- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- 13.0-67.43 is a replacement build for 13.0-67.39. NSHELP-25322 and NSHELP-25443 are the additional fixes in the replacement build.
Authentication, authorization, and auditing
nFactor authentication support for Citrix Gateway with Standard license
Citrix Gateway now supports nFactor authentication with Standard license. For more information, refer https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/multi-factor-nfactor-authentication.html[ NSAUTH-6438 ]
New Citrix logo is introduced.[ CGOP-14440 ]
Citrix Web App Firewall
All import objects name length and profile name length increased to 127 characters
The Citrix Web App Firewall import objects name length and profile name length is now increased to a maximum limit of 127 characters. Previously, the name length was set only up to 32 characters.[ NSWAF-5992 ]
Dynamic profiling relaxation rule counter
When the Citrix Web App Firewall detects a violation, the user has the ability to bypass the action using relaxation rules. To monitor these relaxations, you now have a relaxation hit counter. The counter tracks statistical details, such as the number of times a violation occurs on the appliance, the number of relaxation rules applied at the time of the violation, and the last applied timestamp.
However, the new relaxation hit counter is available only for the following security checks.
[ NSWAF-5842 ]
- Cross-site Scripting
- SQL Injection
JSON command injection protection check
The Citrix Web App Firewall profile is now enhanced with a new protection check for command injection attacks in JSON payload. When the command injection security check examines the JSON traffic and detects any malicious commands, the appliance blocks the request or performs the configured action.[ NSWAF-5837 ]
Bot trap URL randomization
The Citrix Bot trap technique can now randomly or periodically insert a trap URL in the client response. The URL appears invisible and not accessible if the client is a human user. However, if the client is an automated bot, the URL is accessible and when accessed, the attacker is categorized as a bot and any subsequent request from the bot is blocked. The trap technique is effective in blocking attacks from bots.
The Bot trap URL is auto-generated and you can configure the length and interval at which the URL needs to be updated. If the trap URL is configured in a profile, then you must insert only that URL. Also, this technique allows you to insert the trap URL for every response of the top-visited websites or frequently visited websites by binding the website URLs in the profile."[ NSWAF-5774 ]
SameSite cookie attribute for secure web communication
With the recent browser upgrade, such as Google Chrome 80, there is a change in the default cross-domain behavior in cookies. As a result, the SameSite attribute is set as "None", "Lax" or "Strict" and for Google Chrome browser, the default attribute value is set as Lax.
[ NSWAF-5468 ]
- SameSite=None. Indicates the browser to use a cookie in cross-site context only on secure connections.
- SameSite=Lax. Indicates the browser to use a cookie for requests on the same domain and for cross-site only safe HTTP methods like "GET" request can use the cookie.
- SameSite=Strict. Indicates the cookie can be used only when the user is requesting the domain explicitly.
Support added for NET_ADMIN to run multi-core Citrix ADC CPX
You can now use the --cap-add=NET_ADMIN option to run Citrix ADC CPX with both single core and multi-cores in bridge mode deployments.[ NSNET-16016 ]
Setting up a VPX high-availability pair with private IP addresses across different AWS zones
You can now deploy a VPX high-availability pair on AWS using private IP addresses across different AWS zones.[ NSPLAT-14757 ]
VIP scaling support for Citrix ADC VPX instance on GCP
Based on your requirement, you can now add multiple VIP (public IP) addresses on a Citrix ADC VPX instance deployed on GCP. This is supported on both standalone and high availability deployments. Previously, the maximum number of VIPs you were able to add depended on GCP networking limit.[ NSPLAT-14738 ]
Changes to the default admin password
If the password is set to the default admin (nsroot) password, users must change the password on the first login or while creating an instance, and then save the configuration. The password cannot be reset to the default admin password.
