Release Notes for Citrix ADC 13.0-67.39 Release

This release notes document describes the enhancements and changes,fixed and known issues that exist for the Citrix ADC release Build 13.0-67.39.


  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 13.0-67.39.

Authentication, authorization, and auditing

  • nFactor authentication support for Citrix Gateway with Standard license
    Citrix Gateway now supports nFactor authentication with Standard license.
    [ NSAUTH-6438 ]

Citrix Gateway

  • New Citrix logo is introduced.
    [ CGOP-14440 ]

Citrix Web App Firewall

  • All import objects name length and profile name length increased to 127 characters
    The Citrix Web App Firewall import objects name length and profile name length is now increased to a maximum limit of 127 characters. Previously, the name length was set only up to 32 characters.
    [ NSWAF-5992 ]
  • Dynamic profiling relaxation rule counter
    When the Citrix Web App Firewall detects a violation, the user has the ability to bypass the action using relaxation rules. To monitor these relaxations, you now have a relaxation hit counter. The counter tracks statistical details, such as the number of times a violation occurs on the appliance, the number of relaxation rules applied at the time of the violation, and the last applied timestamp. 

    However, the new relaxation hit counter is available only for the following security checks.
    * Starturl
    * Denyurl
    * Cross-site Scripting
    * SQL Injection
    [ NSWAF-5842 ]
  • JSON command injection protection check
    The Citrix Web App Firewall profile is now enhanced with a new protection check for command injection attacks in JSON payload. When the command injection security check examines the JSON traffic and detects any malicious commands, the appliance blocks the request or performs the configured action.

    [ NSWAF-5837 ]
  • Bot trap URL randomization
    The Citrix Bot trap technique can now randomly or periodically insert a trap URL in the client response. The URL appears invisible and not accessible if the client is a human user. However, if the client is an automated bot, the URL is accessible and when accessed, the attacker is categorized as a bot and any subsequent request from the bot is blocked. The trap technique is effective in blocking attacks from bots.

    The Bot trap URL is auto-generated and you can configure the length and interval at which the URL needs to be updated. If the trap URL is configured in a profile, then you must insert only that URL.  Also, this technique allows you to insert the trap URL for every response of the top-visited websites or frequently visited websites by binding the website URLs in the profile."
    [ NSWAF-5774 ]
  • SameSite cookie attribute for secure web communication
    With the recent browser upgrade, such as Google Chrome 80, there is a change in the default cross-domain behavior in cookies. As a result, the “SameSite” attribute is set as "None", "Lax" or "Strict" and for Google Chrome browser, the default attribute value is set as “Lax.”

    In compliance with the browser’s new SameSite cookie policy, the Citrix Web App Firewall profile is enhanced to support the SameSite cookie attribute configuration.  You can now enable the SameSite cookie attribute and also set the attribute as any one of the following options.


    “SameSite=None”. Indicates the browser to use a cookie in cross-site context only on secure connections.

    “SameSite=Lax”. Indicates the browser to use a cookie for requests on the same domain and for cross-site only safe HTTP methods like GET request can use the cookie.

    “SameSite=Strict”. Indicates the cookie can be used only when the user is requesting for the domain explicitly.
    [ NSWAF-5468 ]


  • Support added for NET_ADMIN to run multi-core Citrix ADC CPX
    You can now use the --cap-add=NET_ADMIN option to run Citrix ADC CPX with both single core and multi-cores in bridge mode deployments.

