Release Notes for Citrix ADC 11.1-65.10 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 11.1-65.10.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Citrix ADC refers to the product formerly known as NetScaler.

What's New

The enhancements and changes that are available in Build 11.1-65.10.

Platform

  • Option to enable or disable access to Citrix Hypervisor on a Citrix ADC SDX appliance
    You can now enable or disable access to the SDX Control Domain (Citrix Hypervisor) on a Citrix ADC SDX appliance. With this enhancement, a user can directly access the SDX appliance and also change the configuration. Previously, access to the Citrix Hypervisor in the SDX appliance was enabled by default. Upon upgrade to 12.1-56.x, 13.0-52.x, and 11.1-65.x from a previous release, the access will be disabled.
    To enable this access, from the SDX GUI, navigate to System > Network Configuration. Under Appliance Supportability, select Configure Appliance supportability.
    [ NSPLAT-11065 ]

User Interface

Fixed Issues

The issues that are addressed in Build 11.1-65.10.

Authentication, authorization, and auditing

  • In some cases, a Citrix ADC appliance dumps core because SYN packets going towards TACACS server are filled with wrong partition values.
    [ NSHELP-22030 ]
  • A Citrix ADC appliance might dump core upon receiving a RESET command from the client while the appliance is handling VPN traffic requests.
    [ NSHELP-21817 ]
  • In rare cases, the Citrix Gateway appliance might fail when users are challenged for a one-time code.
    [ NSHELP-20967 ]

Citrix ADC SDX Appliance

  • If the IP address of a Citrix ADC SDX appliance that is configured using pooled licensing is changed in SDX, the Citrix ADM managing the SDX appliance continues to show the old SDX IP address.
    [ NSHELP-23490 ]
  • You cannot modify the VPX instance name on the following platforms when the number of cores assigned to that VPX is greater than the number of free cores available on the appliance.
    - SDX 8900
    - SDX 14xxx-40G
    - SDX 14xxx-40S
    - SDX 14xxx FIPS
    - SDX 15xxx-25G
    - SDX 15xxx-50G
    - SDX 25xxx
    - SDX 26xxx
    - SDX 26xxx-50S
    - SDX 26xxx-100G
    [ NSHELP-22048 ]
  • On Citrix ADC SDX 15xxx and SDX 26xxx platforms, you cannot provision multiple VPX instances in L2 mode.
    [ NSHELP-21367 ]

Citrix Gateway

  • If you use a French keyboard on a VPN plug-in, characters entered using CTRL+ALT do not work.
    [ NSHELP-23556 ]
  • The authentication profile settings are lost if you modify the VPN virtual server configuration.
    [ NSHELP-22822 ]
  • The Citrix Gateway appliance crashes when the backend server opens an FTP connection to an intranet IP on port 21 and sends an FTP command 234 to initiate secure FTP.
    [ NSHELP-22672 ]
  • The Citrix Gateway appliance crashes when handling a server-initiated connection because of an error in connection linking.
    [ NSHELP-22598 ]
  • During a transfer logon, the Citrix Gateway appliance might crash when trying to store an invalid connection and then dereferencing the invalid connection.
    [ NSHELP-22568 ]
  • In rare cases, the counter for "vpnusers" parameter with value 0 is incorrectly decremented. This decrement resets the counter to a very high value, resulting in the license check failure.
    [ NSHELP-22558 ]
  • In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available. NSHELP-21522 fixed this in ns_iip6.c; this fix adds it in ns_iip.c.
    [ NSHELP-22411 ]
  • The Citrix Gateway appliance might crash if you attempt to print over full VPN tunnel when Intranet IP address is assigned.
    This issue is observed in HP printers that use hp-status and WSDAPI protocols.
    [ NSHELP-22191 ]
  • In a full tunnel setup and classic client certificate authentication with RfWebUI, the appliance responds with a blank page or "Client not capable" error after login.
    [ NSHELP-22084 ]
  • The Citrix Gateway appliance might crash if there are multiple cores and Intranet IP address is enabled with RfWebUI theme.
    [ NSHELP-21722 ]
  • You might intermittently see a 403 access forbidden error for portal files.
    [ NSHELP-21620 ]
  • UDP applications performance might be affected sometimes because of traffic congestion.
    [ NSHELP-21599 ]
  • Sometimes, the Citrix ADC appliance might crash while handling server initiated connection.
    [ NSHELP-21532 ]
  • In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available.
    [ NSHELP-21522 ]
  • The Citrix Gateway appliance configured for global server load balancing does not work as intended in a parent-child topology.
    [ NSHELP-21381 ]
  • Sometimes, the Citrix ADC appliance might crash during transfer login.
    [ NSHELP-21134 ]
  • The Citrix Gateway appliance might crash if the following conditions are met:
    - The client or server connection has a dangling pointer instead of a link.
    - The linked connection is already freed.
    - The appliance tries to flush the connection to free the link.
    [ NSHELP-20901 ]
  • A Citrix Gateway appliance configured for ICA Proxy might sometimes crash.
    [ NSHELP-20478 ]
  • In rare cases, the Citrix ADC appliance might crash when a client plug-in sends data to another client plug-in.
    [ NSHELP-19002 ]

