- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Citrix ADC classic policies are deprecated and will be removed in a future release. Citrix recommends using advanced policies. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/classic-policy-deprecation-faq.html.
Authentication, authorization, and auditing
Polling support during authentication
Citrix ADC appliance can now be configured for Polling during multifactor authentication.
The Polling mechanism enables a Citrix ADC appliance to resume an ongoing authentication with the endpoint without having to restart the authentication process in a rare case of a TCP connection reset at the endpoint.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/polling-for-nfactor.html[ NSAUTH-9043 ]
Bot detection based on mouse and keyboard dynamics
The Citrix bot management system can now detect bots based on keyboard and mouse movements.Unlike conventional bot techniques that require direct human interaction (for example, CAPTCHA validation), the new bot detection technique passively monitors mouse and keyboard dynamics. The Citrix ADC appliance then collects the real-time user data and sends the data to the Citrix ADM server for bot analysis.
The bot detection technique using keyboard and mouse dynamics has the following benefits:
- Enables monitoring throughout the user session, and eliminates single checkpoint.
- Requires no human interaction and it is completely transparent to users.
For more information, seehttps://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html[ NSBOT-402 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, an ADC instance state currently shows "Out of Service" when the following conditions are met:
- The password of the ADC instance is changed directly using the instance CLI.
- The password doesn't match the instance admin profile password stored in the Management Service.
- The previous session is lost after you reboot the instance for the first time.
Now, whenever the instance goes out of service due to authentication failure, the instance state color changes to grey. To recover the instance, do one of the following:
[ NSSVM-4193 ]
- From the instance CLI, modify the password of the instance to match the password in the admin profile of the instance. Then rediscover the instance from the Management Service.
- Create an admin profile with the same password as the current password of the ADC instance. Then, update the ADC instance with the new admin profile.
Citrix Web App Firewall
Relaxation and enforcement modes for handling HTML SQL injection attacks
Web Application Firewall is now enhanced tooperate in relaxation mode and enforcement mode for higher security protection. Depending on how you want the appliance to handle HTML SQL injection attacks, you can configure the security check either in enforcement or relaxation mode.
In enforcement mode, the security check allows HTML SQL injection attacks to bypass unless you have explicitly configured the profile to block the violations by binding enforcement rules.[ NSWAF-6435 ]
Improved GSLB configuration synchronization performance and reduced synchronization time
The Citrix ADC appliance now supports incremental synchronization of GSLB configuration. Inincremental synchronization, only the configuration that has changed on the main site between the last synchronization and the subsequent sync interval (10 secs) is synchronized across all the subordinate sites. Pushing only the incremental configurations considerably reduces the configuration file size and thus the overall time taken for synchronization. This also improves the GSLB configuration synchronization performance. If an incremental synchronization fails, the Citrix ADC appliance automatically performs a full configuration synchronization.[ NSLB-7384 ]
New algorithms for consistent hashing
The Prime Re-Shuffled Assisted CARP (PRAC) and Jump table Assisted Ring Hash (JARH) algorithms are now supported to perform consistent hashing. These algorithms provide consistency and uniform distribution of the traffic.[ NSLB-7028 ]
BGP MD5 authentication support for Citrix ADC BLX appliances
The Citrix ADC BLX appliance now supports MD5 authentication for Border Gateway Protocol (BGP) with IPv4 peers.
When authentication is enabled, any BGP TCP segment exchanged between the BGP IPv4 peers is verified and accepted only if authentication is successful. For successful authentication, the peers must be configured with the same MD5 password. If authentication fails, the BGP neighbor relationship is not established.
MD5 authentication support for BGP in the Citrix ADC BLX appliance is compliant with RFC 2385.[ NSNET-19089 ]
VMware ESX 7.0 update 1c support on Citrix ADC VPX instance
The Citrix ADC VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).[ NSHELP-26444 ]
Support for 4096-bit RSA client certificate
On a Citrix ADC VPX appliance, client authentication with a 4096-bit RSA client certificate is now supported during an SSL handshake.[ NSSSL-8194 ]
Monitor support for proxy protocol
Citrix ADC appliance with a proxy protocol now supports monitor check. The monitor check functionalityensures the backend server also supports the proxy protocol. It is used to monitor the health status of the backend server.[ NSBASE-13489 ]
Monitor support for HTTP/2 protocol
Citrix ADC appliance now supports HTTP/2 monitors for monitoring the health of HTTP/2 services.[ NSBASE-11299 ]
Authentication, authorization, and auditing
Error message customization on the portal page for end users fails when the "enableEnhancedAuthFeedback" parameter is enabled using the "set aaa parameter" command.[ NSHELP-26814 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.[ NSHELP-26199 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
[ NSHELP-26020 ]
- Citrix Gateway appliance is configured as Full VPN only.
