- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
Authentication, authorization, and auditing
Rewrite policy support for Citrix ADC and Citrix Gateway generated responses including 401 and 407 responses
With the implementation of CSP header, the support for rewrite policies has now been extended to Citrix Gateway virtual server and authentication virtual server generated responses including 401 and 407 responses.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite.html [ NSAUTH-8809 ]
Support for default secure CSP header and rewrite policies for Citrix ADC and Citrix Gateway generated responses
The following capabilities are now added to Citrix Gateway virtual server and authentication virtual server.
- Infrastructure for rewrite policies for ADC generated responses
- Configuration support for a default secure CSP header
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite.html [ NSAUTH-1421 ]
Bot management using ADM StyleBooks
You can now configure bot management settings on your ADC instances, using ADM StyleBooks. The ADM provides you a default StyleBook ("bot-management") to create bot policies configuration. It contains many criteria that describes the features of bad bots. The ADC instances use this configuration to identify and block such bot threats and malicious traffic.[ NSBOT-84 ]
Bot Log Expression
The Citrix bot management profile now enables you to capture additional data as log messages if the incoming traffic is identified as a bot. The data can be the name of the user who requested the URL, the source IP address, and the source port from which the user sent the request.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html [ NSBOT-49 ]
Client IP Address Extraction for Bot Detection
You can now configure an advanced policy expression in a bot profile for extracting client IP address from an HTTP request header, HTTP request body, or HTTP request URL. The extracted value can be used by a bot detection mechanism (such as transaction per second (TPS), bot trap, or rate limit) to detect if an incoming request is a bot.
By adding this configuration, the Citrix ADC appliance can leverage the bot detection mechanism to provide enhanced security to software clients and servers.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html [ NSBOT-48 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, default admin (nsroot) access can be disabled by configuring external authentication and disabling fallback to default admin access. However, if the external servers are not responsive, default admin access (local authentication) is automatically enabled to regain access to the appliance.[ NSSVM-4276 ]
On Citrix ADC SDX appliance, license server can be modified to provide new details without unlicensing the ADC instances.[ NSSVM-2939 ]
Displaying status of nFactor EPA scans in the Citrix ADC logs
The Citrix ADC appliance logs the status of nFactor EPA scans for pre-authentication and post-authentication along with the case ID. The case ID is displayed to the end user in the EPA error HTML page. The case ID is also logged in the appliance along with all the scans that have passed or failed.[ CGOP-12110 ]
Citrix Web App Firewall
SQL Grammar-based Approach for SQL Injection Attacks
The NextGen Citrix Web App Firewall solution is now enhanced to support the following SQL detection methods for reducing false positives in HTTP and JSON payloads. Previously, only the pattern-based approach was supported.
- Pattern-based approach
- Grammar-based approach [ NSWAF-6910 ]
Custom response error code and message for error object configuration
If Citrix Web App Firewall (WAF) uses an error object for handling error scenarios, the WAF profile now allows you to configure a custom response status code and message. You can customize the response status code and message for an HTML, XML, or JSON error object in a WAF profile. Previously, the error object response was sent with the response status code and message set to "200" and "OK". There was no way for the user to customize the error object's response status. To maintain backward compatibility, if the custom error object response status code and message are not set, the default values are "200" and "OK", respectively. [ NSWAF-6549 ]
Support for Additional Security Protection
The dynamic profile relaxation counter now supports the following additional security checks.
- JSON SQL
- JSON Cross-site scripting
- JSON DoS
- Cookie consistency
- Cross-Site request forgery
- Field format [ NSWAF-6433 ]
SQL Grammar-based Approach for SQL Injection Attacks
The NextGen Citrix Web App Firewall solution is now enhanced to support both pattern-based approach and grammar-based approach for detecting SQL injection attacks and reducing false positives in HTTP and JSON payloads. Previously, only the pattern-based approach was supported.[ NSWAF-5822 ]
Reduction in the time taken to synchronize GSLB configuration among the GSLB sites
The time taken to synchronize the GSLB configuration among the GSLB sites is now significantly reduced because of compression of files that are being synchronized with remote sites.[ NSLB-7399 ]
Moving GSLB services to a learning phase to avoid flaps on GSLB services
The parameter, SvcStateLearningTime, can now be used to move the local and child GSLB services to learning phase to avoid unnecessary flaps on remote GSLB sites. When a service is in a learning phase, the remote GSLB sites do not honor the primary site state and statistics received through MEP for that service. However, the state of the sites can be learnt from the health monitor, if bound explicitly.