Citrix Web App Firewall

  • A memory leak is observed on a Citrix ADC appliance if you enable StartURL Closure protection check.
    [ NSHELP-21472 ]
  • XML validation fails if the XML content has nested reference to "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT" parameter.
    [ NSHELP-21128 ]
  • A Citrix ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.
    [ NSHELP-20562 ]

Load Balancing

  • After upgrading a Citrix ADC appliance, the GSLB config sync might fail if the "/var/tmp/gslbsync" directory does not exist on the appliance.
    [ NSHELP-22796 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
    [ NSHELP-22099 ]
  • In a GSLB setup with gateway deployment, the Citrix ADC appliance might fail to resolve the domain name for a GSLB service in the following condition:
    When the primary load balancing virtual server is DOWN, even if the backup load balancing virtual server is UP.
    [ NSHELP-21061 ]
  • The Citrix ADC appliance might run out of memory when a client sends packets at regular intervals but the first packet is blocked in the appliance. As a result, packets are queued up and the appliance runs out of memory to store the packets.
    [ NSHELP-20871 ]
  • The Citrix ADC appliance might fail while removing a server, if the server is bound to a GSLB service and the service is used in a policy configuration.
    [ NSHELP-18969 ]
  • A Citrix ADC appliance might crash when all of the following conditions are met:
    - A backend server is DOWN.
    - An ADC appliance collects information on server, such as RTT and proximity, for selecting a new backend.
    [ NSHELP-11969 ]

Networking

  • The BGP module in a Citrix ADC appliance might crash if it accesses null interface-related information.
    [ NSHELP-22258 ]
  • In a cluster setup, the following behavior is observed when an ADNS service is bound to a node group:
    * RHI processing is not properly updated.
    * The IP address is not advertised.
    [ NSHELP-18567 ]

Platform

  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.
    [ NSPLAT-11985 ]
  • During heavy traffic, Tx might stop working on Citrix ADC platforms containing 50G interfaces.
    [ NSHELP-22221 ]
  • In some cases, provisioning a VPX instance on a Citrix ADC SDX appliance containing Intel Coleto chips might fail because the SSL Coleto chip initialization failed.
    [ NSHELP-22033 ]
  • SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.
    [ NSHELP-19297 ]

Policies

  • The “Current Client Est connections” and “Current client connections” counters for a load balancing virtual server display incorrect values if HTTP callout is configured on that virtual server.
    [ NSHELP-22491 ]

SSL

  • On the Citrix ADC MPX 14000 FIPS platforms, all SSL virtual servers appear as DOWN on the non-management CPUs.
    [ NSSSL-8015 ]
  • The Citrix ADC appliance might crash if the following conditions are met:
    1. Two OCSP responders are configured with the same host name.
    2. Both responders are bound to same root certificate-key pair.
    3. The request fails with the first responder.
    4. The appliance attempts to send the request to the second responder and the host name is unresolved.
    [ NSHELP-21278 ]
  • OCSP signature verification fails when an empty extension is received in the "SingleResponse" field of the OCSP response.
    [ NSHELP-20997 ]
  • For SNI-enabled sessions, the ADC appliance can control how the host header is validated. A new parameter "SNIHTTPHostMatch" is added to the SSL profile and the SSL global parameters to give better control over this validation. This parameter can take three values: CERT, STRICT, and NONE. SNI must be enabled on the SSL virtual server or the profile bound to the virtual server, and the HTTP request must contain the host header.
    [ NSHELP-13370 ]

System

  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.
    [ NSHELP-20653 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
    [ NSHELP-20401 ]

User Interface

  • Saved v/s Running config utility may display differences for 'bind serviceGroup' command even after saving the configuration.
    [ NSHELP-22459 ]
  • In a high availability setup, a synchronization issue might replace the secondary node's license file with the primary node's license file.

