Product Documentation

Fixed Issues in Previous 11.1 Builds

Oct 19, 2016

The issues that were addressed in NetScaler 11.1 releases prior to Build 49.16. The build number provided below the issue description indicates the build in which this issue was addressed.


  • If you have configured NetScaler Gateway in a double-hop setup, HDX virtual desktops might become unresponsive when you perform the following sequence of actions: connect, disconnect and reconnect.

    [From Build 48.10] [#641396]

Application Firewall

  • If the HTML response page contains a pair of hyphens (--) in the comment tag, the NetScaler appliance might parse the response page incorrectly and not add the URLs to starturl closure. This could result in some starturl violations.

    [From Build 48.10] [#648104]

  • The name of a user defined signature objects must not contain a hash character (#), even though the feedback message inaccurately lists it as an allowed character.

    [From Build 48.10] [#648010]

  • Applications might not load properly when the memory_max_allowed value for the AppFW pool is low. This low memory condition can also cause memory allocation errors that result in numerous connection resets.

    [From Build 48.10] [#649031, 651536]

  • Sites that use the NetScaler application firewall have excessive high availability failovers because of a faulty error-handling routine related to memory allocation.

    [From Build 48.10] [#647309]

  • The exported, learned data for field formats does not match the output of the following command: sh appfw learning data.

    [From Build 48.10] [#329025, 303481]

  • The NetScaler appliance fails if the signature match function accesses invalid memory while matching signature rules.

    [From Build 48.10] [#643854]


  • A clear config operation in a Cluster deployment does not set non-CCO nodes to the default value for the "max pipeline" parameter.

    [From Build 48.10] [#648087]

Load Balancing

  • In the SAML response, the RelayState field is truncated. When the samlidp feature is processed, the URL decodes the entire content before parsing for individual elements. The customer's service provider sends the RelayState that was encoded. When the service provider posts the assertion back, the RelayState is truncated resulting in an SP failure.

    [From Build 48.10] [#648337]

  • The NetScaler appliance fails to send an assertion back to the service provider when the SAML request comes without an ID field. When behaving as a samlidp, the ID field from the authnReq is remembered, so it can be sent back in the assertion. If service providers don't send IDs, we fail due to logic error. The logic was revised so if we don not get an ID, we don't send it back.

    [From Build 48.10] [#648489]

  • A secure HTTP-ECV monitor might time out if the back-end server sends a large certificate.

    [From Build 48.10] [#638148]

NetScaler GUI

  • If you have configured static proximity as the load balancing method on a load balancing virtual server, you cannot set a backup method by using the GUI.

    [From Build 48.10] [#648408]

  • When creating a cluster node group, you no longer have to specify a node state. The "Add Node Group" page in the NetScaler GUI displays "state" as optional, not as a required field.

    Page Navigation: Configuration > System >Cluster > NodeGroup > Add Node Group

    [From Build 48.10] [#650357]

  • In NetScaler Gateway > Policies > RDP, an attempt to enable and disable the RDP feature now succeeds.

    [From Build 48.10] [#651030]

  • In Security > AAA > Virtual Servers, you can now bind an SSL profile to a virtual server.

    [From Build 48.10] [#651031]

  • On a NetScaler SDX appliance, the selected order of external authentication servers for cascading authentication might change in the NetScaler GUI if you randomly switch views. This is a display issue.

    [From Build 48.10] [#649190]

NetScaler Gateway

  • For Windows 7 in English, Espanol, or Francaise, the NetScaler Gateway plug-in truncates the Add button on the Connection tab if the browser is Internet Explorer 8.

    [From Build 48.10] [#647789]

  • Functionality issues were present if the following do not have a trailing slash:

    - The VPN URLs are of the Selfauth/Samlauth type

    - The relay state is evaluated from the SAMLSSO Profile

    - The relay state is sent from the IDP to the SAML SP case

    [From Build 48.10] [#645585]

  • If the LDAP bind account password used on NetScaler contains a pair of dollar signs"$$", the authentication for the bind account fails, and the dashboard shows that the LDAP server is down.

    [From Build 48.10] [#644689]

  • If DNS Truncate configuration is used, all the DNS suffixes are pushed from the NetScaler appliance, but not all of the DNS suffixes are used by the AGEE Client.

    [From Build 48.10] [#641458, 543403]

  • Build 47.14 of the Enterprise Edition does not support the RDP Proxy feature. (This issue does not apply to the Platinum Edition).

    [From Build 48.10] [#649848]

  • Kerberos authentication can fail, and the connection might be dropped, if consumption of AAA session memory is very high. In a high availability setup, a failover might occur.

    [From Build 48.10] [#650492]

  • If a client machine with the following configuration is on the Internet when it enters the logged-off state, its network access remains blocked if it is moved to an intranet:

    *A location-based VPN is set to REMOTE.

    *Network access upon VPN failure is set to onlyToGateway.

    [From Build 48.10] [#649057]

  • If the NetScaler Gateway appliance is configured for End Point Analysis (EPA) and the user has bookmarked the advanced login page (/logon/LogonPoint/tmindex.html), attempts to log on fail.

    [From Build 48.10] [#647678]

  • Users cannot access the RfWebUI homepage if wiHome in the session action points to a load balancing virtual server.

    [From Build 48.10] [#649395]

  • If RfWebUI or a VPN portal theme with RfWebUI as the base theme is bound at the VPN Global level, users cannot connect to VPN virtual servers that are configured with a non-RfWebUI theme.

    [From Build 48.10] [#648950]

  • User access to servers might be erratic, and users might lose information if step-up authentication is configured to begin or end with a SAML action.

    [From Build 48.10] [#648306]

  • Single sign-on (SSO) users connected to a VPN virtual server configured for SAML authentication cannot log off if Shibboleth is the SAML identity provider (IDP). Instead of the logoff page, an HTTP error message appears. This failure occurs with the following configuration:

    * VPN virtual server is configured for SAML authentication.

    * Shibboleth is the SAML identity provider (IDP).

    [From Build 48.10] [#642554, 576014]

NetScaler Insight Center

  • Appflow configuration fails if you use the NetScaler Insight Center FQDN instead of the NetScaler Insight Center IP address.

    [From Build 48.10] [#652425]

  • System groups cannot be created in the NetScaler Insight Center GUI.

    [From Build 48.10] [#650657]


  • A NetScaler appliance with OSPFv3 dynamic routing protocol configured might measure the length of OSPFv3 LSA packets in Network Byte Order instead of Host Byte Order for comparison with the minimum required packet length. As a result, the NetScaler appliance becomes unresponsive.

    [From Build 48.10] [#652131]


  • Adding a certificate revocation list (CRL) on the NetScaler appliance fails with the error message "Certificate Issuer Mismatch" for a DER certificate, and with the error message "Invalid CRL" for a PEM certificate. This issue occurs because the attribute type of the common name field is different for the CA certificate than for the CRL.

    [From Build 48.10] [#623058, 634017]

  • You can bind ECDSA ciphers to an SSL virtual server on a platform that does not have N3 chips even though ECDSA ciphers are supported only on platforms with N3 chips.

    [From Build 48.10] [#635234]


  • The CPU parameter value on the LCD panel does not match the value reported by the Netscaler CLI or GUI.

    [From Build 48.10] [#643237]

  • Heavy traffic through a NetScaler appliance can result in a web log buffer overrun, causing a NetScaler Web logging (NSWL) client to reconnect. When the client reconnects, the use of surplus connections results in omission of the PCB's user-name information (part of connection related information) during cloning. This leads to a loss of log data.

    [From Build 48.10] [#633308, 646753, 648657]