Release Notes for Build 68.7 of NetScaler 10.5 Release

April 2, 2018|Release notes version: 1.0
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the NetScaler release 10.5 Build 68.7. See Release history.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • This build includes fixes for the following 4 issues that existed in the previous NetScaler 10.5 release build: 685375, 694904, 669821, 692613.
  • The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous NetScaler 10.5 releases.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.

What's New?

The enhancements and changes that are available in Build 68.7.

Platform

  • Support for New Hardware Platforms
    This release now supports the NetScaler MPX 26000-100G and NetScaler MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.
    [# 648922, 653372]

Fixed Issues

The issues that are addressed in Build 68.7.
When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
[# 658108, 679822, 692324, 692737, 695765]

NetScaler Gateway

  • End-point Analysis (EPA) scan fails on the client computer, even though the logs indicate otherwise, if the connection between the computer running on Mac OS and the NetScaler appliance is relatively slow (for example, if there's a client-side proxy).
    [# 692771, 687892]
  • In case the Split tunnel ON, the Automatic detect settings checkbox (under LAN Settings) in the Internet Explorer settings was being modified after connecting to VPN, because of which external traffic wasn't reachable.
    [# 694328]

Networking

  • Memory allocated for a TCP session might not get free after a failure in reassembling fragments of a size of more than 1500 bytes. This accumulation over a period of time depletes available memory.
    [# 680185, 680186, 691792]
  • In a high availability configuration, synchronization of session information to the secondary node happens only when the state of the secondary node is UP. When the state of the secondary node is other than UP state for a long time, session information that are to be synchronized are build up on the primary node. This results in memory crunch or session hitting maximum limits in the primary node.
    [# 693995]

Policies

  • A NetScaler appliance crashes or becomes unresponsive if a TCP connection actively uses an HTTP profile in which ClientIPHdrExpression is configured and Weblog is enabled, and if a user removes the profile. The issue occurs because the ClientIpHdrExpression is internally freed and the connection still refers to the profile.
    [# 685375]

SSL

  • In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
    [# 694904]

System

  • If you enable Web Logging feature before configuring the log buffer size, the NetScaler appliance does not apply the buffer size after a restart.
    [# 667392]
  • A NetScaler appliance fails if multiple vulnerabilities are observed in the Network Time Protocol (NTP) daemon and if it is exploited by an external or local user authentication.
    [# 669821, 670476, 688886, 685045]
  • In a non-end-point mode, for every out-of-order packet, NetScaler generates a duplicate acknowledgment (DUP_ACK). In a rare case of sack disabled packets, after generating a duplicate acknowledgment, the appliance does not reset the counter which results in unnecessary duplicate acknowledgments causing the connection to disconnect.
    [# 676598, 690857]
  • If an SNMP trap is configured by:
    * adding v2/v1 traps
    * adding v3 traps with bindings
    * removing v2/v1 traps
    * unbinding v3 traps
    and if you run the "show SNMP trap" command for displaying the SNMP v3 trap details, the appliance fails.
    [# 682161]
  • HTTP headers can be corrupted by the following series of events:
    * The rewrite feature inserts an end-of-header mark, but the next packet contains more header bytes.
    * The compression (CMP) feature interprets the incorrectly marked HTTP header-end as the actual end of the header, and tries to insert a content-encoding header.
    [# 691308]
  • If a client using the NITRO API over HTTPS to connect to a NetScaler appliance reuses the same source IP address and port within two TCP maximum segment lifetime (MSL) timeout intervals, the connection might be dropped with a TCP reset. Similarly, client TCP connections might be dropped under the following set of conditions:
    * Source IP address is enabled and proxy port disabled in the client's connection request.
    * A previous server connection still exists on the appliance and has persisted for two TCP MSL timeout intervals.
    [# 692613]
  • In a load balancing setup, if you disable SYN-Cookie on a TCP Profile associated with the virtual server and enable TCP Buffering on the services, the appliance might occasionally forward the first packet to the client without the first byte of data.
    [# 694137]
  • The counter update from SNMP OID "vsvrClientConnOpenRate" is missing.
    [# 698549]
  • A NetScaler VPX instance provisioned on a hypervisor other than XenServer or a NetScaler MPX appliance might crash because of an internal bug.
    [# 701050]

User Interface

  • In a cluster setup, the “bind vlan” command and the management connection to the NetScaler appliance might fail if the length of both IP address and subnet mask is 15 characters (including the decimal.)
    For example, bind vlan 100 192.168.250.196 255.255.255.220
    [# 699032, 702822]

Known Issues

The issues that exist in Build 68.7.