You can set SvcStateLearningTime in seconds. Default value is 0 and maximum value is 3600.
GSLB services enter the learning phase in any of the following scenarios.
- Citrix ADC appliance is rebooted
- High availability failover has occurred
- Owner node in a cluster GSLB setup is changed
- MEP is enabled on a local node
- GSLB site comes out of an island scenario. A GSLB site becomes an island when it is not connected to any other site.
In a parent-child deployment, the backup parent (if configured) selectively moves the adopted child sites' GSLB services to the learning phase when the primary parent goes DOWN. [ NSLB-6707 ]
High Availability Version Control for Account Structure Changes
In a high availability setup, the ISSU process uses the node-to-node TCP communication framework to sync or honor the existing connections.
The appliances might crash during the ISSU process if there is a mismatch of the framework structure size in the two nodes.
With the fix, the Citrix ADC appliance runs the ISSU migration only if the framework structure size is the same on both nodes.
If there is a mismatch of the structure size, the Citrix ADC appliance does not run the ISSU migration operation and it displays an error message.[ NSNET-15370 ]
Support for Citrix ADC VPX configurations at the first boot of the Citrix ADC appliance on Azure, GCP, and AWS clouds
You can now apply the Citrix ADC VPX configurations during the first boot of the Citrix ADC appliance in a cloud environment. In certain cases, such as Citrix ADC pooled licensing, this feature brings up the VPX instance in much less time. You can use this feature by providing a script, metadata, or user data to the cloud instance in XML format. This feature is available in Microsoft Azure, Google Cloud Platform, and AWS clouds.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/apply-vpx-config-at-preboot.html [ NSPLAT-14774 ]
Support for Azure accelerated networking on Citrix ADC VPX instance
The Citrix ADC VPX instance now supports Azure accelerated networking. Accelerated networking enables single root I/O virtualization (SR-IOV) virtual function (VF) NIC to a virtual machine, which improves the networking performance. You can use this feature with heavy workloads that need to send or receive data at higher throughput with reliable streaming and lower CPU utilization.
When a NIC is enabled with accelerated networking, Azure bundles the NIC's existing para-virtualized (PV) interface with an SR-IOV VF interface. Support for the SR-IOV VF interface enables and enhances the throughput of the Citrix ADC VPX instance. [ NSPLAT-13235 ]
Parsing Proxy Protocol after TLS handshake for SSL and SSL-TCP traffic
According to the specification, the proxy protocol is parsed after the final ACK of the TCP handshake. The functionality is now enhanced to parse the proxy protocol after the TLS handshake for SSL and SSL-TCP traffic. By parsing after the TLS handshake, the proxy protocol data is TLS encrypted and therefore more secure. To perform this parsing, you must enable the "proxyProtocolAfterTLSHandshake" parameter in the net profile. When the parameter is enabled, the appliance parses the proxy protocol after the TLS handshake and not after the final ACK of the TCP handshake.
Configure proxy protocol after TLS handshake by using the command interface:
At the command prompt, type:
"add netprofile <name> -proxyProtocolAfterTLSHandshake ENABLED"
The proxyProtocol and proxyProtocolAfterTLSHandshake parameters are mutually exclusive. [ NSBASE-12491 ]
QUIC bridge deployment for HTTP3/QUIC traffic
The Citrix ADC appliance now supports QUIC bridge configuration for HTTP3 QUIC traffic. The deployment enables you to have persistent QUIC connections between client and server in the case of a NAT rebinding or a connection migration.
Advantages of QUIC bridge configuration:
- No expensive crypto operations.
- Stateless routing possible (no 4-tuple based load balancing).