    [ NSNET-16016 ]


  • Setting up a VPX high-availability pair with private IP addresses across different AWS zones
    You can now deploy a VPX high-availability pair on AWS using private IP addresses across different AWS zones.
    [ NSPLAT-14757 ]
  • VIP scaling support for Citrix ADC VPX instance on GCP
    Based on your requirement, you can now add multiple VIP (public IP) addresses on a Citrix ADC VPX instance deployed on GCP. This is supported on both standalone and high availability deployments. Previously, the maximum number of VIPs you were able to add depended on GCP networking limit.
    [ NSPLAT-14738 ]
  • Changes to the default admin password If the password is set to the default admin (nsroot) password, users must change the password on the first login or while creating an instance, and then save the configuration. The password cannot be reset to the default admin password.
    This change is applicable to the following Citrix appliances:
    - VPX instances hosted on the Citrix ADC SDX appliance
    - Citrix ADC BLX appliance
    - Citrix VPX virtual appliances that are hosted on the following virtualization and cloud platforms:
    - Citrix Hypervisor
    - VMware ESX
    - Microsoft Hyper-V
    - Linux KVM
    - Amazon Web Services
    - Google Cloud Platform
    [ NSPLAT-14480 ]
  • Setting up a Citrix ADC VPX high-availability pair on GCP using forwarding rules
    You can now deploy a VPX high-availability pair on the Google Cloud Platform (GCP) using forwarding rules with target instances at the backend. Forwarding rules must be in the same region as the VPX instance and target instances must be in the same zone as the VPX instance. Upon failover, the forwarding rule target is updated to the secondary target instance for the traffic to resume.
    [ NSPLAT-14378 ]


  • Built-in HTTP profile for management access
    The Citrix ADC appliance now has a built-in HTTP profile, "nshttp_default_internal_apps" for management access. The profile is configured to block HTTP/0.9 requests and to drop invalid requests for management access. The profile settings are the same as the existing "nshttp_default_strict_validation" profile. However, it is advisable that you do not change the profile settings as done in the "nshttp_default_strict_validation" profile.  
    [ NSBASE-10118 ]
  • Request-retry on TCP SYN connection establishment
    The request retry is applicable to one more error scenario. If a reset is received from the back-end server during TCP SYN establishment, the appliance does not keep retrying the same server until the client connection times out. Instead, based on re-load balancing, the appliance forwards the request to the next available back-end server.
    [ NSBASE-9610 ]
  • Support for gRPC response buffer time and size limitation
    In gRPC bridging scenario,  the Citrix ADC appliance buffers the gRPC response from the back-end server until the response trailer is received. This breaks bi-directional gRPC calls. Also, if the gRPC response is huge, it consumes a significant amount of memory to buffer the response completely. To resolve these issues, you can configure two new parameters, “grpcholdlimit” and/or ““grpcholdtimeout” in the HTTP profile. When configuring both or any one of the two parameters, the appliance stops buffering and starts forwarding the response even if any one of the buffer limit triggers (either the trailer is not received within the configured buffer size or if a configured timeout occurs).
    [ NSBASE-9466 ]

User Interface

  • Citrix logo change
    Citrix now has a new logo that reflects its brand transformation. The Citrix ADC and Citrix Gateway GUI now reflect the new Citrix logo.
    [ NSUI-16210 ]
  • Custom search functionality for bot signatures
    A custom search functionality is now available on the Citrix ADC Bot Signatures GUI page. You can use the search option to locate content in the signature file.
    [ NSUI-15992 ]
  • DSA keys are deprecated and are no longer supported on a Citrix ADC appliance.
    [ NSUI-14778 ]

Fixed Issues

The issues that are addressed in Build 13.0-67.39.


  • A Citrix ADC appliance might crash if AppFlow is enabled after the server-side connection is established.
    [ NSHELP-24546 ]

Authentication, authorization, and auditing

  • In rare cases, a Citrix Gateway appliance crashes if the appliance is configured with "VPN URL" functionality with SSO type as "selfauth".

