- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 13.0-82.45 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX319135.
- Build 82.45 replaces Build 82.42.
- This build also includes fixes for the following issues that existed in the previous Citrix ADC 13.0 release build: NSHELP-28098, NSCONFIG-5621, NSHELP-28341.
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, when you reset the configuration or try to recover the password, you must log on using the appliance serial number as the password.[ NSSVM-4357 ]
Citrix Web App Firewall
Support for Microsoft SQL (MSSQL) grammar-based detection
The existing grammar-based SQL injection detection mechanism is enhanced to support Microsoft SQL Server queries for web applications.[ NSWAF-7290 ]
Support is added for SSH, SFTP, and FTP traffic in explicit proxy deployments. Earlier only regular web traffic was supported. The incoming traffic for these protocols is now bridged to the back end.[ NSSWG-1272 ]
Support for IPv4 PBR rules with an LLB virtual server as next hop in a cluster setup
A Citrix ADC cluster setup now supports setting an LLB virtual server as next hop for an IPv4 PBR policy rule. For more information, see:[ NSNET-19331 ]
Cluster setup support for Citrix ADC BLX appliances
You can now form a cluster setup with Citrix ADC BLX appliances. For more information, see https://docs.citrix.com/en-us/citrix-adc-blx/current-release/set-up-blx-cluster.html.
A Citrix ADC BLX cluster has the following limitations:
- INC mode is not supported.
- CLAG based traffic distribution is not supported.
- All limitations of a standalone Citrix ADC BLX appliance apply to a Citrix ADC BLX cluster as well. For more information about limitations of a Citrix ADC BLX appliance, see https://docs.citrix.com/en-us/citrix-adc-blx/current-release/limitations-blx.html.[ NSNET-9155 ]
New parameter to ignore bad MAC records in a DTLS session
If a bad MAC record is received in a DTLS session, currently the ADC appliance terminates the session and sends an alert. As a result, VDA sessions in the Cloud are disconnected.
A parameter maxBadmacIgnorecount is now added to the DTLS profile to ignore these bad records. Using this parameter, bad records up to the value set in the parameter are ignored. The appliance terminates the session only after the limit is reached and sends an alert.
This parameter setting is effective only when the terminateSession parameter is enabled.[ NSSSL-8581 ]
Support for HTTP/3 Protocol on Virtual Servers
The Citrix ADC appliance now supports the HTTP/3 protocol on virtual servers (only on the front end) for sending multiple streams of HTTP requests over a single connection. QUIC is an emerging protocol that uses UDP instead of TCP as its base transport. The protocol implements a reliable connection over which you can stream multiple HTTP requests. QUIC also incorporates TLS as an integrated component and not as an additional layer as in HTTP/1.1 or HTTP/2.
As part of the HTTP/3 configuration, for HTTP/3 traffic, the appliance supports the policy configuration for the following features.
- HTTP compression
- Integrated Caching
- Web Application Firewall
- URL transformation
- Front-End Optimization
In addition, the following feature policy configurations are not supported.
- Authentication, authorization, and auditing policy
- Bot management
The HTTP/3 configuration also supports HTTP/3 service discovery for virtual servers to advertise the availability of an HTTP/3 service endpoint using the HTTP Alternative Services mechanism.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/http3-over-quic-protocol.html[ NSBASE-11110 ]
PI expressions for matching gRPC protocol buffer fields
The Citrix ADC appliance now supports the following features in gRPC:
- gRPC protocol buffer field access. Arbitrary gRPC API calls are now matched on the message field number with the new PI expressions. In the PI configuration, matches are done using only the field numbers and the API path.
- gRPC header filtering. The HTTP profile parameters for gRPC are now used to adjust the default behavior of gRPC parsing (including gRPC PI expressions). The following parameters are applicable to gRPC PI expressions:
  - gRPCLengthDelimitation. It is enabled by default and expects the protocol buffers to be presented as length-delimited messages.
  - gRPCHoldLimit. The default value is 131072. It is the maximum protocol buffer message size in bytes.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/grpc/grpc-with-responder-policy-configuration.html#policy-expressions-for-matching-grpc-protocol-buffer-fields[ NSBASE-10458 ]
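To make the two profile parameters concrete, here is an added Python example (not Citrix code) that parses a gRPC length-prefixed frame, refuses it when the declared length exceeds a hold limit, and lists the protobuf field numbers it carries without needing a .proto schema, which is what makes matching on field numbers alone possible. The sample message and the oversized 200000-byte header are constructed for this example.

```python
import struct

# Default gRPCHoldLimit (bytes) as stated in the release notes.
DEFAULT_HOLD_LIMIT = 131072


def decode_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def protobuf_field_numbers(msg: bytes):
    """Return the top-level field numbers present in a protobuf message.

    Only the wire format is walked, so no schema is needed: each key is
    (field_number << 3) | wire_type, and the wire type tells us how far to skip.
    """
    fields, pos = [], 0
    while pos < len(msg):
        key, pos = decode_varint(msg, pos)
        field_no, wire_type = key >> 3, key & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:            # varint
            _, pos = decode_varint(msg, pos)
        elif wire_type == 1:          # fixed64
            pos += 8
        elif wire_type == 2:          # length-delimited (string/bytes/sub-message)
            length, pos = decode_varint(msg, pos)
            pos += length
        elif wire_type == 5:          # fixed32
            pos += 4
        else:                         # groups (3, 4) are deprecated; 6, 7 undefined
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(msg):
            raise ValueError("field value runs past end of message")
        fields.append(field_no)
    return fields


def parse_grpc_frame(data: bytes, hold_limit: int = DEFAULT_HOLD_LIMIT):
    """Split one gRPC length-prefixed message off the front of data.

    Frame layout: 1-byte compressed flag, 4-byte big-endian length, payload.
    The declared length is checked against hold_limit before any buffering,
    mirroring the bound that gRPCHoldLimit places on the parser.
    Returns (payload, remaining_bytes).
    """
    if len(data) < 5:
        raise ValueError("incomplete gRPC frame header")
    compressed, length = struct.unpack("!BI", data[:5])
    if length > hold_limit:
        raise ValueError(f"message length {length} exceeds hold limit {hold_limit}")
    if compressed:
        raise ValueError("compressed payloads are out of scope for this example")
    if len(data) < 5 + length:
        raise ValueError("incomplete gRPC message body")
    return data[5:5 + length], data[5 + length:]


def grpc_message_has_field(data: bytes, field_no: int,
                           hold_limit: int = DEFAULT_HOLD_LIMIT) -> bool:
    """Policy-style check: does the first message in data carry field_no?"""
    payload, _ = parse_grpc_frame(data, hold_limit)
    return field_no in protobuf_field_numbers(payload)


def exceeds_hold_limit(data: bytes, hold_limit: int = DEFAULT_HOLD_LIMIT) -> bool:
    """True when the frame is refused purely because of its declared length."""
    try:
        parse_grpc_frame(data, hold_limit)
    except ValueError as exc:
        return "hold limit" in str(exc)
    return False


# Constructed sample (not captured traffic): field 1 = string "alice",
# field 2 = varint 42, field 5 = fixed32 7.
SAMPLE_MESSAGE = (
    bytes([0x0A, 0x05]) + b"alice"          # key (1<<3|2), len 5, "alice"
    + bytes([0x10, 0x2A])                   # key (2<<3|0), value 42
    + bytes([0x2D]) + struct.pack("<I", 7)  # key (5<<3|5), little-endian fixed32
)
SAMPLE_FRAME = struct.pack("!BI", 0, len(SAMPLE_MESSAGE)) + SAMPLE_MESSAGE

# Constructed header that declares a 200000-byte message, above the default limit.
OVERSIZED_FRAME = struct.pack("!BI", 0, 200000) + b"\x00" * 16

if __name__ == "__main__":
    print("fields:", protobuf_field_numbers(parse_grpc_frame(SAMPLE_FRAME)[0]))  # [1, 2, 5]
    print("has field 2:", grpc_message_has_field(SAMPLE_FRAME, 2))               # True
    print("oversized refused:", exceeds_hold_limit(OVERSIZED_FRAME))            # True
```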
If you upgrade your Citrix ADC appliance to software version 13.0 build 81.6 and later, the CICO 40G feature does not work as expected.[ NSCONFIG-5621 ]
Authentication, authorization, and auditing
Logging in to Citrix Gateway endpoints using a full URL bookmarked in the browser on the user's machine fails if the endpoint appliances have a RelayStateRule expression configured in the samlAction command.
For example, if you try to log in using a bookmarked full URL such as https://citrixgateway.com/citrix/storeweb in your browser, the login fails.[ NSHELP-28098 ]
In some cases, authentication fails when Citrix ADC is configured as OAuth IdP in a GSLB active-active site deployment.[ NSHELP-27651 ]
In rare cases, EPA evaluation might fail.[ NSHELP-27333 ]
Citrix ADC appliance configured as an OAuth IdP crashes when an unsupported certificate is bound to the cert endpoint on the appliance.[ NSHELP-27248 ]
Email Validation fails when configured as a next factor after Email ID registration.[ NSHELP-26905 ]
In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.[ NSHELP-26745 ]
The Citrix Gateway appliance crashes during nFactor authentication if the following conditions are met.
- WebView is used to access the Citrix Gateway appliance.
- Blocking expressions are configured in the VPN session policy.[ NSHELP-26433 ]
The "timeout" parameter for the emailAction command is deprecated. The default value for timeout is 180 seconds.[ NSHELP-26424 ]
The authentication from Citrix Workspace app fails when Citrix ADC is configured with SAML authentication and relayStateRule. The browser based login is not impacted.[ NSAUTH-10517 ]
Reset and redirect action values are retained in the same signature file and not propagated to the new file after the bot signature auto-update.[ NSBOT-579 ]
HTTP URL info is missing in the log message generated for HOST, GEOLOCATION, and SOURCE IP violation types during BOT TPS detection.[ NSBOT-575 ]
The default bot log format gets changed if the Common Event Format (CEF) logging is enabled in the Web App Firewall settings.[ NSBOT-562 ]
In bot violation logs, the SSL request URLs are shown as "http://" instead of "https://".[ NSBOT-537 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, auto upgrade and registration using "mastools" in the Management Service fails because of a missing python module library.[ NSSVM-4697 ]
The Management Service command line is broken and the following error appears:
ERROR: Invalid property field[ NSSVM-4551 ]
On a Citrix ADC SDX appliance, the IP address (NSIP) of an ADC instance might not be displayed if burst throughput is configured on that instance.[ NSHELP-27133 ]
End users can bypass the EPA scans and log in to the Citrix ADC appliance using a malicious script. Remediation for the EPA device certificate policy bypass is added. The fix is added under the "nsapimgr" knob "sslvpn_toggle_devicecert_epa_validate", which is disabled by default. End-users must enable this knob in ADC to stop the bypass by malicious script.[ NSHELP-27573 ]
In some cases, the EPA plug-in closes the connection if the EPA scan does not complete within the stipulated time (around 25 seconds).[ NSHELP-27241 ]
The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.[ NSHELP-27037 ]
The Citrix Gateway appliance might crash when a multi-core appliance receives the "/broker URL" request because of the following reasons:
- The request lands on a different core from the one on which the VPN session is created.
- A new authentication, authorization, and auditing cookie is used and a dummy session is created.[ NSHELP-27008 ]
Some Citrix Gateway related log files are not rotated resulting in an increased log size.[ NSHELP-26767 ]
The Citrix Gateway appliance displays corrupt session policy names in the SSLVPN NONHTTP_RESOURCEACCESS_DENIED logs.[ NSHELP-26610 ]
If the application name is longer than 20 characters, then the application name appears truncated when connecting over Citrix Gateway.[ NSHELP-26604 ]
The Citrix Receiver download URL (receiver.exe file) does not download after authentication.[ NSHELP-26600 ]
The Citrix Gateway appliance might become unresponsive if it is configured with an IPV6 address and the gateway is used to proxy the Enlightened Data Transport (EDT) protocol.[ NSHELP-26357 ]
The Citrix ADC appliance might crash if an FQDN is used in the syslog action configuration.
In this case, you can use the IP address of the syslog server instead of the FQDN.[ NSHELP-26355 ]
The RfWebUI client detection page displays the Install button instead of the Detect button if a content switching virtual server is configured.[ NSHELP-26138 ]
You might notice a discrepancy in the total number of established TCP connections if Enlightened Data Transport (EDT) is enabled.[ NSHELP-25841 ]
Launching an application from StoreFront over Citrix Gateway might fail if the ICA file generated by StoreFront exceeds 2048 bytes in size.[ NSHELP-25838 ]
The Citrix Gateway login page does not load on deleting an admin partition, if configured.[ NSHELP-25538 ]
The Citrix ADC appliance might crash during an Authentication, authorization, and auditing session logout if the user logs in from Citrix Workspace.[ NSHELP-23623 ]
The following features are deprecated.
- WIonNS - Sites using Citrix ADC's Web Interface to access Citrix Virtual Apps and Desktops applications.
- WebFront - Citrix ADC's WebFront for accessing StoreFront.
A warning appears when you run any commands for these features.
Citrix recommends using StoreFront for delivering the Citrix Virtual Apps and Desktops applications.[ CGOP-17707 ]
Citrix Web App Firewall
Web App Firewall log expression does not work for XML security checks.[ NSWAF-7705 ]
In a cluster setup, the "aslearn" process crashes intermittently on non-configuration coordinator nodes.[ NSWAF-7619 ]
The aslearn learnt data is not skipped if there are special characters in the application firewall learnt data.[ NSWAF-7584 ]
A Citrix ADC appliance might crash if the IP reputation feature is enabled and policy expressions are configured.[ NSHELP-26983 ]
In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.[ NSHELP-26570 ]
Memory allocation failure is observed if the following conditions are met:
- Web App Firewall profile has Start URL Closure enabled and configured.
- HTTP responses that are being processed constantly contain thousands of unique URLs.[ NSHELP-26435 ]
A Citrix ADC appliance might crash if there is a large number of Web App Firewall relaxation rules present in the system.[ NSHELP-26074 ]
Some requests with security violations are not blocked by HTML cross-site scripting security check.[ NSHELP-24762 ]
Configure Proxy Settings for Signature Auto-update
If the outbound traffic is through a proxy device (such as bluecoat or Squid), you can now configure proxy settings for the signature auto-updates.
set appfw settings -proxyServer <IP> -proxyPort <port>
set appfw settings -proxyServer 10.10.10.10 -proxyPort 8080[ NSHELP-17494 ]
The GSLB full synchronization fails if the following conditions are met:
- You add a GSLB service with an IP address-based server, whose public IP address and public port are used by another GSLB service.
- You run the "add gslb service" command. In this case, the command fails but the IP address-based server is still part of the GSLB running configuration.[ NSHELP-26949 ]
The Citrix ADC appliance might crash if the following conditions are met:
- The data array size is odd, such as 3, 5, 7, 9 and so on.
- The static function local variable is not set to zero before being used for a session ID.[ NSHELP-26312 ]
In rare cases, the Citrix ADC appliance might crash while processing plain ACK packets that are received from a GSLB remote site.[ NSHELP-25886 ]
On a Citrix ADC SDX appliance, new SSL session establishment failure based on RSA is seen on one or more VPX instances if the following conditions are met:
- The VPX instances are running ADC software version 12.x or 13.0.
- The Management Service is upgraded to ADC software version 13.0.[ SDX-486 ]
In a cluster setup, the following issues are observed after a cluster node, which has a LA channel set as the backplane, is restarted or upgraded to release 13.0 build 82.42:
- The LA channel configuration is lost, causing the node to become inactive, if the channel was created using LACP and a jumbo MTU was set for the channel.
- The LA channel MTU configuration is lost, causing the node to drop full sized packets, if a non-jumbo MTU was set for the channel.[ NSHELP-28341 ]
HTTP URLs are not detected by responder policy as part of the URLset matching process.[ NSHELP-27504 ]
The Citrix ADC appliance might crash when it tries to dereference a non-allocated structure during content inspection. The crash happens because the memory allocation failed for that resource/structure.[ NSHELP-27358 ]
A Citrix ADC appliance might crash because of a null point error.[ NSHELP-27021 ]
A Citrix ADC appliance might crash if the following conditions are met:
- Change in request-based policy expression before the response is received.
- Content Inspection does not handle the undef case.[ NSHELP-26980 ]
When you deploy Citrix ADC CPX with Citrix Metrics Exporter as a side car in a Kubernetes cluster, it requires the METRICS_EXPORTER_PORT=<port-number> environment variable to be exposed. The port number should be the same port number as specified for "--port" argument of metrics exporter.[ NSNET-21213 ]
In a CGNAT-NAT44 mode, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- The LSN module does not reset the subscriber paired IP reference count to zero while removing the subscriber related data from the appliance.[ NSHELP-27332 ]
In a Citrix ADC appliance, BGP "neighbor <IPv6 neighbor> shutdown" command is not effective, if the neighbor is part of peer-group.
Because of this issue, any IPv6 BGP neighbor, which was shut down using the "neighbor <IPv6 neighbor> shutdown" command, is in UP state after the appliance is restarted or upgraded.[ NSHELP-26957 ]
Both the nodes of a high availability setup claim to be the primary node, if the following condition is met:
- None of the interfaces are in UP state within 3 seconds after the primary node is warm restarted. This issue occurs because a switch learn time is not set for an internal HA INIT module.[ NSHELP-26288 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
- A large number of active LSN sessions are present in the primary node.
- The Pitboss process restarts packet engines when synchronizing a large number of LSN sessions in the secondary node.[ NSHELP-26257 ]
Management access to the Citrix ADC VPX instance is lost, if you run Citrix ADC VPX for AWS on instance types with Elastic Network Adapter (ENA) NIC that is warm rebooted.[ NSPLAT-20296 ]
On the Citrix ADC SDX 8900 platform, the LOM version is upgraded from 4.5x to 4.61. On the Citrix ADC SDX 15000 and SDX 26000 platforms, the LOM version is upgraded from 5.03 to 5.56. After the upgrade, the default password of the LOM is reset to the serial number of the appliance for newly manufactured platforms. This upgrade addresses the vulnerability described in CVE-2013-4786. For more information, see https://support.citrix.com/article/CTX234367.[ NSPLAT-19327 ]
On the Citrix ADC MPX 14000 FIPS platform, with pooled capacity licensing, the ECC performance numbers are lower than the published numbers when Hybrid ECC mode is enabled.[ NSHELP-27482 ]
If you modify the checksum of the kernel provided by Citrix and then install the kernel, you might observe one of the following issues:
- The installns command completes. After the appliance restarts, it reports that the kernel installation could not be completed and the booting process halts. You must then load a different kernel to bring up the box.
- The installns command detects the mismatch and stops installation. An error message appears.[ NSHELP-27420 ]
While rebooting the Citrix ADC VPX instance for AWS, if you add static routes to DNS servers using a gateway other than the default gateway, the following events occur:
- The static routes added to DNS servers are removed.
- New static routes are added using the default gateway.[ NSHELP-27116 ]
If you want to set the cluster nodes to yield, you must perform the following additional configurations on CCO:
- If a cluster is formed, all the nodes come up with yield=DEFAULT.
- If a cluster is formed using the nodes that are already set to yield=YES, then the nodes are added to cluster using DEFAULT yield.
Note: If you want to set the cluster nodes to yield=YES, you can perform suitable configurations only after forming the cluster but not before the cluster is formed.[ NSHELP-27091 ]
On the Citrix ADC SDX platform, the cluster state might flap when a node joins a cluster. The flapping happens when an implicit reset of interface is triggered that impacts the cluster's health.[ NSHELP-27081 ]
A Citrix ADC appliance might crash if the MATCHES() expression is used in the non-TCP-based protocol.[ NSHELP-26062 ]
The Citrix Gateway appliance might crash if all of the following conditions are met.
- nstrace is enabled with a filter expression.
- Debug audit logging to an external ADC audit server is enabled.
- An authentication policy with an advanced rule expression is configured.[ NSHELP-26045 ]
The following issue is observed if two policy variables are configured with different expiration time:
- Deletion of the expired value for the variable with the shorter expiration time might be delayed until the deletion of the expired value with the longer expiration time.[ NSHELP-25786 ]
If multiple SSL policies are bound at Client hello bind point to a single virtual server, and an ALPN or SNI policy is the first policy bound, the following error condition might occur:
If the client does not send an ALPN or SNI request, then the other policies bound to the virtual server are not evaluated.[ NSSSL-9865 ]
SSL counters displayed in the output of the "stat ssl" command are not cleared.[ NSHELP-20966 ]
A Citrix ADC appliance closes a server connection approximately around 40 milliseconds after the client connection is closed with connection multiplexing disabled.[ NSHELP-26968 ]
An enlarged round-trip time (RTT) measurement might cause slowness in 5G deployments. The issue occurs because the RTT measurement includes the queuing delay induced by the pacing layer.[ NSHELP-26755 ]
A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.[ NSHELP-26594 ]
When Citrix ADC appliance rewrites unsupported TCP options with NOOP option, some IoT or embedded devices might reject TCP connections from the appliance.[ NSHELP-25767 ]
A Citrix ADC appliance might fail during clear configuration if the following conditions are met:
- IP address of a service is changed when the service is bound to a virtual server.
- Same virtual server is used as a collector in an analytics profile.[ NSBASE-11511 ]
The default HTTP level compression policy bindings fail after configuring the HTTP_QUIC protocol.[ NSUI-17729 ]
The front-end optimization (FEO) configuration on Citrix ADC GUI does not support HTTP/3 over QUIC traffic. However, the configuration works fine on the Citrix ADC command interface.[ NSUI-17616 ]
In a high availability setup, configurations with multiple passwords might fail on the secondary node during a high availability synchronization process because of the following reason:
If any of the passwords in the sequence is skipped, the subsequent password decryption fails on the secondary node. The decryption fails because it looks for the primary's local KEK, which is not present on the secondary node.[ NSHELP-27797 ]
The GSLB configuration synchronization might fail to synchronize commands with long user identifiers (UIDs).[ NSHELP-27328 ]
In a high availability setup, HA propagation might fail if all of the following conditions are met:
- Validate certificate (validatecert) option of the RPC node is set to YES and then set to NO.
- CA certificate is not configured.[ NSHELP-27315 ]
The GSLB incremental synchronization fails when you run the "enable gslb servicegroup" or "disable gslb servicegroup" command. As a result, GSLB full configuration synchronization is initiated.[ NSHELP-27079 ]
Importing a certificate in an admin partition might incorrectly fail with the following message:
ERROR: User doesnt have permission for given Destination path[ NSHELP-26918 ]
In a Citrix ADC BLX cluster setup, "sync cluster files" command might fail because of an internal error.[ NSCONFIG-4968 ]
A Citrix ADC appliance might crash if all of the following conditions are met:
- GX interface is configured.
- GX session reporting is configured.
- The "clear subscriber sessions" command is triggered when a CCA message is pending to be received from the GX server.[ NSHELP-27474 ]
Authentication, authorization, and auditing
When you bind an LDAP monitor to a service, the monitor goes down because the Citrix ADC appliance sends an incorrect password to the active directory.[ NSHELP-27961 ]
In a multiple cascade AD, an account for a user does not get locked, if a user is not found in the last cascade.[ NSHELP-27948 ]
When a Citrix ADC appliance is configured for SAML authentication, the appliance dumps core upon using a certificate other than RSA.[ NSHELP-27813 ]
SameSite cookie attributes are not added to the authentication cookies if a Citrix ADC appliance is configured for 401-based authentication.[ NSHELP-27764 ]
Web App Firewall profile does not work as expected because of SQLite dependency failure in Citrix ADC version 13.0 build 67.x and later.[ NSHELP-27458 ]
In some cases, an HTTP POST request to an Authentication, authorization, and auditing-TM virtual server is processed incorrectly if the request does not have an authentication cookie. The POST body gets lost during processing.[ NSHELP-27227 ]
Incorrect SSO domain name is populated for logged in user if Authentication, authorization, and auditing.USER.DOMAIN is used in the expression.[ NSHELP-26443 ]
In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if the policy name is longer than the intranet application name.[ NSHELP-25971 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
Network connectivity test check fails because of a password decryption issue. However, the authentication functionality works fine.[ NSAUTH-10216 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[ NSAUTH-6106 ]
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It displays the proxy profile status.[ NSAUTH-5916 ]
An extra header information is sent in the cache response if the 'insertAge' parameter is enabled in the 'set cache contentGroup' command.[ NSHELP-27772 ]
A Citrix ADC appliance might crash if the "Max_age" and "s_maxage" parameter values are not set dynamic in the cache control block.[ NSHELP-27758 ]
In a high availability setup, the primary node crashes after it accesses a NULL pointer instead of a cached object.[ NSHELP-26967 ]
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.[ NSHELP-22942 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.[ NSSVM-4333 ]
On a Citrix ADC SDX appliance, the default value for raising the alarm on "Hypervisor Disk Usage High" is increased to 98%.[ NSHELP-27854 ]
On a Citrix ADC SDX appliance, the Management Service might report a high memory usage of around 80% due to increased jobs and schedulers running in inventory.[ NSHELP-27805 ]
On a Citrix ADC SDX appliance, an interface that is part of a management channel is displayed along with the management channel if the following sequence of conditions is met:
- The VPX instance is part of a cluster.
- The management channel is created.[ NSHELP-27487 ]
On a Citrix ADC SDX appliance, the Management Service might report a high memory usage of around 80% due to increased jobs and schedulers running in inventory.[ NSHELP-27396 ]
The Citrix ADC appliance crashes while processing the incoming Encapsulating Security Payload (ESP) traffic and the security association (SA) is not found.[ NSHELP-27991 ]
After the tunnel establishment, instead of adding DNS server routes with the previous gateway IP address, the Windows plug-in adds the routes with the default gateway address.[ NSHELP-27850 ]
In rare cases, the Citrix Gateway portal page does not display the Download button for EPA plug-in on the Internet Explorer browser.[ NSHELP-27849 ]
When accessing the Citrix Gateway appliance using the clientless VPN, core dump might be generated.[ NSHELP-27653 ]
The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.[ NSHELP-27570 ]
A Citrix ADC appliance might crash while processing the UDP traffic.[ NSHELP-27536 ]
The personal bookmarks file of users cannot be copied from one Citrix Gateway appliance to another appliance.[ NSHELP-27389 ]
The Citrix Gateway appliance reboots unexpectedly because of flooding of SSL VPN log messages in the local ns.log file when Gateway Insight is enabled.[ NSHELP-27040 ]
The Citrix ADC logs might be flooded with the log message "GwInsight: Func=ns_sslvpn_send_app_launch_fail_record Appflow policy evaluation has failed" when Gateway Insight is enabled.[ NSHELP-26750 ]
The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.[ NSHELP-26722 ]
When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message "Invalid Proxy Value" appears.[ NSHELP-26613 ]
The VPN plug-in for Windows displays incorrect information on the Windows credential screen when the network changes.[ NSHELP-26562 ]
The Citrix ADC appliance crashes if either of the following conditions occur:
- The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
- High availability synchronization happens on the secondary node.
Create syslog action with syslog server's IP address instead of syslog server's domain name.[ NSHELP-25944 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.[ NSHELP-25694 ]
The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution.[ NSHELP-25684 ]
The SNMP OID sends incorrect set of current connections to the VPN virtual server.[ NSHELP-25596 ]
The Citrix ADC appliance crashes when multiple VPN plug-in clients use X.509 certificates of size 1800 bytes or more to set up a tunnel.[ NSHELP-25195 ]
EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.[ NSHELP-24848 ]
The Gateway Insight does not display accurate information on the VPN users.[ NSHELP-23937 ]
The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0
Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Global bindpoint: REQ_DEFAULT
Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Global bindpoint: RES_DEFAULT
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done[ NSHELP-23496 ]
The ICA latency of a session is recorded incorrectly as 64,000 ms in the Citrix Director when L7 latency is enabled. L7 latency is enabled when the "nsapimgr" knob "enable_ica_l7_latency" is set to 1.
Workaround: Set the L7 latency frequency to 5 by using the CLI or the GUI.[ NSHELP-23459 ]
If you have configured RADIUS accounting for ICA start/stop event, the session ID in the RADIUS accounting request for ICA start is displayed as all zeroes.[ NSHELP-22576 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.[ NSHELP-21897 ]
The "show audit messages" output does not display the latest logs if you modify the syslog server in the global syslog parameters.[ NSHELP-19430 ]
Citrix Web App Firewall
In a Citrix ADC cluster setup, one of the nodes crashes if one or more nodes are upgraded from Citrix ADC version 12.0, 12.1, or 13.0 build 52.x or earlier builds. The crash occurs because of an incompatibility in the Web App Firewall cookie format and size.[ NSWAF-7689 ]
The Citrix Web App Firewall learning engine learns the field format rules only when a violation is observed.[ NSWAF-7677 ]
The cookie hijacking feature has limited support for the Internet Explorer (IE) browser because IE browsers do not reuse the SSL connections. Because of the limitation, multiple redirects are sent for a request eventually leading to a "MAX REDIRECTS EXCEEDED" error in the IE browser.[ NSHELP-27193 ]
After an upgrade to Citrix ADC version 13.0 build 76.29 and with the File Upload feature enabled on the appliance, the following issue is observed:
- SQL and XSS protection checks block the file upload process for all web applications.[ NSHELP-27140 ]
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.[ NSLB-7679 ]
In a GSLB setup, the status of the remote services are not updated after the stats are cleared on the GSLB site. As a workaround, clear the stats again on the same GSLB site. The status of the remote services are then updated.[ NSHELP-28169 ]
The cookieTimeout value is incorrectly set during the GET operation, resulting in failure of CS virtual server update operation.[ NSHELP-27979 ]
In some cases, a Citrix ADC appliance might crash when the show running configuration command is issued.[ NSHELP-27815 ]
In a cluster setup, when one or more nodes go to "DOWN" state, the backup node might fail to join the cluster node group. This failure causes some Citrix ADC features to fail.[ NSHELP-27664 ]
A Citrix ADC appliance might not insert the appropriate packet identifier in its responses when pipelined RADIUS requests are received. Because of this issue, the client receives an invalid response.[ NSHELP-27391 ]
In a high availability setup, the secondary node might crash if both of the following conditions are met:
- The two nodes have different amounts of physical memory.
- The data sessions are not synchronized properly.
Workaround: Configure the same amount of physical memory, and at least 4 GB, on both HA nodes.[ NSHELP-26503 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.[ NSHELP-20406 ]
After a Citrix ADC BLX appliance is upgraded to release 13.1 build 4.x, the Web App Firewall might incorrectly block a request that has no Content-Type header.
Workaround: Run the following commands in the Citrix ADC BLX CLI:
[ NSNET-21415 ]
- "add appfw JSONContentType "^application/json$" -isRegex REGEX"
- "add appfw UrlencodedFormContentType "application/x-www-form-urlencoded" -isRegex NOTREGEX"
- "add appfw UrlencodedFormContentType "application/x-www-form-urlencoded.*" -isRegex REGEX"
- "add appfw MultipartFormContentType "multipart/form-data" -isRegex NOTREGEX"
- "add appfw MultipartFormContentType "multipart/form-data.*" -isRegex REGEX"
- "add appfw XMLContentType ".*/xml" -isRegex REGEX"
- "add appfw XMLContentType "./.+xml" -isRegex REGEX"
- "add appfw XMLContentType "./xml-." -isRegex REGEX"
In a Citrix ADC BLX appliance, an NSVLAN bound with tagged non-DPDK interfaces might not work as expected. An NSVLAN bound with untagged non-DPDK interfaces works fine.[ NSNET-18586 ]
After an upgrade from Citrix ADC BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.[ NSNET-17625 ]
The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:
[ NSNET-16559 ]
On a Debian-based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode regardless of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian-based Linux systems, does not run some of the awk commands present in the "blx.conf" file.
Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":
[ NSNET-14603 ]
- apt-get install gawk
Installation of a Citrix ADC BLX appliance might fail on a Debian-based Linux host (Ubuntu version 18 and later) with the following dependency error:
"The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"
Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:
[ NSNET-14602 ]
- dpkg --add-architecture i386
- apt-get update
- apt-get dist-upgrade
- apt-get install libc6:i386
In a Citrix ADC appliance, the internal driver layer might use an incorrect data buffer resulting in data corruption, which in turn causes the appliance to crash.[ NSHELP-27858 ]
The Citrix ADC VPX instance might crash when the following conditions are met:
[ NSHELP-27816 ]
- A high number of FTP data connections are present.
- A failover happens on the Citrix ADC appliance.
- A client or server side NATPCB connection is cleared out.
A Citrix ADC CPX deployed as a sidecar and connected to multiple networks might not choose the correct source IP address for the destination subnet.[ NSHELP-27810 ]
In a high availability setup, HA synchronization might fail for WAF profile and location file configurations.[ NSHELP-27546 ]
In a high availability setup, VPN user sessions get disconnected if the following condition is met:
- Two or more successive manual HA failover operations are performed while HA synchronization is in progress.
Workaround: Perform successive manual HA failovers only after HA synchronization is completed (both nodes are in the Sync success state).[ NSHELP-25598 ]
The Citrix ADC appliance generates false packets-per-second (PPS) rate-limit alerts even before it reaches the PPS limit of its license.[ NSHELP-26935 ]
Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.[ NSPOLICY-1267 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the configuration of SSL entities is lost if the SDX 26000 appliance is restarted.
Workaround:
[ NSSSL-9572 ]
- On the CLIP, disable SSLv3 on all existing and new SSL entities, such as virtual servers, services, service groups, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.
- Update command is not available for the following add commands:
[ NSSSL-6484 ]
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option
- You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[ NSSSL-6478 ]
- You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[ NSSSL-6213 ]
- The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
ERROR: crl refresh disabled[ NSSSL-6106 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:
[ NSHELP-27435 ]
- Files are syncing from the primary node to the secondary node.
- CRL file is downloading from the CRL server at the same time.
The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.[ NSHELP-26986 ]
If the size of a received header is greater than the maximum header table size, the appliance resets the table size to zero. As a result, HTTP/2 requests fail after a few requests.
Workaround: Configure the header table size to be greater than or equal to the maximum header size.[ NSHELP-27977 ]
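To show what goes wrong in the issue above, here is an added example (not Citrix code; no Citrix ADC parameter names are used) of the HPACK dynamic table rules from RFC 7541 sections 4.3 and 4.4: an entry larger than the table's maximum size empties the table but leaves the maximum itself as negotiated, so later, smaller headers are still indexed. The faulty path modelled by the reset_on_overflow flag sets the maximum to zero instead, after which nothing on the connection can be indexed again. The flag and the 5000-byte header are assumptions made for the demonstration.

```python
from collections import deque
from typing import Deque, List, Tuple

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: entry size = len(name) + len(value) + 32


class HpackDynamicTable:
    """Minimal HPACK dynamic table (RFC 7541 section 4), enough to show the size rules."""

    def __init__(self, max_size: int = 4096) -> None:
        self.max_size = max_size  # SETTINGS_HEADER_TABLE_SIZE; 4096 is the protocol default
        self.entries: Deque[Tuple[bytes, bytes]] = deque()  # newest entry at index 0
        self.size = 0

    @staticmethod
    def entry_size(name: bytes, value: bytes) -> int:
        return len(name) + len(value) + ENTRY_OVERHEAD

    def _evict_down_to(self, limit: int) -> None:
        while self.entries and self.size > limit:
            name, value = self.entries.pop()  # the oldest entry goes first
            self.size -= self.entry_size(name, value)

    def set_max_size(self, new_max: int) -> None:
        """Dynamic table size update (section 4.3): shrink, evicting as needed."""
        self.max_size = new_max
        self._evict_down_to(new_max)

    def add(self, name: bytes, value: bytes) -> bool:
        """Insert a header field (section 4.4). Returns True when the entry was indexed.

        An entry larger than max_size is not an error: it empties the table and is
        dropped, but max_size stays as negotiated, so later, smaller headers can
        still be indexed.
        """
        needed = self.entry_size(name, value)
        self._evict_down_to(self.max_size - needed)
        if needed > self.max_size:
            return False
        self.entries.appendleft((name, value))
        self.size += needed
        return True


def index_headers(headers: List[Tuple[bytes, bytes]], max_size: int = 4096,
                  reset_on_overflow: bool = False) -> Tuple[List[bool], int]:
    """Feed headers through one table; return (indexed? per header, final max_size).

    reset_on_overflow=True reproduces the faulty behaviour described above (assumed
    here as: the table maximum is set to zero once an oversized header is seen),
    after which no header can be indexed for the rest of the connection.
    """
    table = HpackDynamicTable(max_size)
    results = []
    for name, value in headers:
        indexed = table.add(name, value)
        if not indexed and reset_on_overflow:
            table.set_max_size(0)
        results.append(indexed)
    return results, table.max_size


if __name__ == "__main__":
    # Constructed headers: one normal, one 5000-byte oversize, one normal again.
    sample = [(b":path", b"/"), (b"x-big", b"a" * 5000), (b"x-small", b"1")]
    print("per RFC 7541:", index_headers(sample))                          # ([True, False, True], 4096)
    print("faulty reset:", index_headers(sample, reset_on_overflow=True))  # ([True, False, False], 0)
```

The second run is the failure mode a client sees as "requests work, then stop": its encoder still assumes the negotiated table size and emits indexed references, while a decoder whose table has been forced to zero can no longer resolve them. The workaround keeps the first branch from ever being taken by making the table at least as large as the biggest header the application sends.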
If Citrix ADM has pending transactions in the queue, it randomly reports a critical alert for high memory usage.[ NSHELP-27913 ]
A Citrix ADC appliance might crash on an ICAP OPTIONS response. The issue happens when the Allow header in the response contains a value other than 204.[ NSHELP-27879 ]
In AppFlow, the layer 4 byte count for flow records does not match the HTTP virtual server transactions. The count is lower than the layer 7 virtual server byte count.[ NSHELP-27495 ]
The tcpCurClientConn counter shows a large value if the Citrix ADC appliance is registered on the Citrix ADM.[ NSHELP-27463 ]
Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.[ NSHELP-27410 ]
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.[ NSHELP-27179 ]
A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.[ NSHELP-25796 ]
In the Compression Policy Manager GUI, you cannot bind a compression policy to the HTTP protocol by specifying the relevant bind point and connection type.[ NSUI-17682 ]
The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge Connector.
Workaround: Configure CloudBridge Connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.[ NSUI-13024 ]
Configuration might be lost if a VPX instance on AWS that is configured with a KEK is upgraded to Citrix ADC release 13.0 build 76.x or later: decryption of all sensitive data encrypted with the KEK fails when the configuration is loaded after a reboot.[ NSHELP-28010 ]
After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail for the following reason:
- The "ssh_host_rsa_key" private key and its public key are not a matching pair.
Workaround: Regenerate "ssh_host_rsa_key". For more information, see https://support.citrix.com/article/CTX322863.[ NSHELP-27834 ]
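A check for the key-pair mismatch described above, added here as an example (not Citrix code): it reads the RSA public key (e, n) out of the private key file, compares it with the .pub file, and prints the same SHA256 fingerprint that "ssh-keygen -lf" shows, so fingerprints can be compared across HA or cluster nodes. It uses only the standard library and assumes an unencrypted openssh-key-v1 RSA key (the format ssh-keygen has written by default since OpenSSH 7.8); the path /nsconfig/ssh/ssh_host_rsa_key mentioned in the usage note is an assumption about where the appliance keeps the host key, and the toy key numbers are constructed for the demonstration only and are not a usable key.

```python
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string' (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


class _Reader:
    """Sequential reader for the SSH wire types used below."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def string(self) -> bytes:
        length = self.u32()
        self.pos += length
        return self.data[self.pos - length:self.pos]

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big")


def rsa_public_from_pub_file(pub_text: str) -> Tuple[int, int]:
    """(e, n) from an OpenSSH public key line 'ssh-rsa <base64 blob> [comment]'."""
    fields = pub_text.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    reader = _Reader(base64.b64decode(fields[1]))
    if reader.string() != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    return reader.mpint(), reader.mpint()  # public blob order: e, then n


def rsa_public_from_private_file(priv_text: str) -> Tuple[int, int]:
    """(e, n) read from the private section of an unencrypted openssh-key-v1 RSA key.
    The public blob embedded near the top of the file is ignored on purpose: a stale
    copy there is exactly the mismatch this check is meant to catch."""
    lines = [ln for ln in priv_text.splitlines() if ln and not ln.startswith("-----")]
    data = base64.b64decode("".join(lines))
    magic = b"openssh-key-v1\0"
    if not data.startswith(magic):
        raise ValueError("not an openssh-key-v1 key (PEM/PKCS#1 keys are out of scope here)")
    reader = _Reader(data[len(magic):])
    cipher, _kdf, _kdf_options = reader.string(), reader.string(), reader.string()
    if reader.u32() != 1:
        raise ValueError("expected exactly one key in the file")
    reader.string()  # embedded public key blob, skipped
    if cipher != b"none":
        raise ValueError("private key is encrypted; decrypt it first")
    private = _Reader(reader.string())
    if private.u32() != private.u32():  # the two check integers must agree
        raise ValueError("check integers differ: corrupt private section")
    if private.string() != b"ssh-rsa":
        raise ValueError("private key is not RSA")
    n, e = private.mpint(), private.mpint()  # private order: n, e, d, iqmp, p, q
    return e, n


def keys_are_a_pair(priv_text: str, pub_text: str) -> bool:
    """True when the .pub file really belongs to the private key."""
    return rsa_public_from_private_file(priv_text) == rsa_public_from_pub_file(pub_text)


def sha256_fingerprint(pub_text: str) -> str:
    """The value 'ssh-keygen -lf <file>.pub' prints, for comparing across nodes."""
    blob = base64.b64decode(pub_text.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def make_openssh_rsa_files(n: int, e: int, d: int, iqmp: int, p: int, q: int,
                           comment: bytes = b"constructed") -> Tuple[str, str]:
    """Write a matching (private, public) pair in openssh-key-v1 format, for fixtures only."""
    pub_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    private = struct.pack(">II", 0xC0FFEE, 0xC0FFEE) + _ssh_string(b"ssh-rsa")
    private += b"".join(_ssh_mpint(x) for x in (n, e, d, iqmp, p, q)) + _ssh_string(comment)
    pad = 1
    while len(private) % 8:  # cipher 'none' uses an 8-byte block; pad bytes are 1, 2, 3, ...
        private += bytes([pad])
        pad += 1
    body = (b"openssh-key-v1\0" + _ssh_string(b"none") * 2 + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(pub_blob) + _ssh_string(private))
    b64 = base64.b64encode(body).decode()
    priv_text = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
                 + "\n-----END OPENSSH PRIVATE KEY-----\n")
    pub_text = f"ssh-rsa {base64.b64encode(pub_blob).decode()} {comment.decode()}\n"
    return priv_text, pub_text


if __name__ == "__main__":
    # Constructed toy key (textbook p=61, q=53): structurally valid, NOT a usable key.
    priv, pub = make_openssh_rsa_files(n=3233, e=17, d=2753, iqmp=38, p=61, q=53)
    print(keys_are_a_pair(priv, pub), sha256_fingerprint(pub))
```

On an appliance, call keys_are_a_pair() on the contents of the private key file and its .pub neighbour (assumed here to be /nsconfig/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub); a False result is the condition that breaks synchronization and means the key must be regenerated as the workaround says. The equivalent one-liner in a shell that has OpenSSH is to compare the output of "ssh-keygen -y -f ssh_host_rsa_key" with the .pub file.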
An additional backslash character is incorrectly introduced if special characters are used within arguments in some SSL commands, such as "create ssl rsakey" and "create ssl cert".[ NSHELP-27378 ]
In a high availability setup, HA synchronization or HA propagation might fail if any of the following conditions is met:
[ NSHELP-27375 ]
- The RPC node password has special characters.
- The RPC node password has 127 characters (maximum characters allowed).
In a Citrix ADC VPX appliance, a set capacity operation might fail after a license server is added. The issue occurs because the Flexera-related components take longer to initialize because of the large number of supported check-in and check-out (CICO) licenses.[ NSHELP-23310 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.[ NSHELP-20988 ]
If a Citrix ADC BLX appliance is licensed using Citrix ADM, licensing might fail after upgrading the appliance to release 13.0 build 83.x.
Workaround: First upgrade Citrix ADM to release 13.0 build 83.x or later before upgrading the Citrix ADC BLX appliance.[ NSCONFIG-4834 ]
When you downgrade a Citrix ADC appliance from version 13.0 build 71.x to an earlier build, some NITRO APIs might not work because of file permission changes.
Workaround: Change the permissions of "/nsconfig/ns.conf" to 644.[ NSCONFIG-4628 ]
Sometimes it takes a long time for the Web App Firewall signatures to sync to non-CCO nodes. As a result, commands that use these files might fail.[ NSCONFIG-4330 ]
If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded appliance.
1. Upgrade the Citrix ADC appliance to one of the builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
[ NSCONFIG-3188 ]
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it using a previously backed up configuration file (ns.conf) from the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
- If none of the above options work, a system administrator can reset the system user passwords.