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/quic.html [ NSBASE-10636 ]
Support for additional address advertisement (ADD_ADDR)
In an MPTCP deployment, if you have a virtual server bound with an IP set that has additional virtual server IP addresses, then the additional address advertisement (ADD_ADDR) functionality advertises the IP addresses of the virtual servers bound to the IP set. This IP set is the one on which the client can initiate new MP-JOIN subflows.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/tcp-configurations.html [ NSBASE-9076 ]
You cannot use the GUI to bind an external OCSP responder to a root certificate if an internal OCSP responder is added for the same root certificate.[ NSUI-1145 ]
Authentication, authorization, and auditing
If a user logs in with an expired timestamp, the Citrix ADC appliance sends an invalid post back URL to re-login.[ NSHELP-26285 ]
In some cases, addition of multiple EPA related authentication policies results in high management CPU.[ NSHELP-26281 ]
In some cases, the Citrix ADC appliance might become unresponsive if the user authentication information is not available.[ NSHELP-26113 ]
In some cases, a Citrix ADC appliance might crash when a user tries to configure a customized EULA login schema.[ NSHELP-25570 ]
System-defined questions in KBA Registration Login Schema are displayed only in English and language localization support is not available for these questions.[ NSHELP-25484 ]
The Citrix ADC appliance drops some valid requests when acting as an ADFS proxy.[ NSHELP-25427 ]
If a Citrix ADC appliance is configured for nFactor authentication and is upgraded to version 13.0, the endpoint (for example, an iPad) used to access the Citrix ADC appliance is presented with 401-based authentication instead of form-based authentication. [ NSHELP-25309 ]
The Citrix ADC appliance crashes when FIPS certificate is configured for usercertdata.[ NSHELP-25264 ]
A Citrix ADC appliance might crash if the following issues are observed:
- Invalid memory allocation.
- Web App Firewall is configured with form-based SSO authentication. [ NSHELP-24551 ]
When a Citrix ADC or a Citrix Gateway appliance uses Kerberos authentication followed by an LDAP user search operation, the authentication fails in the following scenario.
The LDAP User Principal Name (UPN) is different from the user name provided by the Kerberos ticket. [ NSHELP-24384 ]
A Citrix ADC appliance responds with a 400 error code when the header size of a Citrix Gateway user interface related request exceeds 1024 characters.[ NSAUTH-9475 ]
New bot actions for bot blocklist detection technique
"None" and "Redirect" are added to the list of actions that can be selected for the bot blocklist detection technique.[ NSBOT-397 ]
The bot transaction per second (TPS) functionality does not work as expected.[ NSBOT-353 ]
When you edit or update bot signatures in a Citrix ADC cluster configuration, the Citrix ADC appliance displays the following error:
"Signature Update Failed - Updating the resource failed" [ NSBOT-345 ]
Bot trap URL gets inserted in all requests including the URLs that are not defined in the Trap Insertion URL list.[ NSBOT-316 ]
CAPTCHA mitigation process does not get reinitialized to honor client requests after the mute period.[ NSBOT-224 ]
Bot trap URL logs do not work as expected for "drop", "reset" and "redirect" bot action.[ NSBOT-184 ]
When configuring a cache content group, invalid white spaces are observed in the cache-control header max-age value. [ NSHELP-20066 ]
Citrix ADC SDX Appliance
On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.[ NSHELP-26500 ]
On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.[ NSHELP-26190 ]
If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.[ NSHELP-25909 ]
On a Citrix ADC SDX appliance, there might be a password mismatch between the Management Service and a VPX instance, if the following conditions occur simultaneously:
- The Management Service password is changed.
- The VPX instance is modified for any change, such as memory, CPU, and profile. [ NSHELP-25709 ]
On a Citrix ADC SDX appliance, provisioning or restoring a VPX might fail if the allowed VLAN list on an interface or channel is more than 100 characters. [ NSHELP-25702 ]
When a Citrix ADC SDX appliance is rebooted and the Management Service comes up before an ADC instance, the Management Service assumes that the instance state is HALTED. As a result, the Management Service does not add the route entries for the instance and the instance state goes DOWN. [ NSHELP-25674 ]
If you perform a factory reset on a Citrix ADC SDX appliance, the host ID of the appliance changes for the first time. The change happens if one of the following conditions is met:
1. You restore an appliance on which a link aggregation channel is configured on a management interface.
2. The link aggregation channel on a management interface is deleted.[ NSHELP-25670 ]
On a Citrix ADC SDX appliance, a user can sometimes view high memory usage events during monitoring of entities, such as services and service groups.[ NSHELP-25668 ]
On a Citrix ADC SDX appliance, the Management Service host ID might change if you delete the link aggregation of the management interfaces. As a result, appliance licensing might be affected.[ NSHELP-25636 ]
Sometimes, the endpoint analysis scan with the EPA plug-in for macOS fails because the plug-in times out in 5 seconds and, as a result, the scan quits before it is complete. [ NSHELP-26305 ]
Sometimes, the Citrix ADC appliance crashes when a trace is started either from the GUI or the CLI.[ NSHELP-26249 ]
The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.[ NSHELP-26068 ]
The Citrix Gateway plug-in fails to establish full tunnel and displays content of the local drive after entering the credentials.[ NSHELP-25899 ]
The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.[ NSHELP-25420 ]
In Citrix ADC GUI, the Add tab present in Authentication, authorization, and auditing Groups page does not allow editing the Weights field.[ NSHELP-25200 ]
If an FQDN is used for configuring wiHome or StoreFront over an SSL connection, ECDHE ciphers are not negotiated during the boot-up process.[ NSHELP-25144 ]
Redirection to ShareFile fails when Citrix Gateway is configured for RfWebUI theme.[ NSHELP-25133 ]
Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.[ NSHELP-24718 ]
In a rare case, the Citrix Gateway logon page loads slowly if the "nshttp_profile_ids" directory is filling up the storage.[ NSHELP-24705 ]
A Citrix ADC appliance crashes intermittently if the following conditions are met:
- A CA certificate is added to a VPN virtual server.
- OCSP check for the CA certificate is set to mandatory on the SSL virtual server. [ NSHELP-24676 ]
A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.[ NSHELP-24437 ]
The "show audit messages" command displays logs of all log levels instead of the configured log level after the clear config command is run.[ NSHELP-24237 ]
Citrix ADM displays incorrect bandwidth used by users when connected to VPN.[ NSHELP-23855 ]
HDX Insight data is not observed in Director for individual sessions. The issue is seen when NetScaler App Experience (NSAP) sessions are established.[ NSHELP-23834 ]
In Analytics > Gateway Insight, under Authentication, it displays an incorrect Authentication Type. This issue occurs when you configure NO_AUTHN action in the ADC instance.[ NSHELP-20117 ]
Memory leak is observed if HDX Insight with advanced encryption is enabled.[ CGOP-15689 ]
Citrix Web App Firewall
Error Response Code for HTML, XML, and JSON requests
In a cluster configuration, the error response code for HTML, XML, and JSON requests is set as "0" instead of "200" if the profile is configured as advanced or basic by default.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/top-level-protections/profiles/custom-error-status-and-message-for-html-xml-json-error-object.html [ NSWAF-7275 ]
During a cluster upgrade, a Citrix ADC appliance might crash if the session key size is not as expected.[ NSWAF-7080 ]
An audit error is observed in Stylebook if the sessionless field consistency parameter is set as "Postonly".[ NSWAF-6894 ]
The signature URL gets modified after you upgrade the Citrix ADC cluster configuration.[ NSWAF-6844 ]
The aslearn process does not start automatically after the Citrix ADC appliance has crashed.[ NSWAF-6766 ]
In a Citrix ADC appliance, the file upload relaxation rules for multiple file types do not work as expected. [ NSHELP-26313 ]
Load balancing and content switching SSL services do not respond because of high memory usage on a Citrix ADC appliance.[ NSHELP-25587 ]
A Nitro API GET call that fetches learning data for XMLWSICheck returns null data in the response.[ NSHELP-25550 ]
Citrix Web App Firewall learn engine might erroneously learn null values for "Value Type" and "Value" parameters if "CheckRequestHeaders" and "HTML SQLi" protections are enabled.[ NSHELP-25549 ]
Soap envelope validation might fail for XML data.[ NSHELP-24412 ]
The memory limit for SSL session IDs is increased to accommodate the maximum of 1.66M SSL session ID persistence entries per packet engine. Previously, the number of SSL session ID entries was limited to 1.06M because of the memory limit. [ NSLB-7796 ]
A Citrix ADC appliance might crash while displaying the content switching policy bindings, if the following conditions are met:
- Cookie persistence is enabled on the content switching virtual server.