    The presence of the primary node's license file causes a host ID mismatch for this file on the secondary node. Because of this host ID mismatch, all the Citrix ADC features are disabled when the secondary node takes over as primary after a failover.
    [ NSHELP-21871 ]
  • If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.
    [ NSHELP-19615 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output is large enough to completely fill the root disk.
    [ NSHELP-19345 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
    [ NSHELP-12037 ]

Known Issues

The issues that exist in release 11.1-65.10.

Authentication, authorization, and auditing

  • In some cases, SAML authentication fails when Oracle is configured as an Identity Provider (IdP).
    [ NSHELP-23094 ]
  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
    [ NSHELP-22845 ]
  • In the SAML LogoutRequest parameter, the attributes SPNameQualifier and NameQualifier are missing from the NameID element when a SAML Service Provider (SP) receives an assertion from SAML Identity Provider (IdP).
    [ NSHELP-8018 ]
  • The authentication, authorization, and auditing parameter configurations related to the "set aaa parameter" command are lost if you execute the "force cluster sync" command manually.
    Workaround: Do not execute the “force cluster sync” command.
    [ NSAUTH-6274 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

Citrix Gateway

  • The user name in the ICA log message might be truncated if the user name contains the ' (single quote) character.
    [ NSHELP-22814 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • The following error message appears when you import an SJIS file from AppExpert>Responder>HTML Page Imports.

    "URL malformed"

    Workaround: Save the SJIS file in UTF-8 format, and then import it.
    [ NSHELP-20711 ]
  • The "show audit messages" output does not display the latest logs if you modify the syslog server in the global syslog parameters.
    [ NSHELP-19430 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.
    [ NSHELP-8549 ]
  • In an outbound ICA proxy deployment, the Citrix ADC appliance closes the client connection if the following conditions are met:
    - A TCP service has the same IP address as the destination server.
    - The TCP service also has the same IP port as the destination server.
    The appliance closes the connection because it fails to establish a connection with the destination server.
    [ NSHELP-8469 ]
  • For command "add vpn intranetApplication", description for "protocol" parameter is incorrectly displayed in man page. The description has "BOTH" as a possible value instead of "ANY". However, the man page correctly displays the possible values required for configuration.
    [ NSHELP-8392 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • After upgrading the Citrix Gateway appliance to release 11.x or later, users might see a blank page upon log on. The blank page appears because the browser serves some of the files from its own cache, instead of requesting all the files from the upgraded appliance.
    Workaround: Clear the browser cache.
    [ NSHELP-6807 ]
  • A Citrix ADC appliance in a clustered setup displays a "Cannot allocate memory" error message if you use the set command to set the server domain name in a SYSLOG action.

    Workaround: Delete the SYSLOG action in which you set the domain name, and add a new SYSLOG action that specifies the server domain name instead of the server IP address.
    rm syslogaction
    add syslogaction -loglevel [-options ...]
    [ CGOP-6745 ]
  • If you edit the home page through CVPN, the embed code becomes corrupt.
    [ CGOP-4505 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
    [ CGOP-3359 ]
  • If the Home Page Text labels are lengthy when you customize an RfWebUI based theme, the home-page user interface does not function properly. The following lengthy text labels can cause this problem:
    Apps Tab Label
    Desktop Tab Label
    Favorite Tab Label
    [ CGOP-1622 ]
  • If a VPN session profile and RfWebUI portal theme are in use, end users cannot log on if the following are set to OFF:
    - ICA Proxy
    - Clientless VPN Mode
    - Transparent Interception and Client Choices
    [ CGOP-1575 ]

Citrix Web App Firewall

  • If you upgrade a Citrix ADC appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.