This change is applicable to the following Citrix appliances:
[ NSPLAT-14480 ]
- VPX instances hosted on the Citrix ADC SDX appliance
- Citrix ADC BLX appliance
- Citrix VPX virtual appliances that are hosted on the following virtualization and cloud platforms:
- Citrix Hypervisor
- VMware ESX
- Microsoft Hyper-V
- Linux KVM
- Amazon Web Services
- Google Cloud Platform
Setting up a Citrix ADC VPX high-availability pair on GCP using forwarding rules
You can now deploy a VPX high-availability pair on the Google Cloud Platform (GCP) using forwarding rules with target instances at the backend. Forwarding rules must be in the same region as the VPX instance and target instances must be in the same zone as the VPX instance. Upon failover, the forwarding rule target is updated to the secondary target instance for the traffic to resume.[ NSPLAT-14378 ]
Built-in HTTP profile for management access
The Citrix ADC appliance now has a built-in HTTP profile, "nshttp_default_internal_apps" for management access. The profile is configured to block HTTP/0.9 requests and to drop invalid requests for management access. The profile settings are the same as the existing "nshttp_default_strict_validation" profile. However, it is advisable that you do not change the profile settings as done in the "nshttp_default_strict_validation" profile.[ NSBASE-10118 ]
Request-retry on TCP SYN connection establishment
The request retry is applicable to one more error scenario. If a reset is received from the back-end server during TCP SYN establishment, the appliance does not keep retrying the same server until the client connection times out. Instead, based on re-load balancing, the appliance forwards the request to the next available back-end server.[ NSBASE-9610 ]
Support for gRPC response buffer time and size limitation
In gRPC bridging scenario, the Citrix ADC appliance buffers the gRPC response from the back-end server until the response trailer is received. This breaks bi-directional gRPC calls. Also, if the gRPC response is huge, it consumes a significant amount of memory to buffer the response completely. To resolve these issues, you can configure two new parameters, grpcholdlimit and/or grpcholdtimeout in the HTTP profile. When configuring both or any one of the two parameters, the appliance stops buffering and starts forwarding the response even if any one of the buffer limit triggers (either the trailer is not received within the configured buffer size or if a configured timeout occurs).[ NSBASE-9466 ]
Citrix logo change
Citrix now has a new logo that reflects its brand transformation. The Citrix ADC and Citrix Gateway GUI now reflect the new Citrix logo.[ NSUI-16210 ]
Custom search functionality for bot signatures
A custom search functionality is now available on the Citrix ADC Bot Signatures GUI page. You can use the search option to locate content in the signature file.[ NSUI-15992 ]
DSA keys are deprecated and are no longer supported on a Citrix ADC appliance.[ NSUI-14778 ]
Authentication, authorization, and auditing
In rare cases, a Citrix Gateway appliance crashes if the appliance is configured with "VPN URL" functionality with SSO type as "selfauth".[ NSHELP-24667 ]
In some cases, the Email OTP validation fails when the OTP request is sent by a core and the validation request is received by another core.[ NSHELP-24442 ]
The Citrix ADC appliance denies log on requests from mobile clients because the login schema validation fails. You must use the OAuthToken_Username_password.xml schema in your configuration.[ NSHELP-24318 ]
The login to a Citrix ADC appliance fails if the following conditions are met.
[ NSHELP-24259 ]
- The appliance is configured for nFactor.
- The login schema policy is bound to an authentication virtual server and authentication schema is set to "noschema".
In rare cases, the Citrix ADC appliance crashes if the appliance is configured for NTLM authentication.[ NSHELP-24236 ]
Citrix SSO QR scan fails for VPN virtual server configured on a non-default (443) port. This happens because of an issue with Native OTP settings.[ NSHELP-24097 ]
In some cases, a Citrix ADC appliance becomes unresponsive while it is doing some background tasks related to user authentication.[ NSHELP-23883 ]
In some cases, a Citrix ADC appliance becomes unresponsive when single sign-on is attempted.[ NSHELP-23632 ]
In rare cases, a Citrix ADC appliance crashes upon handling authentication request if a DUP-FREE (trying to free an already free resource) scenario arises.[ NSHELP-23565 ]
A Citrix ADC appliance fails to extract all the groups in an LDAP scenario for an AD user when the number of groups the user belongs to exceeds the limit of the group size.[ NSHELP-22959 ]
Single Sign-On (SSO) with the following authentication methods does not work if the SSO configuration in Citrix ADC and Citrix Gateway is enabled only at global level and not at per traffic level.
[ NSAUTH-9166 ]
- CitrixAGBasic authentication
- Kerberos authentication
- OAuth bearer authentication
In some cases, the Citrix ADC appliance crashes if any expired Authentication, authorization, and auditing session exists during the configuration clean-up.[ NSAUTH-7767 ]
Citrix ADC appliance might crash if the bot device fingerprint technique is disabled while traffic flowing into the appliance.