- The target virtual server is of type VPN. [ NSHELP-25652 ]
When a truncated response is received in the response to a DNS monitor probe, the subsequent DNS monitor probe is not sent to a TCP name server.[ NSHELP-25527 ]
A Citrix ADC appliance might crash while updating the Autoscale members of the GSLB service group if both GSLB and non-GSLB service groups are configured.[ NSHELP-25361 ]
The custom location entries might be removed when you run the "add locationfile" or "add locationfile6" commands in a high-availability setup. [ NSHELP-23775 ]
A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.[ NSHELP-21959 ]
In a deterministic large scale NAT (LSN) setup, the following issue is observed after you upgrade the Citrix ADC appliance from release 11.1 to release 12.1 or release 13.0.
The NAT IP addresses and port blocks are allocated based on the "IPADDRS" allocation policy instead of "PORTS" allocation policy.
"PORTS" type was the only deterministic allocation policy present in release 11.1 by default without any configuration option.
"IPADDRS" type is set as the default deterministic allocation policy in release 12.1 or release 13.0.
So, a deterministic LSN configuration with "PORTS" allocation policy is converted to "IPADDRS" allocation policy during the Citrix ADC upgrade process.
As part of the fix, the default deterministic allocation policy is now set to "PORTS" in the following releases:
- Release 12.1 build 61.18 onwards
- Release 13.0 build 76.x onwards [ NSNET-19469 ]
Joining a node to a cluster setup might fail if all the following conditions are met:
- The CLIP address and the NSIP address of the node to be joined are in different networks.
- A SNIP address present in the node to be joined has the same network address as the CLIP address.
- While joining the node to the cluster setup, the connection is initiated with the SNIP as the source IP address and the CLIP as the destination IP address.
- The CLIP address resets the connection. [ NSNET-18438 ]
A Citrix ADC BLX appliance with more than one packet engine might not generate SNMP trap messages.[ NSNET-11296 ]
In a high availability setup, the secondary node might not be able to access the IP addresses on the primary node when the following condition is met:
- A VMAC address is configured on an interface through which the primary node communicates with the secondary node. [ NSHELP-25747 ]
FTP and SFTP load balancing configuration with USIP enabled might not work properly in a Citrix ADC appliance because of the following reason:
Internal flags are not set in client-side session information causing port leaks on dummy IP addresses for FTP and SFTP load balancing sessions.[ NSHELP-25569 ]
In a cluster setup, RNAT configurations for FTP data traffic might fail intermittently.[ NSHELP-25566 ]
Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.[ NSHELP-25105 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
- A large number of active LSN sessions are present on the primary node.
- The Pitboss process crashes and restarts during the synchronization of this large number of LSN sessions to the secondary node. [ NSHELP-25068 ]
In a cluster CLAG setup, you might observe the following issues when the monitor probe of the new active node (passive to active) sends ND6 before the CLAG is UP:
- ND6 request from the new active node fails continuously.
- Some of the services owned by the new active node are down. [ NSHELP-25010 ]
For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.[ NSHELP-24632 ]
In a high availability setup, the SNMP module might crash repeatedly because of improper handling of data by the packet engines and internal networking modules.
This repeated crash of the SNMP module triggers HA failover.[ NSHELP-24434 ]
For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.[ NSHELP-24034 ]
A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.[ NSPLAT-16852 ]
Support for new Citrix ADC SDX hardware platforms
This release now supports the following new platforms:
- Citrix ADC SDX 15000. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-15000.html
- Citrix ADC SDX 26000. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-26000.html
- Citrix ADC SDX 26000-50S. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-26000-50s.html [ NSPLAT-12815 ]
On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.[ NSHELP-26307 ]
Binding a VLAN to a link aggregation channel fails when the VLAN is associated with more than 40 partition-MAC addresses.[ NSHELP-25308 ]
On the Citrix ADC SDX 14000 and SDX 25000 platforms, a core dump is not generated through the lights out management Non-Maskable Interrupt (NMI) button.[ NSHELP-25091 ]
Upgrading a Citrix ADC SDX appliance might fail if the /var/sdx partition is not mounted in the Citrix Hypervisor.[ NSHELP-24847 ]
Policy string map might not work if UTF-8 characters are used in key text.[ NSHELP-25357 ]
A Citrix ADC appliance might crash if the following conditions are observed:
- The maximum header length of an HTTP profile is set as 61440 bytes.