- Authentication method is OAuth RP.
In a Citrix ADC BLX appliance, LDAP authentication might not work as expected with the SSL, TLS, and plaintext security types.[ NSHELP-25809 ]
The following issues are observed when the Citrix ADC appliance is configured as the Relying Party (RP).
[ NSHELP-25794 ]
- The appliance fails to process the authentication request from OAuth IdP if the IdP uses signature algorithm for JWT as RS512.
- The appliance sends "anonymous" value for "login_hint" parameter to OAuth IdP.
When you log off from Citrix Gateway and if RADIUS accounting is configured on the gateway, the logout information is not sent to the RADIUS accounting server.[ NSHELP-25765 ]
Authentication fails during dialogue mode when the RADIUS server sends multiple duplicate responses.[ NSHELP-25758 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
[ NSHELP-25691 ]
- Citrix Gateway appliance is configured as Full VPN only.
- SSPR registration is configured as the last factor.
While configuring an authentication policy using the Citrix ADC GUI, "NO AUTH" action cannot be selected.[ NSHELP-25466 ]
In some cases, the Citrix ADC appliance might crash when a user tries to authenticate and if the appliance is configured as follows.
[ NSHELP-25051 ]
- The appliance is configured for 401 authentication
- Authentication policy has NoAuth in first factor and Certificate authentication in the second factor
In rare cases, an LDAP monitor incorrectly shows the LDAP server status as down because the monitor does not send the correct password in the server probe.[ NSHELP-24967 ]
You cannot bind multiple rate limit session cookies to a bot profile.[ NSBOT-390 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, the Management Service does not send syslog messages to the configured syslog servers.[ NSHELP-27000 ]
After you restart the Management Service, first time checkout of instances or bandwidth from a pooled licensing server might fail.[ NSHELP-26878 ]
On a Citrix ADC SDX appliance running software version 13.0, the ADC instances can be unreachable from the Management Service even though the instances are reachable directly using the instance IP address.[ NSHELP-26679 ]
When you restart the Management Service and if some VPX instances are provisioned, the following error message appears if you try to edit the session timeout for the default group from the System > User Administration > Groups page.
Authorized scope for default group cannot be changed.[ NSHELP-26556 ]
Inventory does not happen as per the inventory cycle for instances where the IP address used during instance provisioning is changed later from the instance directly.
[ NSHELP-26407 ]
The Citrix ADC appliance might crash in an SSO flow ifCitrix Secure Web Gateway and AppFlow are configured.[ NSHELP-26781 ]
The Override Global option for the Local LAN Access parameter in the Citrix Gateway Session Profile > Client Experience > Advanced is disabled. It is enabled by default in the previous builds.[ NSHELP-26689 ]
The Citrix Gateway appliance crashes if IDENT port (113) is accessed from a user to another user's client using Intranet IP (plugin-to-plugin traffic) over a full VPN tunnel.[ NSHELP-26631 ]
EPA libraries for macOS are updated to version18.104.22.168 (Opswat version : 4.3.1566.0)[ NSHELP-26538 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.[ NSHELP-26431 ]
The Citric ADC appliance crashes when multiple VPN plug-in clients use X.509 certificates of size 1800 bytes or more to setup a tunnel.[ NSHELP-25195 ]
The Citrix Gateway login page displays an error stating that the login has failed if the following sequence of conditions is met. The error appears even if the user has not tried to log on again.
[ NSHELP-25157 ]
- Log on to the Citrix Gateway fails.
- Log on to the Citrix Gateway succeeds.
- The user logs out.