[ NSBOT-156 ]
A Citrix ADC appliance might crash if a bot management profile is configured with CAPTCHA as a bot action.[ NSBOT-148 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance running software version 13.0 build 64.x or 12.1 build 58.x, a user cannot download the backup of the appliance.
[ NSSVM-3952 ]
The SDX GUI might not be accessible after upgrading a Citrix ADC SDX appliance on which management LA and CLAGs are configured.[ NSHELP-24671 ]
The SNMP user details are not modified if you change the device profile of an ADC instance provisioned on a Citrix ADC SDX appliance.[ NSHELP-24488 ]
On a Citrix ADC SDX appliance, an ADC instance configured with an IPv6 address cannot be modified.[ NSHELP-24256 ]
You cannot include a hash (%23) in community strings for SNMP managers and trap destinations configured on a Citrix ADC SDX appliance.[ NSHELP-23989 ]
On a Citrix ADC SDX appliance, link aggregation information of ADC instances might be lost due to a race condition between concurrent rediscoveries of ADC instances.[ NSHELP-23849 ]
If a VPX instance was provisioned on an old 11.1 build, update operations on the VPX instance using the SDX CLI fail if the following conditions are met:
[ NSHELP-23683 ]
- The "Shell/SFTP/SCP Access" option was selected.
- The "Add Instance Administration" option was not selected.
These options were available under "Instance Administration."
In some cases, the licenses are not read correctly by the Management Service after you restart a Citrix ADC SDX appliance.[ NSHELP-23619 ]
The Citrix Gateway appliance might crash during a session logout if the appliance tries to remove the connection twice from the session.[ NSHELP-25443 ]
The Citrix Gateway appliance crashes during Transfer Login if the request lands on a core where the previous session has timed out.[ NSHELP-25322 ]
Users cannot access websites if the following conditions are met:
[ NSHELP-24903 ]
- The proxy server has a strict SNI check.
- The backend server is accessed through an outbound proxy for clientless VPN or SecureBrowse.
- The backendServerSNI parameter is enabled.
SAML authentication does not work as expected if the virtual server is configured on a custom port.[ NSHELP-24842 ]
In a rare case, the Citrix ADC appliance crashes while printing debug logs if the server initiated connection session is already freed.[ NSHELP-24581 ]
If you log on to Citrix Gateway and access Microsoft Excel via clientless VPN SharePoint, you are logged out of the session created for Microsoft Excel.[ NSHELP-24074 ]
In rare cases, the Citrix Gateway appliance might crash if intranet IP (IIP) address is enabled and there are server-initiated connections to the IIP address.[ NSHELP-23819 ]
The Windows plug-in displays the Gateway not reachable message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.[ NSHELP-23794 ]
Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.[ NSHELP-23770 ]
The Citrix ADC appliance might crash during a Authentication, authorization, and auditing session logout if the user logs in from Citrix Workspace.[ NSHELP-23623 ]
The Citrix Gateway appliance might crash while launching an app if the VDA FQDN resolution fails.[ NSHELP-22454 ]
When you access Microsoft Excel through clientless VPN SharePoint, you cannot edit the Excel file.[ CGOP-15123 ]
Support for CredSSP protocol version 2 is removed. Only CredSSP protocol versions 5 and 6 are supported on the Windows operating systems.[ CGOP-14308 ]
Citrix Web App Firewall
File Descriptor leak in aslearn when displaying some XML learn data.[ NSWAF-6648 ]
Support for "cs7" in CEF log messages
The Citrix Web App Firewall Common Event Format (CEF) log messages now include one more parameter, "cs7" for audit log expression name.[ NSWAF-6593 ]
In a cluster configuration, an error message, "Communication error with aslearn" appears when the learning engine tries to view and reset the learned data.[ NSHELP-24584 ]
A Citrix ADC appliance might crash because of the null streaming context in XML processing and if the "multipleHeaderAction" parameter is set as "log".[ NSHELP-24549 ]
A Citrix ADC appliance removes the status code from the response if the following issues are observed:
[ NSHELP-24489 ]
- The reason phrase is missing and
- The status code is not followed by a space.