- The policy expression "HTTP.REQ.URL" is processed on a request with a URL length greater than 61440 bytes. [ NSHELP-24476 ]
A Citrix ADC appliance might crash during ASYNC restoration after you try to bind a policy to a label at a priority in which another policy is already bound.[ NSHELP-18493 ]
In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds. [ NSSSL-3161 ]
A Citrix ADC appliance might dump core if the following conditions are met:
- Appliance is low on memory.
- DTLS is enabled.
- DEBUG level log is enabled. [ NSHELP-26114 ]
If strong password option is enabled on a Citrix ADC appliance, password protected certificate-key pairs might not be added. With this fix, the password protected certificate-key pairs are always added successfully. However, downgrading to an earlier build causes the certificate-key configuration to be lost.
Also, in the NITRO API response for certificate-key pairs, the passplain variable is sent instead of the passcrypt variable.[ NSHELP-25675 ]
While using SSL forwarding on an MPTCP connection, the following counters display a large value:
- MPTCP session counter on the forwarded virtual server.
- Current client connection counter on the original virtual server.
When the connection is forwarded from the original virtual server to the forwarded virtual server, the MPTCP session counter on the forwarded virtual server is not incremented. However, when the MPTCP connection is freed, the counter is decremented. As a result, the value for the counter becomes negative.
When the connection is forwarded from the original virtual server to the forwarded virtual server, the current client connection counter on the original virtual server is incorrectly decremented. As a result, the value for the counter becomes negative.
The counter values are now calculated as follows:
Counter: Current client connections
- Value on the original virtual server: Regular TCP connections + MPTCP subflows in any state
- Value on the forwarded virtual server (SSL forwarding): Regular TCP connections in any state
Counter: Current client est connections
- Value on the original virtual server: Regular TCP connections + MPTCP subflows connections in established state
- Value on the forwarded virtual server (SSL forwarding): Regular TCP connections in the established state
Counter: Current Multipath TCP subflows
- Value on the original virtual server: MPTCP subflows connections only
- Value on the forwarded virtual server (SSL forwarding): 0 (Subflows are terminated at the original virtual server)
Counter: Current Multipath TCP sessions
- Value on the original virtual server: MPTCP sessions only
- Value on the forwarded virtual server (SSL forwarding): Forwarded MPTCP sessions (Decremented at the original virtual server and incremented here) [ NSHELP-25555 ]
After you add an SSL_TCP virtual server and attach an SSL profile to it, the "redirectPortRewrite" setting might be incorrectly enabled. As a result, there might be some configuration loss in a future upgrade.
The redirectPortRewrite setting is valid only for an HTTP virtual server.[ NSHELP-22984 ]
When the "forward" ssl action is triggered, the counter "Current Client Est connections" incorrectly shows a large value in the output of statistics for the virtual server to which traffic is forwarded.[ NSHELP-22825 ]
Synchronized SSL feature state and SSL hardware state results in inconsistencies with partitions.[ NSHELP-21193 ]
If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.[ NSHELP-26299 ]
After an upgrade to Citrix ADC 13.0 release 71.40, the 32-bit weblogging (NSWL) client and the 64-bit Citrix ADC appliance have an offset of 4 bytes, leading to incorrect values in generated logs. [ NSHELP-26241 ]
When you add an ADC high-availability pair to the ADM server, the secondary server connects to ADM using the SNIP as the source address. As a result, network issues occur on the uplink devices. For example, the firewall finds two MAC addresses for a SNIP on its interfaces.[ NSHELP-26010 ]
A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.[ NSHELP-26008 ]
When a Citrix ADC appliance initiates a connection to the back-end server for "CONNECT" requests sent at a high rate, the following conditions are observed:
- The back-end server sends a bad ACK to the appliance.
- The appliance does not retry connection initiation.
- Client connections become unresponsive. [ NSHELP-25925 ]
A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.[ NSHELP-25731 ]
An attempt to remove the AppFlow collector fails after the "set appflow action" command is performed.[ NSHELP-25392 ]
After an SSL handshake, if the Citrix ADC appliance sends SETTINGS and SETTINGS-ACK frames after H2 negotiation, the following issues are observed:
- A latency of 100 ms (by default) is seen at the SSL layer when encrypting data of less than 8k.
