Release Notes for Citrix ADC 13.0-71.44 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues for Citrix ADC release Build 13.0-71.44.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-71.44 replaces Build 13.0-71.40.
  • This build adds an enhancement that removes the susceptibility to the DDoS-style attack against DTLS described in https://support.citrix.com/article/CTX289674.
  • This build also includes fixes for the following issues that existed in the previous Citrix ADC 13.0 release build: NSAUTH-9475.

What's New

The enhancements and changes that are available in Build 13.0-71.44.

Authentication, authorization, and auditing

  • Azure Government support for token authentication in Microsoft Intune integration

    In the Citrix Gateway and Microsoft Intune integration scenario, Citrix Gateway now supports the Microsoft Azure Government infrastructure for Azure Active Directory Authentication Library (ADAL) token authentication. Previously, only the Microsoft Azure commercial infrastructure was supported.

    [ NSAUTH-8246 ]

Citrix ADC SDX Appliance

  • After deleting an interface or a channel from an ADC instance, the instance might be unreachable from the Management Service. With this change, if your Citrix ADC SDX appliance is running release 13.0 build 71.x and later or release 12.1 build 60.x and later, you cannot delete the interface or channel on an ADC instance from the Management Service.

    [ NSSVM-3442 ]

Citrix Gateway

  • Support for dynamic secure DNS update on Windows plug-in

    The VPN plug-in for Windows now supports secure DNS update. This feature is disabled by default. To enable it, create a value named secureDNSUpdate of type REG_DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client and set it to 1.

    • When you set the value to 1, the VPN plug-in tries an unsecured DNS update first. If the unsecured DNS update fails, the VPN plug-in tries a secure DNS update.
    • To try only the secure DNS update, set the value to 2.
    [ CGOP-13788 ]

Citrix Web App Firewall

  • Device fingerprinting bot detection technique for mobile (Android) applications using Bot Mobile SDK

    The device fingerprinting bot detection mechanism is now enhanced to secure mobile (Android) applications from bot attacks. To detect bots in a mobile application, the device fingerprinting detection technique uses a bot mobile SDK. The SDK is integrated with the mobile application to intercept the mobile traffic, collect client and device details, and send the data to the appliance. On the appliance side, the device fingerprinting bot detection technique examines the data and determines whether the connection is from a bot or a human.

    [ NSWAF-5983 ]

Load Balancing

  • Configurable MEP timer support to avoid MEP flaps on GSLB sites

    A new parameter, MEPKeepAliveTimeout, is now added to configure the MEP timer. By default, the timer value is set as 10 seconds. Previously, the timer had a fixed value of 4 seconds.

    If the local GSLB site does not receive any new packets (retransmitted packets and duplicate acknowledgment packets are excluded) from a remote GSLB site on the site-metric MEP connection within the time specified by the MEP timer, the Citrix ADC appliance marks the connection as DOWN and then waits 15 more seconds without terminating the connection. If a new packet arrives within that window, the MEP connection is retained and its status is marked UP again.

    [ NSLB-7342 ]
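    The timer logic described above, as a small state model: this is an added illustration and not code from the Citrix ADC code base. It assumes the 15-second grace window and the 10-second default of MEPKeepAliveTimeout from the description; the class, method and function names are the author's own.

```python
"""Model of site-metric MEP liveness: keepalive timeout, DOWN marking, 15 s grace."""


class MepConnection:
    # Hypothetical class; keepalive_timeout mirrors MEPKeepAliveTimeout (default 10 s).
    UP, DOWN, CLOSED = "UP", "DOWN", "CLOSED"
    GRACE_SECONDS = 15.0  # kept open after being marked DOWN, per the release note

    def __init__(self, keepalive_timeout=10.0, start=0.0):
        if keepalive_timeout <= 0:
            raise ValueError("keepalive timeout must be positive")
        self.timeout = float(keepalive_timeout)
        self.last_new_packet = float(start)

    def status(self, now):
        """UP while a new packet arrived within the timeout, DOWN during the
        grace window, CLOSED once the grace window has elapsed as well."""
        idle = now - self.last_new_packet
        if idle < self.timeout:
            return self.UP
        if idle < self.timeout + self.GRACE_SECONDS:
            return self.DOWN
        return self.CLOSED

    def on_packet(self, now, retransmitted=False, duplicate_ack=False):
        """Feed a packet from the remote site. Retransmissions and duplicate
        ACKs are not new traffic, so they never reset the timer or revive
        the link; a genuinely new packet during the grace window does."""
        if self.status(now) == self.CLOSED:
            raise RuntimeError("MEP connection already terminated; re-establish it")
        if retransmitted or duplicate_ack:
            return self.status(now)
        self.last_new_packet = float(now)
        return self.UP


def status_timeline(timeout, packet_times, sample_times):
    """Status at each sample time for a schedule of new-packet arrivals
    (constructed input); compares the old fixed 4 s timer with the 10 s default."""
    conn = MepConnection(keepalive_timeout=timeout, start=packet_times[0])
    pending = sorted(packet_times[1:])
    out = []
    for t in sorted(sample_times):
        while pending and pending[0] <= t:
            conn.on_packet(pending.pop(0))
        out.append(conn.status(t))
    return out


if __name__ == "__main__":
    # A remote site that sends new packets every 6 s flaps with a 4 s timer
    # but stays UP with the new 10 s default.
    print(status_timeline(4, [0, 6, 12], [3, 5, 7, 13]))
    print(status_timeline(10, [0, 6, 12], [3, 5, 7, 13]))
```

    The timeline function shows the practical effect of the change: a remote site whose packets arrive a few seconds apart is marked DOWN repeatedly with the old 4-second timer and stays UP with the 10-second default.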
  • Support for file-based pattern sets

    The Citrix ADC appliance now supports file-based pattern sets.

    You can import a new pattern set file into the Citrix ADC appliance using the following command:
    "import patsetfile <src> <name> -overwrite -delimiter <char> -charset <ASCII | UTF_8>"

    You can update an existing pattern set file on the Citrix ADC appliance using the following command:
    "update patsetfile <patset filename>"

    You can add a pattern set file to the packet engine using the following command:
    "add patsetfile <patset filename>"

    You can bind patterns to the pattern set file using the following command:
    "add patset <name> -patsetfile <patset filename>"

    [ NSLB-5823 ]
  • MQTT protocol support on Citrix ADC appliances

    Citrix ADC appliances now natively support the Message Queuing Telemetry Transport (MQTT) protocol. MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). With this support, the Citrix ADC appliance can be used in IoT deployments to load balance MQTT traffic.

    Previously, you could configure MQTT on the Citrix ADC appliance by using protocol extensions. Users had to write their own extension code and import the extension file to the Citrix ADC appliance, from either a web server (using HTTP) or local workstation.

    [ NSLB-5822 ]

Networking

  • Support added in Citrix ADC CPX for Cilium CNI in a Kubernetes environment

    Citrix ADC CPX now supports Cilium CNI in a Kubernetes environment. Cilium is an open-source CNI that uses the extended Berkeley Packet Filter (eBPF) to improve the visibility, performance, and scalability of applications on Kubernetes.

    [ NSNET-17264 ]
  • Configure the Citrix ADC appliance to source Citrix ADC FreeBSD data traffic from a SNIP address

    Some Citrix ADC data features run on the underlying FreeBSD OS instead of on the Citrix ADC OS. For this reason, these features send traffic sourced from the Citrix ADC IP (NSIP) address rather than from a SNIP address. Sourcing data traffic from the NSIP address is not desirable if your setup is configured to separate all management and data traffic.

    The following Citrix ADC data features run on the underlying FreeBSD OS and send traffic sourced from the Citrix ADC IP (NSIP) address:

    • Load balancing scriptable monitors
    • GSLB autosync

    To resolve this issue, a global Layer 2 parameter, "useNetprofileBSDtraffic", has been introduced. When this parameter is enabled, these features send traffic sourced from one of the SNIP addresses in the net profile associated with the feature.

    Currently, the global Layer-2 parameter "useNetprofileBSDtraffic" is supported only for load balancing scriptable monitors.

    For configuring the Citrix ADC appliance to source GSLB autosync traffic from a SNIP address, you can use extended ACL and RNAT rules as a workaround.

    [ NSNET-16274 ]
  • Dataset based extended ACLs

    Enterprises typically require a large number of ACLs. Configuring and managing many ACLs is difficult and cumbersome when they require frequent changes.

    A Citrix ADC appliance now supports datasets in extended ACLs. Dataset is an existing feature of a Citrix ADC appliance. A dataset is an array of indexed patterns of types: number (integer), IPv4 address, or IPv6 address.

    Dataset support in extended ACLs is useful for creating multiple ACL rules that share common ACL parameters. When creating an ACL rule, instead of specifying the common parameters directly, you can specify a dataset that contains them.

    Any changes made in the dataset are automatically reflected in the ACL rules that are using this dataset. ACLs with datasets are easier to configure and manage. They are also smaller and easier to read than the conventional ACLs.

    Currently, the Citrix ADC appliance supports only the IPv4 address type dataset for extended ACLs.

    [ NSNET-8252 ]

Platform

  • VMware ESX 7.0 support on Citrix ADC VPX instance

    The Citrix ADC VPX instance now supports the VMware ESX hypervisor 7.0 build 1632494.

    [ NSPLAT-16902 ]
  • AWS Top Secret (C2S) region support extended for all the Citrix ADC editions

    The AWS Top Secret (C2S) region now supports all the following Citrix ADC editions along with Bring Your Own License (BYOL):

    • Standard Edition
    • Advanced Edition
    • Premium Edition

    Previously, the AWS Top Secret region supported only the BYOL subscription.
    The AWS Top Secret region is readily available through the Commercial Cloud Services (C2S) contract with AWS.

    [ NSPLAT-9195 ]

Policies

  • Support for dynamic expressions in the CONTAINS function for optimizing advanced policy usage

    Previously, the argument to each of the following string methods had to be a static string:

    • contains()
    • after_str()
    • before_str()
    • substr()
    • strip_end_chars()
    • strip_chars()
    • strip_start_chars()

    The contains() function now also accepts a dynamic advanced policy expression as its argument.
    [ NSPOLICY-3545 ]

SSL

  • Support to offload crypto operations to Intel Coleto crypto chips in TLS 1.3 connections

    In TLS 1.3 connections, support is now added to offload crypto operations to Intel Coleto crypto chips on specific Citrix ADC MPX platforms.

    The following appliances that ship with Intel Coleto chips are supported:

    • MPX 5900
    • MPX/SDX 8900
    • MPX/SDX 15000
    • MPX/SDX 15000-50G
    • MPX/SDX 26000
    • MPX/SDX 26000-50S
    • MPX/SDX 26000-100G

    Software-only support for the TLSv1.3 protocol is available on all other Citrix ADC MPX and SDX appliances except Citrix ADC FIPS appliances.

    [ NSSSL-7453 ]
  • All subject alternate name (SAN) values are now displayed in a certificate

    A Citrix ADC appliance now displays all the SAN values when the details of a certificate are displayed.

    [ NSSSL-5978 ]
  • Policy support for TLSv1.3 protocol

    When the TLSv1.3 protocol is negotiated for a connection, policy rules that inspect TLS data received from the client now trigger the configured action.
    For example, if the following policy rule evaluates to true, the traffic is forwarded to the virtual server specified in the action (the SNI value must be a quoted string):
    add ssl action action1 -forward vserver2
    add ssl policy pol1 -rule "client.ssl.client_hello.sni.contains(\"xyz\")" -action action1

    [ NSSSL-869 ]

System

  • Display CPU usage (in parts per thousand) for a load balancing virtual server

    A new counter, "CPU-PM", now displays the statistical data for CPU usage per mille (parts per thousand). For example, a value of 500 means 500/1000, that is, 50 percent.

    In GUI, navigate to Traffic Management > Virtual Servers > Load Balancing > Statistics

    [ NSBASE-11304 ]
  • Support for request retry on timeout

    Request retry is now available for one more scenario: if a back-end server takes too long to respond to a request, the appliance load balances the request again on timeout and forwards it to the next available server. Previously, the appliance kept waiting for the server response, which increased the RTT.
    To enable this behavior, a new parameter, retryOnTimeout, is configurable in the AppQoE action. Minimum value: 30 milliseconds.
    Maximum value: 2000 milliseconds.

    To configure request retry on timeout by using the CLI:
    "add appqoe action <name> -retryOnTimeout <msecs>"

    Example
    "add appqoe action appact1 -retryOnTimeout 35"

    [ NSBASE-10914 ]
  • Process local and retain connections support for MPTCP cluster deployments

    MPTCP connections now support "Process Local" and "Retain Connections" features in the cloud and on-premises Citrix ADC cluster deployments.

    [ NSBASE-10734 ]
  • Responder response-related information in AppFlow records

    The AppFlow records generated by the Citrix ADC appliance now include the responder response-related information.

    [ NSBASE-10634 ]
  • Support for larger HTTP header size

    A Citrix ADC appliance can now handle HTTP requests with large headers to accommodate L7 application requests. The maximum supported HTTP request header size is increased to 128 KB.

    [ NSBASE-7957 ]

Fixed Issues

The issues that are addressed in Build 13.0-71.44.

Authentication, authorization, and auditing

  • In some cases, after the user password is changed, the following error message appears: "Cannot complete your request."

    The error occurs because the modified password is corrupted after encryption.

    [ NSHELP-25437 ]
  • In some cases, a Citrix ADC appliance might crash if the client closes the TCP connection before finishing the Email OTP authentication.

    [ NSHELP-25154 ]
  • In some cases, a Citrix ADC appliance crashes during the Citrix ADC Authentication, authorization, and auditing session removal on the secondary node.

    [ NSHELP-25075 ]
  • In some cases, when Citrix ADC is used as an IdP for Citrix Cloud, the authentication daemon (aaad) crashes because of a memory buffer overflow while performing nested group extraction from Active Directory.

    [ NSHELP-24884 ]
  • LDAP authentication fails in a Citrix ADC appliance when a user's group length exceeds the defined limit.

    [ NSHELP-24373 ]
  • When trying to log on to the Citrix Gateway appliance, a user does not see a response if the log on attempt fails.

    [ NSHELP-23155 ]
  • A Citrix ADC appliance responds with a 400 error code when the header size of a Citrix Gateway user interface related request exceeds 1024 characters.

    [ NSAUTH-9475 ]
  • The configuration of the non-addressable authentication virtual server is not restored after a reboot if the following conditions are met:

    • The Citrix ADC appliance has a Standard edition license
    • The appliance is configured for nFactor authentication using Citrix Gateway
    [ NSAUTH-9263 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:

    • Integrated caching feature is enabled.
    • 100 GB or more memory is allocated for integrated caching.
    [ NSHELP-20854 ]

CallHome

  • On the Citrix ADC MPX 22000 platform, the show techsupport command incorrectly shows that the hard drive is not mounted.

    [ NSHELP-24223 ]

Citrix ADC SDX Appliance

  • The Citrix ADC SDX appliance upgrade fails if the Citrix Hypervisor consumes more than 90% of the disk space.

    [ NSHELP-24873 ]
  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, a high CPU usage can be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.

    [ NSHELP-24031 ]

Citrix Gateway

  • In rare cases, the Citrix Gateway appliance might crash during session synchronization with the secondary appliance or during Intranet IP assignment.

    [ NSHELP-25221 ]
  • When a classic VPN URL is also bound, the UrlName parameter is appended to the session and other policy bindings, which adds unwanted configuration on save and reboot.

    [ NSHELP-25072 ]
  • The Citrix Gateway IIP registration fails if Split DNS is set to "Both" or "Local".

    [ NSHELP-24928 ]
  • If ICA smart policy is enabled and there is some residual AppFlow configuration, you might observe a high latency connection.

    [ NSHELP-24908 ]
  • The Citrix ADC appliance might crash when UDP audio is enabled and an internal memory allocation (malloc) fails.

    [ NSHELP-24890 ]
  • In rare cases, a Citrix Gateway appliance crashes because of memory corruption when the syslog transport type is modified.

    [ NSHELP-24794 ]
  • The Citrix Gateway appliance does not extract the common-name from UTF8String encoded device certificates.

    [ NSHELP-24741 ]
  • The Citrix Gateway appliance crashes on removal of an intranet app whose hostName value exceeds 160 characters.

    [ NSHELP-24524 ]
  • If location detection is enabled, the Always On VPN's machine level tunnel takes a long time to get established after the client machine is restarted.

    [ NSHELP-24508 ]
  • The Citrix ADC appliance might crash when configured for clientless VPN.

    [ NSHELP-24430 ]
  • The Citrix Gateway appliance might reboot if the RDP server profile bound to the VPN virtual server does not have the RDP IP address configured and the same port is used by the RDP server profile and the VPN virtual server.

    [ NSHELP-24199 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced to address high CPU alerts. If a CPU spike is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.

    [ NSHELP-23882 ]
  • The Windows plug-in displays the Gateway not reachable message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.

    [ NSHELP-23794 ]
  • A Citrix Gateway appliance might crash when trying to parse an incoming packet.

    [ NSHELP-23747 ]
  • The Citrix Gateway appliance crashes when using UDP audio while accessing the Virtual Desktop.

    [ NSHELP-23514 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.

    [ NSHELP-23410 ]
  • The Citrix ADC appliance might crash during failover if UDP audio is enabled.

    [ NSHELP-22850 ]

Citrix Web App Firewall

  • Communication errors are observed in aslearn when you reset the Citrix Web App Firewall learning data in a cluster configuration.

    [ NSWAF-6768 ]
  • In a cluster configuration, a Web Services Interoperability (WSI) check value that contains a space is rejected as invalid input, although the same value is accepted on a standalone Citrix ADC appliance.

    [ NSWAF-6745 ]
  • The default credit card name configuration details for basic or advanced Web App Firewall profiles are missing in a cluster deployment.

    [ NSWAF-6675 ]
  • The default XML DOS binding for default Web App Firewall advanced profile is missing in a cluster deployment.

    [ NSWAF-6672 ]
  • In a cluster configuration, you cannot bind a "safeobject" rule whose "safeobject" expression is longer than 255 characters.

    [ NSWAF-6670 ]
  • The default value for "FileUploadTypesAction" configuration for basic or advanced Web App Firewall profile is missing in a cluster deployment.

    [ NSWAF-6669 ]
  • Incorrect default "CMDInjectionAction" configuration is observed for Web App Firewall basic or advanced profile in a cluster deployment.

    [ NSWAF-6668 ]
  • A Citrix ADC cluster setup might crash if there are DHT transport errors between the cluster nodes, and the field consistency protection feature is enabled.

    [ NSWAF-6560 ]
  • The Citrix Web App Firewall cookie consistency check removes the SameSite cookie attribute in the response sent by the back-end server.

    [ NSHELP-24313 ]

Load Balancing

  • When a GSLB deployment uses the round trip time (RTT) load balancing method, the Citrix ADC appliance might fail if you delete or unbind a GSLB service while traffic is flowing.

    [ NSHELP-24425 ]
  • The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.

    [ NSHELP-24213 ]
  • If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.

    [ NSHELP-9409 ]

Networking

  • In a Citrix ADC BLX or Citrix ADC CPX appliance, installing OSPF or BGP routes to the appliance's routing table might fail.

    [ NSNET-18707 ]
  • RNAT with "useproxyport" disabled might not work as expected for source ports lower than 1024.

    [ NSHELP-25162 ]
  • In a high availability setup with INC mode, any RNAT rule that has a VIP address set as the NAT IP address is removed during HA synchronization.

    [ NSHELP-24893 ]
  • Loading the Citrix ADC SNMP MIB to an SNMP manager might fail because of the presence of a duplicate object name "urlfiltDbUpdateStatus" in the SNMP MIB. The same object name "urlfiltDbUpdateStatus" is used for an SNMP trap and an SNMP trap variable binding.

    With the fix, the "urlfiltDbUpdateStatus" SNMP trap variable binding is changed to "urlFilterDbUpdateStatus".

    [ NSHELP-24778 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • The following link load balancing route added in a non-default traffic domain is moved to the default traffic domain after you save and restart the appliance.

    • add lb route 0.0.0.0 -td 1
    [ NSHELP-24067 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.

    [ NSHELP-23161 ]
  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform an In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0-47.24 or earlier to a later version.

    [ NSHELP-21701 ]

Platform

  • The Citrix ADC MPX 8000-1G platform supports pooled licensing.

    [ NSPLAT-17354 ]
  • A Citrix ADC VPX instance, on which NSVLAN and two link aggregation (LA) channels are configured, is not reachable when the following conditions are met:

    • First LA channel is disabled.
    • The VPX instance is rebooted.
    [ NSPLAT-16082 ]
  • If a Citrix ADC instance uses ADM-based licensing, Citrix ADC licensing might not work when the ADM version is older than the ADC version. Therefore, when you upgrade the ADC version, ensure that the corresponding ADM version is the same as or newer than the ADC version.

    [ NSPLAT-15184 ]
  • While upgrading a Citrix ADC SDX appliance, if an SSD fails during one of the many reboots, the corresponding RAID pair volume becomes inactive after the appliance reboots. You can observe the following:

    • The volume appears as "not created" in the GUI.
    • The failed SSD slot is reported as "not present."
    • The corresponding VPX-SR also shows up as degraded.
    • As a result, ADC instances residing on the VPX-SR might not boot or remain in a halted state.

    [ NSHELP-24751 ]
  • When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and if the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.
    [ NSHELP-21889 ]
  • On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:

    • 10G ports are connected using the LA channel to two Cisco switches that are configured in VPC setup as active or passive
    • The link to active or primary Cisco switch bounces.
    [ NSHELP-21875 ]

Policies

  • A Citrix ADC appliance might crash if the following conditions are met:

    • Use of nstrace with a filter expression.
    • Authentication, authorization, and auditing authentication functionality enabled.
    [ NSPOLICY-3844 ]
  • A Citrix ADC appliance might crash if global scope variables are used in invalid HTTP requests.

    [ NSHELP-25369 ]

SSL

  • On the following Citrix ADC SDX platforms, the SSL card might go down if the external client uses ECDSA P224/521 curve for signature during SSL handshake for client authentication:

    • SDX 11515/11520/11530/11540/11542
    • SDX 22040/22060/22080/22100/22120
    • SDX 24100/24150
    • SDX 14000
    • SDX 14000-40S
    • SDX 14000-40G
    • SDX 14000 FIPS
    • SDX 25000
    • SDX 25000A
    [ NSSSL-9324 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    • The default profile is disabled.
    • A secure monitor is bound to a non-SSL service.
    [ NSHELP-24706 ]
  • The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.

    [ NSHELP-24615 ]
  • A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.

    [ NSHELP-24560 ]
  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:

    • ECDHE/ECDSA hybrid model is enabled.
    • DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:

    • HA synchronization is in progress.
    • Monitor probes are sent before the synchronization is complete.
    [ NSHELP-24355 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL backend service on the following platforms:

    • MPX 5900
    • MPX 8900
    • MPX 15000
    • MPX 15000-50G
    • MPX 26000
    • MPX 26000-50S
    • MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    • The default profile is enabled.
    • A secure monitor is bound to a non-SSL service.
    [ NSHELP-24037 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.

    [ NSHELP-23963 ]

System

  • A lightweight CPX instance might crash if you use an analytics profile without setting the collector.

    [ NSHELP-25239 ]
  • Configure HTTP/2 initial connection window size

    As per RFC 7540, the flow-control windows for an HTTP/2 stream and for the connection are both initialized to 64K (65535) octets, and any change to these values must be communicated to the peer. The ADC appliance communicates a change in flow-control window size as follows:

    • Using the SETTINGS frame (SETTINGS_INITIAL_WINDOW_SIZE) for the stream-level flow-control window.
    • Using a WINDOW_UPDATE frame on stream 0 for the connection-level flow-control window.

    In an HTTP profile, you can configure the http2InitialWindowSize parameter to set the initial window size at the stream level.

    Because of an internal error, the ADC appliance also initialized the connection-level flow-control window with the value configured for "http2InitialWindowSize". The change to the stream-level window was advertised to the peer in the SETTINGS frame, but the change to the connection-level window was never advertised with a WINDOW_UPDATE frame. The peer therefore kept applying the default 65535-octet connection window while the appliance assumed the larger configured one, which led to a connection freeze.

    To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the connection-level flow-control window. With the separate "http2InitialWindowSize" and "http2InitialConnWindowSize" parameters, you can now configure the flow-control window size at both the stream and the connection level.

    Configure HTTP/2 initial connection-level flow-control window size parameter by using the CLI

    At the command prompt, type:

    "set httpprofile p1 -http2InitialConnWindowSize <window-size>"

    Where, http2InitialConnWindowSize is the initial window size for connection level flow control, in bytes.
    Default value: 65535
    Minimum value: 65535
    Maximum value: 67108864

    [ NSHELP-25155 ]
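    To make the SETTINGS versus WINDOW_UPDATE distinction concrete, the following is an added example, not code from Citrix ADC or from the Citrix documentation. It encodes both frames per RFC 7540 and computes what a peer learns from them; the function names and the sample window sizes are the author's own.

```python
"""HTTP/2 flow-control window advertisement per RFC 7540 (sections 4.1, 6.5, 6.9)."""
import struct

FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
DEFAULT_WINDOW = 65535        # initial size of every stream window and the connection window
MAX_WINDOW = 2 ** 31 - 1      # larger values are a FLOW_CONTROL_ERROR


def build_frame(ftype, flags, stream_id, payload):
    """Generic frame: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:]
    header += bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def settings_initial_window(size):
    """SETTINGS frame carrying SETTINGS_INITIAL_WINDOW_SIZE. Per RFC 7540 s6.9.2 this
    changes stream windows only; it never touches the connection window."""
    if not 0 <= size <= MAX_WINDOW:
        raise ValueError("SETTINGS_INITIAL_WINDOW_SIZE must be <= 2^31-1")
    payload = struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, size)
    return build_frame(FRAME_SETTINGS, 0, 0, payload)


def window_update(stream_id, increment):
    """WINDOW_UPDATE frame; stream id 0 grows the connection-level window."""
    if not 1 <= increment <= MAX_WINDOW:
        raise ValueError("WINDOW_UPDATE increment must be 1..2^31-1")
    return build_frame(FRAME_WINDOW_UPDATE, 0, stream_id, struct.pack("!I", increment))


def advertise_windows(stream_window, conn_window):
    """Frames a receiver must send so that the peer uses the configured windows:
    SETTINGS for the stream window, plus a WINDOW_UPDATE on stream 0 sized as the
    delta above the 65535 default for the connection window."""
    out = settings_initial_window(stream_window)
    if conn_window > DEFAULT_WINDOW:
        out += window_update(0, conn_window - DEFAULT_WINDOW)
    return out


def iter_frames(data):
    """Split a byte string into (type, stream_id, payload) tuples."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, stream_id, payload
        off += 9 + length


def peer_view(data):
    """Return (stream_window, conn_window) as the peer computes them after reading
    the frames. Starting from the defaults shows the freeze: SETTINGS alone leaves
    the connection window at 65535 no matter what the sender configured locally."""
    stream_window = DEFAULT_WINDOW
    conn_window = DEFAULT_WINDOW
    for ftype, stream_id, payload in iter_frames(data):
        if ftype == FRAME_SETTINGS and stream_id == 0:
            for i in range(0, len(payload), 6):
                ident, value = struct.unpack("!HI", payload[i:i + 6])
                if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                    stream_window = value
        elif ftype == FRAME_WINDOW_UPDATE and stream_id == 0:
            conn_window += struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if conn_window > MAX_WINDOW:
                raise ValueError("connection window overflow (FLOW_CONTROL_ERROR)")
    return stream_window, conn_window


if __name__ == "__main__":
    one_mib = 1 << 20  # sample size chosen for illustration
    print("SETTINGS only:", peer_view(settings_initial_window(one_mib)))
    print("SETTINGS + WINDOW_UPDATE:", peer_view(advertise_windows(one_mib, one_mib)))
```

    The first call reproduces the failing case: the peer's stream window grows to the configured value but its connection window stays at 65535, so it stops sending after 64 KB while the local side still believes a larger window is open. The second call shows the complete exchange that the separate connection-level parameter makes possible.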
  • A Citrix ADC appliance might crash because of memory corruption when the HTTP/2 feature is enabled.

    [ NSHELP-25005 ]
  • In a cluster setup, the validation of default values in surge protection is handled differently on the database and packet engine.

    [ NSHELP-24455 ]
  • The analytics records are not sent to the Citrix ADM if the following conditions are observed:

    • The IPFIX collector is configured in an admin partition of the Citrix ADC appliance.
    • The collector is in a subnet other than that of the SNIP address.

    [ NSHELP-24283 ]
  • High CPU usage is observed in the Citrix ADC web logging (NSWL) client running on a Linux platform if the polling interval is not set properly.

    [ NSHELP-24266 ]
  • When you enable Appflow on an ADC instance, the ADM does not display HDX Insight of that instance. This issue occurs because ADM fails to process the Logstream data received from the instance.

    [ NSHELP-24227 ]
  • Deleting a TCP profile bound to a content switching virtual server leads to a configuration inconsistency in the cluster database.

    [ NSHELP-24004 ]
  • A Citrix ADC appliance might crash while clearing the configuration when it tries to access the ICAP server details. The server details information is not removed from the monitor list when the ICAP content inspection configuration is cleared.

    [ NSHELP-23945 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:

    • HTTP/2 enabled in the HTTP profile bound to load balancing virtual server of type HTTP/SSL or service.
    • Connection multiplexing option disabled in the HTTP Profile bound to load balancing virtual server or service.
    [ NSHELP-21202 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send data exceeding the MTU.

    [ NSHELP-9411 ]
  • Enabling metrics collector in the default partition might fail if it is already enabled in the admin partition setup.

    [ NSBASE-12623 ]

User Interface

  • The diff ns config command displays an ERROR: Failed to get UID for command: apply ns pbr6 error message. It happens when the apply ns pbr6 command is saved in ns.conf or running-config files.

    [ NSHELP-25373 ]
  • In a cluster setup, unwanted extra binding configuration gets saved in the ns.conf file.

    [ NSHELP-24636 ]
  • The following error conditions are observed in the Citrix Gateway GUI:

    • When a policy is bound to primary authentication in the VPN virtual server, the GUI incorrectly shows that the policy is bound to the secondary authentication and the group authentication.
    • When the VPN virtual server is bound to a server certificate, the GUI incorrectly shows that the VPN virtual server is bound to a CA certificate as well.
    [ NSHELP-24494 ]
  • On a Citrix ADC SDX platform, the following error message appears while loading the GUI:
    Operation not supported by device [Pooled licensing not supported on this platform]

    [ NSHELP-24474 ]
  • On the Citrix ADC GUI, you are unable to view the "Custom Reports" created for a specific partition.

    [ NSHELP-24370 ]
  • The following temporary files in the /var/tmp folder of a Citrix ADC appliance accumulate and cause a disk-full condition:

    • sh.runn.audit.<pid> file created by nsconfigaudit tool.
    • tmp_ns.conf.<pid> file created by show run command for partition.
    [ NSHELP-24092 ]
  • For a "routerdynamicrouting" NITRO API request, the Citrix ADC appliance might return JSON data with formatting errors if the response size is large.

    [ NSHELP-19913 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command, because the diffnsconfig output becomes large enough to completely fill the root disk.

    [ NSHELP-19345 ]

Known Issues

The issues that exist in release 13.0-71.44.

Authentication, authorization, and auditing

  • You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.

    [ NSHELP-26199 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.

    [ NSAUTH-5916 ]
  • You might see a "No such policy exists" message on the nFactor Flow page in nFactor Visualizer when you try to unbind a policy from a factor. The unbind option works as expected.

    [ NSAUTH-5821 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix Gateway

  • The Citrix Gateway appliance crashes when a server-initiated connection sends data packets after the connection is closed.

    [ NSHELP-26431 ]
  • The Citrix Gateway login page displays an error stating that the login has failed if the following sequence of events occurs. The error appears even if the user has not tried to log on again.

    1. A logon to Citrix Gateway fails.
    2. A subsequent logon to Citrix Gateway succeeds.
    3. The user logs out.
    [ NSHELP-25157 ]
  • The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]
  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]
  • False launch failures of applications are reported in Gateway Insight even when no app or desktop launches have occurred.

    [ NSHELP-23047 ]
  • The Citrix ADC appliance becomes unresponsive if the following conditions are met:

    • DTLS is enabled.
    • UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.
    [ NSHELP-22987 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.

    [ NSHELP-21897 ]
  • While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.

    [ CGOP-16792 ]
  • Transfer Logon does not work if the following two conditions are met:

    • nFactor authentication is configured.
    • Citrix ADC theme is set to Default.
    [ CGOP-14092 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML failures.

    [ CGOP-13584 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]
  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]
  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.

    [ NSHELP-26202 ]
  • When a content switching virtual server receives an HTTPS request, the largest cookie in the request causes a buffer overflow and stack corruption if both of the following conditions are met:

    • The cookie format is incorrect.
    • The cookie length is greater than 32 bytes.
    [ NSHELP-25932 ]
  • When you modify the back-end server IP address of a server whose name differs from its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance is low on memory.

    [ NSHELP-24329 ]
  • The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.

    [ NSHELP-23391 ]

Networking

  • As the number of newnslog backup files grows, a running Citrix ADC CPX instance can run short of disk space over time. Use the NEWNSLOG_MAX_FILENUM environment variable to control the number of backup files; for example, setting it to 10 limits the number of newnslog backup files to 10.

    [ NSNET-20261 ]
  • A Citrix ADC BLX appliance in DPDK mode does not detect an interface if you have bound the interface to DPDK in DOWN state.

    Workaround: Do not bind DOWN interfaces to DPDK.

    [ NSNET-16561 ]
  • The following interface operations are not supported in a Citrix ADC BLX appliance:

    • Disable
    • Enable
    • Reset
    [ NSNET-16559 ]
  • A Citrix ADC appliance might crash, if the following conditions are present:

    • IPv6 link load balancing (LLB6) configuration has persistency option enabled.
    • Some IPv6 dummy connections are created for this LLB6 configuration.
    [ NSHELP-25695 ]
  • When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
    On successive failures, the cluster retains the partial configuration.
    Workaround:
    1. Identify the failed commands from the log.
    2. Manually apply the recovery commands to the failed commands.

    [ NSHELP-24910 ]

Platform

  • On a Citrix ADC SDX 15000-50G appliance, a brief surge of data traffic that is not directed to any of the ADC VPX instances might cause the following issue:

    • The LACP link on 10G ports might flap intermittently or go down permanently.

    Workaround:
    1. Find the internal ethX port corresponding to the 10G port.
    2. Run the following command at the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
    3. Review the traffic profile and block unwanted traffic on the switch side.

    [ NSHELP-25561 ]
  • By default, the high availability monitor (HAMON) and HA heartbeat are disabled on a management interface that is configured as an internal management interface, and they cannot be enabled on that interface.
    If the same interface is later configured back as a management interface and the VPX instance is rebooted, HAMON and HA heartbeat remain disabled.
    You can, however, enable these options manually to avoid issues with the HA configuration.

    [ NSHELP-21803 ]

Policies

  • Connections might hang if the data being processed is larger than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the SSL entity configuration is lost if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
    2. Save the configuration.
    [ NSSSL-9572 ]
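    The workaround above has to cover every SSL entity, so it is easier to apply as one batch than entity by entity. The script below is an added example (not from the release notes or Citrix) that reads an ns.conf and emits the corresponding "-SSL3 DISABLED" commands plus a final save, producing a file you can run on the CLIP with "batch -fileName <file>". It assumes the standard ns.conf grammar for add lb/cs/vpn/authentication vserver, add service, and add serviceGroup lines, skips SSL_BRIDGE entities (they take no SSL parameters), and hard-codes the usual internal-service names as an assumption to verify against "show ssl service" on your own appliance. The sample ns.conf in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the Citrix release notes.
# ssl3_disable_cmds NS_CONF -> prints "set ssl ... -SSL3 DISABLED" for every
# SSL or SSL_TCP vserver, service, and service group declared in NS_CONF,
# then the internal services, then "save ns config".
ssl3_disable_cmds() {
    awk '
        # vservers: add <lb|cs|vpn|authentication> vserver <name> <type> ...
        $1 == "add" && $3 == "vserver" &&
        ($2 == "lb" || $2 == "cs" || $2 == "vpn" || $2 == "authentication") &&
        ($5 == "SSL" || $5 == "SSL_TCP") {
            print "set ssl vserver " $4 " -SSL3 DISABLED"; next
        }
        # services: add service <name> <ip|server> <type> <port> ...
        $1 == "add" && $2 == "service" && ($5 == "SSL" || $5 == "SSL_TCP") {
            print "set ssl service " $3 " -SSL3 DISABLED"; next
        }
        # service groups: add serviceGroup <name> <type> ...
        $1 == "add" && $2 == "serviceGroup" && ($4 == "SSL" || $4 == "SSL_TCP") {
            print "set ssl serviceGroup " $3 " -SSL3 DISABLED"; next
        }
    ' "$1"
    # Internal services are not declared with "add" in ns.conf, so they are
    # listed here. ASSUMPTION: these are the default names; confirm them with
    # "show ssl service" on the appliance and adjust the list if they differ.
    for svc in nshttps-127.0.0.1-443 nshttps-::1l-443 \
               nsrpcs-127.0.0.1-3008 nskrpcs-127.0.0.1-3009; do
        echo "set ssl service $svc -SSL3 DISABLED"
    done
    echo "save ns config"        # step 2 of the workaround
}

# Constructed demonstration: a small ns.conf with SSL and non-SSL entities.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
add lb vserver lb_https SSL 10.0.0.10 443 -persistenceType NONE
add lb vserver lb_http HTTP 10.0.0.11 80 -persistenceType NONE
add cs vserver cs_https SSL 10.0.0.12 443
add vpn vserver gw_vs SSL 10.0.0.13 443
add authentication vserver auth_vs SSL 10.0.0.14 443
add service svc_app 10.0.1.5 SSL 8443
add service svc_bridge 10.0.1.6 SSL_BRIDGE 443
add serviceGroup sg_api SSL_TCP
add serviceGroup sg_web HTTP
EOF
    ssl3_disable_cmds "$conf"    # HTTP and SSL_BRIDGE entities are not listed
    rm -f "$conf"
}
demo
```

    Redirect the output to a file, copy it to the CLIP, and apply it with batch -fileName; because the script only reads ns.conf, run it against the cluster configuration file, not a single node's, so no entity is missed.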
  • Update command is not available for the following add commands:

    • add azure application
    • add azure keyvault
    • add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • In a cluster setup, you might observe the following issues:

    • The command that binds the default certificate-key pair to the SSL internal services is missing on the CLIP. If you upgrade from an older build, you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP manually.
    • Configuration discrepancy between the CLIP and the nodes for the default set command on the internal services.
    • The default cipher bind command for the SSL entities is missing from the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed by using the show ssl <entity> <name> command.
    [ NSHELP-25764 ]
  • In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.

    [ NSHELP-24913 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]
  • The persistence view of a load balancing virtual server fails to display all parameters when you edit an existing virtual server persistence configuration.

    [ NSHELP-25965 ]
  • In a cluster setup, a delay is observed when a huge configuration (for example, 100 load balancing virtual IP addresses bound to a Citrix Web App Firewall profile with multiple responder policies and IP patsets) is provisioned across all cluster nodes.

    [ NSHELP-25458 ]
  • The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.

    [ NSHELP-24195 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.

    [ NSHELP-20821 ]
  • In a Citrix ADC BLX appliance, the "Reporting" tab in the GUI might not work as expected.

    [ NSCONFIG-4877 ]
  • When you downgrade a Citrix ADC appliance from version 13.0-71.x to an earlier build, some NITRO APIs might not work because of file permission changes.

    Workaround: Change permission for "/nsconfig/ns.conf" to 644.

    [ NSCONFIG-4628 ]
  • The connection between the ADC instance and ADM service is lost when the following conditions are met:

    • The instance is added to ADM service using a built-in agent.
    • The instance is upgraded by using the -Y option or from the ADM GUI. In both cases, the built-in agent does not restart. (The -Y option answers Yes to all upgrade-related questions that appear on the CLI or GUI.)
    [ NSCONFIG-4368 ]
  • Sometimes the Application Firewall signatures take a long time to sync to non-CCO nodes. As a result, commands that use these files might fail.

    [ NSCONFIG-4330 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance has not yet been downgraded (step 3 above), downgrade it by using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]