    Workaround: Turn off the Learning feature when skipping learned rules.
    [ NSWAF-1184 ]
  • The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
    [ NSWAF-679 ]
  • The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
    [ NSHELP-17352 ]

Load Balancing

  • The show gslb domain command does not populate the correct MIR and ECS values between the GSLB virtual server and the GSLB domain bound to the same virtual server.
    [ NSHELP-11729 ]
  • If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.
    [ NSHELP-9409 ]

Miscellaneous

Networking

  • When a Citrix ADC appliance processes traffic at line rate, management CPU spike is observed on the appliance while configuring allowed VLAN list.
    [ NSNET-5689 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • No Error or Warning is announced if a user tries to set trunk mode on the loopback interface.
    [ NSNET-4405 ]
  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • In a cluster setup, after a reboot, tagged VLAN configuration is lost on the vlan 1 interface.
    [ NSNET-4162 ]

  • The Citrix ADC appliance allows configuration through NITRO APIs even before the protocol modules are completely initialised. For this reason, the write memory command fails with the following error message:

    “save config denied – modules not ready”
    [ NSHELP-19431 ]

NSDOC

  • If you have to set a domain wide cookie for an authentication domain, you must enable authentication profile on a load balancing virtual server.
    [ NSHELP-15356 ]

Platform

  • On a Citrix ADC SDX appliance, Tx stalls might be reported for an interface on a VPX instance if the following conditions are met:
    - The VPX instance has more than one dedicated core.
    - Three or four reset operations are issued consecutively with JUMBO MTU traffic on a 10G, 25G, or 40G interface.
    - Malicious Driver Detected (MDD) event is observed for the interface in the Citrix Hypervisor (formerly XenServer) logs.
    [ NSPLAT-11798 ]
  • In an OpenStack environment, if a custom flavor with an Ephemeral Disk of size less than 8GB is used to start a Citrix ADC VPX or Cisco Nexus 1000v instance, the config drive is not attached to the instance.
    [ NSPLAT-7395 ]
  • Enabling trunk mode with tagged VLAN settings on an SR-IOV interface fails with the following error message:
    "ERROR: Maximum number of tagged VLANs bound to the interface exceeded or the binding of this VLAN is not allowed on the interface."
    However, trunk mode with tagged VLAN settings is shown as enabled in the output of the following command:
    show interface summary
    [ NSPLAT-3614 ]
  • On the Citrix ADC SDX 15000-50G platform, some files from the NIC dump might not be cleared from the /tmp directory when the Citrix Hypervisor support bundle is collected multiple times. These files might disrupt a successful reboot of the appliance.
    Workaround: At the Citrix SDX XenServer shell prompt, run the "rm -f /tmp/mlxdump_snapshot.*" command to clear the temp files before rebooting the system to free the disk space.
    [ NSHELP-22903 ]
  • Upgrading a Citrix ADC SDX appliance from release 11.1 build 61.112 to release 11.1 build 63.x fails.

    Workaround: Upgrade the appliance to release 11.1 build 64.x.
    [ NSHELP-22648 ]
  • VLAN filtering does not work on the VPX instances with LA interface and L2 mode configured because all the member interfaces in the channel are set to promiscuous mode. As a result, all the VPX instances with this LA interface see all the packets from all the VLANs.

    Workaround: Use a different LA channel for each VPX instance.
    [ NSHELP-22500 ]
  • On the Citrix ADC MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:

    1. The 50G port is disabled.
    2. The port on the peer switch is disabled.
    3. The port on the peer switch is enabled.
    4. The 50G port is enabled.

    The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.
    [ NSHELP-20529 ]
  • On the following Citrix ADC SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to a VPX instance and instance management is done through the data ports.
    - SDX 8900
    - SDX 14000-40G
    - SDX 14000-40S
    - SDX 15000-50G
    - SDX 25000-40G
    - SDX 25000T
    - SDX 25000T-40G
    [ NSHELP-19861 ]

Policies

  • The Citrix ADC appliance now allows all string and character literals which include binary characters. However, the UTF-8 character sets still require the string and character literals to be a valid UTF-8.

    Previously, the appliance allowed only valid UTF-8 string and character literals. This was true for both UTF-8 and binary (ASCII) character sets. However, this did not allow some binary string and character literals, which meant that some valid expressions related to binary content could not be written.