- The TCP PUSH flag is not set on these frames. [ NSHELP-25148 ]
In a non-probing scenario, the MSS value learnt by the bound gateway service is used by all subsequent transactions until the device restarts, and this leads to the following errors:
- A high frequency of the MSS value 1330 irrespective of the change in MSS value configured on the TCP profile.
- Incorrect fragmentations in the network. [ NSHELP-25043 ]
HTTP/2 flag mismanagement decrements a few TCP counters to a negative value for both HTTP/2 and non-HTTP/2 streams. [ NSHELP-25031 ]
A Citrix ADC appliance is unable to handle server-side connections and cannot log correct AppFlow records if the following conditions are observed:
- The domain name which matches a private urlset is not obfuscated correctly from the AppFlow records.
- The Responder Action, Policy Matched, and Matched ID fields are incorrectly populated in the AppFlow records. [ NSHELP-24824 ]
The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.[ NSHELP-24043 ]
Segmentation errors or a duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:
- The HTTP profile bound to a back-end service has HTTP2 enabled and HTTP2 direct disabled.
- Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of type HTTP.[ NSBASE-13582 ]
When Citrix ADC CPX is deployed as a sidecar and the environment variable MGMT_HTTP_PORT is not set, NITRO API calls do not work.[ NSBASE-12800 ]
A few AppFlow records containing IPFIX information might be abnormal.[ NSBASE-11686 ]
The bot signature edit fails with an error message, "File Does Not Exist" if the signature is imported from CLI or URL.[ NSUI-17261 ]
The link to download the SNMP MIB is broken.[ NSHELP-26107 ]
Single or multiple commands in a NITRO API request to a Citrix ADC appliance might fail, causing the following issues in the appliance:
- Memory corruption
- HTTPD process crash[ NSHELP-25997 ]
An error "no such StartURL check" is displayed at the bottom of the Citrix ADC GUI page when you try to edit or delete the StartURL rule in the Relaxation Rules section.[ NSHELP-25977 ]
When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.[ NSHELP-25654 ]
HTTPD daemon might crash and generate core files while running the Qualys authenticated vulnerability scan.[ NSHELP-25000 ]
All checkboxes get automatically cleared when you try to modify a security check on the Citrix Web App Firewall Profile page. The intermittent issue occurs randomly on the GUI.[ NSHELP-24409 ]
The Gx interface containing AppFlow records has a wrong timestamp when receiving CCA-T diameter messages. The issue might occur if the following conditions are met:
- The idleTTL parameter in the set subscriber parameter command is set to non-zero.
- The gxSessionReporting parameter in the set appflow param command is enabled.[ NSHELP-24099 ]
Authentication, authorization, and auditing
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.[ NSHELP-26199 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[ NSAUTH-6106 ]
An ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. This displays the proxy profile status.[ NSAUTH-5916 ]
You might see a "No such policy exists" message on the nFactor Flow page in nFactor Visualizer when you try to unbind a policy from a factor. The unbind option works as expected.[ NSAUTH-5821 ]
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.[ NSHELP-22942 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.[ NSHELP-26431 ]
The Citrix Gateway login page displays an error stating that the login has failed if the following sequence of events occurs. The error appears even if the user has not tried to log on again.
- Log on to the Citrix Gateway fails.
- Log on to the Citrix Gateway succeeds.
- The user logs out.[ NSHELP-25157 ]
The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.[ NSHELP-24848 ]
The Gateway Insight does not display accurate information on the VPN users.[ NSHELP-23937 ]
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.[ NSHELP-23047 ]
The Citrix ADC appliance becomes unresponsive if the following conditions are met:
- DTLS is enabled.
- UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.[ NSHELP-22987 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.[ NSHELP-21897 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.[ CGOP-16792 ]
Transfer Logon does not work if the following two conditions are met:
- nFactor authentication is configured.
- The Citrix ADC theme is set to Default.[ CGOP-14092 ]
The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.[ CGOP-13584 ]
In a high availability setup, during Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.[ CGOP-13049 ]
An error message appears when you add or edit a session policy from the Citrix ADC GUI.[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.[ CGOP-7269 ]
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.[ NSLB-7679 ]
A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.[ NSHELP-26202 ]
When a content switching virtual server receives an HTTPS request, the largest cookie in the HTTPS request leads to a buffer overflow and stack corruption when the following conditions are met:
- The cookie format is incorrect.