In a cluster setup, you cannot modify or remove the rfcprofiles in the set or rm appfw rfcprofile command.[ NSHELP-24222 ]
A Citrix ADC appliance might crash during the Web App Firewall XML validation check.[ NSHELP-23562 ]
During GSLB real-time synchronization, the continuous batching of GSLB configuration commands might result in pushing the commands to the subordinate sites in an incorrect order.[ NSHELP-23934 ]
When GSLB is configured in admin partitions, the sync gslb config -forceSync command might remove any cert-key bindings to SSL services specific to the GSLB site IP address.[ NSHELP-23203 ]
When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.[ NSHELP-23050 ]
A high availability failover occurs in a Citrix ADC appliance, if all of the following conditions are met:
[ NSHELP-22589 ]
- Services bound to a SIP load balancing virtual server are unbound from it.
- Connections on the SIP load balancing virtual server are not flushed completely.
- Client requests are received on these connections.
The Citrix ADC appliance might rarely crash when an integer value is truncated after series of operations related to Stream Identifier.[ NSHELP-22489 ]
After an upgrade to Citrix ADC 12.1 build 58.x, any one command propagation failure from the CCO node might lead to complete propagation failure. As a result, the further commands might fail from CCO node to non-CCO nodes.[ NSNET-18028 ]
In an admin partition setup, memory allocation might fail when you run the "set" command during an incorrect partition of memory resource.[ NSNET-17719 ]
If you run the set appflow command in a cluster setup, you might not be able to form a cluster.[ NSHELP-24220 ]
The following issues are observed related to BGP community strings in the Citrix ADC appliance:
[ NSHELP-24119 ]
- When the appliance receives a BGP community string x:65535, the BGP session is disconnected.
- When "bgp extended asn" capability is not enabled, the BGP daemon doesn't handle the combination of AS4_PATH attribute and certain community strings in a desired manner. This improper handling results in crash of BGP daemon.
In a high availability setup, HA heartbeat packets might be lost during the "apply acls" operation for some ACL rules.[ NSHELP-23663 ]
In a high availability set up in INC mode, BFD sessions are lost after a failover.[ NSHELP-23648 ]
BFD settings might not apply in a Citrix ADC appliance after you hard reboot the appliance several times.[ NSHELP-23471 ]
After entering and exiting the VTYSH shell in a Citrix ADC appliance, the symlink for '/nsconfig/syslog.conf' in '/etc/syslog.conf' might be removed. As a result, the changes in '/nsconfig/syslog.conf' are not reflected in '/etc/syslog.conf'.[ NSHELP-23200 ]
A Citrix ADC appliance might crash during deployment if the following conditions are observed:
[ NSHELP-22418 ]
- Multipath TCP (MPTCP) is enabled with MBF and PMTUD
- MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
When you add a slave interface with jumbo MTU to link aggregation channel that is used as backplane, the following warning message incorrectly appears:
"The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."
This is only a display issue, and there is no impact on the functionality.[ NSHELP-20794 ]
Upgrade on a Citrix ADC SDX appliance fails due to lack of space.
[ NSHELP-24066 ]
The Citrix ADC SDX 15000-50G on a reboot operation might fail to reboot completely, when all the 10G and 50G interfaces are configured as LACP channels with 9000 MTU. The 50G interfaces might also end up missing after reboot.
[ NSHELP-23104 ]
NITRO API request or GUI access to a Citrix ADC appliance fails if the appliance remains idle from management activity over HTTP(S) for more than six days.[ NSHELP-22849 ]
The target field in the responder action of "NOOP" action type is not saved in the configuration file (ns.conf). As a result, when you restart your appliance, there is a configuration loss.[ NSHELP-23772 ]
An error message Directory does not exist" appears on the HTML Page Import Object GUI page after you upgrade the Citrix ADC appliance release 11.1 build 63.15.[ NSHELP-22826 ]
A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.[ NSHELP-22687 ]
An error message that appeared when an XML namespace error occurred was not clear and sufficiently descriptive to tell users how to fix the issue.[ NSHELP-18283 ]
In rare cases, a Citrix ADC appliance crashes if the following conditions are met:
[ NSHELP-23754 ]
- An SSL virtual server receives a Client Hello message with the SSL record header split into two or more TCP packets.
- A policy bound at client hello with a forward action specified returns true.
- The TCP checksum of the packet, which completes the record header of Client Hello message, contains the 0xXX 0x16 pattern.