    [ NSHELP-24667 ]
  • In some cases, the Email OTP validation fails when the OTP request is sent by a core and the validation request is received by another core.
    [ NSHELP-24442 ]
  • The Citrix ADC appliance denies log on requests from mobile clients because the login schema validation fails. You must use the OAuthToken_Username_password.xml schema in your configuration.
    [ NSHELP-24318 ]
  • The login to a Citrix ADC appliance fails if the following conditions are met.
    * The appliance is configured for nFactor.
    * The login schema policy is bound to an authentication virtual server and authentication schema is set to "noschema".
    [ NSHELP-24259 ]
  • In rare cases, the Citrix ADC appliance crashes if the appliance is configured for NTLM authentication.
    [ NSHELP-24236 ]
  • Citrix SSO QR scan fails for VPN virtual server configured on a non-default (443) port. This happens because of an issue with Native OTP settings. 
    [ NSHELP-24097 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive while it is doing some background tasks related to user authentication.
    [ NSHELP-23883 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive when single sign-on is attempted.
    [ NSHELP-23632 ]
  • In rare cases, a Citrix ADC appliance crashes upon handling authentication request if a DUP-FREE (trying to free an already free resource) scenario arises.
    [ NSHELP-23565 ]
  • A Citrix ADC appliance fails to extract all the groups in an LDAP scenario for an AD user when the number of groups the user belongs to exceeds the limit of the group size.
    [ NSHELP-22959 ]
  • Single Sign-On (SSO) with the following authentication methods does not work if the SSO configuration in Citrix ADC and Citrix Gateway is enabled only at global level and not at per traffic level.

    - CitrixAGBasic authentication
    - Kerberos authentication
    - OAuth bearer authentication
    [ NSAUTH-9166 ]
  • In some cases, the Citrix ADC appliance crashes if any expired Authentication, authorization, and auditing session exists during the configuration clean-up.
    [ NSAUTH-7767 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance running software version 13.0 build 64.x or 12.1 build 58.x, a user cannot download the backup of the appliance.
    [ NSSVM-3952 ]
  • The SDX GUI might not be accessible after upgrading a Citrix ADC SDX appliance on which management LA and CLAGs are configured.

    [ NSHELP-24671 ]
  • The SNMP user details are not modified if you change the device profile of an ADC instance provisioned on a Citrix ADC SDX appliance.
    [ NSHELP-24488 ]
  • On a Citrix ADC SDX appliance, an ADC instance configured with an IPv6 address cannot be modified.
    [ NSHELP-24256 ]
  • You cannot include a hash (%23) in community strings for SNMP managers and trap destinations configured on a Citrix ADC SDX appliance.
    [ NSHELP-23989 ]
  • On a Citrix ADC SDX appliance, link aggregation information of ADC instances might be lost due to a race condition between concurrent rediscoveries of ADC instances.
    [ NSHELP-23849 ]
  • If a VPX instance was provisioned on an old 11.1 build, update operations on the VPX instance using the SDX CLI fail if the following conditions are met:
    - The "Shell/SFTP/SCP Access" option was selected.
    - The "Add Instance Administration" option was not selected.
    These options were available under "Instance Administration."
    [ NSHELP-23683 ]
  • In some cases, the licenses are not read correctly by the Management Service after you restart a Citrix ADC SDX appliance.
    [ NSHELP-23619 ]

Citrix Gateway

  • Users cannot access websites if the following conditions are met:
    * The proxy server has a strict SNI check.
    * The backend server is accessed through an outbound proxy for clientless VPN or SecureBrowse.
    * The backendServerSNI parameter is enabled.
    [ NSHELP-24903 ]
  • SAML authentication does not work as expected if the virtual server is configured on a custom port.
    [ NSHELP-24842 ]
  • In a rare case, the Citrix ADC appliance crashes while printing debug logs if the server initiated connection session is already freed.
    [ NSHELP-24581 ]
  • In a rare case, the Citrix ADC appliance crashes during transfer login when the old session has expired.
    [ NSHELP-24286 ]
  • If you log on to Citrix Gateway and access Microsoft Excel via clientless VPN SharePoint, you are logged out of the session created for Microsoft Excel.
    [ NSHELP-24074 ]
  • In rare cases, the Citrix Gateway appliance might crash if intranet IP (IIP) address is enabled and there are server-initiated connections to the IIP address.
    [ NSHELP-23819 ]
  • The Windows plug-in displays the “Gateway not reachable” message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.
    [ NSHELP-23794 ]
  • Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented. 
    [ NSHELP-23770 ]
  • The Citrix ADC appliance might crash during a Authentication, authorization, and auditing session logout if the user logs in from Citrix Workspace.
    [ NSHELP-23623 ]
  • The Citrix Gateway appliance might crash while launching an app if the VDA FQDN resolution fails. 
    [ NSHELP-22454 ]
  • When you access Microsoft Excel through clientless VPN SharePoint, you cannot edit the Excel file.