- The cookie length is greater than 32 bytes.[ NSHELP-25932 ]
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.[ NSHELP-24329 ]
The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.[ NSHELP-23391 ]
As the number of newnslog backup files increases, a running Citrix ADC CPX instance can run short of disk space over time. You can control the number of backup files with the NEWNSLOG_MAX_FILENUM environment variable. For example, setting the variable to 10 limits the maximum number of newnslog backup files to 10.[ NSNET-20261 ]
A Citrix ADC BLX appliance now supports the Citrix ADC IPv6 OSPF (OSPFv3) dynamic routing protocol feature. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-dynamic-routes/configuring-ipv6-ospf.html.[ NSNET-19567 ]
A Citrix ADC BLX appliance in DPDK mode does not detect an interface if you have bound the interface to DPDK in DOWN state.
Workaround: Do not bind DOWN interfaces to DPDK.[ NSNET-16561 ]
The following interface operations are not supported in a Citrix ADC BLX appliance:[ NSNET-16559 ]
A Citrix ADC appliance might crash if the following conditions are present:
- The IPv6 link load balancing (LLB6) configuration has the persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration.[ NSHELP-25695 ]
When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
On successive failures, the cluster retains the partial configuration.
1. Identify the failed commands from the log.
2. Manually apply the recovery commands to the failed commands.[ NSHELP-24910 ]
On a Citrix ADC SDX 15000-50G appliance, during a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might occur:
- The LACP link on 10G ports might flap intermittently or go down permanently.
1. Find the internal ethX port corresponding to the 10G port.
2. Run the following command on the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
3. Review the traffic profile and block unwanted traffic on the switch side.[ NSHELP-25561 ]
By default, high availability monitor (HAMON) and HA heartbeat are disabled on a management interface that is configured as an internal management interface. Also, HAMON and HA heartbeat cannot be enabled on this interface.
Later, if the same interface is configured back as a management interface and the VPX instance is rebooted, HAMON and HA heartbeat options are still disabled.
However, you can now enable these options manually to avoid any issues with the HA configuration.[ NSHELP-21803 ]
Connections might hang if the size of the data being processed is larger than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.[ NSPOLICY-1267 ]
A failover might occur in a high availability setup if many non-HTTP, non-TCP packets are queued waiting to be handled after their processing has been blocked.[ NSHELP-23506 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the configuration of SSL entities is lost if the SDX 26000 appliance is restarted.
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.[ NSSSL-9572 ]
The update command is not available for the following add commands:
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option[ NSSSL-6484 ]
You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[ NSSSL-6478 ]
You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[ NSSSL-6213 ]
The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
ERROR: crl refresh disabled[ NSSSL-6106 ]
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
In a cluster setup, you might observe the following issues:
- The command binding the default certificate-key pair to the SSL internal services on the CLIP is missing. If you upgrade from an older build, you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- The default cipher bind command to the SSL entities is missing in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.[ NSHELP-25764 ]
In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.[ NSHELP-24913 ]
The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.
Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.[ NSUI-13024 ]
A load balancing virtual server persistence view fails to display all parameters when you edit an existing virtual server persistence configuration.[ NSHELP-25965 ]
In a cluster setup, a delay is observed when a huge configuration (for example, 100 load balancing virtual IP addresses bound to a Citrix Web App Firewall profile with multiple responder policies and IP patsets) is provisioned across all cluster nodes.[ NSHELP-25458 ]
The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.[ NSHELP-24195 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.[ NSHELP-20988 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.[ NSHELP-20821 ]
In a Citrix ADC BLX appliance, the "Reporting" tab in the GUI might not work as expected.[ NSCONFIG-4877 ]
When you downgrade a Citrix ADC appliance from version 13.0-71.x to an earlier build, some NITRO APIs might not work because of file permission changes.
Workaround: Change the permission of "/nsconfig/ns.conf" to 644.[ NSCONFIG-4628 ]
The connection between the ADC instance and ADM service is lost when the following conditions are met:
- The instance is added to ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.[ NSCONFIG-4368 ]
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.[ NSCONFIG-4330 ]
If you (the system administrator) perform all the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the following builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
- If none of the above options work, a system administrator can reset the system user passwords.[ NSCONFIG-3188 ]