A Citrix ADC appliance might crash if AppFlow is enabled after the server-side connection is established.[ NSHELP-24546 ]
If the rewrite module or the HTTP strict transport security (HSTS) header modifies a packet and splits it into two, the intrusion prevention system (IPS) frees the second packet. This results in corrupting the packet flow to the client and thereby allowing only a partial response forwarded to the client.[ NSHELP-24294 ]
A Citrix appliance with connection chaining parameter enabled might crash if the following conditions are met:
[ NSHELP-23322 ]
- The incoming packet has TCP options of more than 20 bytes.
- The appliance tries to insert an extra 20 bytes, which leads to TCP overflow.
The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.[ NSBASE-11747 ]
The "Decrypt Only" cookie option is incorrectly spelled on the Cookie Consistency Settings GUI page.[ NSUI-16857 ]
When you edit a relaxation rule on the Web Application Firewall profile GUI page, an error message appears at the page bottom. The error occurs because of an internal framework issue.[ NSUI-16806 ]
In a cluster setup, the "Bot Management" feature does not appear under Security in the navigation menu.[ NSUI-16796 ]
The Citrix ADC GUI might not display the Save and Refresh button in Microsoft Internet Explorer browser.[ NSHELP-24774 ]
An intermittent WSI error message Required argument missing [profileName] appears on the Citrix ADC GUI when the Citrix ADC appliance invokes the "appfwlearningdata" API for the following.
[ NSHELP-24648 ]
- WSI check
The following behavior is observed in both cluster and high availability setup:
- In a cluster setup, a file deleted from "/nsconfig/ssl" path from the CLIP is not reflecting on the non-CCO node even after synchronization.
- In a high availability setup, a file deleted from "/nsconfig/ssl" path from the primary node is not reflecting on the secondary node even after synchronization.[ NSHELP-24578 ]
The Citrix ADC GUI displays less number of cached objects when compared to the command interface.[ NSHELP-24337 ]
After an upgrade to Citrix ADC 13.0 build 56.x Citrix Web App Firewall regex evaluators do not work as expected.[ NSHELP-24212 ]
The Citrix ADC GUI does not display the "Top CLIENT.UDP.DNS.DOMAIN" statistical data in graphical format for the selected stream identifier.[ NSHELP-23777 ]
After executing the "saveconfig - all" command, the last saved time for the admin partitions is not accurately updated.[ NSHELP-23740 ]
The real-time synchronization of GSLB configuration from the master site to the subordinate sites does not occur when you run the "set cs policy" command.[ NSHELP-23393 ]
In a Citrix ADC appliance, HTTPD might dump core while processing NITRO API calls.[ NSHELP-23208 ]
In Citrix ADC GUI, the Web App Firewall Profiles page does not have the next or previous navigation options to view more than 25 profiles in the list pane.
Navigation: Security->Citrix Web App Firewall->Profiles[ NSHELP-22622 ]
The "nsconfigaudit" config diff tool does not maintain the order of commands within the same resource group when generating the corrective commands.[ NSHELP-21791 ]
On a Citrix ADC MPX appliance, to transition the pooled capacity license to a perpetual license, you must first remove the pooled licensing configuration and then remove the pooled capacity license.[ NSCONFIG-4167 ]
Authentication, authorization, and auditing
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.[ NSHELP-26199 ]
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[ NSAUTH-6106 ]
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.[ NSAUTH-5916 ]
- You might see a No such policy exists message on the nFactor Flow page in nFactor Visualizer when you try to unbind a policy from a factor. The unbind option work as expected.[ NSAUTH-5821 ]
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.[ NSHELP-22942 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.[ NSHELP-26431 ]
The Citrix Gateway login page displays an error stating that the login has failed if the following sequence of conditions is met. The error appears even if the user has not tried to log on again.
[ NSHELP-25157 ]
- Log on to the Citrix Gateway fails.
- Log on to the Citrix Gateway succeeds.
- The user logs out.
EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.[ NSHELP-24848 ]
The Gateway Insight does not display accurate information on the VPN users.[ NSHELP-23937 ]
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.[ NSHELP-23047 ]
The Citrix ADC appliance becomes unresponsive if the following conditions are met:
[ NSHELP-22987 ]
- DTLS is enabled.
- UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.[ NSHELP-21897 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.[ CGOP-16792 ]
Transfer Logon does not work if the following two conditions are met:
[ CGOP-14092 ]
- nFactor authentication is configured.
- Citrix ADC theme is set to Default.
