Product Documentation

Fixed Issues

Oct 19, 2016

The issues addressed in Build 49.16.

Admin Partitions

  • SNMP profiles have been modified to avoid dropping SNMP responses intended for non-default partitions. An SNMP agent can now track each SNMP request and send a response to a non-default partition. Previously, if a non-default partition received an SNMP request through a subnet IP address, the SNMP agent on the partition responded to the default partition, because the SNIP address was defined on the default partition.



  • If AppFlow for ICA is enabled on a NetScaler appliance, the appliance might become unresponsive under certain circumstances during ICA capability negotiation in ICA PROXY mode.

    [# 653385, 655823, 661720]

  • When AppFlow for ICA is enabled on a NetScaler appliance in a multicore environment, the Netscaler appliance might become unresponsive.

    [# 647713]

  • ICA parsing uses a lot of memory, so the NetScaler appliance reaches its memory limit with a lower than expected number of connections.

    [# 459458]

  • If HDX Insight is enabled on a NetScaler appliances in high-availability mode, and if the nodes are set to STAY PRIMARY or STAY SECONDARY, session reliability fails when a failover happens.

    [# 653438]

Application Firewall

  • A NetScaler AppFirewall appliance might run out of memory, because firewall sessions might not get cleaned up in a high availability environment if sync or propagation is disabled or the software versions running on a pair of nodes do not match. This is due to DHT not being able to clean up entries properly.

    [#646293, 645547, 658502]

  • If the NetScaler appliance sends AppFlow data with application firewall records to the Security Insight collector, the appliance might fail. This might occur if the built-in NOPOLICY policy, which does not have any specified action, is configured as a global policy.


  • The NetScaler appliance might fail if both of the following conditions are met:

    - The application firewall and compression modules are both active for a connection.

    - The connection is aborted for any reason, such as connection failure on the client or server, or invalid HTTP content is received from the client or server.

    Typically, the application firewall and compression modules free the resources, including references to the connection. However, in rare cases, freeing a connection results in a dangling connection structure pointer or duplicate freeing of the structure pointer. In either of these cases, the appliance might fail.

    [#648981, 648996, 653492, 654739]


  • A NetScaler appliance configured as an DNS end resolver sometimes fails to respond to DNS queries. When the appliance is configured as an end resolver, it generates iterative DNS queries to name servers on behalf of the client and returns the final responses. If a DNS zone has multiple NS records, the appliance queries the first name server in the NS record. If this resolution fails, the appliance does not retry with other name servers in the NS records, and it does not send any response to the client.


NetScaler GUI

  • The NetScaler GUI displays exponent 3 and key size 1024 when you try to create a FIPS key, but these options are not supported.

    Also, you cannot create a key of size 3072 from the GUI.

    [#639154, 654952]

  • The field value for X-Forwarded-For HTTP header is not displayed as client IP in NetScaler Security Insight violation logs.

    [#645284, 636390]

  • In NetScaler Gateway > Policies > RDP, you can now enable and disable the RDP feature. A regression caused this option to break. This issue is fixed now.


NetScaler Gateway

  • The console shows many IPv4 Socks errors that are constantly being generated.

    [#643302, 639579, 639782]

  • Mac OSX users are unable to sign on to the OSX Receiver client and are denied access to their apps and desktops.


  • When Kerberos Constrained Delegation SSO is in use, a memory leak is expected. Once the memory is almost full, failures are expected due to memory allocation

    [#651140, 659660]

  • If SSO is enabled on an AAA-TM or Gateway configuration, the NetScaler appliance might fail.


  • POST EPA scans fail on Windows 8 and 8.1 machines. This problem no longer occurs, because Opswat revised the OESIS 3 library.


  • The Netscaler appliance fails if it attempts to process an invalid incoming HTTP packet.

    [#638992, 637909, 640693, 644682, 646473, 646997, 647022, 647140, 650986, 652072]

  • A control channel between a NetScaler Gateway Plug-in and a NetScaler appliance is terminated if multicast IP packets are tunneled over the control channel.

    [#643558, 649729]

  • If Certificate Authentication with Two Factor ON is chosen, and username extraction from Certificate has been configured, the username field is editable with old Portal Themes (Default, Greenbubble, X1).

    [#643125, 641162, 646600]

  • If only nFactor certificate authentication is configured for NetScaler Gateway, a VPN session is created instead of a traffic management (TM) session for access to a load balancing virtual server.


  • For SmartControl to work, the Gateway login is required on the NetScaler appliance enforcing SmartControl. Storefront's session timeout causes automatic disconnections of ICA sessions launched through NetScaler Gateway if the ICA Smart Control policy is bound to the VPN virtual server. This requirement is now relaxed.

    [#640466, 640223, 642970]

  • The NetScaler appliance fails because of a NetScaler packet processing engine (PPE) error.

    [#653884, 654602]

  • The NetScaler appliance fails whenever a Content Switching VIP is accessed with IP


  • The Citrix virtual adapter is not enabled on a Windows 7 64-bit machine, and its driver is shown as unsigned in the device manager.

    Note: If a Windows 7 64-bit user is logged out immediately after logging in, install security patch KB3033929 on that user's Windows machine.


  • If you connect to NetScaler Gateway by using full tunnel VPN and attempt to access an internal URL that has Kerberos authentication enabled, the authentication fails. You are directed to the authentication screen and prompted for username and password.


  • A safety check was created for incomplete/invalid homepage URLs. The safety check redirects the user to the correct homepage based on the Portal theme. The URL redirects to the correct homepage only when a valid homepage request is received; otherwise, the server sends back a 404 error message.


NetScaler VPX Appliance

  • If you deploy NetScaler VPX on Azure in HA mode, the VPN virtual servers on the secondary node are not reachable after a failover. This is because, during a synchronization operation, the NSIP address of the primary node is used to create the virtual server on the secondary node. After a failover, when the secondary node becomes the new primary, the VPN virtual server has the NSIP address of the old primary.


  • In a KVM environment, a NetScaler VPX instance fails to start if you have configured more than 11 vCPUs.



  • During a "force sync" operation in a cluster deployment, performing a "save config" operation on a node might lead to a full or partial configuration loss on that node. With this fix, the "save config" operation is not permitted during a "force sync" operation.

    [#642375, 658619]


  • A certificate-key pair bound to a secure monitor is not saved in the configuration file (ns.conf). As a result, the binding is lost after you restart the appliance.


  • A NetScaler virtual appliance sometimes fails because of a memory leak if you use GCM-based ciphers on a VPX appliance. The ciphers can eventually exhaust memory, causing the appliance to fail if the memory exhaustion error is not gracefully handled.

    [#652477, 654559, 656035, 657343]

  • Client authentication causes memory leak if a client sends a certificate that includes its intermediate CA certificates. This exhausts memory on the NetScaler appliance.



  • If NetScaler appliance is setup with Web Log feature and weblog clients are connected then under traffic stress, a buffer overrun can cause the weblog client to reconnect. When the clients reconnect, we lose part of the data on connections where reconnect was triggered and hence log data is not complete.

    [#633308, 646753, 648657, 656502]

  • Memory allocation failures occur, because the NetScaler appliance does not allocate sufficient memory for packet engines.

    [#647072, 643407, 650630]

  • The Configd daemon fails if the number of session IDs exceeds the preset limit and existing client sessions are renumbered.

    [#639380, 657168, 657781]

  • On a NetScaler appliance, if a FIN packet is held back by the forwarding interface and in the meantime, if Selective Acknowledgement (SACK) blocks are generated for the previous packet, the appliance fails.