AAA-TM

  • User-account lockout details for a AAA virtual server cannot be configured at the global level, but only at the AAA virtual server level, because the maxLoginAttempts and failedlogintimeout parameters are not supported at the global level.
    [# 483521]

Application Firewall

Cisco RISE Integration

Clustering

Configuration Utility

DNS

GSLB

High Availability

Integrated Caching

Load Balancing

NetScaler CLI

NetScaler GUI

NetScaler Gateway

NetScaler Insight Center

NetScaler SDX Appliance

NetScaler VPX Appliance

Networking

Platform

Policies

SSL

System

Upgrade and Downgrade

User Interface

Web Interface on NetScaler (WIonNS)

What's New in Previous NetScaler 10.5 Releases

The enhancements and changes that were available in NetScaler 10.5 releases prior to Build 68.7. The build number provided below the issue description indicates the build in which this enhancement or change was provided.

AAA-TM

  • With previous versions of the NetScaler ADC, OWA 2010 connections did not timeout because OWA sends repeated keepalive requests to the server to prevent timeouts, which interfered with single sign-n and posed a security risk. AAA-tm now supports forced timeouts that ensure that OWA 2010 sessions timeout after the specified period of inactivity.
    For more information and configuration instructions, see the documentation.
    [From Build 50.10] [# 247952, 419622, 426196]

AAA-TM, Responder

AppFlow

Cisco RISE Integration

Cluster

Compression

Configuration Utility

Content Accelerator

Content Switching

DNS

DataStream

Enhancements

GSLB

Integrated Caching

Load Balancing

NITRO API

NetScaler Gateway

NetScaler Insight Center

NetScaler SDX Appliance

NetScaler VPX Appliance

Networking

Optimization

Platform

Policies

Responder

Rewrite

SSL

System

Traffic Domain

WIonNS

Fixed Issues in Previous NetScaler 10.5 Releases

The issues that were addressed in NetScaler 10.5 releases prior to Build 68.7. The build number provided below the issue description indicates the build in which this issue was addressed.

AAA-TM

  • The NetScaler ADC now offers the ability to configure 16 attributes in an LDAP action. These attributes are sent to the Active Directory (AD) during a user search. These values are extracted and stored. During the user session, they can be invoked/referenced in PI expressions.
    [From Build 53.9] [# 301241]

Acceleration

Action Analytics

Admin Partitions

AppExpert

AppFlow

AppFlow Insight

Application Firewall

Cache Redirection

Cache Redirection/NetScaler Gateway

CloudBridge

CloudBridge Connector

Cluster

Clustering

Command Line Interface

Configuration Utility

Content Optimization

Content Switching

DNS

DataStream

Front End Optimization

GSLB

Graphical User Interface

HTML Injection

High Availability

Integrated Caching

Load Balancing

NITRO

NITRO API

NS-CBC

NetScaler CLI

NetScaler GUI

NetScaler Gateway

NetScaler ICA

NetScaler Insight Center

NetScaler MPX Appliance

NetScaler SDX Appliance

NetScaler VPX Appliance

Networking

Optimization

Platform

Policies

Policy

Responder

SSL

SureConnect

System

User Interface

XML

Release history

For details of a specific release, see the corresponding release notes.
  • Build 68.7 (2018-03-22) (Current build)
  • Build 67.13 (2017-10-17) Replaces: 67.10
  • Build 66.9 (2017-05-16) Replaces: 66.6
  • Build 65.11 (2017-01-27)
  • Build 64.9 (2016-10-19)
  • Build 63.8 (2016-06-23)
  • Build 62.9 (2016-04-20)
  • Build 61.11 (2016-02-06)
  • Build 60.7 (2015-11-18)
  • Build 59.13 (2015-09-08) Replaces: 59.11
  • Build 58.11 (2015-07-16)
  • Build 57.7 (2015-05-18)
  • Build 56.22 (2015-03-30) Replaces: 56.21
  • Build 55.8 (2015-02-02)
  • Build 54.9 (2014-12-17)
  • Build 53.9 (2014-11-14)
  • Build 52.11 (2014-11-03)
  • Build 51.10 (2014-11-03)
  • Build 50.10 (2014-10-21)