Citrix Secure Private Access™ Hybrid Deployment

Known issues

November 25, 2025

Contributed by:

The following known issues exist in the Secure Private Access for hybrid deployments in the 2511 release.

App launches from Citrix Workspace app or web-based user interface prompts for proxy login.

Workaround: Cancel the prompt to continue with app launch.

[SPAOP-8997]
On the first app launch from Citrix Workspace app or the web-based user interface without a Chrome profile, the app does not open in the Chrome browser after the profile is added.

[SPAOP-10480]
If NetScaler is added as an IdP for OIDC under Third Party SSO in Google Cloud Identity, users are unable to sign in to the Chrome profile after signing out either explicitly or due to a session timeout.

Workaround: The managed profile must be removed and re-added.

[SPAOP-10479]
In Secure Private Access hybrid CEP deployment, the mTLS handshake between the CEP proxy and Secure Private Access proxy fails when SSL default profile or cipher group is enabled.

[SPAOP-10478]
Policy changes on Network Location service condition (adding or removing a location tag) fail on update.

[SPAOP-10446]
When configuring Citrix Enterprise Premium, if the Google customer changes, incorrect validation and unclear error message is displayed.

[SPAOP-10441]
The Policy modeling tool does not display the apps from a disabled policy.

[SPAOP-10451]
The Application Launch count chart in the Secure Private Access dashboard does not display the SaaS apps launch count.

[SPAOP-10398]
The Application Launch count chart in the Secure Private Access dashboard does not display all launched apps for a given time frame.

[SPAOP-10175]
Web app launches from Citrix Receiver for Linux display an AM_ERROR_UNEXPECTED prompt.

[RFLNX-12726]
You cannot add conditions for a machine-based policy from the access policy user interface (Secure Private Access > Access Policies).

[SPAOP-10492]
Device Posture with SAML is not supported in an nFactor authentication flow.

[SPAOP-8529]
Special characters (#, @, !, ^, &, %) are not allowed in the Client Secret field while configuring the OAuth IdP profile on NetScaler.

[NSAUTH-17351]
The Citrix Secure Access client for Linux doesn’t work if the client certificate authentication is configured in the NetScaler Gateway.
The Citrix Secure Access client for Linux cannot tunnel the applications if the app FQDN ends with “.local”.
First-time app launches intermittently show the error message ‘Service Unavailable…’ in a managed profile.
If data loss prevention (DLP) is configured, app access is allowed by the Citrix Secure Access client.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Known issues

November 25, 2025

Contributed by:

November 25, 2025

Contributed by:

Known issues

In this article