition in a Citrix ADC BLX appliance. Embedded Select support is included with the subscription local license purchase.

    Example:

    A Citrix ADC BLX Subscription 10 Gbps Premium Edition license entitles a Citrix ADC BLX appliance to a maximum allowed throughput of 10 Gbps. This license also unlocks all the ADC features of the Premium edition in the Citrix ADC BLX appliance.
    [ NSNET-9189 ]
  • Mellanox NICs support for Citrix ADC BLX appliances in DPDK mode
    Citrix ADC BLX appliances now support Mellanox NICs with MLX5 driver for deployment in DPDK mode.
    [ NSNET-8946 ]

Policies

  • Server certificate verification for importing a responder HTML page
    You can use the "import responder htmlpage" command to import HTML pages that responder actions send to the client as error responses. Previously, no server certificate validation was performed when an HTML page was imported from a remote server. This is now addressed by a new parameter, "CAcertFile", which you can configure to verify the server certificate when importing an HTML page.
    Note: If you do not configure a CA certificate file name, the default root CA certificates are used to verify the server certificate.
    import responder htmlpage [<src>] <name> [-comment <string>] [-overwrite] [-CAcertFile <string>]

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/responder/configuring-responder-action.html#configure-html-page-import.
    [ NSPOLICY-3620 ]

System

  • Support to bind the analytics profile globally
    You can now bind the analytics profile globally. Previously, you had to bind the analytics profile to each virtual server.
    [ NSBASE-11079 ]

User Interface

  • Auto-upgrade of built-in agents without initialization
    From Citrix ADC release 13.0 build 61.xx and higher, the Citrix ADM built-in agent available on Citrix ADC instances communicates with ADM service without initialization on the respective ADC instance. After communication with ADM service is established, the built-in agent auto-upgrades to the latest software version regularly.

    Previously, you had to initialize the built-in agent on Citrix ADC instances, using "mastools" commands, to establish communication with ADM service, and for regular auto-upgrades.
    [ NSCONFIG-4153 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.

    For more information, see the following topics:

    - Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
    - Data governance: https://docs.citrix.com/en-us/citrix-adc/13/data-governance.html
    - Citrix ADM service connect: https://docs.citrix.com/en-us/citrix-adc/13/adm-service-connect.html

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
    [ NSCONFIG-4150 ]

Fixed Issues

The issues that are addressed in Build 13.0-64.35.

Authentication, authorization, and auditing

  • If a Citrix ADC appliance is configured for OTP login and the OTP field is left blank, authentication fails and the appliance logs the user's password in ns.log, which is a security concern.
    [ NSHELP-24027 ]
  • In some cases, the SAML assertion breaks when attribute values contain XML tags. As a result, attribute extraction fails.
    [ NSHELP-23940 ]
  • A Citrix ADC appliance configured as an Identity Provider (IdP) for Citrix Workspace might crash when users are part of a large number of active directory groups.
    [ NSHELP-23899 ]
  • The user does not get a 401 authentication prompt because the Citrix ADC appliance requests the authentication configuration from a wrong virtual server structure.
    [ NSHELP-23892 ]
  • Citrix Workspace login fails when a Citrix ADC appliance is configured as an Identity Provider (IdP) for Citrix Workspace and a custom attribute extraction error occurs.
    [ NSHELP-23843 ]
  • VPN session policies bound to an Authentication, authorization, and auditing user or group are not applied if the Citrix ADC appliance is accessed by the VPN client using the webview nFactor authentication method.
    [ NSHELP-23526 ]
  • The Citrix ADC GUI under "System Global Authentication Policy Binding" page has the following errors:
    - Goto Expression field incorrectly displays "END" instead of "NEXT".
    - The bound next factor policy is not reflected under the "Next Factor" field.
    [ NSHELP-23474 ]
  • In rare cases, the session user name is incorrectly shown as "anonymous" instead of the common name of the device certificate if both the following conditions are met.
    - A Citrix ADC appliance is configured for nFactor authentication.
    - Device Certificate is configured as the only factor in an nFactor configuration.
    [ NSHELP-23243 ]
  • SAML authentication for the last factor fails when both the following conditions are met:
    - The Citrix ADC appliance is configured as a SAML SP.
    - EPA is enabled on the VPN virtual server as a pre-authentication policy and the RfWebUI theme is bound to the server.
    [ NSHELP-22932 ]
  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
    [ NSHELP-22845 ]
  • The login page for a Citrix ADC appliance is not displayed correctly when LDAP and SAML are configured as the primary authentication mechanism.
    [ NSHELP-22713 ]
  • When you log on to the Citrix Gateway appliance, a blank page is displayed if the following conditions are met:
    - The Citrix Gateway appliance is configured for nFactor authentication with SAML as the next factor after EULA.
    - You click the back arrow to go to the previous page during the logon process.
    [ NSHELP-22604 ]
  • In some cases, a Citrix ADC appliance crashes because of the memory corruption caused by a buffer overwrite for the list of OTP devices.
    [ NSHELP-22478 ]
  • Sometimes, the form-based SSO authentication fails for the first time if a Set-Cookie is contained in the HTTP response header of the HTML form.
    [ NSHELP-21740 ]

