- This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
- Build 11.1-65.22 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX319135.
- Build 65.22 replaces Build 65.20.
- This build also includes fixes for the following issues that existed in the previous Citrix ADC 11.1 release build: NSHELP-28098, NSAUTH-10517.
Option to enable or disable access to Citrix Hypervisor on a NetScaler ADC SDX appliance
You can now enable or disable access to the SDX Control Domain (Citrix Hypervisor) on a NetScaler ADC SDX appliance. When this access is enabled, a user can log in directly to the Control Domain of the SDX appliance and change its configuration. Previously, access to the Citrix Hypervisor on the SDX appliance was enabled by default. After an upgrade to 12.1-56.x, 13.0-52.x, or 11.1-65.x from an earlier release, the access is disabled.
To enable this access, in the SDX GUI navigate to System > Network Configuration. Under Appliance Supportability, select Configure Appliance supportability.[ NSPLAT-11065 ]
Update for licensing server IP address
You can now update the licensing server IP address in a VPX instance without any impact on the allocated license bandwidth and without data loss. For information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-vpx-check-in-check-out.html#update-a-licensing-server-ip-address[ NSCONFIG-1974 ]
Authentication, authorization, and auditing
Logging in to a NetScaler Unified Gateway endpoint by using the full URL bookmarked in the browser on the user's machine fails if the endpoint appliance has a RelayStateRule expression configured in the samlAction command.
For example, if you try to log in by using a bookmarked full URL such as https://citrixgateway.com/citrix/storeweb in your browser, the login fails.[ NSHELP-28098 ]
In rare cases, the counter for the "vpnusers" parameter is decremented while its value is already 0. The decrement wraps the counter to a very high value, and the license check fails.[ NSHELP-22558 ]
In some cases, a NetScaler ADC appliance dumps core because SYN packets sent to the TACACS server carry wrong partition values.[ NSHELP-22030 ]
A NetScaler ADC appliance might dump core upon receiving a RESET command from the client while the appliance is handling VPN traffic requests.[ NSHELP-21817 ]
- A NetScaler ADC appliance might crash during audit logging if the user authentication is prompted with an extra sign-in request such as a password change or a RADIUS challenge.[ NSHELP-21703 ]
- In rare cases, the NetScaler Unified Gateway appliance might fail when users are challenged for a one-time code.[ NSHELP-20967 ]
The authentication from Citrix Workspace app fails when NetScaler ADC is configured with SAML authentication and relayStateRule. The browser based login is not impacted.[ NSAUTH-10517 ]
After upgrading a NetScaler ADC appliance, the GSLB config sync might fail if the "/var/tmp/gslbsync" directory does not exist on the appliance.[ NSHELP-22796 ]
A packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK, before it receives the complete header.[ NSHELP-22099 ]
In a GSLB setup with gateway deployment, the NetScaler ADC appliance might fail to resolve the domain name for a GSLB service in the following condition:
When the primary load balancing virtual server is DOWN, even if the backup load balancing virtual server is UP.[ NSHELP-21061 ]
The NetScaler ADC appliance might run out of memory when a client sends packets at regular intervals but the first packet is blocked in the appliance. As a result, packets are queued up and the appliance runs out of memory to store the packets.[ NSHELP-20871 ]
The Citrix NetScaler appliance might fail while removing a server, if the server is bound to a GSLB service and the service is used in a policy configuration.[ NSHELP-18969 ]
A NetScaler ADC appliance might crash when all of the following conditions are met:
[ NSHELP-11969 ]
- A backend server is DOWN.
- An ADC appliance collects information on server, such as RTT and proximity, for selecting a new backend.
NetScaler ADC SDX Appliance
On a NetScaler ADC SDX 8900 appliance, the number of instances available for provisioning is reduced after you upgrade the appliance.[ NSHELP-23808 ]
A VPX instance hosted on a NetScaler ADC SDX 15000-50G or SDX 26000 appliance is unreachable from the Management Service after you change some properties, such as description and host name.[ NSHELP-23491 ]
If the IP address of a NetScaler ADC SDX appliance that is configured using pooled licensing is changed in SDX, the Citrix ADM managing the SDX appliance continues to show the old SDX IP address.[ NSHELP-23490 ]
- You cannot modify the VPX instance name on the following platforms when the number of cores assigned to that VPX is greater than the number of free cores available on the appliance.
[ NSHELP-22048 ]
- SDX 8900
- SDX 14xxx-40G
- SDX 14xxx-40S
- SDX 14xxx FIPS
- SDX 15xxx-25G
- SDX 15xxx-50G
- SDX 25xxx
- SDX 26xxx
- SDX 26xxx-50S
- SDX 26xxx-100G
- On NetScaler ADC SDX 15xxx and SDX 26xxx platforms, you cannot provision multiple VPX instances in L2 mode.[ NSHELP-21367 ]
If you use a French keyboard with the VPN plug-in, characters entered by using CTRL+ALT do not work.[ NSHELP-23556 ]
The authentication profile settings are lost if you modify the VPN virtual server configuration.[ NSHELP-22822 ]
The NetScaler Unified Gateway appliance crashes when the backend server opens an FTP connection to an intranet IP address on port 21 and sends FTP reply code 234 (the reply to an AUTH command) to initiate secure FTP.[ NSHELP-22672 ]
The NetScaler Unified Gateway appliance crashes when handling a server-initiated connection because of an error in connection linking.[ NSHELP-22598 ]
- During a transfer logon, the NetScaler Unified Gateway appliance might crash when trying to store an invalid connection and then dereferencing the invalid connection.[ NSHELP-22568 ]
- In some cases, the NetScaler ADC appliance crashes because a core receives a packet to send to the client before the intranet IP (IIP) information is available. NSHELP-21522 added the fix in ns_iip6.c; this fix adds the same change to ns_iip.c.[ NSHELP-22411 ]
- The NetScaler Unified Gateway appliance might crash if you attempt to print over a full VPN tunnel when an Intranet IP address is assigned.
This issue is observed in HP printers that use hp-status and WSDAPI protocols.[ NSHELP-22191 ]
- In a full tunnel setup and classic client certificate authentication with RfWebUI, the appliance responds with a blank page or "Client not capable" error after login.[ NSHELP-22084 ]
- The NetScaler Unified Gateway appliance might crash if the appliance has multiple cores and Intranet IP addresses are enabled with the RfWebUI theme.[ NSHELP-21722 ]
- You might intermittently see a 403 access forbidden error for portal files.[ NSHELP-21620 ]
- UDP application performance might sometimes be affected because of traffic congestion.[ NSHELP-21599 ]
- Sometimes, the NetScaler ADC appliance might crash while handling a server-initiated connection.[ NSHELP-21532 ]
- In some cases, the NetScaler ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available.[ NSHELP-21522 ]
The NetScaler Unified Gateway appliance configured for global server load balancing does not work as intended in a parent-child topology.[ NSHELP-21381 ]
- Sometimes, the NetScaler ADC appliance might crash during transfer login.[ NSHELP-21134 ]
- The NetScaler Unified Gateway appliance might crash if the following conditions are met:
[ NSHELP-20901 ]
- The client or server connection has a dangling pointer instead of a link.
- The linked connection is already freed.
- The appliance tries to flush the connection to free the link.
A NetScaler Unified Gateway appliance configured for ICA Proxy might sometimes crash.[ NSHELP-20478 ]
- In rare cases, the NetScaler ADC appliance might crash when a client plug-in sends data to another client plug-in.[ NSHELP-19002 ]
NetScaler Web App Firewall
A memory leak might be observed when some message buffers used for XSS logging are not freed for specific payloads.[ NSHELP-26430 ]
- A memory leak is observed on a NetScaler ADC appliance if you enable the StartURL Closure protection check.[ NSHELP-21472 ]
- XML validation fails if the XML content has nested reference to "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT" parameter.[ NSHELP-21128 ]
A NetScaler ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.[ NSHELP-20562 ]
The BGP module in a NetScaler ADC appliance might crash if it accesses null interface-related information.[ NSHELP-22258 ]
In a cluster setup, the following behavior is observed when an ADNS service is bound to a node group:
[ NSHELP-18567 ]
- RHI processing is not properly updated.
- The IP address is not advertised.
- On the NetScaler ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.[ NSPLAT-11985 ]
During heavy traffic, Tx might stop working on NetScaler ADC platforms containing 50G interfaces.[ NSHELP-22221 ]
- In some cases, provisioning a VPX instance on a NetScaler ADC SDX appliance containing Intel Coleto chips might fail because the SSL Coleto chip initialization failed.[ NSHELP-22033 ]
- SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.[ NSHELP-19297 ]
The "Current Client Est connections" and "Current client connections" counters for a load balancing virtual server display incorrect values if an HTTP callout is configured on that virtual server.[ NSHELP-22491 ]
On the NetScaler ADC MPX 14000 FIPS platforms, all SSL virtual servers appear as DOWN on the non-management CPUs.[ NSSSL-8015 ]
- The NetScaler ADC appliance might crash if the following conditions are met:
1. Two OCSP responders are configured with the same host name.
2. Both responders are bound to same root certificate-key pair.
3. The request fails with the first responder.
4. The appliance attempts to send the request to the second responder and the host name is unresolved.[ NSHELP-21278 ]
OCSP signature verification fails when an empty extension is received in the "SingleResponse" field of the OCSP response.[ NSHELP-20997 ]
- For SNI-enabled sessions, the ADC appliance can now control how the HTTP Host header is validated. A new parameter, SNIHTTPHostMatch, is added to the SSL profile and to the SSL global parameters to give better control over this validation. The parameter takes one of three values: CERT, STRICT, or NONE. SNI must be enabled on the SSL virtual server or on the profile bound to the virtual server, and the HTTP request must contain the Host header.[ NSHELP-13370 ]
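The reason this parameter exists is that the certificate is selected from the TLS SNI name, while content switching, responder and authentication policies act on the HTTP Host header, so a client can present one name in the handshake and another in the request. The following Python function is an added illustration, not Citrix code, that models the three modes. The matching rules it applies (STRICT: Host must equal the SNI name; CERT: Host must equal the SNI name or match a name on the selected certificate; NONE: no check) and its pass-through behaviour when either the SNI name or the Host header is absent are assumptions, since the release notes only list the values.

```python
from typing import Iterable, Optional

VALID_MODES = ("NONE", "STRICT", "CERT")


def _normalize(name: str) -> str:
    """Lower-case the name and drop a :port suffix and a trailing dot so that
    'App.Example.COM:443' and 'app.example.com.' compare equal."""
    name = name.strip().lower()
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")


def _matches_cert_name(host: str, cert_name: str) -> bool:
    """Exact match, or a wildcard that is the entire leftmost label
    ('*.example.com' covers 'app.example.com' but not 'a.b.example.com')."""
    cert_name = _normalize(cert_name)
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def host_header_allowed(mode: str, sni_name: Optional[str],
                        host_header: Optional[str],
                        cert_names: Iterable[str]) -> bool:
    """Decide whether a request's Host header is acceptable for the SNI name
    that selected the certificate.

    Assumed semantics (the release notes only name the three values):
      NONE   - no validation.
      STRICT - Host must equal the SNI name.
      CERT   - Host must equal the SNI name or match a name on the certificate.
    If the client sent no SNI or the request has no Host header, the check does
    not apply and the request passes (also an assumption).
    """
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"SNIHTTPHostMatch must be one of {VALID_MODES}")
    if mode == "NONE" or sni_name is None or host_header is None:
        return True
    sni = _normalize(sni_name)
    host = _normalize(host_header)
    if host == sni:
        return True
    if mode == "STRICT":
        return False
    return any(_matches_cert_name(host, n) for n in cert_names)


# Constructed scenario: the certificate selected for app.example.com carries a
# wildcard SAN, and a client then sends Host headers for other sites.
CERT_NAMES = ["app.example.com", "*.example.com"]


def demo() -> dict:
    """Evaluate the same Host/SNI pairs under each mode."""
    return {
        "same_name_strict": host_header_allowed("STRICT", "app.example.com", "App.Example.COM:443", CERT_NAMES),
        "sibling_strict": host_header_allowed("STRICT", "app.example.com", "admin.example.com", CERT_NAMES),
        "sibling_cert": host_header_allowed("CERT", "app.example.com", "admin.example.com", CERT_NAMES),
        "foreign_cert": host_header_allowed("CERT", "app.example.com", "evil.test", CERT_NAMES),
        "foreign_none": host_header_allowed("NONE", "app.example.com", "evil.test", CERT_NAMES),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'allowed' if allowed else 'rejected'}")
```

The "sibling" cases show the practical difference between CERT and STRICT: with a wildcard certificate, CERT still lets a request reach any host the certificate covers, so STRICT is the setting to use when the Host header must name exactly the site the TLS session was negotiated for.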
- For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.[ NSHELP-20653 ]
When a NetScaler ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.[ NSHELP-20401 ]
The Saved v/s Running config utility might display differences for the 'bind serviceGroup' command even after you save the configuration.[ NSHELP-22459 ]
In a high availability setup, a synchronization issue might replace the secondary node's license file with the primary node's license file.
The primary node's license file causes a host ID mismatch on the secondary node. Because of this host ID mismatch, all NetScaler ADC features are disabled when the secondary node takes over as primary after a failover.[ NSHELP-21871 ]
- If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.[ NSHELP-19615 ]
- A NetScaler ADC appliance becomes unstable if you use the -outfilename parameter with the diffnsconfig command, because the diffnsconfig output is large enough to completely fill the root disk.[ NSHELP-19345 ]
In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.[ NSHELP-12037 ]
Authentication, authorization, and auditing
- In the SAML LogoutRequest parameter, the attributes SPNameQualifier and NameQualifier are missing from the NameID element when a SAML Service Provider (SP) receives an assertion from SAML Identity Provider (IdP).[ NSHELP-8018 ]
In some cases, a NetScaler appliance becomes unresponsive while handling POST requests for SSO to backend resources.[ NSHELP-753 ]
- The AAA parameter configuration set with the "set aaa parameter" command is lost if you run the force cluster sync command manually.
Workaround: Do not execute the force cluster sync command.[ NSAUTH-6274 ]
A NetScaler ADC appliance might randomly crash if the following conditions are observed:
- Integrated caching feature is enabled.
- 100 GB or more memory is allocated for integrated caching.
Workaround: Allocate less than 100 GB of memory.[ NSHELP-20854 ]
- The show gslb domain command does not populate the correct MIR and ECS values between the GSLB virtual server and the GSLB domain bound to the same virtual server.[ NSHELP-11729 ]
Support for VPX Instance on SDX 8900 Appliance
This release supports a NetScaler VPX instance on a NetScaler SDX 8900 appliance. Note that the NetScaler SDX 8900 appliance is available only on release 11.0 build 70.109, but the VPX instances are supported on 11.0 builds 70.109 and 70.112 and on 11.1 build 56.15. For more information, see:
https://docs.citrix.com/en-us/sdx/11-1/sdx-ag-supported-versions-ref.html[ NSOTHER-98 ]
In rare cases, the NetScaler Unified Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.[ NSHELP-22349 ]
- The following error message appears when you import an SJIS file from AppExpert > Responder > HTML Page Imports.
Workaround: Save the SJIS file in UTF-8 format, and then import it.[ NSHELP-20711 ]
The "show audit messages" output does not display the latest logs if you modify the syslog server in the global syslog parameters.[ NSHELP-19430 ]
- SOCKS Proxy CR virtual server configuration for a NetScaler Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
Workaround: Use an IP address for VDA.[ NSHELP-8549 ]
- In an outbound ICA proxy deployment, the NetScaler appliance closes the client connection if the following conditions are met:
[ NSHELP-8469 ]
- A TCP service has the same IP address as the destination server.
- The TCP service also has the same IP port as the destination server.
The appliance closes the connection because it fails to establish a connection with the destination server.
- In the man page for the "add vpn intranetApplication" command, the description of the "protocol" parameter is incorrect: it lists "BOTH" as a possible value instead of "ANY". The list of possible values that the man page shows for configuration is correct.[ NSHELP-8392 ]
- An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.[ NSHELP-7872 ]
NetScaler Web App Firewall
If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 18.104.22.1681 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.
Workaround: Turn off the Learning feature when skipping learned rules.[ NSWAF-1184 ]
The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.[ NSWAF-679 ]
A NetScaler ADC appliance might crash when all of the following conditions are met:
- MAC mode is enabled on a non-addressable load balancing virtual server.
- The same virtual server is part of a link load balancing configuration or a policy-based routing configuration.
As part of the fix, the NetScaler ADC appliance now displays the following warning message when the above conditions are met:
[ NSNET-19485 ]
- Warning: MAC mode redirection should not be enabled with LLB config.
- When a NetScaler appliance processes traffic at line rate, a management CPU spike is observed on the appliance while you configure the allowed VLAN list.[ NSNET-5689 ]
- In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.[ NSNET-5233 ]
- No error or warning is displayed if a user tries to set trunk mode on the loopback interface.[ NSNET-4405 ]
- In a cluster setup, after a reboot, tagged VLAN configuration is lost on the vlan 1 interface.[ NSNET-4162 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
[ NSHELP-25068 ]
- A large number of active LSN sessions are present on the primary node.
- The Pitboss process crashes and restarts while this large number of LSN sessions is being synchronized to the secondary node.
The NetScaler ADC appliance allows configuration through NITRO APIs before the protocol modules are completely initialized. As a result, the write memory command fails with the following error message:
save config denied modules not ready[ NSHELP-19431 ]
On a NetScaler ADC SDX appliance, Tx stalls might be reported for an interface on a VPX instance if the following conditions are met:
[ NSPLAT-11798 ]
- The VPX instance has more than one dedicated core.
- Three or four reset operations are issued consecutively with JUMBO MTU traffic on a 10G, 25G, or 40G interface.
- Malicious Driver Detected (MDD) event is observed for the interface in the Citrix Hypervisor (formerly XenServer) logs.
In an OpenStack environment, if a custom flavor with an ephemeral disk smaller than 8 GB is used to start a NetScaler VPX or Cisco Nexus 1000v instance, the config drive is not attached to the instance.[ NSPLAT-7395 ]
On the NetScaler ADC MPX 5900 and MPX 8900 platforms, an incorrect platform number appears on the LCD screen.[ NSHELP-28207 ]
On the NetScaler ADC SDX 15000-50G platform, some files from the NIC dump might not be cleared from the /tmp directory when the Citrix Hypervisor support bundle is collected multiple times. These files might disrupt a successful reboot of the appliance.
Workaround: At the Citrix SDX XenServer shell prompt, run the "rm -f /tmp/mlxdump_snapshot.*" command to clear the temp files before rebooting the system to free the disk space.[ NSHELP-22903 ]
VLAN filtering does not work on the VPX instances with LA interface and L2 mode configured because all the member interfaces in the channel are set to promiscuous mode. As a result, all the VPX instances with this LA interface see all the packets from all the VLANs.
Workaround: Use a different LA channel for each VPX instance.[ NSHELP-22500 ]
- On the NetScaler ADC MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:
1. The 50G port is disabled.
2. The port on the peer switch is disabled.
3. The port on the peer switch is enabled.
4. The 50G port is enabled.
The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.[ NSHELP-20529 ]
- On the following NetScaler ADC SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to a VPX instance and instance management is done through the data ports.
[ NSHELP-19861 ]
- SDX 8900
- SDX 14000-40G
- SDX 14000-40S
- SDX 15000-50G
- SDX 25000-40G
- SDX 25000T
- SDX 25000T-40G
An error message "Directory does not exist" appears on the HTML Page Import Object GUI page after you upgrade the NetScaler ADC appliance release 11.1 build 63.15.[ NSHELP-22826 ]
- ECDHE support with SSLv3 protocol on the NetScaler appliance is not compatible with RFC 4492, because SSLv3 does not support extensions and ECDHE needs extension support.[ NSSSL-4724 ]
- If you create a custom cipher group and bind it to an SSL entity, the profile name "SSL_EMBEDDED_PROFILE" incorrectly appears in the output of the "show ciphergroup" command. This error does not occur if you enable the Default profile before creating the custom cipher group and binding it to the SSL entity.[ NSSSL-4486 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[ NSSSL-3184 ]
- In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.[ NSSSL-3161 ]
- The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile <Default-Profile> command on a cluster IP (CLIP) address.
Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.[ NSSSL-2481 ]
- In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.[ NSSSL-1223 ]
- An incorrect error message is displayed in both the following cases:
1. Client authentication is enabled, root CA certificate is not bound to the SSL virtual server, and a request with a valid client certificate is sent to the virtual server.
2. Client authentication is enabled, root CA certificate is bound to the SSL virtual server, and a request with a wrong certificate is sent to the virtual server.
The error message that appears is "Handshake failure-Internal Error" instead of "No client certificate received."[ NSSSL-851 ]
Event monitor logs are not displayed on the NetScaler ADC GUI dashboard.[ NSHELP-19965 ]
When the capture buffers overflow, packets are missing from the captured trace. The overflow can result from high management CPU usage or from a high traffic rate with a large packet engine count.[ NSHELP-18345 ]
The Application Firewall policy for HTTP requests (HTTP.REQ.HEADER) does not detect a content type with multiple lines.[ NSHELP-11092 ]
- A NetScaler appliance with connection chaining and SSL enabled might send more data than the MTU allows.[ NSHELP-9411 ]
In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.
Workaround: Use the Google Chrome browser.[ NSUI-8412 ]
When you import a UTF-8 or S-JIS based HTML file type by using the NetScaler ADC GUI, the following error message appears:
Workaround: Before importing, save the file in UTF-8 format.[ NSHELP-19512 ]
- The Events page in the NetScaler ADC GUI (Configuration > System > Diagnostics > View events > Events) does not display the "Start Date Time" field. The issue is observed only in the Firefox browser.[ NSHELP-12591 ]
A NetScaler ADC appliance incorrectly logs a "Not logged in" error message when you access the Reporting tab in the NetScaler ADC GUI. For example:
Jul 21 11:20:14 <local0.info> 203.0.113.18 07/21/2016:08:20:14 GMT T1100-16-2 0-PPE-10 : default UI CMD_EXECUTED 290 0 : User (null) - Remote_ip - Command "show ns hardware" - Status "ERROR: Not logged in"[ NSHELP-12534 ]
When you run a set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including values provided by the customer.[ NSHELP-11291 ]
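The two issues above (NSHELP-12534 and NSHELP-11291) both concern the CMD_EXECUTED records in ns.log, which are the audit trail most teams forward to a SIEM. The Python below is an added example, not Citrix code: it parses lines of the shape quoted under NSHELP-12534, flags commands that executed with no session (the spurious "Not logged in" status) and commands whose logged parameter values contain a secret, and redacts those values before the finding is forwarded. The regex field names, the list of secret-carrying parameters, and all log lines other than the one quoted in the release notes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of one ns.log CMD_EXECUTED record, derived from the line quoted under
# NSHELP-12534. The field names are my own labels (assumption); Citrix does
# not publish a grammar for these lines.
AUDIT_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'<(?P<facility>[^>]+)> (?P<source>\S+) (?P<ns_ts>\S+ GMT) (?P<host>\S+) '
    r'(?P<ppe>\S+) : (?P<module>\S+) (?P<submodule>\S+) (?P<event>\S+) '
    r'(?P<msg_id>\d+) (?P<seq>\d+) : User (?P<user>.*?) - '
    r'Remote_ip(?: (?P<remote_ip>\S+))? - Command "(?P<command>.*)" - '
    r'Status "(?P<status>.*)"$'
)

# Parameters whose values are secrets. Illustrative list (assumption): the
# release notes only say that set-command parameter values are logged verbatim.
SECRET_FLAGS = ("password", "radKey", "tacacsSecret", "sharedSecret", "passphrase")
FLAG_SECRET_RE = re.compile(r'(-(?:' + "|".join(SECRET_FLAGS) + r')\s+)(\S+)', re.IGNORECASE)
# "add system user <name> <password>" carries the password positionally.
POSITIONAL_SECRET_RE = re.compile(r'(\badd system user \S+\s+)(?!-)(\S+)')


@dataclass
class AuditEvent:
    host: str
    event: str
    user: str
    remote_ip: Optional[str]
    command: str
    status: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return the structured record, or None for lines of another shape."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(host=m["host"], event=m["event"], user=m["user"],
                      remote_ip=m["remote_ip"], command=m["command"], status=m["status"])


def redact_command(command: str) -> str:
    """Replace secret parameter values with a placeholder; other text is untouched."""
    command = FLAG_SECRET_RE.sub(r'\1<redacted>', command)
    return POSITIONAL_SECRET_RE.sub(r'\1<redacted>', command)


def review_audit_log(lines: List[str]) -> List[dict]:
    """One finding per CMD_EXECUTED line that ran without a session (NSHELP-12534)
    or that carries a secret in the logged command (NSHELP-11291). Commands in
    findings are redacted so the findings themselves are safe to forward."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_audit_line(line)
        if ev is None or ev.event != "CMD_EXECUTED":
            continue
        reasons = []
        if ev.status.startswith("ERROR: Not logged in"):
            reasons.append("command_without_session")
        if redact_command(ev.command) != ev.command:
            reasons.append("secret_in_logged_command")
        for reason in reasons:
            findings.append({"line": n, "user": ev.user, "remote_ip": ev.remote_ip,
                             "reason": reason, "command": redact_command(ev.command)})
    return findings


SAMPLE_NS_LOG = [
    # The line quoted under NSHELP-12534 (with its Remote_ip placeholder kept).
    'Jul 21 11:20:14 <local0.info> 203.0.113.18 07/21/2016:08:20:14 GMT T1100-16-2 0-PPE-10 : default UI CMD_EXECUTED 290 0 : User (null) - Remote_ip - Command "show ns hardware" - Status "ERROR: Not logged in"',
    # Constructed lines in the same shape; not from the release notes.
    'Jul 21 11:22:40 <local0.info> 203.0.113.18 07/21/2016:08:22:40 GMT T1100-16-2 0-PPE-0 : default CLI CMD_EXECUTED 277 0 : User nsroot - Remote_ip 203.0.113.5 - Command "show ns version" - Status "Success"',
    'Jul 21 11:23:11 <local0.info> 203.0.113.18 07/21/2016:08:23:11 GMT T1100-16-2 0-PPE-0 : default CLI CMD_EXECUTED 277 0 : User nsroot - Remote_ip 203.0.113.5 - Command "set system user auditor -password Sup3rS3cret!" - Status "Success"',
    'Jul 21 11:24:02 <local0.info> 203.0.113.18 07/21/2016:08:24:02 GMT T1100-16-2 0-PPE-0 : default CLI CMD_EXECUTED 277 0 : User nsroot - Remote_ip 203.0.113.5 - Command "add authentication radiusAction rad1 -serverIP 192.0.2.10 -radKey Sh4redK3y" - Status "Success"',
]

if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_NS_LOG):
        print(f"line {f['line']}: {f['reason']} user={f['user']} cmd={f['command']!r}")
```

Redaction at the collector is a mitigation, not a fix: the clear-text values still sit in ns.log on the appliance until they are rotated out, so restrict shell and SCP access to the appliance accordingly and change any credential that was set from the CLI on an affected build.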
The NITRO .NET SDK get call for SNMP MIB resource snmpmib.get() fails with JSON deserialization errors.[ NSHELP-9032 ]
If you (the system administrator) perform all of the following steps on a NetScaler ADC appliance, the system users might fail to log in to the downgraded NetScaler ADC appliance.
1. Upgrade the NetScaler ADC appliance to one of the builds:
- 13.0 build 52.24
- 12.1 build 57.18
- 11.1 build 65.10
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the NetScaler ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
[ NSCONFIG-3188 ]
- If the NetScaler ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the NetScaler ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
- If none of the above options work, a system administrator can reset the system user passwords.