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.[ NSHELP-23047 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard,test connectivity for that authentication server fails.[ CGOP-16792 ]
Citrix Web App Firewall
A Citrix ADC appliance might crash if startURL closure is enabled and there is a memory allocation failure.[ NSHELP-27155 ]
An issue is observed if cookie values are separated by a comma (a non-RFC standard) after cookie samesite support is added to the Citrix Web App Firewall profile.[ NSHELP-26846 ]
A memory leak might be observed when some message buffers used for XSS logging are not freed for specific payloads.[ NSHELP-26430 ]
In a high availability setup, if dynamic profiling is configured along with SNMP alerts enabled, spike in memory usage might be observed on the secondary node.[ NSHELP-25580 ]
The Citrix ADC appliance might crash because of a timeout issue when adding a violation record to a long list of records.[ NSHELP-25507 ]
In a cluster-GSLB deployment, the effective state of the local GSLB services is not updated on non-owner nodes because the GSLB owner node is unable to send service state updates to the non-owner nodes.[ NSHELP-26260 ]
A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.[ NSHELP-26202 ]
When a content switching virtual server receives an HTTPS request, the largest cookie in the HTTPS request leads to a buffer overflow and stack corruption when the following conditions are met:
[ NSHELP-25932 ]
- The cookie format is incorrect.
- The cookie length is greater than 32 bytes.
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.[ NSHELP-24329 ]
In Autoscale high availability or cluster deployment, a Citrix ADC appliance might crash when creating a service member and if the following conditions are met:
-if you bind the service member to a service group in a non-owner nodeor a secondary node with health monitoring option disabled.[ NSHELP-24029 ]
In a cluster setup, the command propagation might fail due to connection lost with CCO. The issue is observed if both of the following conditions are met:
[ NSHELP-26350 ]
- You perform a command propagation operation in the setup.
- The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
In a cluster setup with maximum connection (maxConn) global parameter set to a non-zero value, CLIP connections might fail if any of the following conditions is met:
[ NSNET-21173 ]
- Upgrading the setup from Citrix ADC 13.0 76.x build to Citrix ADC 13.0 79.x build.
- Restarting the CCO node in a cluster setup running Citrix ADC 13.0 76.x build.
When the number of newnslog backup files increase, it may cause disk space crunch for a running Citrix ADC CPX instance over a period of time. Using the NEWNSLOG_MAX_FILENUM environment variable, you can control the number of backup files. By setting the environment variable value to 10, you can limit the maximum number ofnewnslogbackup files to 10.[ NSNET-20261 ]
A Citrix ADC BLX appliance now supports the Citrix ADC IPv6 OSPF (OSPFv3) dynamic routing protocol feature. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-dynamic-routes/configuring-ipv6-ospf.html.[ NSNET-19567 ]
A Citrix ADC appliance might crash when all of the following conditions are met:
- MAC mode is enabled on a non-addressable load balancing virtual server.
- The same virtual server is part of a link load balancing configuration or a policy-based routing configuration.
As part of the fix, the Citrix ADC appliance now displays the following warning message when the above conditions are met:
[ NSNET-19485 ]
- Warning: MAC mode redirection should not be enabled with LLB config.
A Citrix ADC appliance might crash, if the following conditions are present:
[ NSHELP-25695 ]
- IPv6 link load balancing (LLB6) configuration has persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration
In a cluster AWS cloud setup, the node with a higher priority value might become the CCO. It happens when eight or more nodes with all different priority values are rebooted together.[ NSHELP-25244 ]
In some cases, a VPX instance on a Citrix SDX appliance does not come up if a large number of interfaces are added to the VPX instance.[ NSHELP-26861 ]
On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:
[ NSHELP-25561 ]
- The LACP link on 10G ports might flap intermittently or go down permanently.
On a Citrix ADC SDX appliance, during a warm reboot of a VPX instance configured as a cluster node, the backplane LA channel might go into a PARTIAL-UP statebecause of a set interface command failure.[ NSHELP-23353 ]
By default, high availability monitor (HAMON) and HA heartbeat are disabled on a management interface that is configured as an internal management interface. Also, HAMON and HA heartbeat cannot be enabled on this interface.
Later, if the same interface is configured back as a management interface and the VPX instance is rebooted, HAMON and HA heartbeat options are still disabled.
However, you can now enable these options manually to avoid any issues with the HA configuration.[ NSHELP-21803 ]
Unable to use variables in the assignment if the variable length is greater than 31 characters.[ NSHELP-26362 ]
The following issue might cause a failover in a high availability setup:
If many non-HTTP, non-TCP packets get queued waiting to be handled after processing on them has been blocked.[ NSHELP-23506 ]
On a Citrix ADC appliance, memory leak is seen if the SSL "sessionTicket" parameter is enabled.[ NSHELP-26207 ]
A Citrix ADC appliance might crash while handling requests from TLS 1.3 clients if the following conditions are met:
[ NSHELP-26089 ]
- The TLS 1.3 protocol is enabled on the front-end virtual server.