Citrix ADC SDX Appliance

  • An incorrect platform model string is displayed when you configure pooled licensing on the Citrix ADC SDX 8400, 8600, or 8015 appliances.
    [ NSHELP-24234 ]
  • If you take a backup of one SDX appliance, restoring the instances on another SDX appliance fails. 
    [ NSHELP-23947 ]
  • On a Citrix ADC SDX 8900 appliance, the number of instances available for provisioning is reduced after you upgrade the appliance.
    [ NSHELP-23808 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 57.x might fail because a process in the Management Service is unresponsive.
    [ NSHELP-23612 ]
  • On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to Management Service using a file transfer utility, such as SCP or SFTP.
    [ NSHELP-22638 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash when adding a cookie_watch JavaScript while serving clientless VPN traffic.
    [ NSHELP-24096 ]
  • You cannot disable the Citrix Gateway EPA plug-in from the GUI after upgrading to release 13.0 build 58.30.
    [ NSHELP-24016 ]
  • The VPN plug-in cannot load the Citrix Gateway logon page if a port number is specified during login. This issue occurs only if nFactor authentication is configured for the virtual server on the appliance.
    [ NSHELP-23925 ]
  • The VPN plug-in does not honor host name-based intranet applications if the split tunnel option is set to REVERSE.
    [ NSHELP-23912 ]
  • In the VPN virtual server page, the configured portal themes, policies, and profiles summary does not appear on the left side of the page.
    [ NSHELP-23903 ]
  • In rare cases, a Citrix Gateway appliance might crash while handling transfer logon or logout requests.
    [ NSHELP-23863 ]
  • The Windows plug-in cannot perform a seamless Transfer Logon in the Always On service mode if the RfWebUI portal theme is bound to the Citrix ADC virtual server.
    [ NSHELP-23837 ]
  • When you upgrade your VPN plug-in to 13.0, DNS queries are sent to both local and remote DNS servers if the split tunnel is set to OFF.
    [ NSHELP-23826 ]
  • When the VPN plug-in is configured to send local DNS queries to a particular DNS server, the setting is not honored; the queries are sent to randomly selected DNS servers on the client.
    [ NSHELP-23743 ]
  • The Windows credential screen does not refresh after the network comes back up.
    [ NSHELP-23594 ]
  • SAP CFolders do not work as intended when accessed over advanced clientless VPN.
    [ NSHELP-23561 ]
  • In the Citrix Gateway Always On service mode, when the machine is rebooted, the tunnel is not established if an Intranet IP address is configured.
    [ NSHELP-23304 ]
  • The Citrix ADC appliance crashes if the "show vpn storeinfo" command is run repeatedly.
    [ NSHELP-23144 ]
  • The ICA Proxy application launch over SOCKS channel fails.
    [ NSHELP-23111 ]
  • Users cannot access resources over the VPN when the machines resume from sleep or hibernate state.
    [ NSHELP-23024 ]
  • VPN plug-in cannot establish a seamless session after the Citrix Gateway appliance is restarted because the configuration is overwritten when Always On is enabled.
    [ NSHELP-22674 ]
  • In rare cases, the Citrix ADC appliance might become unresponsive if the appliance is configured for EDT, and HDX Insight is enabled for EDT sessions.
    [ NSHELP-22640 ]
  • The Citrix Gateway appliance crashes when accessing the DNS server configuration if RDP Proxy is configured and DNS resolution is attempted after WINS resolution.
    [ NSHELP-22577 ]
  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
    [ NSHELP-22444 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash during a failover if syslog is configured.
    [ NSHELP-22438 ]
  • The Citrix Gateway appliance might crash because some commands are not run.
    [ NSHELP-22371 ]
  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.
    [ NSHELP-22304 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash if the response side or XML security checks are enabled and log expressions are configured in a Web App Firewall profile.
    [ NSWAF-6466 ]
  • In a cluster configuration, the unbind command for an HTML Cross-Site Scripting check relaxation rule with the location set to URL fails.
    [ NSWAF-6463 ]
  • In a cluster configuration, the Citrix Web App Firewall aslearn data aggregation on the cluster coordinator node (CCO) fails when RPC nodes are secured.
    [ NSWAF-6460 ]
  • After an upgrade, the "bufferOverflowMaxqueryLength" and "bufferOverflowmaxHeaderLength" values in an existing Citrix Web App Firewall profile might not be appropriate for your deployment. Review the values and modify them if they are incorrect.
    [ NSWAF-6346 ]
  • A Citrix ADC appliance might crash if bot signature is enabled with external DNS server configuration.
    [ NSHELP-24190 ]
  • POST requests with content-type "application/octet-stream" are not processed if Streaming is enabled without a signature set.
    [ NSHELP-22668 ]
  • In a high availability setup, the Web App Firewall session in the secondary node is a stale session.
    [ NSHELP-20288 ]