    >add rewrite policy ns_cvpn_v2_req_body_decode_pol "http.req.header(\"Content-Length\").exists && http.req.header(\"Content-Length\").value(0).typecast_num_t(decimal).gt(0) && http.req.header(\"Content-Type\").exists && (HTTP.REQ.HEADER(\"Content-Type\").CONTAINS(\"text/\") || (HTTP.REQ.HEADER(\"Content-Type\").CONTAINS(\"application/\") && HTTP.REQ.HEADER(\"Content-Type\").CONTAINS_ANY(\"ns_cvpn_v2_application_content_type_end\")))" ns_cvpn_v2_req_body_decode_act

    >bind rewrite policylabel ns_cvpn_v2_req_rw_label ns_cvpn_v2_req_body_decode_pol 27001

    [ CGOP-15123 ]
  • Support for CredSSP protocol version 2 is removed. Only CredSSP protocol versions 5 and 6 are supported on the Windows operating systems.
    [ CGOP-14308 ]

Citrix Web App Firewall

  • Support for "cs7" in CEF log messages
    The Citrix Web App Firewall Common Event Format (CEF) log messages now include one more parameter, "cs7" for audit log expression name. 
    [ NSWAF-6593 ]
  • In a cluster configuration, an error message, "Communication error with aslearn" appears when the learning engine tries to view and reset the learned data.
    [ NSHELP-24584 ]
  • A Citrix ADC appliance might crash because of the null streaming context in XML processing and if the "multipleHeaderAction" parameter is set as "log". 
    [ NSHELP-24549 ]
  • A Citrix ADC appliance removes the status code from the response if the following issues are observed:
    * The reason phrase is missing and
    * The status code is not followed by a space. 
    [ NSHELP-24489 ]
  • A Citrix ADC appliance might crash during the Web App Firewall XML validation check.
    [ NSHELP-23562 ]

Load Balancing

  • During GSLB real-time synchronization, the continuous batching of GSLB configuration commands might result in pushing the commands to the subordinate sites in an incorrect order.
    [ NSHELP-23934 ]
  • When GSLB is configured in admin partitions, the “sync gslb config -forceSync” command might remove any cert-key bindings to SSL services specific to the GSLB site IP address.
    [ NSHELP-23203 ]
  • When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.
    [ NSHELP-23050 ]
  • A high availability failover occurs in a Citrix ADC appliance, if all of the following conditions are met:
    * Services bound to a SIP load balancing virtual server are unbound from it.
    * Connections on the SIP load balancing virtual server are not flushed completely.
    * Client requests are received on these connections.
    [ NSHELP-22589 ]
  • The Citrix ADC appliance might rarely crash when an integer value is truncated after series of operations related to Stream Identifier.
    [ NSHELP-22489 ]


  • Citrix ADC appliance might crash if the bot device fingerprint technique is disabled while traffic flowing into the appliance.
    Workaround: Unbind the bot profile before disabling the device fingerprint technique.
    [ NSBOT-156 ]
  • A Citrix ADC appliance might crash if a bot management profile is configured with CAPTCHA as a bot action. 
    [ NSBOT-148 ]