- The underlying hardware platform uses Intel Coleto Creek crypto acceleration cards (select MPX and SDX models use these chips.)
- On SDX platforms, Intel Coleto Creek crypto card resources are assigned to the ADC instance.
Connection failures due to low memory might be seen on a Citrix ADC appliance when admin partition is enabled. The issue happens when the SSL crypto hardware chips are full.[ NSHELP-25981 ]
In a cluster setup, you might observe the following issues:
[ NSHELP-25764 ]
- Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
The Citrix ADC appliance becomes unresponsive if the following conditions are met:
[ NSHELP-22987 ]
- DTLS is enabled.
- UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.
In a high availability setup, the secondary node might crash if metrics is enabled on the Citrix ADC appliance from Citrix ADM.[ NSHELP-26969 ]
When a Citrix ADC appliance processes a duplicate TCP packet, the following issues are observed on the appliance:
[ NSHELP-26893 ]
- The appliance generates a duplicate ACK with DSACK and the packet is dropped.
- If the incoming packet has any window update, the appliance makes a copy of it and simulates a window update ACK.
- The appliance creates the window update ACK with an incorrect timestamp.
In HTTP/2 front-end and HTTP/1.1 back-end scenarios, the user is unable to see back-end server connections if theVserver IP filter and -link enabled parameters are configured in nstrace command.[ NSHELP-26717 ]
For a client connection, a Citrix ADC appliance might incorrectly send a connection keep-alive header in response to the client's connection-close header. This incorrect connection keep-alive header leads to a delay in closing the connection on the client.[ NSHELP-26474 ]
Once enabled,the "clientSideMeasurements" parameter cannot be disabled in the AppFlow action command.[ NSHELP-26464 ]
A Citrix ADC appliance might crash if the following conditions are observed:
[ NSHELP-26450 ]
- If a client request comes from a resource (with the same IP address and port) for which a resource on the previousIntrusion Prevention System (IPS) connection structure is not freed.
- The Intrusion Prevention System (IPS) module tries to access the non-freed resource from the freed structure.
A Citrix ADC appliance might crash when a reset is sent on a request which is being cached.[ NSHELP-26410 ]
A Citrix ADC appliance might crash in an AppFlow module when the appliance is under memory stress.[ NSHELP-26367 ]
During clear configuration, when there is no URL set in use, an error log entry corresponding to the URL set is seen in the ns.log.[ NSHELP-26242 ]
After an upgrade from Citrix ADC 12.1 build 50.31 to Citrix ADC 13.0 build 58.32, the appliance does not retryafter receiving a bad ACKfor TCP SYN packet in the case of monitors. As a result, the appliance resets the monitor TCP connection and marks the service as DOWN state.[ NSHELP-25813 ]
RNAT configuration does not work with HTTP/2 connections if the appliance uses theRNAT IP address for server-side (both http2 and http1.1) connections.[ NSHELP-23783 ]
The CAPTCHA validation does not work as expected if ahigh TTL value is set as 255 for all packets.[ NSBASE-13966 ]
An error in the HTTP/2 and TCP window management logic might cause the server connection to run into an HTTP/2 and TCP window problem. It prevents the object from being cached completely. The issue is observed if the following conditions are met:
[ NSBASE-13878 ]
- The integrated caching feature is enabled and the response is being cached.
- During the preceding condition, the HTTP/2 client abruptly sends a reset stream packet or the HTTP/1.1 client sends a TCP RST on the connection.
A Citrix ADC appliance might fail while generating AppFlow records for certain HTTP responses generated by VPN. The issue happens when Gateway Insight is enabled.[ NSBASE-13698 ]
The TCP advertised window (ADV_WND) update is not as per expectation on receiving data packet if the dynamic receive buffering (DRB) feature is enabled. As a result, uploads are slower compared to the rate when the DRB feature is disabled.[ NSBASE-13100 ]
The Citrix ADC GUI displays an incorrect VIP when you edit the content switching virtual server after it is bound to a policy.[ NSHELP-26853 ]
In a Citrix ADC BLX appliance, expiry time for a local license might not decrement as expected.