Load Balancing

  • The real-time synchronization of GSLB configuration from the master site to the subordinate sites might fail if the secure option is enabled for the remote site RPC node.
    [ NSHELP-24178 ]
  • A Citrix ADC appliance might crash when trying to evaluate subscriber policies and gxSessionReporting is enabled.
    [ NSHELP-24159 ]
  • The Citrix ADC appliance crashes if the storeDB parameter is enabled in the MYSQL-ECV monitor.
    [ NSHELP-23983 ]
  • If the health check option is enabled for the Gx interface and the Gx server is not responsive, negative TTL sessions are not created.
    [ NSHELP-23355 ]
  • The statistics for a stream identifier do not show any graphs.
    [ NSHELP-22753 ]
  • For DNS UDP requests the subscriber session is created based on the destination IP address instead of the source IP address, if both a subscriber expression and a DNS expression are used in the same policy.
    [ NSHELP-22521 ]
  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
    [ NSHELP-22103 ]
  • In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.
    [ NSHELP-21715 ]

Miscellaneous

  • Some commands in the rc.netscaler file are not applied correctly after a Citrix ADC appliance is restarted, because of which the appliance might not work as intended.
    [ NSHELP-22507 ]

Networking

  • The nstcpdump.sh script fails to run on the Citrix ADC BLX CLI connected through SSH and logged in using the default admin (nsroot) credentials. The script fails because the default admin (nsroot) does not have permission to access certain files and network resources.
    [ NSNET-16816 ]
  • In a high availability setup with connection mirroring enabled for FTP traffic, the secondary node might crash if the data connection propagates to the secondary node before the control connection.
    [ NSHELP-24088 ]
  • When the L2 mode is enabled, the Citrix ADC appliance forwards the DHCP broadcast packets received in the default partition.
    [ NSHELP-23957 ]
  • The Citrix ADC appliance might fail during NAT64 translation of a received IPv6 request packet if the last 32 bits of the destination IPv6 address, which form the translated destination IPv4 address, are greater than 240.0.0.0 (that is, fall in the reserved IPv4 range).
    [ NSHELP-22742 ]
  • You might observe high CPU usage on a Citrix ADC appliance when it sends fragmented IPv6 packets.
    [ NSHELP-22699 ]
  • A packet with an invalid virtual MAC address as the destination address is wrongly classified as a packet having the Citrix ADC owned MAC address.
    [ NSHELP-22697 ]