    Example:

    CLIENT.TCP.PAYLOAD(100).CONTAINS("\xff\x02")
    [ NSPOLICY-2362 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • ECDHE support with SSLv3 protocol on the Citrix ADC appliance is not compatible with RFC 4492, because SSLv3 does not support extensions and ECDHE needs extension support.
    [ NSSSL-4724 ]
  • If you create a custom cipher group and bind it to an SSL entity, the profile name "SSL_EMBEDDED_PROFILE" incorrectly appears in the output of the "show ciphergroup" command. This error does not occur if you enable the Default profile before creating the custom cipher group and binding it to the SSL entity.
    [ NSSSL-4486 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile command on a cluster IP (CLIP) address.
    Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.
    [ NSSSL-2481 ]
  • In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
    [ NSSSL-1223 ]
  • An incorrect error message is displayed in both the following cases:
    1. Client authentication is enabled, root CA certificate is not bound to the SSL virtual server, and a request with a valid client certificate is sent to the virtual server.
    2. Client authentication is enabled, root CA certificate is bound to the SSL virtual server, and a request with a wrong certificate is sent to the virtual server.

    The error message that appears is "Handshake failure-Internal Error" instead of "No client certificate received."
    [ NSSSL-851 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • Event monitor logs are not displayed on the Citrix ADC GUI dashboard.
    [ NSHELP-19965 ]
  • When capture buffers overflow, packets are missing from the captured trace. This could be due to a high management CPU usage or high traffic rate with a large packet engine count.
    [ NSHELP-18345 ]
  • A Citrix ADC appliance silently truncates and drops HTTP request body packets greater than the maximum HTTP header size configured in the HTTP profile. The request body is truncated only if the appliance receives an HTTP request after an incomplete header assembly (request header spanning more than one packet) and the request body is received when the appliance awaits a TCP acknowledgment for the request header sent to the server. The truncation results in TCP retransmission and latency issues.
    [ NSHELP-11096 ]
  • The Application Firewall policy for HTTP requests (HTTP.REQ.HEADER) does not detect a content type with multiple lines.
    [ NSHELP-11092 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • A Citrix ADC appliance sends a TCP fast open cookie instead of an MPTCP MP_CAPABLE option for MPTCP traffic.
    [ NSHELP-10909 ]
  • A Citrix ADC appliance might not honor persistence for a load balancing virtual server with a wildcard configuration if information about the back-end server is not available.
    [ NSHELP-10559 ]
  • Random packets on loopback interface are found missing if you capture nstrace on a Citrix ADC appliance.
    [ NSHELP-10166 ]
  • When you reboot your appliance, a mismatch between default TCP profiles and built-in profiles causes the Forward RTO-recovery (FRTO) option to be enabled on a TCP profile other of a node.
    [ NSHELP-9453 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send more MTU data.
    [ NSHELP-9411 ]
  • Compression policies of classic policy type do not work as expected. Citrix ADC recommends that you use the advanced policy infrastructure.
    [ NSHELP-9108 ]
  • If you set the AppFW profile post body limit to a value greater than 2 GB, client requests get dropped. The issue occurs because of TCP overflow for a window size variable.
    [ NSHELP-8860 ]
  • If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.
    [ NSBASE-4140 ]
  • The Citrix ADC appliance is unable to reuse an existing probe connection if an HTTP wildcard load balancing virtual server is configured in MAC mode with use source IP (USIP) mode enabled and the Use Proxy Port option turned off. As a result, the connection fails and the client receives a TCP reset.
    [ NSBASE-2785 ]
  • The initial probe connection that a Citrix ADC appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
    [ NSBASE-1185 ]

User Interface

  • In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.

    Workaround: Use the Google Chrome browser.
    [ NSUI-8412 ]
  • When you import a UTF-8/S-JIS based HTML file type by using the Citrix ADC GUI, the following error message appears:
    "URL malformed"

    Workaround: Before importing, save the file in UTF-8 format.
    [ NSHELP-19512 ]
  • The Actions tab is missing from "Unknown Certificates" page in the GUI.
    [ NSHELP-12948 ]
  • The Events page in the Citrix ADC GUI (Configuration > System > Diagnostics > View events > Events) does not display the "Start Date Time" field. The issue is observed only in the Firefox browser.
    [ NSHELP-12591 ]
  • When you run the set command on a Citrix ADC appliance, the ns.log file stores the command with all parameter values, including customer provided values.
    [ NSHELP-11291 ]
  • The NITRO .NET SDK get call for SNMP MIB resource snmpmib.get() fails with JSON deserialization errors.
    [ NSHELP-9032 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    - 13.0 52.24 build
    - 12.1 57.18 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config ]

    Workaround:

    To fix this issue, use one of the following independent options:

    - If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.

    - Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.

    - If none of the above options work, a system administrator can reset the system user passwords. For more information, see: https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]
  • If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the Citrix ADC appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
    [ NSCONFIG-2370 ]