As a fix, the expiry time for a local license now decrements by 1 for every 24 hrs.[ NSHELP-26554 ]
In a high availability setup of Citrix ADC BLX appliances, config synchronization might fail sometimes.[ NSHELP-26495 ]
After a Citrix ADC appliance is restarted, the license state of the appliance goes in grace state if the license server is not reachable from the appliance. The license state remains in grace state even if the license server becomes reachable.[ NSHELP-26468 ]
The switch partition command allows forceful execution option f or force. It can allow users to switch to a new partition without prompting the save configuration and the configuration is not saved. The forceful switch will happen without prompt and the configuration is saved. It happens when you use the -save flag.[ NSHELP-26222 ]
A load balancing virtual server persistence view fails to display all parameters when you edit an existing virtual server persistenceconfiguration.[ NSHELP-25965 ]
The show partition command might cause the "nsconfigd" daemon to crash if the following conditions are met:
-API session token is short-lived.
-Session token is expired before the show partition command is completed.[ NSHELP-25880 ]
In a cluster setup, when you access the Citrix ADC GUI from CLIP, you might observe the audit Syslog policies are not globally bound. The same issue is not observed when you access Citrix ADC GUI from the NSIP.[ NSHELP-24631 ]
Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.[ NSHELP-24195 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.[ NSHELP-20821 ]
In a Citrix ADC BLX appliance, the "Reporting" tab in the GUI might not work as expected.[ NSCONFIG-4877 ]
The connection between the ADC instance and ADM service is lost when the following conditions are met:
[ NSCONFIG-4368 ]
- The instance is added to ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.
A Citrix ADC appliance might crash if an incoming request is not in compliance with the FQDN grammar rules for policy evaluation. Some examples of invalid FQDNs are SNI and hostname starting with a period ('.').[ NSHELP-25564 ]
Authentication, authorization, and auditing
In certain scenarios, the Bind Authentication, authorization, and auditing group commandmightfail if policy name is longer than intranet application name.[ NSHELP-25971 ]
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[ NSAUTH-6106 ]
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.[ NSAUTH-5916 ]
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.[ NSHELP-22942 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, the IP address (NSIP) of an ADC instance might not be displayed if burst throughput is configured on that instance.[ NSHELP-27133 ]
The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.[ NSHELP-27037 ]
Some Citrix Gateway related log files are not rotated resulting in an increased log size.[ NSHELP-26767 ]
The Citrix Gateway appliance displays corrupt session policy names in theSSLVPN NONHTTP_RESOURCEACCESS_DENIED logs.[ NSHELP-26610 ]
The VPN plug-in for Windows displays incorrect information on the Windows credential screen when the network changes.[ NSHELP-26562 ]
Auto logon to Windows VPN plug-in fails if Always On is configured.[ NSHELP-26297 ]
The RfWebUI client detection page displays the Install button instead of the Detect button if a content switching virtual server is configured.[ NSHELP-26138 ]
You might notice a discrepancy in the total number of established TCP connections ifEnlightened Data Transport (EDT) is enabled.[ NSHELP-25841 ]
The VPN plug-in for Windows fails to create a user tunnel when the network changes.[ NSHELP-25805 ]
The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution.[ NSHELP-25684 ]
The Citrix Gateway login page does not load on deleting an admin partition, if configured.[ NSHELP-25538 ]
EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.[ NSHELP-24848 ]
The "show tunnel global" command output includes advanced policy names. Previously, the outputdid not display the advanced policy names.
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0
Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Global bindpoint: REQ_DEFAULT
Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Global bindpoint: RES_DEFAULT
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done[ NSHELP-23496 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.[ NSHELP-21897 ]
- Application launch failure due to invalid STA ticket is not reported in Gateway Insight.[ CGOP-13621 ]
- The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.[ CGOP-13584 ]
- In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.[ CGOP-13049 ]
- An error message appears when you add or edit a session policy from the Citrix ADC GUI.[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.[ CGOP-7269 ]
Citrix Web App Firewall
In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.[ NSHELP-26570 ]
Some requests with security violations are not blocked by HTML cross-site scripting security check.[ NSHELP-24762 ]
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.[ NSLB-7679 ]
The GSLB configuration might be partially lost if the following conditions are met:
[ NSHELP-26816 ]
- The Citrix ADC appliance is rebooted.
- The ADNS service is configured with the same IP address as of the remote GSLB site.