  • After an upgrade to Citrix ADC 12.1 build 58.x, any one command propagation failure from the CCO node might lead to complete propagation failure. As a result, the further commands might fail from CCO node to non-CCO nodes.
    [ NSNET-18028 ]
  • In an admin partition setup, memory allocation might fail when you run the "set" command during an incorrect partition of memory resource.
    [ NSNET-17719 ]
  • If you run the “set appflow” command in a cluster setup, you might not be able to form a cluster.
    [ NSHELP-24220 ]
  • The following issues are observed related to BGP community strings in the Citrix ADC appliance:
    - When the appliance receives a BGP community string x:65535, the BGP session is disconnected.
    - When <bgp extended asn> capability is not enabled, the BGP daemon doesn't handle the combination of AS4_PATH attribute and certain community strings in a desired manner. This improper handling results in crash of BGP daemon.
    [ NSHELP-24119 ]
  • In a high availability setup, HA heartbeat packets might be lost during the "apply acls" operation for some ACL rules.
    [ NSHELP-23663 ]
  • In a high availability set up in INC mode, BFD sessions are lost after a failover.
    [ NSHELP-23648 ]
  • BFD settings might not apply in a Citrix ADC appliance after you hard reboot the appliance several times.
    [ NSHELP-23471 ]
  • After entering and exiting the VTYSH shell in a Citrix ADC appliance, the symlink for '/nsconfig/syslog.conf' in '/etc/syslog.conf' might be removed. As a result, the changes in '/nsconfig/syslog.conf' are not reflected in '/etc/syslog.conf'.
    [ NSHELP-23200 ]
  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:
    - Multipath TCP (MPTCP) is enabled with MBF and PMTUD
    - MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
    [ NSHELP-22418 ]
  • When you add a slave interface with jumbo MTU to link aggregation channel that is used as backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]


  • Upgrade on a Citrix ADC SDX appliance fails due to lack of space.
    1. On an appliance running software version 13.0, switch to the shell prompt and type:
    sed -i.bak 's|vbd-list vm-uuid=\$dom0_uuid|vbd-list vdi-name-label="Dom0 Extra Storage"|g' /opt/xensource/libexec/sdx-boot/sdx-dom0-vbd-plug

    2. Log on to the Management Service GUI and reboot the appliance. Navigate to System > System Administration and click Reboot Appliance.

    3. Upgrade the appliance. Navigate to System > System Administration and click Upgrade Appliance.
    [ NSHELP-24066 ]
  • The Citrix ADC SDX 15000-50G on a reboot operation might fail to reboot completely, when all the 10G and 50G interfaces are configured as LACP channels with 9000 MTU. The 50G interfaces might also end up missing after reboot.
    1. Delete the 50G interface LACP channel.
    2. Restore each individual interface to 1500 MTU.
    3. Recreate the LACP channel with MTU 1500.
    [ NSHELP-23104 ]
  • NITRO API request or GUI access to a Citrix ADC appliance fails if the appliance remains idle from management activity over HTTP(S) for more than six days.

    - add serviceGroup mgmt_http_svc HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES

    - bind serviceGroup mgmt_http_svc 80
    [ NSHELP-22849 ]


  • The target field in the responder action of "NOOP" action type is not saved in the configuration file (ns.conf). As a result, when you restart your appliance, there is a configuration loss.
    [ NSHELP-23772 ]
  • An error message “Directory does not exist" appears on the HTML Page Import Object GUI page after you upgrade the Citrix ADC appliance release 11.1 build 63.15.
    [ NSHELP-22826 ]
  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.
    [ NSHELP-22687 ]
  • An error message that appeared when an XML namespace error occurred was not clear and sufficiently descriptive to tell users how to fix the issue.
    [ NSHELP-18283 ]


  • In rare cases, a Citrix ADC appliance crashes if the following conditions are met:
    - An SSL virtual server receives a Client Hello message with the SSL record header split into two or more TCP packets.
    - A policy bound at client hello with a forward action specified returns true.
    - The TCP checksum of the packet, which completes the record header of Client Hello message, contains the 0xXX 0x16 pattern.
    [ NSHELP-23754 ]


