Release Notes for Citrix ADC 13.0-87.9 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues for the Citrix ADC release Build 13.0-87.9.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 13.0-87.9.

Authentication, authorization, and auditing

Load Balancing

  • Support to secure script arguments for user monitors

    A new parameter, -secureargs, is added to the "add lb monitor" command. This parameter stores the script arguments in an encrypted format instead of plain text. Use it to protect sensitive data passed to user monitor scripts, for example, a user name and password. Citrix recommends that you use the "-secureargs" parameter instead of the "-scriptargs" parameter for any sensitive data related to the scripts. If you use both parameters together, the script specified in -scriptname must accept the arguments in the order: <scriptargs> <secureargs>. That is, specify the first few parameters in <scriptargs> and the rest in <secureargs>, maintaining the order defined for the arguments. Secure arguments are applicable only for the internal dispatcher.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/load-balancing-custom-monitors/configure-user-monitor.html.

    [ NSLB-7310 ]
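An added example, not Citrix code: a Python check that scans a saved configuration for USER monitors that still carry credentials in -scriptargs and, following the <scriptargs> <secureargs> ordering rule above, reports which trailing arguments would have to move to -secureargs. The sample lines, the semicolon-separated key=value argument format, the list of sensitive key names and the script name custom.pl are assumptions of this example.

```python
import re
import shlex

# Key names treated as sensitive. The release note names user name and
# password as examples; the other names are assumptions of this example.
SENSITIVE = re.compile(r"^(user(name)?|pass(word|wd)?|secret|token)$", re.IGNORECASE)

# Constructed sample configuration lines (not taken from a real appliance).
SAMPLE_CONF = "\n".join([
    'add lb monitor mon_http HTTP -respCode 200 -httpRequest "HEAD /"',
    'add lb monitor mon_ftp USER -scriptName nsftp.pl '
    '-scriptArgs "file=/home/sample.txt;user=monuser;password=Example#1" -LRTM DISABLED',
    'add lb monitor mon_ftp_ok USER -scriptName nsftp.pl '
    '-scriptArgs "file=/home/sample.txt" -secureArgs ENCRYPTED_PLACEHOLDER',
    'add lb monitor mon_mixed USER -scriptName custom.pl '
    '-scriptArgs "password=Example#2;port=8443"',
])


def parse_monitor(line):
    """Return (name, type, flags) for an 'add/set lb monitor' line, else None."""
    try:
        tok = shlex.split(line)
    except ValueError:  # unbalanced quotes: skip rather than guess
        return None
    if len(tok) < 5 or tok[0].lower() not in ("add", "set"):
        return None
    if [t.lower() for t in tok[1:3]] != ["lb", "monitor"]:
        return None
    flags, rest, i = {}, tok[5:], 0
    while i < len(rest):
        if rest[i].startswith("-") and i + 1 < len(rest):
            flags[rest[i][1:].lower()] = rest[i + 1]  # flag names are case-insensitive
            i += 2
        else:
            i += 1
    return tok[3], tok[4].upper(), flags


def split_args(script_args):
    """Split at the first sensitive key.

    Because the script receives <scriptargs> followed by <secureargs>, every
    argument from the first sensitive one onward has to move, or the order
    the script expects would change. Returns (kept string, moved key names).
    """
    parts = [p for p in script_args.split(";") if p]
    for i, part in enumerate(parts):
        if SENSITIVE.match(part.split("=", 1)[0].strip()):
            moved = [p.split("=", 1)[0].strip() for p in parts[i:]]
            return ";".join(parts[:i]), moved
    return ";".join(parts), []


def audit(conf_text):
    """List USER monitors whose -scriptargs contain sensitive keys.

    Only key names are reported, never the secret values themselves.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_monitor(line)
        if not parsed:
            continue
        name, mtype, flags = parsed
        if mtype != "USER" or "scriptargs" not in flags:
            continue
        keep, move_keys = split_args(flags["scriptargs"])
        if move_keys:
            findings.append({"line": lineno, "monitor": name,
                             "keep": keep, "move_keys": move_keys})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: monitor {f['monitor']}: keep -scriptargs "
              f"\"{f['keep']}\", move to -secureargs: {', '.join(f['move_keys'])}")
```
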

Networking

  • Enhancements to include the severity level when sending SNMP Trap messages

    The Citrix ADC VPX appliance now includes the severity level in the SNMP trap messages as a variable bind. Use the following command with the severityInfoInTrap option:

    • set snmp option -severityInfoInTrap ENABLED

    When this option is enabled, the trap severity level will be included in the SNMP trap message.

    [ NSNET-21603 ]

System

  • Configure the slow start threshold parameter

    The Citrix ADC appliance now supports configuring the slow start threshold parameter, which solves the following issues:

    • The Dynamic Round Trip Time (RTT) is high for TCP traffic processed by the Citrix ADC appliance.
    • The TCP congestion control protocol variant, Nile, which considers the RTT for congestion control does not operate. The congestion window configured is much higher, and it is mapped to the slow start threshold of Nile.

    For more information, see TCP configurations.

    [ NSBASE-16509 ]

Fixed Issues

The issues that are addressed in Build 13.0-87.9.

Authentication, authorization, and auditing

  • The Citrix ADC appliance might crash if the SAML metadata URL in the configuration does not end with or contain a backslash ( / ).

    [ NSHELP-31937 ]
  • If you have configured a syslog server, you see a single SAML related log in two lines.

    [ NSHELP-31750 ]
  • There might be issues with application rewrite while applying rewrite policies for content security policy (CSP) on an authentication virtual server.

    [ NSHELP-31583 ]
  • The Citrix ADC appliance might crash when the session and key configuration is synchronized from the primary to the secondary controller card.

    [ NSHELP-26891 ]

Citrix Gateway

  • In some cases, a Citrix ADC appliance might crash while assigning an Intranet IP address to a client.

    [ NSHELP-31712 ]
  • When classic EPA policy and nFactor auth are configured, the Gateway Insight events for successful authentication are not sent to Citrix Application Delivery Management.

    [ NSHELP-30901 ]
  • You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

    With this fix, you can now unbind the authorization policy by using the GUI.

    [ NSHELP-27064 ]
  • App launch fails after you enter your credentials if the session profile contains FQDN of Storefront. The following error appears.

    'Http/1.1 Internal Server Error 43531'

    With this fix, customers can enter the FQDN instead of an IP address as the session profile WI address.

    [ NSHELP-26671 ]

Citrix Web App Firewall

  • The logs for "No user-agent header action" and "multi user-agent header action" might incorrectly use the log message of IP Reputation check.

    [ NSHELP-31935 ]
  • A Citrix ADC appliance might crash while processing BOT signature lookups with slow DNS servers.

    [ NSHELP-31642 ]

Load Balancing

  • In a High Availability (HA) setup, routes are dropped on the new primary node and not learned again when the following condition is met.

    • Dynamic Route deletion and HA failover happens at the same time because of critical interface failure.
    [ NSHELP-32264 ]
  • A Citrix ADC appliance might crash and dump core if the user monitor script returns a response with more than 1024 bytes.

    [ NSHELP-32097 ]
  • In rare cases, a Citrix ADC appliance might crash and dump core if DNSSEC processing is enabled and DNS zone configuration is present.

    [ NSHELP-31993 ]
  • In some instances, the state of the service is not synchronized with the state of the monitor.

    [ NSHELP-31747 ]
  • In an autoscale DNS deployment, the members in the TROFS state do not detect and respond to health check failure.

    [ NSHELP-29628 ]
  • When a member of the DNS service group of type Autoscale is in TROFS state and if the same member is added to the group again, the status of this member is not propagated.

    [ NSHELP-29493 ]
  • Incremental synchronization fails for the "add dns action" and "add location" commands with policy expressions that contain wildcards.

    [ NSHELP-29301 ]
  • The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]

Miscellaneous

  • In a Citrix ADC appliance, when an additional HDD is added to the appliance, a link for the "/var/nslog" file is created in the crash folder "/var/crash/nslog". The "newnslog" files available in the crash folder are not collected in the collector folder generated by tech support.

    [ NSHELP-31354 ]
  • In a Citrix ADC cluster setup with public-key system authentication configured, the following issue is observed:

    • VTYSH does not display information of all cluster nodes on the cluster configuration coordinator (CCO).
    [ NSHELP-28762 ]

Platform

  • The log rotation fails for files stored in the /var/log/waagent folder and takes up more disk space. This failure is seen when you apply a backup configuration taken from a Citrix ADC VPX instance on another ADC VPX instance hosted on the Azure cloud using the restore functionality.

    [ NSHELP-31599 ]

Policies

  • In a Citrix ADC appliance, the following issues are observed:

    • Issues related to memory accounting in some unusual cases.
    • Issues related to memory allocation/deallocation of certain entities.

    Additionally, tracking of allocation/deallocation of certain entities was added/improved.

    [ NSHELP-29215 ]
  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.

    [ NSHELP-22687 ]

SSL

  • A Citrix ADC appliance might crash in the following scenarios:

    • A load balancing monitor of type SSL and SSL service have the same name
    • An SSL service is renamed
    • A load balancing monitor is deleted
    [ NSHELP-30445 ]
  • A Citrix ADC appliance crashes when all of the following conditions occur:

    • A default RSA certificate-key pair is bound to an internal service.
    • A non-RSA certificate-key pair is bound to the same service.
    • HA sync occurs.
    [ NSHELP-30084 ]

System

  • In a Citrix ADC appliance, the default value of the "maxHeaderFieldLen" parameter in the HTTP profile causes the following issue.

    • Traffic failure after upgrading to 13.0 build.
    [ NSHELP-32079 ]
  • In a Citrix ADC appliance, the following issue is observed when enabling the HTTP/2 configuration for a content switching or load balancing virtual IP (VIP).

    • An increase in latency of up to 100 ms while forwarding the HTTP/2 header and data frames to the website through the Citrix ADC appliance.
    [ NSHELP-30094 ]
  • In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.
    [ NSHELP-19867 ]

User Interface

  • The following exception is seen in the Python API SDK while trying to delete an SSL virtual server and certificate-key pair binding.
    TypeError: cannot concatenate 'str' and 'bool' objects

    [ NSHELP-31746 ]
  • You cannot unbind members of load balancing service groups using the GUI on Citrix ADC version 13.0 build 85.15.

    [ NSHELP-31474 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • Load balancing server statistics details are misaligned in the Citrix ADC GUI dashboard.

    [ NSHELP-20752 ]

Known Issues

The issues that exist in release 13.0-87.9.

Authentication, authorization, and auditing

  • The Citrix ADC appliance crashes if the ADFSPIP URL is set to type "http://". ADFSPIP only supports "https://" URL types.

    [ NSHELP-29838 ]
  • Non-ASCII characters are recorded in nsvpn.log when LDAP action is configured to an FQDN instead of an IP address.

    [ NSHELP-27281 ]
  • In some cases, "invalid credentials" error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.

    [ NSHELP-27113 ]
  • The Citrix ADC GUI does not display the default cache policies bound to a VPN virtual server.

    [ NSHELP-26874 ]
  • In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if the policy name is longer than the intranet application name.

    [ NSHELP-25971 ]
  • The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.

    [ NSHELP-25203 ]
  • If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (") character, the Citrix ADC appliance strips it during the "Test Connectivity" check, resulting in connection failure.

    [ NSHELP-23630 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. The command displays the proxy profile status.

    [ NSAUTH-5916 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

    [ NSSVM-4333 ]
  • On a Citrix ADC SDX GUI, displaying the NTP servers can freeze the user interface if the NTP configuration file (ntp.conf) has only spaces in any of the lines.

    [ NSHELP-31530 ]

Citrix Gateway

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [ NSHELP-30662 ]
  • ICA app launch fails in the following conditions:

    • Content Security Policy (CSP) feature is enabled.
    • The user logs in from a browser but uses the Citrix Workspace app to launch the app.
    [ NSHELP-30534 ]
  • Users cannot connect to the Citrix Gateway appliance after changing the 'networkAccessOnVPNFailure' always on profile parameter from 'fullAccess' to 'onlyToGateway'.

    [ NSHELP-30236 ]
  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

    \HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
    Type: DWORD


    By default, this registry value is not set or added. When the value of "SecureChannelResetTimeoutSeconds" is 0 or not added, the fix to handle the delay does not work, which is the default behavior. An administrator must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [ NSHELP-30189 ]
  • Sometimes, the Citrix Secure Access agent in machine tunnel only mode does not establish the machine tunnel automatically after the machine wakes up from sleep mode.

    [ NSHELP-30110 ]
  • The Windows VPN client does not honor the 'SSL close notify' alert from the server and sends the transfer login request on the same connection.

    [ NSHELP-29675 ]
  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]
  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]
  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]
  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]
  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]
  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]
  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]
  • The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]
  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]
  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done
    >

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.

    [ NSHELP-21897 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
    [ CGOP-13584 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]
  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]
  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.
    [ CGOP-11830 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]

Miscellaneous

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [ NSHELP-31836 ]
  • Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

    [ NSHELP-28986 ]

Networking

  • In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

    [ NSNET-18586 ]
  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset
    [ NSNET-16559 ]
  • On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian based Linux systems, does not run some of the awk commands present in the "blx.conf" file.

    Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":

    • apt-get install gawk
    [ NSNET-14603 ]
  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    "The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386
    [ NSNET-14602 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module does not find the service while decrementing the reference count or deleting the service.
    [ NSHELP-29134 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • A stale filtering entry is present.
    [ NSHELP-28895 ]
  • In a large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module accessed the memory location of an already deleted service.
    [ NSHELP-28815 ]
  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance no longer allows binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition.

    [ NSHELP-24000 ]

Platform

  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.
    [ NSPLAT-22013 ]
  • When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some Python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

    • 13.1-4.x
    • 13.0-82.31 and later
    • 12.1-62.21 and later

    The Python packages are not installed when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier
    [ NSPLAT-21691 ]
  • In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

    • The CLAG is created on a Mellanox NIC.
    • You add another VPX instance to the cluster and CLAG setup.

    As a result, traffic to the VPX instance stops.

    [ NSPLAT-21049 ]
  • In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

    • The CLAG is created on a Mellanox NIC.
    • You remove the second node from the cluster.
    [ NSPLAT-21042 ]
  • During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.

    [ NSHELP-29425 ]
  • The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

    [ NSHELP-28600 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]
  • A Citrix ADC appliance might crash during policy addition with patset when the following condition is met:

    • The flag associated with NSB is set in the wrong order for Rewrite TCP scenario.

    [ NSHELP-31064 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
    2. Save the configuration.
    [ NSSSL-9572 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled
    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • A Citrix ADC appliance might crash if the certificate authentication rule is evaluated and triggered twice on the same request.

    [ NSHELP-31785 ]
  • If the SSL interception is enabled, and the DNS servers do not return a valid DNS response, then the website access is blocked.

    [ NSHELP-30201 ]

System

  • The Citrix ADC appliance with the virtual server service type SSL configuration crashes when the following condition is met:

    • The Citrix ADC appliance receives the TCP FIN control packet followed by the TCP RESET control packet.
    [ NSHELP-31656 ]
  • The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

    [ NSHELP-28710, NSHELP-28713 ]
  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]
  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]
  • A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]
  • Some SYSLOG messages are dropped when logging on to an external SYSLOG server using TCP protocol.

    [ NSHELP-24522 ]
  • In certain scenarios, the nstrace packet capture misses all packets if you apply the IP address based filter.

    [ NSHELP-23483 ]
  • When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround: Reboot the Management pod.

    [ NSBASE-15556 ]
  • In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins to the cluster configuration, it does not receive the latest SYN cookie.

    [ NSBASE-14419 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]
  • In a Citrix ADC appliance, binding the cache policy to override global or default global using the GUI interface fails with the following error:

    • Required argument missing.

    This error is not seen while binding the cache policy using the CLI interface.

    [ NSHELP-30826 ]
  • Due to an incorrect upgrade installation sequence, the following issue occurs in the Citrix ADC appliance.

    • The kernel image is updated first and after a few steps, encryption keys are copied. In between these steps some failure happens and the ADC appliance comes up with a new image. The missing encryption keys in the new image lead to decryption failure and missing configuration.
    [ NSHELP-30755 ]
  • In a Citrix ADC HA setup, the following issue is observed in the Citrix ADC GUI after saving a configuration and clicking the refresh button:

    • The GUI incorrectly shows the orange dot on the Save button even when no unsaved configuration changes are present on the appliance.
    [ NSHELP-30031 ]
  • Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

    [ NSHELP-28606 ]
  • Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

    [ NSHELP-28586 ]
  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

    • The "ssh_host_rsa_key" private and public keys are an incorrect pair.

    Workaround: Regenerate "ssh_host_rsa_key". For more information, see https://support.citrix.com/article/CTX322863.

    [ NSHELP-27834 ]
  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [ NSHELP-27252 ]
  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

    Workaround: Perform successive manual HA failover operations only after the HA synchronization is completed (both nodes are in the Sync success state).

    [ NSHELP-25598 ]
  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]