The generation of SNMP alarms might be delayed if thesynchronization of configuration from the master site to subordinate sites fails.[ NSHELP-23391 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.[ NSHELP-20406 ]
WhenyoupushconfigurationstotheclusterinstancesusingaStyleBook,thecommandsfail withthe"Command propagation failed" error message.
[ NSHELP-24910 ]
In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.[ NSNET-18586 ]
The following interface operations are not supported in a Citrix ADC BLX appliance:
[ NSNET-16559 ]
In a Citrix ADC appliance, BGP "neighbor <IPv6 neighbor> shutdown" command is not effective, if the neighbor is part of peer-group.
Because of this issue, any IPv6 BGP neighbor, which was shut down using the "neighbor <IPv6 neighbor> shutdown" command, is in UP state after the appliance is restarted or upgraded.[ NSHELP-26957 ]
For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.[ NSHELP-24034 ]
On the Citrix ADC SDX 8900 platform, the LOM version is upgraded from 4.5x to 4.61. On the Citrix ADC SDX 15000 and SDX 26000 platforms, the LOM version is upgraded from 5.03 to 5.56. After the upgrade, the default password of the LOM is reset to the serial number of the appliance for newly manufactured platforms. This upgrade addresses the vulnerability described CVE-2013-4786. For more information, seehttps:// support.citrix.com/article/CTX234367.[ NSPLAT-19327 ]
While rebooting the Citrix ADC VPX instance for AWS, if you add static routes to DNS servers using a gateway other than the default gateway, the following events occur:
[ NSHELP-27116 ]
- The static routes added to DNS servers are removed.
- New static routes are added using the default gateway.
If you want to set the cluster nodes to yield, you must perform the following additional configurations on CCO:
- If a cluster is formed, all the nodes come up with yield=DEFAULT.
- If a cluster is formed using the nodes that are already set to yield=YES, then the nodes are added to cluster using DEFAULT yield.
Note: If you want to set the cluster nodes to yield=YES, you can perform suitable configurations only after forming the cluster but not before the cluster is formed.[ NSHELP-27091 ]
On the Citrix ADC SDX platform, the cluster state might flap when a node joins a cluster. The flapping happens when an implicit reset of interface is triggered that impacts the cluster's health.[ NSHELP-27081 ]
- Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.[ NSPOLICY-1267 ]
The Citrix Gateway appliance might crash if all of the following conditions are met.
[ NSHELP-26045 ]
- nstrace is enabled with a filter expression
- Debug audit logging to an external ADC audit server is enabled
- An authentication policy with an advanced rule expression is configured
The following issue is observed iftwo policy variables are configured with different expiration time:
[ NSHELP-25786 ]
- Deletion of the expired value for the variable with the shorter expiration time might be delayed until the deletion of the expired value with the longer expiration time.
If multiple SSL policies are bound at Client hello bind point to a single virtual server, and an ALPN or SNI policy is the first policy bound, the following error condition might occur:
If the client does not send an ALPN or SNI request, then the other policies bound to the virtual server are not evaluated.[ NSSSL-9865 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.
[ NSSSL-9572 ]
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.
- Update command is not available for the following add commands:
[ NSSSL-6484 ]
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option
- You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[ NSSSL-6478 ]
- You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[ NSSSL-6213 ]
- The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
ERROR: crl refresh disabled[ NSSSL-6106 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.[ NSHELP-24913 ]
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.[ NSHELP-27179 ]
A Citrix ADC appliance might fail during clear configuration if the following conditions are met:
[ NSBASE-11511 ]
- IP address of a service is changed when the service is bound to a virtual server.
- Same virtual server is used as a collector in an analytics profile.
Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.
Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.[ NSUI-13024 ]
Importing a certificate in an admin partition might incorrectly fail with the following message:
ERROR: User doesnt have permission for given Destination path[ NSHELP-26918 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.[ NSHELP-20988 ]
In a Citrix ADC BLX cluster setup, "sync cluster files" command might fail because of an internal error.
Workaround: Restart the "nsclfsyncd" process.[ NSCONFIG-4968 ]
When you downgrade a Citrix ADC appliance version 13.0-71.x toan earlierbuild, someNitro APIs might not work because ofthe file permission changes.
Workaround: Change permission for "/nsconfig/ns.conf" to 644.[ NSCONFIG-4628 ]
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.[ NSCONFIG-4330 ]
If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration, and
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
[ NSCONFIG-3188 ]
- If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
- If none of the above options work, a system administrator can reset the system user passwords.