- The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.[ CGOP-13584 ]
- In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.[ CGOP-13049 ]
- An error message appears when you add or edit a session policy from the Citrix ADC GUI.[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.[ CGOP-7269 ]
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.[ NSLB-7679 ]
A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.[ NSHELP-26202 ]
When a content switching virtual server receives an HTTPS request, the largest cookie in the HTTPS request leads to a buffer overflow and stack corruption when the following conditions are met:
[ NSHELP-25932 ]
- The cookie format is incorrect.
- The cookie length is greater than 32 bytes.
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.[ NSHELP-24329 ]
The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.[ NSHELP-23391 ]
When the number of newnslog backup files increase, it may cause disk space crunch for a running Citrix ADC CPX instance over a period of time. Using the NEWNSLOG_MAX_FILENUM environment variable, you can control the number of backup files. By setting the environment variable value to 10, you can limit the maximum number of newnslog backup files to 10.[ NSNET-20261 ]
A Citrix ADC BLX appliance now supports the Citrix ADC IPv6 OSPF (OSPFv3) dynamic routing protocol feature. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-dynamic-routes/configuring-ipv6-ospf.html.[ NSNET-19567 ]
A Citrix ADC BLX appliance in DPDK mode does not detect an interface if you have bound the interface to DPDK in DOWN state.
Workaround: Do not bind DOWN interfaces to DPDK.[ NSNET-16561 ]
The following interface operations are not supported in a Citrix ADC BLX appliance:
[ NSNET-16559 ]
A Citrix ADC appliance might crash, if the following conditions are present:
[ NSHELP-25695 ]
- IPv6 link load balancing (LLB6) configuration has persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration
When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
On successive failures, the cluster retains the partial configuration.
1. Identify the failed commands from the log.
2. Manually apply the recovery commands to the failed commands.[ NSHELP-24910 ]
On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:
- The LACP link on 10G ports might flap intermittently or go down permanently.
1. Find out the internal ethX port corresponding to the 10G port
2. Run the following command on the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
3. Review traffic profile to block off unwanted traffic on the switch side[ NSHELP-25561 ]
By default, high availability monitor (HAMON) and HA heartbeat are disabled on a management interface that is configured as an internal management interface. Also, HAMON and HA heartbeat cannot be enabled on this interface.
Later, if the same interface is configured back as a management interface and the VPX instance is rebooted, HAMON and HA heartbeat options are still disabled.
However, you can now enable these options manually to avoid any issues with the HA configuration.[ NSHELP-21803 ]
- Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.[ NSPOLICY-1267 ]
The following issue might cause a failover in a high availability setup:
If many non-HTTP, non-TCP packets get queued waiting to be handled after processing on them has been blocked.[ NSHELP-23506 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.
[ NSSSL-9572 ]
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.
- Update command is not available for the following add commands:
[ NSSSL-6484 ]
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option
- You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[ NSSSL-6478 ]
- You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[ NSSSL-6213 ]
- The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
ERROR: crl refresh disabled[ NSSSL-6106 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
In a cluster setup, you might observe the following issues:
[ NSHELP-25764 ]
- Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.[ NSHELP-24913 ]
Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.
Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.[ NSUI-13024 ]
A load balancing virtual server persistence view fails to display all parameters when you edit an existing virtual server persistence configuration.[ NSHELP-25965 ]
In a cluster setup, a delay is observed when a huge configuration, (for example, 100 load balancing virtual IP addresses are bound to a Citrix Web App Firewall profile with multiple responder policies and IP patsets) is provisioned across all cluster nodes.[ NSHELP-25458 ]
Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.[ NSHELP-24195 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.[ NSHELP-20988 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.[ NSHELP-20821 ]
In a Citrix ADC BLX appliance, the "Reporting" tab in the GUI might not work as expected.[ NSCONFIG-4877 ]
When you downgrade a Citrix ADC appliance version 13.0-71.x to an earlier build, some Nitro APIs might not work because of the file permission changes.
Workaround: Change permission for "/nsconfig/ns.conf" to 644.[ NSCONFIG-4628 ]
The connection between the ADC instance and ADM service is lost when the following conditions are met:
[ NSCONFIG-4368 ]
- The instance is added to ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.[ NSCONFIG-4330 ]
If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration, and
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
[ NSCONFIG-3188 ]
- If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
- If none of the above options work, a system administrator can reset the system user passwords.