Platform

  • On the Citrix ADC SDX 24000 platform, a critical alert on logical drives is generated after you upgrade the appliance to software version 13.0. This is a false positive.
    cp /opt/Citrix/system_config/NSSDX-22000 /opt/Citrix/system_config/NSSDX-22000T
    [ NSHELP-23505 ]
  • In some cases on a Citrix ADC SDX appliance, configuring some virtual instances with 50G and 100G Mellanox interfaces exhausts the memory.
    [ NSHELP-23394 ]
  • You need to reboot a Citrix ADC SDX appliance to reset and initialize an SSL card when the card returns an error. With this fix, reboot is not required.
    [ NSHELP-22725 ]

Policies

  • A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.
    [ NSPOLICY-1462 ]

SSL

  • The Citrix ADC appliance might crash if the following conditions are met:
    - TLS 1.3 early data processing is enabled in an SSL profile of a non-default admin partition.
    - TLS 1.3 early data processing is disabled in all the SSL profiles of the default admin partition.
    [ NSHELP-23607 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • In a cluster setup, a NITRO API query to fetch SSL policy bindings succeeds from the CLIP address, but the query fails if it is run from a cluster node.
    [ NSHELP-22853 ]
  • A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.
    [ NSHELP-22695 ]
  • Configuring empty CRLs for frequent updates exhausts the shared allocated memory on the Citrix ADC appliance.
    [ NSHELP-22166 ]
  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1) Create two OCSP responders in different partitions.
    2) Clear the config in one partition.
    3) Remove the OCSP responder in the other partition.
    [ NSHELP-20861 ]

System

  • A Citrix ADC appliance might not optimize and compress large objects such as Javascript or CSS if front end optimization is enabled.
    [ NSHELP-24041 ]
  • If connection mirroring does not synchronize PCB parameters, it might lead to loss of TCP options such as Maximum Segment Size (MSS) and Window Scaling.
    [ NSHELP-23990 ]
  • If a service representing an inline device goes down while traffic is being inspected, a resource is not released correctly. The Citrix ADC appliance crashes when this resource is accessed again.
    [ NSHELP-23145 ]
  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.
    [ NSHELP-20653 ]
  • In Multi-path TCP (MPTCP) the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.
    [ NSHELP-19896 ]
  • Sometimes, analytics data is not populated in ADM service.
    [ NSBASE-11508 ]

User Interface

  • Multi-factor (nFactor) login does not work using the Citrix ADC GUI. After the first-factor login, the next-factor login input does not work.
    [ NSHELP-24078 ]
  • A Citrix ADC appliance might crash when an internal process restarts for a maximum number of times.
    [ NSHELP-23378 ]
  • Only the last three digits of the year are displayed in "Up since (Local)" line of the "stat system" command.
    [ NSHELP-22960 ]
  • Adding a service group member directly is successful. However, the operation fails if you perform the following steps:

    1. Navigate to Traffic Management > Load Balancing > Service Groups.

    2. Select a service group and click Service Group Members.

    3. Right click one of the entries and select Add.

    4. In the Create Service Group Member, change the IP address and click Create.
    [ NSHELP-21925 ]
  • NITRO API (routerdynamicrouting) for fetching the ZebOS running configuration does not fetch the complete output for large configurations (more than 25 lines).
    [ NSCONFIG-3535 ]
  • After you upgrade the Citrix ADC appliance to release 13.0 build 64.x, the Secure option for all the RPC nodes is turned ON by default. This option secures the communication between ADC nodes in high availability, cluster, and GSLB deployments, which use port 3008. If a firewall between the ADC nodes blocks port 3008, unblock it before proceeding; otherwise, configuration synchronization and configuration propagation might fail. You can change this option at any time using the CLI or the GUI.
    [ NSCONFIG-2702 ]

Known Issues

The issues that exist in release 13.0-64.35.

