- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 76.31 replaces Build 76.29
- Additional fix in build 76.31: NSAUTH-10135
- Additional known issue added in release notes version 2.0: NSNET-21173
Authentication, authorization, and auditing
Rewrite policy support for Citrix ADC and Citrix Gateway generated responses including 401 and 407 responses
With the implementation of CSP header, the support for rewrite policies has now been extended to Citrix Gateway virtual server and authentication virtual server generated responses including 401 and 407 responses.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite.html[ NSAUTH-8809 ]
Support for default secure CSP header and rewrite policies for Citrix ADC and Citrix Gateway generated responses
The following capabilities are now added to Citrix Gateway virtual server and authentication virtual server.
- Infrastructure for rewrite policies for Citrix ADC generated responses
- Configuration support for a default secure CSP header
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/aaa-rewrite.html[ NSAUTH-1421 ]
Bot management using ADM StyleBooks
You can now configure bot management settings on your ADC instances using ADM StyleBooks. The ADM provides a default StyleBook ("bot-management") to create the bot policy configuration. It contains many criteria that describe the features of bad bots. The ADC instances use this configuration to identify and block such bot threats and malicious traffic.[ NSBOT-84 ]
Bot Log Expression
The Citrix bot management profile now enables you to capture additional data as log messages if the incoming traffic is identified as a bot. The data can be the name of the user who requested the URL, the source IP address, and the source port from which the user sent the request.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html[ NSBOT-49 ]
Client IP Address Extraction for Bot Detection
You can now configure an advanced policy expression in a bot profile for extracting client IP address from an HTTP request header, HTTP request body, or HTTP request URL. The extracted value can be used by a bot detection mechanism (such as transaction per second (TPS), bot trap, or rate limit) to detect if an incoming request is a bot.
By adding this configuration, the Citrix ADC appliance can leverage the bot detection mechanism to provide enhanced security to software clients and servers.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html[ NSBOT-48 ]
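The feature above extracts a client IP address from a request header, body, or URL and feeds it to a rate-based detection mechanism. The following Python is an added illustration, not code from the release notes or from Citrix, of the two pieces a practitioner has to get right behind that configuration: a trust decision for the extracted value (a header hop is only meaningful if it was appended by a proxy you operate, otherwise the TCP peer address is used) and a sliding-window transactions-per-second counter keyed by the result. The header name X-Forwarded-For, the trusted proxy range 10.0.0.0/8 and the sample requests are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption for this example: 10.0.0.0/8 holds the front-end proxies we operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text):
    """Return an ip_address for `text` (whitespace and IPv6 brackets tolerated) or None."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip_from_xff(xff_value, peer_ip, trusted=TRUSTED_PROXIES):
    """Pick the client IP from an X-Forwarded-For value.

    Hops are walked right to left, starting from the TCP peer. Every hop inside a
    trusted network is skipped because a proxy we run appended it; the first hop
    that is not trusted is the client. If the peer itself is not a trusted proxy
    the header is ignored entirely, since the peer wrote it and nothing in it can
    be verified. A malformed hop stops the walk and falls back to the peer.
    """
    peer = _parse_ip(peer_ip)
    if peer is None:
        raise ValueError(f"bad peer address: {peer_ip!r}")
    if not _is_trusted(peer, trusted):
        return str(peer)
    for hop in reversed((xff_value or "").split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break
        if not _is_trusted(ip, trusted):
            return str(ip)
    return str(peer)


class TpsCounter:
    """Sliding-window transactions-per-second counter keyed by client IP."""

    def __init__(self, limit, window_seconds=1.0):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)

    def hit(self, key, now):
        """Record one transaction at time `now`; return True if still within the limit."""
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that fell out of the window
        q.append(now)
        return len(q) <= self.limit


# Constructed sample traffic: (peer address, X-Forwarded-For value, timestamp).
SAMPLE_REQUESTS = [
    ("10.0.0.9", "198.51.100.7, 10.0.0.5", 0.00),
    ("10.0.0.9", "198.51.100.7, 10.0.0.5", 0.10),
    ("10.0.0.9", "198.51.100.7, 10.0.0.5", 0.20),
    ("10.0.0.9", "198.51.100.7, 10.0.0.5", 0.30),   # fourth hit in one second
    ("203.0.113.4", "198.51.100.7", 0.40),          # untrusted peer: header ignored
]


def evaluate(requests, limit=3):
    """Return [(client_ip, allowed), ...] for the sample requests."""
    counter = TpsCounter(limit)
    return [(ip, counter.hit(ip, ts))
            for ip, ts in ((client_ip_from_xff(x, p), t) for p, x, t in requests)]


if __name__ == "__main__":
    for ip, allowed in evaluate(SAMPLE_REQUESTS):
        print(f"{ip:15} {'allow' if allowed else 'rate-limited'}")
```

The right-to-left walk matters: a client can put any text in X-Forwarded-For, so only the hops added after the request reached infrastructure you control are trustworthy. The same rule applies whichever header, body field or URL parameter the bot profile expression reads.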
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, default admin (nsroot) access can be disabled by configuring external authentication and disabling fallback to default admin access. However, if the external servers are not responsive, default admin access (local authentication) is automatically enabled to regain access to the appliance.[ NSSVM-4276 ]
On a Citrix ADC SDX appliance, the license server details can be modified without unlicensing the ADC instances.[ NSSVM-2939 ]
Displaying status of nFactor EPA scans in the Citrix ADC logs
The Citrix ADC appliance logs the status of nFactor EPA scans for pre-authentication and post-authentication along with the case ID. The case ID is displayed to the end user in the EPA error HTML page. The case ID is also logged in the appliance along with all the scans that have passed or failed.[ CGOP-12110 ]
Citrix Web App Firewall
SQL Grammar-based Approach for SQL Injection Attacks
The NextGen Citrix Web App Firewall solution is now enhanced to support the following SQL detection methods for reducing false positives in HTTP and JSON payloads. Previously, only the pattern-based approach was supported.
- Pattern-based approach
- Grammar-based approach
[ NSWAF-6910 ]
Custom response error code and message for error object configuration
If Citrix Web App Firewall (WAF) uses an error object for handling error scenarios, the WAF profile now allows you to configure a custom response status code and message. You can customize the response status code and message for an HTML, XML, or JSON error object in a WAF profile. Previously, the error object response was sent with the response status code and message set to "200" and "OK", and there was no way to customize the error object's response status. To maintain backward compatibility, if the custom error object response status code and message are not set, the default values are "200" and "OK", respectively.[ NSWAF-6549 ]
Support for Additional Security Protection
The dynamic profile relaxation counter now supports the following additional security checks.
- JSON SQL
- JSON Cross-site scripting
- JSON DoS
- Cookie consistency
- Cross-Site request forgery
- Field format
[ NSWAF-6433 ]
SQL Grammar-based Approach for SQL Injection Attacks
The NextGen Citrix Web App Firewall solution is now enhanced to support both pattern-based approach and grammar-based approach for detecting SQL injection attacks and reducing false positives in HTTP and JSON payloads. Previously, only the pattern-based approach was supported.[ NSWAF-5822 ]
Reduction in the time taken to synchronize GSLB configuration among the GSLB sites
The time taken to synchronize the GSLB configuration among the GSLB sites is now significantly reduced because of compression of files that are being synchronized with remote sites.[ NSLB-7399 ]
Moving GSLB services to a learning phase to avoid flaps on GSLB services
The parameter, SvcStateLearningTime, can now be used to move the local and child GSLB services to learning phase to avoid unnecessary flaps on remote GSLB sites. When a service is in a learning phase, the remote GSLB sites do not honor the primary site state and statistics received through MEP for that service. However, the state of the sites can be learnt from the health monitor, if bound explicitly.
You can set SvcStateLearningTime in seconds. Default value is 0 and maximum value is 3600.
GSLB services enter the learning phase in any of the following scenarios.
- Citrix ADC appliance is rebooted
- High availability failover has occurred
- Owner node in a cluster GSLB setup is changed
- MEP is enabled on a local node
- GSLB site comes out of an island scenario. A GSLB site becomes an island when it is not connected to any other site.
In a parent-child deployment, the backup parent (if configured) selectively moves the adopted child sites' GSLB services to the learning phase when the primary parent goes DOWN.[ NSLB-6707 ]
High Availability Version Control for Account Structure Changes
In a high availability setup, the ISSU process uses the node-to-node TCP communication framework to sync or honor the existing connections.
The appliances might crash during the ISSU process if there is a mismatch of the framework structure size in the two nodes.
With the fix, the Citrix ADC appliance runs the ISSU migration only if the framework structure size is the same on both nodes.
If there is a mismatch of the structure size, the Citrix ADC appliance does not run the ISSU migration operation and it displays an error message.[ NSNET-15370 ]
Support for Citrix ADC VPX configurations at the first boot of the Citrix ADC appliance on Azure, GCP, and AWS clouds
You can now apply the Citrix ADC VPX configurations during the first boot of the Citrix ADC appliance in a cloud environment. In certain cases, such as Citrix ADC pooled licensing, this feature brings up the VPX instance in much less time. You can use this feature by providing a script, metadata, or user data to the cloud instance in XML format. This feature is available in Microsoft Azure, Google Cloud Platform, and AWS clouds.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/deploying-vpx/apply-vpx-config-at-preboot.html[ NSPLAT-14774 ]
Support for Azure accelerated networking on Citrix ADC VPX instance
The Citrix ADC VPX instance now supports Azure accelerated networking. Accelerated networking enables single root I/O virtualization (SR-IOV) virtual function (VF) NIC to a virtual machine, which improves the networking performance. You can use this feature with heavy workloads that need to send or receive data at higher throughput with reliable streaming and lower CPU utilization.
When a NIC is enabled with accelerated networking, Azure bundles the NIC's existing para-virtualized (PV) interface with an SR-IOV VF interface. The support of the SR-IOV VF interface enables and enhances the throughput of the Citrix ADC VPX instance.[ NSPLAT-13235 ]
Parsing Proxy Protocol after TLS handshake for SSL and SSL-TCP traffic
According to the RFC, the proxy protocol is parsed after the final ACK of the TCP handshake. The functionality is now enhanced to parse the proxy protocol after the TLS handshake for SSL and SSL-TCP traffic. Because the parsing happens after the TLS handshake, the proxy protocol data is carried TLS encrypted, which is more secure. To perform this parsing, you must enable the "proxyProtocolAfterTLSHandshake" parameter in the net profile. When the parameter is enabled, the appliance parses the proxy protocol after the TLS handshake and not after the final ACK of the TCP handshake.
Configure proxy protocol after TLS handshake by using the command interface:
At the command prompt, type:
"add netprofile <name> -proxyProtocolAfterTLSHandshake ENABLED"
The proxyProtocol and proxyProtocolAfterTLSHandshake parameters are mutually exclusive.[ NSBASE-12491 ]
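To make the ordering concrete, here is an added Python example (not code from the release notes or from Citrix) of a strict PROXY protocol v1 line parser together with a small sniffer for the first bytes of a stream. With the parameter above enabled, the raw TCP stream begins with a TLS record and the PROXY line is only visible in the decrypted application bytes, so the parser must run on the plaintext after the handshake rather than on the first bytes of the connection. The sample stream and addresses are constructed for this example; the grammar checks follow the HAProxy PROXY protocol specification (107-byte limit, TCP4/TCP6/UNKNOWN, numeric ports).

```python
import ipaddress

PROXY_V1_MAX_LEN = 107  # longest legal v1 line including CRLF, per the PROXY protocol spec

# Constructed sample: the first bytes of the *decrypted* application stream,
# a PROXY v1 line followed by the start of an HTTP request.
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.10 198.51.100.7 51234 443\r\nGET / HTTP/1.1\r\n"


def classify_stream_start(stream):
    """Report what the first bytes of a stream look like.

    "proxy-v1": a PROXY v1 signature; "tls-record": a TLS record header (content
    type 0x16 = handshake, major version 3); "other": anything else. On a
    connection where PROXY is sent after the TLS handshake, the raw TCP stream
    classifies as "tls-record" and only the decrypted bytes as "proxy-v1".
    """
    if stream.startswith(b"PROXY "):
        return "proxy-v1"
    if len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03:
        return "tls-record"
    return "other"


def _port(text):
    """Validate a decimal port field: digits only, no leading zeros, 0..65535."""
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(stream):
    """Parse a PROXY protocol v1 line at the start of `stream`.

    Returns (info, rest): info describes the advertised connection, or is
    {"unknown": True} for "PROXY UNKNOWN"; rest is the payload after the CRLF.
    Raises ValueError for anything that violates the v1 grammar.
    """
    if not stream.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 signature")
    end = stream.find(b"\r\n", 0, PROXY_V1_MAX_LEN)  # CRLF must end within 107 bytes
    if end == -1:
        raise ValueError("no CRLF within the 107-byte limit")
    line = stream[:end].decode("ascii")  # non-ASCII raises a ValueError subclass
    rest = stream[end + 2:]
    parts = line.split(" ")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return {"unknown": True}, rest
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}")
    _, family, src, dst, sport, dport = parts
    addr_cls = {"TCP4": ipaddress.IPv4Address, "TCP6": ipaddress.IPv6Address}.get(family)
    if addr_cls is None:
        raise ValueError(f"unsupported family {family!r}")
    info = {
        "family": family,
        "src": str(addr_cls(src)),  # raises ValueError on a malformed address
        "dst": str(addr_cls(dst)),
        "sport": _port(sport),
        "dport": _port(dport),
    }
    return info, rest


def rejects(stream):
    """True if the stream is rejected by the v1 grammar checks."""
    try:
        parse_proxy_v1(stream)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    print(classify_stream_start(b"\x16\x03\x01\x00\xc4"))  # what the raw TCP stream shows
    info, rest = parse_proxy_v1(SAMPLE_STREAM)
    print(info, rest)
```

The strictness is the point: a line that does not match the grammar is rejected rather than partially trusted, so a malformed or oversized header cannot be used to smuggle a bogus client address into anything that keys on it.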
QUIC bridge deployment for HTTP3/QUIC traffic
The Citrix ADC appliance now supports QUIC bridge configuration for HTTP3 QUIC traffic. The deployment enables you to have persistent QUIC connections between client and server in the case of a NAT rebinding or a connection migration.
Advantages of QUIC bridge configuration:
- No expensive crypto operations.
- Stateless routing possible (no 4-tuple based load balancing).
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/quic.html[ NSBASE-10636 ]
Support for additional address advertisement (ADD_ADDR)
In an MPTCP deployment, if you have a virtual server bound with an IP set that has additional virtual server IP addresses, the additional address advertisement (ADD_ADDR) functionality advertises the IP addresses of the virtual servers bound to the IP set. This IP set is the one on which the client can initiate the new MP-JOIN subflows.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/tcp-configurations.html[ NSBASE-9076 ]
You cannot use the GUI to bind an external OCSP responder to a root certificate if an internal OCSP responder is added for the same root certificate.[ NSUI-1145 ]
Authentication, authorization, and auditing
In rare cases, the OAuth authentication fails if a Citrix ADC appliance configured as OAuth IdP does not send a JWT token in the specified format.[ NSHELP-26323 ]
If a user logs in with an expired timestamp, the Citrix ADC appliance sends an invalid post back URL to re-login.[ NSHELP-26285 ]
In some cases, addition of multiple EPA related authentication policies results in high management CPU.[ NSHELP-26281 ]
In some cases, a Citrix ADC appliance crashes because a default action is bound to a policy that has no login schema.[ NSHELP-26192 ]
In some cases, the Citrix ADC appliance might become unresponsive if the user authentication information is not available.[ NSHELP-26113 ]
In some cases, attributes such as "Secure" and "Domain" present in Samesite cookie are not separated by a comma but are displayed as one attribute.[ NSHELP-25825 ]
In some cases, a Citrix ADC appliance might crash when a user tries to configure a customized EULA login schema.[ NSHELP-25570 ]
System-defined questions in KBA Registration Login Schema are displayed only in English and language localization support is not available for these questions.[ NSHELP-25484 ]
The Citrix ADC appliance drops some valid requests when acting as an ADFS proxy.[ NSHELP-25427 ]
If a Citrix ADC appliance is configured for nFactor authentication and is upgraded to version 13.0, the endpoint (for example, an iPad) used to access the Citrix ADC appliance is presented with 401-based authentication instead of form-based authentication.[ NSHELP-25309 ]
The Citrix ADC appliance crashes when FIPS certificate is configured for usercertdata.[ NSHELP-25264 ]
A Citrix ADC appliance might crash if the following issues are observed:
- Invalid memory allocation.
- Web App Firewall is configured with form-based SSO authentication.
[ NSHELP-24551 ]
When a Citrix ADC or a Citrix Gateway appliance uses Kerberos authentication followed by an LDAP user search operation, the authentication fails in the following scenario:
The LDAP User Principal Name (UPN) is different from the user name provided by the Kerberos ticket.[ NSHELP-24384 ]
In some cases, SAML authentication breaks when the following conditions are met:
- The Citrix ADC appliance is configured as a SAML SP.
- "Domain drop-down" is configured as a factor on the Citrix ADC appliance.
- SAML policies are evaluated based on inputs from the "Domain drop-down" factor.
[ NSAUTH-10135 ]
A Citrix ADC appliance responds with a 400 error code when the header size of a Citrix Gateway user interface related request exceeds 1024 characters.[ NSAUTH-9475 ]
New bot actions for bot blocklist detection technique
"None" and "Redirect" are added to the list of actions that can be selected for the bot blocklist detection technique.[ NSBOT-397 ]
The bot transaction per second (TPS) functionality does not work as expected.[ NSBOT-353 ]
When you edit or update bot signatures in a Citrix ADC cluster configuration, the Citrix ADC appliance displays the following error:
"Signature Update Failed - Updating the resource failed"[ NSBOT-345 ]
Bot trap URL gets inserted in all requests including the URLs that are not defined in the Trap Insertion URL list.[ NSBOT-316 ]
CAPTCHA mitigation process does not get reinitialized to honor client requests after the mute period.[ NSBOT-224 ]
Bot trap URL logs do not work as expected for "drop", "reset" and "redirect" bot action.[ NSBOT-184 ]
When configuring a cache content group, invalid white spaces are observed in the cache-control header max-age value.[ NSHELP-20066 ]
Citrix ADC SDX Appliance
On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.[ NSHELP-26500 ]
On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.[ NSHELP-26190 ]
If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.[ NSHELP-25909 ]
On a Citrix ADC SDX appliance, there might be a password mismatch between the Management Service and a VPX instance, if the following conditions occur simultaneously:
- The Management Service password is changed.
- The VPX instance is modified for any change, such as memory, CPU, and profile.
[ NSHELP-25709 ]
On a Citrix ADC SDX appliance, provisioning or restoring a VPX might fail if the allowed VLAN list on an interface or channel is more than 100 characters.[ NSHELP-25702 ]
When a Citrix ADC SDX appliance is rebooted and the Management Service comes up before an ADC instance, the Management Service assumes that the instance state is HALTED. As a result, the Management Service does not add the route entries for the instance and the instance state goes DOWN.[ NSHELP-25674 ]
If you perform a factory reset on a Citrix ADC SDX appliance, the host ID of the appliance changes for the first time. The change happens if one of the following conditions is met:
1. You restore an appliance on which a link aggregation channel is configured on a management interface.
2. The link aggregation channel on a management interface is deleted.[ NSHELP-25670 ]
On a Citrix ADC SDX appliance, the Management Service raises an event if memory usage above threshold persists for more than 15 minutes.[ NSHELP-25668 ]
On a Citrix ADC SDX appliance, the Management Service host ID might change if you delete the link aggregation of the management interfaces. As a result, appliance licensing might be affected.[ NSHELP-25636 ]
Sometimes, an endpoint analysis scan with the EPA plug-in for macOS fails because the plug-in times out in 5 seconds and, as a result, the scan quits before it is complete.[ NSHELP-26305 ]
Sometimes, the Citrix ADC appliance crashes when a trace is started either from the GUI or the CLI.[ NSHELP-26249 ]
The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.[ NSHELP-26068 ]
The Citrix Gateway plug-in fails to establish full tunnel and displays content of the local drive after entering the credentials.[ NSHELP-25899 ]
The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.[ NSHELP-25420 ]
In Citrix ADC GUI, the Add tab present in Authentication, authorization, and auditing Groups page does not allow editing the Weights field.[ NSHELP-25200 ]
If an FQDN is used for configuring wiHome or StoreFront over an SSL connection, ECDHE ciphers are not negotiated during the boot-up process.[ NSHELP-25144 ]
Redirection to ShareFile fails when Citrix Gateway is configured for RfWebUI theme.[ NSHELP-25133 ]
Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.[ NSHELP-24718 ]
In a rare case, the Citrix Gateway logon page loads slowly if the "nshttp_profile_ids" directory is filling up the storage.[ NSHELP-24705 ]
A Citrix ADC appliance crashes intermittently if the following conditions are met:
- A CA certificate is added to a VPN virtual server.
- OCSP check for the CA certificate is set to mandatory on the SSL virtual server.
[ NSHELP-24676 ]
A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.[ NSHELP-24437 ]
The "show audit messages" command displays logs of all log levels instead of the configured log level after the clear config command is run.[ NSHELP-24237 ]
Citrix ADM displays incorrect bandwidth used by users when connected to VPN.[ NSHELP-23855 ]
HDX Insight data is not observed in Director for individual sessions. The issue is seen when Citrix ADC App Experience (NSAP) sessions are established.[ NSHELP-23834 ]
In Analytics > Gateway Insight, under Authentication, it displays an incorrect Authentication Type. This issue occurs when you configure NO_AUTHN action in the ADC instance.[ NSHELP-20117 ]
Memory leak is observed if HDX Insight with advanced encryption is enabled.[ CGOP-15689 ]
Citrix Web App Firewall
Error Response Code for HTML, XML, and JSON requests
In a cluster configuration, the error response code for HTML, XML, and JSON requests is set as "0" instead of "200" if the profile is configured as advanced or basic by default.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/top-level-protections/profiles/custom-error-status-and-message-for-html-xml-json-error-object.html[ NSWAF-7275 ]
During a cluster upgrade, a Citrix ADC appliance might crash if the session key size is not as expected.[ NSWAF-7080 ]
An audit error is observed in a StyleBook if the sessionless field consistency parameter is set as "Postonly".[ NSWAF-6894 ]
The signature URL gets modified after you upgrade the Citrix ADC cluster configuration.[ NSWAF-6844 ]
The aslearn process does not start automatically after the Citrix ADC appliance has crashed.[ NSWAF-6766 ]
In a Citrix ADC appliance, the file upload relaxation rules for multiple file types do not work as expected.[ NSHELP-26313 ]
Load balancing and content switching SSL services do not respond because of high memory usage on a Citrix ADC appliance.[ NSHELP-25587 ]
A Nitro API GET call that fetches learning data for XMLWSICheck returns null data in the response.[ NSHELP-25550 ]
Citrix Web App Firewall learn engine might erroneously learn null values for "Value Type" and "Value" parameters if "CheckRequestHeaders" and "HTML SQLi" protections are enabled.[ NSHELP-25549 ]
Soap envelope validation might fail for XML data.[ NSHELP-24412 ]
The memory limit for SSL session IDs is increased to accommodate the maximum of 1.66M SSL session ID persistence entries per packet engine. Previously, the number of SSL session ID entries was limited to 1.06M because of the memory limit.[ NSLB-7796 ]
A Citrix ADC appliance might crash while displaying the content switching policy bindings, if the following conditions are met:
- Cookie persistence is enabled on the content switching virtual server.
- The target virtual server is of type VPN.
[ NSHELP-25652 ]
When a truncated response is received in the response to a DNS monitor probe, the subsequent DNS monitor probe is not sent to a TCP name server.[ NSHELP-25527 ]
A Citrix ADC appliance might crash while updating the Autoscale members of the GSLB service group if both GSLB and non-GSLB service groups are configured.[ NSHELP-25361 ]
The custom location entries might be removed when you run the "add locationfile" or "add locationfile6" command in a high-availability setup.[ NSHELP-23775 ]
A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.[ NSHELP-21959 ]
In a deterministic large scale NAT (LSN) setup, the following issue is observed after you upgrade the Citrix ADC appliance from release 11.1 to release 12.1 or release 13.0.
The NAT IP addresses and port blocks are allocated based on the "IPADDRS" allocation policy instead of "PORTS" allocation policy.
"PORTS" type was the only deterministic allocation policy present in release 11.1 by default without any configuration option.
"IPADDRS" type is set as the default deterministic allocation policy in release 12.1 or release 13.0.
So, a deterministic LSN configuration with "PORTS" allocation policy is converted to "IPADDRS" allocation policy during the Citrix ADC upgrade process.
As part of the fix, the default deterministic allocation policy is now set to "PORTS" in the following releases:
- Release 12.1 build 61.18 onwards
- Release 13.0 build 76.x onwards
[ NSNET-19469 ]
Joining of a node to a cluster setup might fail if all the following conditions are met:
- The CLIP address and the NSIP address of the node to be joined are in different networks.
- A SNIP address present in the node to be joined has the same network address as the CLIP address.
- While joining the node to the cluster setup, the connection is initiated with the SNIP as the source IP address and the CLIP as the destination IP address.
- The CLIP address resets the connection.
[ NSNET-18438 ]
A Citrix ADC BLX appliance with more than one packet engine might not generate SNMP trap messages.[ NSNET-11296 ]
In a high availability setup, the secondary node might not be able to access the IP addresses on the primary node when the following condition is met:
- A VMAC address is used on an interface through which the primary node is communicating with the secondary node.
[ NSHELP-25747 ]
FTP and SFTP load balancing configuration with USIP enabled might not work properly in a Citrix ADC appliance because of the following reason:
Internal flags are not set in client-side session information causing port leaks on dummy IP addresses for FTP and SFTP load balancing sessions.[ NSHELP-25569 ]
In a cluster setup, RNAT configurations for FTP data traffic might fail intermittently.[ NSHELP-25566 ]
Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.[ NSHELP-25105 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
- A large number of active LSN sessions are present in the primary node.
- The Pitboss process crashes and restarts while this large number of LSN sessions is being synchronized to the secondary node.
[ NSHELP-25068 ]
In a cluster CLAG setup, you might observe the following issues when the monitor probe of the new active node (passive to active) sends ND6 before the CLAG is UP:
- ND6 request from the new active node fails continuously.
- Some of the services owned by the new active node are down.
[ NSHELP-25010 ]
For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.[ NSHELP-24632 ]
In a high availability setup, the SNMP module might crash repeatedly because of improper handling of data by the packet engines and internal networking modules.
This repeated crash of the SNMP module triggers HA failover.[ NSHELP-24434 ]
A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.[ NSPLAT-16852 ]
Support for new Citrix ADC SDX hardware platforms
This release now supports the following new platforms:
- Citrix ADC SDX 15000. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-15000.html
- Citrix ADC SDX 26000. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-26000.html
- Citrix ADC SDX 26000-50S. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-26000-50s.html
[ NSPLAT-12815 ]
On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.[ NSHELP-26307 ]
Binding a VLAN to a link aggregation channel fails when the VLAN is associated with more than 40 partition-MAC addresses.[ NSHELP-25308 ]
On the Citrix ADC SDX 14000 and SDX 25000 platforms, a core dump is not generated through the lights out management Non-Maskable Interrupt (NMI) button.[ NSHELP-25091 ]
Upgrading a Citrix ADC SDX appliance might fail if the /var/sdx partition is not mounted in the Citrix Hypervisor.[ NSHELP-24847 ]
Policy string map might not work if UTF-8 characters are used in key text.[ NSHELP-25357 ]
A Citrix ADC appliance might crash if the following conditions are observed:
- The maximum header length of an HTTP profile is set as 61440 bytes.
- The policy expression "HTTP.REQ.URL" is processed on a request with a URL length greater than 61440 bytes.
[ NSHELP-24476 ]
A Citrix ADC appliance might crash during ASYNC restoration after you try to bind a policy to a label at a priority in which another policy is already bound.[ NSHELP-18493 ]
In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.[ NSSSL-3161 ]
A Citrix ADC appliance might dump core if the following conditions are met:
- Appliance is low on memory.
- DTLS is enabled.
- DEBUG level log is enabled.
[ NSHELP-26114 ]
If strong password option is enabled on a Citrix ADC appliance, password protected certificate-key pairs might not be added. With this fix, the password protected certificate-key pairs are always added successfully. However, downgrading to an earlier build causes the certificate-key configuration to be lost.
Also, in the NITRO API response for certificate-key pairs, the passplain variable is sent instead of the passcrypt variable.[ NSHELP-25675 ]
While using SSL forwarding on an MPTCP connection, the following counters display a large value:
- MPTCP session counter on the forwarded virtual server.
- Current client connection counter on the original virtual server.
When the connection is forwarded from the original virtual server to the forwarded virtual server, the MPTCP session counter on the forwarded virtual server is not incremented. However, when the MPTCP connection is freed, the counter is decremented. As a result, the value for the counter becomes negative.
When the connection is forwarded from the original virtual server to the forwarded virtual server, the current client connection counter on the original virtual server is incorrectly decremented. As a result, the value for the counter becomes negative.
The counter values are now calculated as follows:
Counter: Current client connections
- Value on the original virtual server: Regular TCP connections + MPTCP subflows in any state
- Value on the forwarded virtual server (SSL forwarding): Regular TCP connections in any state
Counter: Current client est connections
- Value on the original virtual server: Regular TCP connections + MPTCP subflows connections in established state
- Value on the forwarded virtual server (SSL forwarding): Regular TCP connections in the established state
Counter: Current Multipath TCP subflows
- Value on the original virtual server: MPTCP subflows connections only
- Value on the forwarded virtual server (SSL forwarding): 0 (Subflows are terminated at the original virtual server)
Counter: Current Multipath TCP sessions
- Value on the original virtual server: MPTCP sessions only
- Value on the forwarded virtual server (SSL forwarding): Forwarded MPTCP sessions (Decremented at the original virtual server and incremented here)
[ NSHELP-25555 ]
After you add an SSL_TCP virtual server and attach an SSL profile to it, the "redirectPortRewrite" setting might be incorrectly enabled. As a result, there might be some configuration loss in a future upgrade.
The redirectPortRewrite setting is valid only for an HTTP virtual server.[ NSHELP-22984 ]
When the "forward" ssl action is triggered, the counter "Current Client Est connections" incorrectly shows a large value in the output of statistics for the virtual server to which traffic is forwarded.[ NSHELP-22825 ]
Synchronized SSL feature state and SSL hardware state results in inconsistencies with partitions.[ NSHELP-21193 ]
If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.[ NSHELP-26299 ]
After an upgrade to Citrix ADC 13.0 release 71.40, the 32-bit weblogging (NSWL) client and 64-bit Citrix ADC appliance have offset of 4 bytes leading to incorrect values in generated logs.[ NSHELP-26241 ]
When you add an ADC high-availability pair to the ADM server, the secondary server connects to ADM using the SNIP as the source address. As a result, network issues occur on the uplink devices. For example, the firewall finds two MAC addresses for a SNIP on its interfaces.[ NSHELP-26010 ]
A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.[ NSHELP-26008 ]
When a Citrix ADC appliance initiates a connection to the back-end server for "CONNECT" requests sent at a high rate, the following conditions are observed:
- The back-end server sends a bad ACK to the appliance.
- The appliance does not retry connection initiation.
- Client connections become unresponsive.
[ NSHELP-25925 ]
A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.[ NSHELP-25731 ]
An attempt to remove the AppFlow collector fails after the "set appflow action" command is performed.[ NSHELP-25392 ]
After an SSL handshake, if the Citrix ADC appliance sends SETTINGS and SETTINGS-ACK frames after H2 negotiation, the following issues are observed:
- Latency issue of 100ms (by default) is seen at the SSL layer when encrypting data less than 8k.
- The TCP PUSH flag is not set on these frames.
[ NSHELP-25148 ]
In a non-probing scenario, the MSS value learnt by the bound gateway service is used by all subsequent transactions until the device restarts, and this leads to the following errors:
- A high frequency of the MSS value 1330 irrespective of the change in MSS value configured on the TCP profile.
- Incorrect fragmentations in the network.
[ NSHELP-25043 ]
HTTP/2 flag mismanagement decrements some TCP counters to a negative value for both HTTP/2 and non-HTTP/2 streams.[ NSHELP-25031 ]
A Citrix ADC appliance is unable to handle server-side connections and cannot log correct AppFlow records if the following conditions are observed:
- The domain name that matches a private URL set is not obfuscated correctly in the AppFlow records.
- The Responder Action, Policy Matched, and Matched ID fields are incorrectly populated in the AppFlow records.[ NSHELP-24824 ]
The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.[ NSHELP-24043 ]
Segmentation errors or a duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:
- The HTTP profile bound to a back-end service has HTTP/2 enabled and HTTP/2 direct disabled.
- Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of type HTTP.[ NSBASE-13582 ]
When Citrix ADC CPX is deployed as a sidecar and the environment variable MGMT_HTTP_PORT is not set, NITRO API calls do not work.[ NSBASE-12800 ]
A few AppFlow records containing IPFIX information might be abnormal.[ NSBASE-11686 ]
The bot signature edit fails with an error message, "File Does Not Exist" if the signature is imported from CLI or URL.[ NSUI-17261 ]
The link to download the SNMP MIB is broken.[ NSHELP-26107 ]
Single or multiple commands in a NITRO API request to a Citrix ADC appliance might fail, causing the following issues in the appliance:
- Memory corruption
- HTTPD process crash[ NSHELP-25997 ]
An error message "No such StartURL check" is displayed at the bottom of the Citrix ADC GUI page when you try to edit or delete the StartURL rule in the Relaxation Rules section.[ NSHELP-25977 ]
When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.[ NSHELP-25654 ]
HTTPD daemon might crash and generate core files while running the Qualys authenticated vulnerability scan.[ NSHELP-25000 ]
All checkboxes get automatically cleared when you try to modify a security check on the Citrix Web App Firewall Profile page. The intermittent issue occurs randomly on the GUI.[ NSHELP-24409 ]
In a Citrix ADC BLX appliance, the Autocomplete feature might not work as expected.[ NSCONFIG-4338 ]
The Gx interface containing AppFlow records has a wrong timestamp when receiving CCA-T Diameter messages. The issue might occur if the following conditions are met:
- The idleTTL parameter in the set subscriber parameter command is set to a non-zero value.
- The gxSessionReporting parameter in the set appflow param command is enabled.[ NSHELP-24099 ]
Authentication, authorization, and auditing
In some cases, a Citrix ADC appliance crashes while performing user authentication for a Citrix Gateway and Authentication, authorization, and auditing traffic management (AAA-TM) deployment.[ NSHELP-26555 ]
An incorrect SSO domain name is populated for the logged-in user if AAA.USER.DOMAIN is used in the expression.[ NSHELP-26443 ]
The Citrix Gateway appliance crashes during nFactor authentication if the following conditions are met:
- WebView is used to access the Citrix Gateway appliance.
- Blocking expressions are configured in the VPN session policy.[ NSHELP-26433 ]
Upon entering an incorrect OTP, an error message "Email Auth failed. No further action to continue" is displayed.[ NSHELP-26400 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.[ NSHELP-26199 ]
In certain scenarios, the bind aaa group command might fail if the policy name is longer than the intranet application name.[ NSHELP-25971 ]
In a Citrix ADC BLX appliance, LDAP authentication might not work as expected with the SSL, TLS, and plaintext security types.[ NSHELP-25809 ]
The following issues are observed when the Citrix ADC appliance is configured as the Relying Party (RP):
- The appliance fails to process the authentication request from the OAuth IdP if the IdP uses RS512 as the JWT signature algorithm.
- The appliance sends the value "anonymous" for the "login_hint" parameter to the OAuth IdP.[ NSHELP-25794 ]
Authentication fails during dialogue mode when the RADIUS server sends multiple duplicate responses.[ NSHELP-25758 ]
While configuring an authentication policy using the Citrix ADC GUI, "NO AUTH" action cannot be selected.[ NSHELP-25466 ]
In some cases, the Citrix ADC appliance might crash when a user tries to authenticate and the appliance is configured as follows:
- The appliance is configured for 401 authentication.
- The authentication policy has NoAuth in the first factor and certificate authentication in the second factor.
Workaround: Use either of the following options:
- Remove the NoAuth policy from the configuration.
- Move to form-based authentication.[ NSHELP-25051 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[ NSAUTH-6106 ]
An ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank when you run the following command:
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC node in the cluster and run the "show adfsproxyprofile <profile name>" command. The output displays the proxy profile status.[ NSAUTH-5916 ]
You might see a "No such policy exists" message on the nFactor Flow page in the nFactor Visualizer when you try to unbind a policy from a factor. The unbind option works as expected.[ NSAUTH-5821 ]
You cannot bind multiple rate limit session cookies to a bot profile.[ NSBOT-390 ]
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.[ NSHELP-22942 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.[ NSSVM-4333 ]
Inventory does not happen as per the inventory cycle for instances where the IP address used during instance provisioning is changed later from the instance directly.[ NSHELP-26407 ]
When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message "Invalid Proxy Value" appears.[ NSHELP-26613 ]
If the application name is longer than 20 characters, then the application name appears truncated when connecting over Citrix Gateway.[ NSHELP-26604 ]
The Windows VPN gateway plug-in blocks use of "CTRL + P" and "CTRL + O" over the VPN tunnel.[ NSHELP-26602 ]
The VPN plug-in for Windows displays incorrect information on the Windows credential screen when the network changes.[ NSHELP-26562 ]
EPA libraries for macOS are updated to version 220.127.116.11 (Opswat version : 4.3.1566.0)[ NSHELP-26538 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.[ NSHELP-26431 ]
The Citrix Gateway appliance might become unresponsive if it is configured with an IPV6 address and the gateway is used to proxy the Enlightened Data Transport (EDT) protocol.[ NSHELP-26357 ]
The RfWebUI client detection page displays the Install button instead of the Detect button if a content switching virtual server is configured.[ NSHELP-26138 ]
The Citrix ADC appliance crashes if either of the following conditions occurs:
- The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
- High availability synchronization happens on the secondary node.
Workaround: Create the syslog action with the syslog server's IP address instead of its domain name.[ NSHELP-25944 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.[ NSHELP-25694 ]
The Citrix ADC appliance crashes when multiple VPN plug-in clients use X.509 certificates of size 1800 bytes or more to set up a tunnel.[ NSHELP-25195 ]
The Citrix Gateway login page displays an error stating that the login has failed if the following sequence of conditions is met. The error appears even if the user has not tried to log on again.
- Log on to the Citrix Gateway fails.
- Log on to the Citrix Gateway succeeds.
- The user logs out.[ NSHELP-25157 ]
If you rename a VPN virtual server that is bound to an STA server, the status of the STA server appears DOWN when you run the show command.[ NSHELP-24714 ]
The Gateway Insight does not display accurate information on the VPN users.[ NSHELP-23937 ]
The "show tunnel global" command output now includes advanced policy names. Previously, the output did not display the advanced policy names.
Output with this fix:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0
Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Global bindpoint: REQ_DEFAULT
Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Global bindpoint: RES_DEFAULT
Output before this fix:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done [ NSHELP-23496 ]
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.[ NSHELP-23047 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.[ NSHELP-21897 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.[ CGOP-16792 ]
Transfer Logon does not work if the following two conditions are met:
- nFactor authentication is configured.
- The Citrix ADC theme is set to Default.[ CGOP-14092 ]
The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.[ CGOP-13584 ]
In a high availability setup, during Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.[ CGOP-13049 ]
An error message appears when you add or edit a session policy from the Citrix ADC GUI.[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.[ CGOP-7269 ]
Citrix Web App Firewall
In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.[ NSHELP-26570 ]
In a high availability setup, if dynamic profiling is configured along with SNMP alerts enabled, spike in memory usage might be observed on the secondary node.[ NSHELP-25580 ]
The Citrix ADC appliance might crash because of a timeout issue when adding a violation record to a long list of records.[ NSHELP-25507 ]
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.[ NSLB-7679 ]
In a high availability setup, the secondary node might crash if the following conditions are met:
- The amount of physical memory on the two nodes is different.
- The data sessions are not synchronized properly.
Workaround: Keep the same amount of physical memory, and at least 4 GB, on both HA nodes.[ NSHELP-26503 ]
In a cluster-GSLB deployment, the effective state of the local GSLB services is not updated on non-owner nodes because the GSLB owner node is unable to send service state updates to the non-owner nodes.[ NSHELP-26260 ]
A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.[ NSHELP-26202 ]
When a content switching virtual server receives an HTTPS request, the largest cookie in the HTTPS request leads to a buffer overflow and stack corruption when the following conditions are met:
- The cookie format is incorrect.
- The cookie length is greater than 32 bytes.[ NSHELP-25932 ]
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.[ NSHELP-24329 ]
In an Autoscale high availability or cluster deployment, a Citrix ADC appliance might crash when creating a service member if you bind the service member to a service group on a non-owner node or a secondary node with the health monitoring option disabled.[ NSHELP-24029 ]
On a Citrix ADC SDX appliance, RSA-based SSL session establishment fails on one or more VPX instances if the following conditions are met:
- The VPX instances are running ADC software version 12.x or 13.0.
- The Management Service is upgraded to ADC software version 13.0.[ SDX-486 ]
When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message. On successive failures, the cluster retains the partial configuration.
Workaround:
- Identify the failed commands from the log.
- Manually apply the recovery commands for the failed commands.[ NSHELP-24910 ]
In a cluster setup with the maximum connection (maxConn) global parameter set to a non-zero value, CLIP connections might fail if either of the following conditions is met:
- The setup is upgraded from a Citrix ADC 13.0 76.x build to a Citrix ADC 13.0 79.x build.
- The CCO node is restarted in a cluster setup running a Citrix ADC 13.0 76.x build.
Workaround:
- Before upgrading a cluster setup from a Citrix ADC 13.0 76.x build to a Citrix ADC 13.0 79.x build, set the maximum connection (maxConn) global parameter to zero. After upgrading the setup, set the maxConn parameter to the desired value and save the configuration.
- Citrix ADC 13.0 76.x builds are not suitable for cluster setups. Citrix recommends not using a Citrix ADC 13.0 76.x build for a cluster setup.[ NSNET-21173 ]
As the number of newnslog backup files increases, a running Citrix ADC CPX instance might run short of disk space over time. Using the NEWNSLOG_MAX_FILENUM environment variable, you can control the number of backup files. For example, setting the variable to 10 limits the maximum number of newnslog backup files to 10.[ NSNET-20261 ]
A Citrix ADC BLX appliance now supports the Citrix ADC IPv6 OSPF (OSPFv3) dynamic routing protocol feature. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-dynamic-routes/configuring-ipv6-ospf.html.[ NSNET-19567 ]
A Citrix ADC appliance might crash when all of the following conditions are met:
- MAC mode is enabled on a non-addressable load balancing virtual server.
- The same virtual server is part of a link load balancing configuration or a policy-based routing configuration.
As part of the fix, the Citrix ADC appliance now displays the following warning message when the above conditions are met:
- Warning: MAC mode redirection should not be enabled with LLB config.[ NSNET-19485 ]
In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.[ NSNET-18586 ]
After an upgrade from Citrix ADC BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.[ NSNET-17625 ]
The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:
[ NSNET-16559 ]
On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian based Linux systems, does not run some of the awk commands present in the "blx.conf" file.
Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":
- apt-get install gawk[ NSNET-14603 ]
Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:
"The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"
Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:
- dpkg --add-architecture i386
- apt-get update
- apt-get dist-upgrade
- apt-get install libc6:i386[ NSNET-14602 ]
A Citrix ADC appliance might crash if the following conditions are present:
- The IPv6 link load balancing (LLB6) configuration has the persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration.[ NSHELP-25695 ]
In a high availability setup, VPN user sessions get disconnected if the following condition is met:
- If two or more successive manual HA failover operations are performed when HA synchronization is in progress.
Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).[ NSHELP-25598 ]
On the Citrix ADC SDX 8900 platform, the LOM version is upgraded from 4.5x to 4.61. On the Citrix ADC SDX 15000 and SDX 26000 platforms, the LOM version is upgraded from 5.03 to 5.56. After the upgrade, the default password of the LOM is reset to the serial number of the appliance for newly manufactured platforms. This upgrade addresses the vulnerability described in CVE-2013-4786. For more information, see https://support.citrix.com/article/CTX234367.[ NSPLAT-19327 ]
On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the LACP link on 10G ports might flap intermittently or go down permanently.
Workaround:
1. Find the internal ethX port corresponding to the 10G port.
2. Run the following command at the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
3. Review the traffic profile to block unwanted traffic on the switch side.[ NSHELP-25561 ]
On a Citrix ADC SDX appliance, during a warm reboot of a VPX instance configured as a cluster node, the backplane LA channel might go into a PARTIAL-UP state because of a set interface command failure.[ NSHELP-23353 ]
By default, high availability monitor (HAMON) and HA heartbeat are disabled on a management interface that is configured as an internal management interface. Also, HAMON and HA heartbeat cannot be enabled on this interface.
Later, if the same interface is configured back as a management interface and the VPX instance is rebooted, HAMON and HA heartbeat options are still disabled.
However, you can now enable these options manually to avoid any issues with the HA configuration.[ NSHELP-21803 ]
Connections might hang if the size of the data being processed is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.[ NSPOLICY-1267 ]
Unable to use variables in the assignment if the variable length is greater than 31 characters.[ NSHELP-26362 ]
The Citrix Gateway appliance might crash if all of the following conditions are met:
- nstrace is enabled with a filter expression.
- Debug audit logging to an external ADC audit server is enabled.
- An authentication policy with an advanced rule expression is configured.[ NSHELP-26045 ]
If two policy variables are configured with different expiration times, deletion of the expired value for the variable with the shorter expiration time might be delayed until the deletion of the expired value with the longer expiration time.[ NSHELP-25786 ]
A failover might occur in a high availability setup if many non-HTTP, non-TCP packets are queued waiting to be handled after processing of those packets has been blocked.[ NSHELP-23506 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the configuration of SSL entities is lost if the SDX 26000 appliance is restarted.
Workaround:
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.[ NSSSL-9572 ]
The update command is not available for the following add commands:
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option[ NSSSL-6484 ]
You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[ NSSSL-6478 ]
You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[ NSSSL-6213 ]
The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
ERROR: crl refresh disabled[ NSSSL-6106 ]
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
On a Citrix ADC appliance, a memory leak is seen if the SSL "sessionTicket" parameter is enabled.[ NSHELP-26207 ]
A Citrix ADC appliance might crash while handling requests from TLS 1.3 clients if the following conditions are met:
- The TLS 1.3 protocol is enabled on the front-end virtual server.
- The underlying hardware platform uses Intel Coleto Creek crypto acceleration cards (select MPX and SDX models use these chips).
- On SDX platforms, Intel Coleto Creek crypto card resources are assigned to the ADC instance.[ NSHELP-26089 ]
Connection failures due to low memory might be seen on a Citrix ADC appliance when admin partition is enabled. The issue happens when the SSL crypto hardware chips are full.[ NSHELP-25981 ]
In a cluster setup, you might observe the following issues:
- Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.[ NSHELP-25764 ]
The Citrix ADC appliance becomes unresponsive if the following conditions are met:
- DTLS is enabled.
- UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.[ NSHELP-22987 ]
For a client connection, a Citrix ADC appliance might incorrectly send a connection keep-alive header in response to the client's connection-close header. This incorrect connection keep-alive header leads to a delay in closing the connection on the client.[ NSHELP-26474 ]
A Citrix ADC appliance might crash if the following conditions are observed:
- A client request comes from a resource (with the same IP address and port) for which a resource on the previous Intrusion Prevention System (IPS) connection structure is not freed.
- The Intrusion Prevention System (IPS) module tries to access the non-freed resource from the freed structure.[ NSHELP-26450 ]
The HTTP PATCH method gets blocked when the markHTTPHeaderExtraWSError parameter is enabled in the set httpProfile command.[ NSHELP-26398 ]
A Citrix ADC appliance might crash in an AppFlow module when the appliance is under memory stress.[ NSHELP-26367 ]
During clear configuration, when there is no URL set in use, an error log entry corresponding to the URL set is seen in the ns.log.[ NSHELP-26242 ]
After an upgrade from Citrix ADC 12.1 build 50.31 to Citrix ADC 13.0 build 58.32, the appliance does not retry after receiving a bad ACK for TCP SYN packet in the case of monitors. As a result, the appliance resets the monitor TCP connection and marks the service as DOWN state.[ NSHELP-25813 ]
A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.[ NSHELP-25796 ]
An error in the HTTP/2 and TCP window management logic might cause the server connection to run into an HTTP/2 and TCP window problem. It prevents the object from being cached completely. The issue is observed if the following conditions are met:
- The integrated caching feature is enabled and the response is being cached.
- During the preceding condition, the HTTP/2 client abruptly sends a reset stream packet or the HTTP/1.1 client sends a TCP RST on the connection.[ NSBASE-13878 ]
A Citrix ADC appliance might fail while generating AppFlow records for certain HTTP responses generated by VPN. The issue happens when Gateway Insight is enabled.[ NSBASE-13698 ]
A Citrix ADC appliance might fail during clear configuration if the following conditions are met:
- The IP address of a service is changed while the service is bound to a virtual server.
- The same virtual server is used as a collector in an analytics profile.[ NSBASE-11511 ]
Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.
Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.[ NSUI-13024 ]
In a Citrix ADC BLX appliance, the expiry time for a local license might not decrement as expected.
With the fix, the expiry time for a local license now decrements by 1 every 24 hours.[ NSHELP-26554 ]
In a high availability setup of Citrix ADC BLX appliances, config synchronization might fail sometimes.[ NSHELP-26495 ]
A load balancing virtual server persistence view fails to display all parameters when you edit an existing virtual server persistence configuration.[ NSHELP-25965 ]
An error message appears when you try to unbind a certificate from an SSL virtual server using the Citrix ADC GUI.[ NSHELP-25087 ]
Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.[ NSHELP-24195 ]
In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera-related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO).[ NSHELP-23310 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.[ NSHELP-20988 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.[ NSHELP-20821 ]
In a Citrix ADC BLX appliance, the "Reporting" tab in the GUI might not work as expected.[ NSCONFIG-4877 ]
If a Citrix ADC BLX appliance is licensed using Citrix ADM, licensing might fail after upgrading the appliance to release 13.0 build 83.x.
Workaround: First upgrade Citrix ADM to release 13.0 build 83.x or later before upgrading the Citrix ADC BLX appliance.[ NSCONFIG-4834 ]
When you downgrade a Citrix ADC appliance from version 13.0-71.x to an earlier build, some NITRO APIs might not work because of file permission changes.
Workaround: Change the permission of "/nsconfig/ns.conf" to 644.[ NSCONFIG-4628 ]
The connection between the ADC instance and the ADM service is lost when the following conditions are met:
- The instance is added to the ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.[ NSCONFIG-4368 ]
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.[ NSCONFIG-4330 ]
If you (system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the following builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI, at the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed-up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
- If neither of the above options works, a system administrator can reset the system user passwords.[ NSCONFIG-3188 ]
A Citrix ADC appliance might crash if an incoming request is not in compliance with the FQDN grammar rules for policy evaluation. Some examples of invalid FQDNs are SNI and hostname starting with a period ('.').[ NSHELP-25564 ]
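Two of the fixes above, NSHELP-25932 (a malformed cookie longer than 32 bytes corrupting the stack on a content switching virtual server) and NSHELP-25564 (a hostname or SNI that is not a valid FQDN, such as one starting with a period, crashing the appliance), both come down to request fields that were not validated before use. The following Python checker is an added example, not code from these release notes or from Citrix: it flags exactly those two input shapes so they can be rejected or logged upstream of an appliance that has not yet been patched. It assumes the cookie-pair grammar of RFC 6265 and the host-label grammar of RFC 1035/1123; the appliance's own internal grammar is not published on this page, and the 32-byte threshold is simply the one the note states. The sample headers and host names are constructed.

```python
"""Front-end checks for the two unvalidated request fields named in
NSHELP-25932 (Cookie) and NSHELP-25564 (Host/SNI). Added example, not Citrix code.
Grammar assumptions: RFC 6265 cookie-pair, RFC 1035/1123 host labels."""
import re

# cookie-name is an HTTP token; cookie-value is made of cookie-octets:
# %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E (no CTL, SP, DQUOTE, ',', ';', '\')
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTETS_RE = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")

# One DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with '-'.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_cookie_header(header):
    """Split a Cookie header into (pair, name, value, well_formed) tuples.

    Each ';'-separated segment is one cookie-pair. It is well formed only if it
    contains '=', the name is a token and the value consists of cookie-octets
    (optionally wrapped in one pair of double quotes)."""
    pairs = []
    for segment in header.split(";"):
        pair = segment.strip()
        if not pair:                     # tolerate a trailing "a=b;" separator
            continue
        name, eq, value = pair.partition("=")
        ok = bool(eq) and bool(_TOKEN_RE.match(name))
        if ok:
            quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
            ok = bool(_COOKIE_OCTETS_RE.match(value[1:-1] if quoted else value))
        pairs.append((pair, name, value, ok))
    return pairs


def risky_cookies(header, max_len=32):
    """Malformed cookie-pairs longer than max_len bytes: the combination that
    NSHELP-25932 says overflows a buffer on the content switching virtual server."""
    return [pair for pair, _, _, ok in parse_cookie_header(header)
            if not ok and len(pair.encode("utf-8")) > max_len]


def is_valid_fqdn(name):
    """True if name is a syntactically valid host name for Host/SNI purposes.

    A leading '.', an empty label ('..') or a label starting with '-' all fail,
    which covers the invalid-FQDN inputs NSHELP-25564 gives as examples."""
    if not name:
        return False
    if name.endswith("."):               # a single trailing dot (absolute name) is allowed
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    headers = [
        "sid=abc123; theme=dark",
        "sid=abc123; bad cookie name=" + "x" * 40 + "; nameonly",
    ]
    for h in headers:
        print(repr(h), "->", risky_cookies(h))
    for host in ("www.example.com", ".example.com", "example..com", "-a.example.com"):
        print(host, "->", is_valid_fqdn(host))
```

Run in front of an unpatched appliance (for example in a reverse proxy or WAF that sees the request first), rejecting a request when `risky_cookies()` returns anything or `is_valid_fqdn()` is false for the Host header or SNI is a cheap mitigation; it is not a substitute for the fixed build, since the page does not state that these are the only triggering inputs.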