  • If the rewrite module or the HTTP strict transport security (HSTS) header modifies a packet and splits it into two, the intrusion prevention system (IPS) frees the second packet. This results in corrupting the packet flow to the client and thereby allowing only a partial response forwarded to the client.
    [ NSHELP-24294 ]
  • A Citrix appliance with connection chaining parameter enabled might crash if the following conditions are met:
    - The incoming packet has TCP options of more than 20 bytes.
    - The appliance tries to insert an extra 20 bytes, which leads to TCP overflow.
    [ NSHELP-23322 ]
  • The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.
    [ NSBASE-11747 ]

User Interface

  • The "Decrypt Only" cookie option is incorrectly spelled on the Cookie Consistency Settings GUI page.
    [ NSUI-16857 ]
  • When you edit a relaxation rule on the Web Application Firewall profile GUI page, an error message appears at the page bottom. The error occurs because of an internal framework issue.
    [ NSUI-16806 ]
  • In a cluster setup, the "Bot Management" feature does not appear under Security in the navigation menu. 
    [ NSUI-16796 ]
  • The Edit Bot Profile GUI page appears clipped on the right side when the user adds a lengthy comment or log message. 
    [ NSUI-16697 ]
  • The Citrix ADC GUI might not display the Save and Refresh button in Microsoft Internet Explorer browser.
    [ NSHELP-24774 ]
  • An intermittent WSI error message “Required argument missing [profileName]” appears on the Citrix ADC GUI when the Citrix ADC appliance invokes the "appfwlearningdata" API for the following.
    * XMLDOS
    * XMLAttachment
    * WSI check
    [ NSHELP-24648 ]
  • The following behavior is observed in both cluster and high availability setup:
    -   In a cluster setup, a file deleted from "/nsconfig/ssl" path from the CLIP is not reflecting on the non-CCO node even after synchronization.
    -   In a high availability setup, a file deleted from "/nsconfig/ssl" path from the primary node is not reflecting on the secondary node even after synchronization.
    [ NSHELP-24578 ]
  • The Citrix ADC GUI displays less number of cached objects when compared to the command interface.
    [ NSHELP-24337 ]
  • After an upgrade to Citrix ADC 13.0 build 56.x Citrix Web App Firewall regex evaluators do not work as expected. 
    [ NSHELP-24212 ]
  • The Citrix ADC GUI does not display the "Top CLIENT.UDP.DNS.DOMAIN" statistical data in graphical format for the selected stream identifier.
    [ NSHELP-23777 ]
  • After executing the "saveconfig - all" command, the last saved time for the admin partitions is not accurately updated.
    [ NSHELP-23740 ]
  • The real-time synchronization of GSLB configuration from the master site to the subordinate sites does not occur when you run the "set cs policy" command.
    [ NSHELP-23393 ]
  • In a Citrix ADC appliance, HTTPD might *dump core* while processing NITRO API calls.
    [ NSHELP-23208 ]
  • In Citrix ADC GUI, the Web App Firewall Profiles page does not have the next or previous navigation options to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles
    [ NSHELP-22622 ]
  • The "nsconfigaudit" config diff tool does not maintain the order of commands within the same resource group when generating the corrective commands.
    [ NSHELP-21791 ]
  • On a Citrix ADC MPX appliance, to transition the pooled capacity license to a perpetual license, you must first remove the pooled licensing configuration and then remove the pooled capacity license.
    [ NSCONFIG-4167 ]

Known Issues

The issues that exist in release 13.0-67.39.

Authentication, authorization, and auditing

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.
    [ NSAUTH-5916 ]


  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
    [ NSHELP-22942 ]
  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

Citrix ADC SDX Appliance

  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, a high CPU usage can be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.
    [ NSHELP-24031 ]