Authentication, authorization, and auditing

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema does not appear properly in the login schema editor screen of the Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • An ADFS proxy profile can be configured in a cluster deployment, but its status is incorrectly displayed as blank when you run the following command:
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC node in the cluster and run the "show adfsproxyprofile <profile name>" command there. This displays the proxy profile status.
    [ NSAUTH-5916 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
    [ NSHELP-22942 ]
  • A Citrix ADC appliance might randomly crash if the following conditions are met:
    - The Integrated Caching feature is enabled.
    - 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory.
    [ NSHELP-20854 ]

Citrix Gateway

  • Users cannot access websites if the following conditions are met:
    - The proxy server has a strict SNI check.
    - The backend server is accessed through an outbound proxy for clientless VPN or SecureBrowse.
    - The backendServerSNI parameter is enabled.
    [ NSHELP-24903 ]
  • The Gateway Insight does not display accurate information on the VPN users.
    [ NSHELP-23937 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • The Windows plug-in displays the “Gateway not reachable” message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.
    [ NSHELP-23794 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
    [ NSHELP-23410 ]
  • You might face issues when editing documents using the web based office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.
    [ NSHELP-23364 ]
  • The Citrix ADC appliance might crash during failover if UDP audio is enabled.
    [ NSHELP-22850 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
    [ NSHELP-21897 ]
  • When you upgrade your Unified Gateway environment to release 13.0 build 58.x or later, the DTLS knob is disabled on the content switching virtual server that is configured in front of the Citrix Gateway or VPN virtual server. You must manually enable the DTLS knob on the content switching virtual server after the upgrade. Do not enable the DTLS knob if you are using the wizard for configuration.
    [ CGOP-13972 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML authentication failures.
    [ CGOP-13584 ]
  • The ICA connection results in a skip parse during ICA parsing if users use Citrix Receiver for Mac with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]

Load Balancing

  • The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.
    [ NSHELP-23391 ]

Networking

  • After an upgrade to Citrix ADC 12.1 build 58.x, a single command propagation failure from the CCO node might cause propagation to fail entirely, so that subsequent commands also fail to propagate from the CCO node to non-CCO nodes.
    [ NSNET-18028 ]
  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform an In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 build 47.24 or earlier to a later version.
    [ NSHELP-21701 ]

Platform

  • When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and if the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.
    Workaround: Enable the first LA channel even if it is unused or if its member interfaces are physically down.
    [ NSHELP-21889 ]

Policies

  • Connections might hang if the amount of data to be processed is larger than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • The update command is not available for the following add commands:
    - add azure application
    - add azure keyvault
    - add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled
    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:
    - ECDHE/ECDSA hybrid model is enabled.
    - DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used for the SSL back-end service on the following platforms. (Both ciphers are cryptographically weak and should not be part of a back-end cipher group in any case.)
    * MPX 5900
    * MPX 8900
    * MPX 15000
    * MPX 15000-50G
    * MPX 26000
    * MPX 26000-50S
    * MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
    [ NSHELP-24201 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • A Citrix ADC appliance might crash if both of the following conditions are met:
    - HTTP/2 is enabled in the HTTP profile bound to a load balancing virtual server of type HTTP or SSL, or to a service.
    - The connection multiplexing option is disabled in that HTTP profile.
    [ NSHELP-21202 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send data that exceeds the MTU.
    [ NSHELP-9411 ]
  • The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.
    [ NSBASE-11747 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge Connector.

    Workaround: Configure CloudBridge Connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
    [ NSUI-13024 ]
  • On the Citrix ADC GUI, you are unable to view the "Custom Reports" created for a specific partition.
    [ NSHELP-24370 ]
  • The Refresh button does not work when you view Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
    [ NSHELP-24195 ]
  • In a Citrix ADC appliance, HTTPD might dump core while processing NITRO API calls.
    [ NSHELP-23208 ]
  • If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:
    * 13.0 build 52.24
    * 12.1 build 57.18
    * 11.1 build 65.10

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of affected system users by using the CLI, at the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround:

    Use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it using a previously backed up configuration file (ns.conf) of the same release build as the downgrade target.
    * Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
    * If neither of the above options works, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]