Citrix Gateway

  • The Gateway Insight does not display accurate information on the VPN users.
    [ NSHELP-23937 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • The Windows plug-in displays the “Gateway not reachable” message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.
    [ NSHELP-23794 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
    [ NSHELP-23410 ]
  • You might face issues when editing documents using the web based office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.
    [ NSHELP-23364 ]
  • The intranet IP deregistration does not occur after the VPN is logged off, if the Intranet IP had taken more than 15 seconds for registration.
    [ NSHELP-23021 ]
  • The Citrix ADC appliance might crash during failover if UDP audio is enabled.
    [ NSHELP-22850 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
    [ NSHELP-21897 ]
  • When you upgrade your Unified Gateway environment to release 13.0 build 58.x or later, the DTLS knob is disabled in the content switching virtual server that is configured before the gateway or the VPN virtual server. You must manually enable the DTLS knob in the content switching virtual server after the upgrade. Do not enable the DTLS knob if you are using the wizard for configuration.
    [ CGOP-13972 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
    [ CGOP-13584 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]

Citrix Web App Firewall

  • The learn action for XML cross-site scripting is not supported but it is still configurable.
    [ NSWAF-6555 ]

Load Balancing

  • The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.
    [ NSHELP-23391 ]


  • A Citrix ADC appliance might crash if bot Captcha is configured as a bot action in IP reputation or device fingerprint detection techniques.

    [ NSBOT-226 ]


  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 47.24 or previous, to a later version.
    [ NSHELP-21701 ]


  • If a Citrix ADC instance uses ADM-based licensing, the Citrix ADC licensing might not work when the ADM version is lesser than the ADC version. Therefore, when you upgrade the ADC version, ensure the corresponding ADM version is the same as or higher than the current ADC version.
    [ NSPLAT-15184 ]
  • When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and if the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.
    Workaround: Enable the first LA channel even if it is unused or if its member interfaces are physically down.
    [ NSHELP-21889 ]


  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]


  • Update command is not available for the following add commands:
    - add azure application
    - add azure keyvault
    - add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled
    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:
    - The default profile is disabled.
    - A secure monitor is bound to a non-SSL service.
    [ NSHELP-24706 ]
  • The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.
    [ NSHELP-24615 ]
  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:
    - ECDHE/ECDSA hybrid model is enabled.
    - DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:
    - HA synchronization is in progress.
    - Monitor probes are sent before the synchronization is complete.
    [ NSHELP-24355 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL backend service on the following platforms:
    * MPX 5900
    * MPX 8900
    * MPX 15000
    * MPX 15000-50G
    * MPX 26000
    * MPX 26000-50S
    * MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
    [ NSHELP-24201 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    - The default profile is enabled.
    - A secure monitor is bound to a non-SSL service.
    [ NSHELP-24037 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
    [ NSHELP-23963 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]


  • A Citrix ADC appliance might crash if the following conditions are observed:
    - HTTP/2 enabled in the HTTP profile bound to load balancing virtual server of type HTTP/SSL or service.
    - Connection multiplexing option disabled in the HTTP Profile bound to load balancing virtual server or service.
    [ NSHELP-21202 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send more MTU data.
    [ NSHELP-9411 ]
  • Enabling metrics collector in the default partition might fail if it is already enabled in the admin partition setup.

    Workaround: Do not enable metrics collector in the admin partition setup.
    [ NSBASE-12623 ]

User Interface

  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
    [ NSUI-13024 ]
  • On the Citrix ADC GUI, you are unable to view the "Custom Reports" created for a specific partition.
    [ NSHELP-24370 ]
  • Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
    [ NSHELP-24195 ]
  • The following temporary files present in the /var/tmp folder of a Citrix ADC appliance is causing memory full state.
    - “sh.runn.audit.<pid>” file created by nsconfigaudit tool.
    - “tmp_ns.conf.<pid>” file created by “show run” command for partition.
    [ NSHELP-24092 ]
  • For a "routerdynamicrouting" NITRO API request, the Citrix ADC appliance might return JSON data with formatting errors if the response size is large.
    [ NSHELP-19913 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in diffnsconfig command. As a result, the diffnsconfig output is large to completely fill the root disk.
    [ NSHELP-19345 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:
    * 13.0 52.24 build
    * 12.1 57.18 build
    * 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"


    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see
    [ NSCONFIG-3188 ]