Known Issues

Oct 19, 2016

The following issues exist in Build 49.16.

AAA-TM

  • The SHA256 digest algorithm is not supported on a NetScaler FIPS appliance configured for SAML authentication or as a SAML IDP, and no appropriate error message appears in the browser.

    [#639349]

  • You cannot load balance external AAA servers, such as LDAP, RADIUS, or TACACS servers, in a non-default partition.

    [#621010]

  • The NetScaler appliance exhibits some inconsistency in the way expired cookies (TEMP) are handled:

    - On an existing TCP connection, access to backend resources is allowed.

    - On a new TCP connection, the request is denied.

    [#610091]

  • If you configure a NetScaler FIPS appliance for SAML authentication, the appliance fails when it tries to process encrypted assertions from an external IDP. However, signed assertions and responses are handled correctly.

    [#635174]

  • If you log on to the NetScaler Traffic Management (TM) virtual server using "401 Basic" authentication, you might observe authentication failures if your user name or password contains special characters. This is because only UTF-8 characters below ASCII 128 (for example, A-Z, a-z, 0-9, and the special characters ~ ! @ # $ % ^ & * ( ) _ + - = [ { ] } \ | ; : ' " / ? . > , <) are allowed.

    [#620845, 650263]

  • If a user name containing special characters is prefilled in the login forms, the RfWeb user interface fails to render the form.

    Workaround: Escape the angle brackets.

    Example:

    Username is prefilled in the login forms on the basis of the value of the InitialValue tag in the authentication schema file.

    Change

    <InitialValue>${http.req.user.name}</InitialValue>

    To

    <InitialValue><![CDATA[${http.req.user.name}]]></InitialValue>

    [#646139]
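As an added example (not code from the Citrix documentation), the following Python script simulates the prefill substitution described above and shows why the CDATA form survives a user name containing angle brackets or an ampersand. The simplified schema fragment and the plain-text substitution are assumptions.

```python
import xml.etree.ElementTree as ET

# Expression that NetScaler expands into the current user name when it serves
# the login schema (it appears on the page as the InitialValue content).
USER_NAME_EXPR = "${http.req.user.name}"

# Constructed, simplified login-schema fragment (assumption: only the Requirement
# element around InitialValue is kept; namespaces and other fields are omitted).
SCHEMA_PLAIN = (
    "<Requirement>"
    "<Credential><ID>login</ID><Type>username</Type></Credential>"
    "<Input><Text><InitialValue>" + USER_NAME_EXPR + "</InitialValue></Text></Input>"
    "</Requirement>"
)


def wrap_initial_value_in_cdata(schema: str) -> str:
    """Apply the documented workaround: put the expression inside a CDATA section."""
    plain = "<InitialValue>" + USER_NAME_EXPR + "</InitialValue>"
    cdata = "<InitialValue><![CDATA[" + USER_NAME_EXPR + "]]></InitialValue>"
    return schema.replace(plain, cdata)


SCHEMA_CDATA = wrap_initial_value_in_cdata(SCHEMA_PLAIN)


def render_schema(schema: str, user_name: str) -> str:
    """Simulate the prefill: the expression is replaced by the user name as plain
    text (assumption: no XML escaping is applied during substitution)."""
    return schema.replace(USER_NAME_EXPR, user_name)


def parse_initial_value(xml_text: str):
    """Parse the rendered schema as the RfWeb client would. Returns the prefilled
    value, or None when the document is no longer well-formed XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    element = root.find(".//InitialValue")
    return element.text if element is not None else None


def cdata_can_carry(user_name: str) -> bool:
    """A CDATA section ends at the first ']]>' sequence, so a value containing it
    cannot be carried even with the workaround and should be rejected before prefill."""
    return "]]>" not in user_name


if __name__ == "__main__":
    for name in ("alice", "alice<admin>", "a&b"):
        print(repr(name),
              "plain:", parse_initial_value(render_schema(SCHEMA_PLAIN, name)),
              "cdata:", parse_initial_value(render_schema(SCHEMA_CDATA, name)))
```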

Acceleration

  • If a compression module receives an HTTP header in two NetScaler Buffers (NSBs), where the first NSB has a complete header ending with a line break and the header in the other NSB also ends with a line break, the module does not handle the HTTP header properly. Page rendering in the client's browser is garbled.

    [#629128]

Admin Partitions

  • After adding an admin partition, make sure you save the configurations on the default partition. Otherwise, the partition setup configurations will be lost on system reboot.

    [#493668, 516396]

  • In a non-default partition, if the network traffic exceeds the partition bandwidth limit, the FTP control connection fails but the data connection remains established.

    [#620673]

Application Firewall

  • If you use the NetScaler GUI to access the application firewall security check violation log messages from a profile, the syslog viewer cannot display the logs if they are not in the CEF log format. You can enable CEF logging from the application firewall settings pane in the GUI, or use the following command from the CLI:

    > set appfw settings CEFLogging ON

    [#630056]

  • If you use Mozilla Firefox or Internet Explorer, some buttons might not work.

    Workaround: Use the Google Chrome browser.

    [#648272]

  • The application firewall graphical user interface might display a warning when the Qualys signature file is uploaded to the NetScaler appliance. The transformation program that reads the input file treats a warning message as an error.

    [#547282]

  • A customer's NetScaler Web Application Firewall is not learning traffic.

    Workaround: Change "select" to "poll" for monitoring the events, because "select" is limited to monitoring a maximum of 1024 file descriptors.

    [#608196]

Cache Redirection

  • In a cluster deployment, if a request is forwarded to a node other than the one that received the client request, a packet loop delays the response to the request.

    [#591265]

Clustering

  • In a Cluster setup, after a reboot, tagged VLAN configuration is lost on the vlan 1 interface.

    [#642947]

  • In a cluster setup, if you use an interface on one node to create an LACP channel on another node, the channel is created and runs smoothly, but the system reports a configuration error.

    [#644080]

DNS

  • A NetScaler appliance configured for DNSSEC offloading might fail because of a race condition that can occur when the appliance receives a DNS query for a type A record for a domain that also has a CNAME record, and the canonical name identifies a domain that is in the zone offloaded for DNSSEC processing.

    [#599741]

GSLB

  • In a GSLB setup, if you have configured static proximity as the primary load balancing method and RTT as the backup load balancing method, the NetScaler appliance might intermittently send an empty response to a DNS query for the GSLB domain.

    [#616321]

Integrated Caching

  • A NetScaler appliance fails multiple times if a cache parameter is enabled during an HA persistency test.

    [#610085]

Load Balancing

  • The StoreFront FQDN is not accepted as valid when Test connection is triggered in the XA/XD Wizard. When the user enters the StoreFront FQDN to test the connection, the XA/XD Wizard displays an error when the user clicks Continue.

    [#612276, 621861, 639203, 650065, 651022]

  • After an HA failover, Web Interface on NetScaler displays "State Error" if you try to launch an application.

    [#630435]

  • The NetScaler appliance is unable to reuse an existing probe connection if an HTTP wildcard load balancing virtual server is configured in MAC mode with use source IP (USIP) mode enabled and the Use Proxy Port option turned off. As a result, the connection fails and the client receives a TCP reset.

    [#632872]

NITRO

  • A NetScaler appliance returns error code 0 if the showtechsupport script fails while uploading the collector bundle to the Citrix server.

    To identify the failure, search the script's response data for the following string pattern:

    Upload of collector archive [] failed

    [#629572]

NetScaler CLI

  • When you use the Net::SSH::Perl library to connect to the NetScaler appliance and run a command in which an argument contains an @ character, an error message appears indicating that the argument does not exist.

    For example, an error message appears if you use the @ character in the tacacsSecret parameter of the following command:

    > set authentication tacacsAction TACACS-0101 -tacacsSecret Sl4make5f0rd@enc5

    Workaround: Use one of the following alternate approaches:

    - If you use the Net::SSH::Perl library, include double quotes around the command when calling $ssh->cmd().

    - Use the Net::Telnet library.

    - Use the Net::SSH::Expect library.

    [#346066]

NetScaler CPX

  • In NetScaler CPX, newnslog file rotation, file size, and so on behave as on a NetScaler MPX appliance, except that the files are not compressed in NetScaler CPX. The newnslog file is rotated every two days or when the file size reaches 600 MB, whichever comes first, and up to 200 rotated files are kept.

    [#644009]

NetScaler GUI

  • Certificate bundles are not supported in cluster setups.

    [#644199]

  • In older versions of Internet Explorer, such as version 7, the browser incompatibility message does not appear for NetScaler build 11.1. The logon page appears directly, and you can log on successfully.

    [#649052]

  • LDAP configuration fails if the virtual server name starts with an underscore ("_").

    [#646751]

  • When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.

    Workaround: Click the option again.

    [#655159]

  • You cannot bind a cipher or cipher group to an SSL entity by using the NetScaler GUI.

    Workaround: Use the NetScaler CLI.

    [#648293, 638254]

  • The Upgrade Wizard sometimes does not display a message when the appliance is rebooting. However, the NetScaler appliance reboots and the upgrade is successful.

    [#557379, 585649, 609615, 617161, 646039]

  • In the XenApp and XenDesktop wizard, the Administrator cannot choose an existing authentication policy when creating a new virtual server.

    Workaround:

    Administrators who want to re-use existing authentication policies should perform the following steps:

    1. In the NetScaler GUI, configure the NetScaler Gateway section in the wizard.

    2. Click the back button to view the dashboard.

    3. On the NetScaler command line, type:

    bind vpnvserver _XD_<THE_GATEWAY_IP_YOU_ENTERED>_443 -policy <AUTH_POLICY_YOU_WANT_TO_REUSE> -priority 0

    Depending on the authentication configured, do one of the following:

    A) If primary authentication is "RADIUS" and secondary authentication is "LDAP," run the following commands:

    set vpnsessionAction AC_OS_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType domainAndRSA

    set vpnsessionAction AC_WB_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType domainAndRSA

    B) If primary authentication is "LDAP," run the following commands:

    set vpnsessionAction AC_OS_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType domain

    set vpnsessionAction AC_WB_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType domain

    C) If primary authentication is "RADIUS," run the following commands:

    set vpnsessionAction AC_OS_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType RSA (or SMS, depending on the use case)

    set vpnsessionAction AC_WB_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType RSA (or SMS, depending on the use case)

    D) If primary authentication is "CLIENTCERTIFICATE," run the following commands:

    set vpnsessionAction AC_OS_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType smartCard

    set vpnsessionAction AC_WB_<THE_GATEWAY_IP_YOU_ENTERED> -sfGatewayAuthType smartCard

    4. In the GUI, from the XA/XD dashboard, click "Edit" to display the authentication policies.

    [#651851]

NetScaler Gateway

  • For PreAuth and PostAuth Logging, you must use the VPN parameter. If the clientSecurityLog value is modified in a session action whose session policy has a ClientSecurity expression as the rule, the clientSecurityLog value of the session action is not honored.

    [#602928]

  • If an automatic proxy script is configured on a client machine and split tunnel is ON, establishing a VPN tunnel makes all external websites, including a VPN server, inaccessible from Internet Explorer 11 if they are unreachable without a proxy.

    Workaround: Set the following registry value to 1 and restart Internet Explorer at least once: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures

    [#591311]

  • The appliance crashes during VPN session removal, while detaching the VPN session policies inherited from the VPN virtual server, because of inconsistent data structures.

    [#559257, 568456]

  • After resolving a double cvpn-ized URL for uploading images, the server still sends 404 error messages with a 200 OK response.

    [#580700, 612006]

  • The si_Cur_Clints counter increments whenever a transaction begins at a virtual server, and decrements when the corresponding server transaction completes. However, this counter is not always decremented correctly, resulting in incorrect statistics.

    [#595962]

  • When Unified Gateway is deployed with GSLB and sitePersistence is configured as ConnectionProxy, access to published applications with -ssotype selfauth does not work when the connection is proxied from one site to another.

    [#599435]

  • Portal Theme support for AAA TM is not available in admin partitions.

    [#641160]

  • After an HA failover, users cannot launch apps in WebFront until the page is refreshed.

    [#641524]

  • An error message appears when a user logs off from a StoreFront session, if Gateway logon uses SAML-based authentication in ICA Proxy mode.

    Workaround: Log off by closing the browser.

    [#646706]

  • Although the NetScaler software has been enhanced to support binding a NetScaler Gateway virtual server as the default virtual server of a content switching virtual server, this support is not yet available in a cluster setup.

    [#602637]

  • The VPN plugin resets the tunneled TCP connection if either party tries to close the connection by sending FIN.

    [#495596]

  • Single sign-on (SSO) to StoreFront fails if the TCP fast open option is enabled for the default TCP profile of a manually created NetScaler Gateway virtual server.

    [#656619]

  • The VPN session sync will fail when the NetScaler appliance is upgraded to 11.1.49.11.

    [#659848]

  • You cannot use the GatewayConfig.zip file to create multiple NetScaler Gateway virtual servers for StoreFront. Only the first virtual server configured completely through the new wizard is allowed to download GatewayConfig.zip. If the configuration of the first virtual server is not completed for all sections in the wizard, the virtual server is treated as incomplete, so the XenApp and XenDesktop wizard's Dashboard does not show the Download option.

    [#655158]

  • Copyright information is not translated from English to another language. The copyright information is displayed only in English.

    [#644559]

  • OPSWAT scan fails to detect System Center Endpoint Protection for Mac. The issue is assigned and under investigation.

    [#627508]

  • If an End User License Agreement (EULA) is bound to the VPN virtual server, the EULA checkbox does not appear if the nFactor authentication is enabled for NetScaler Gateway.

    [#615334]

  • Configuring a portal theme requires more than password authentication. You must also connect through an SSL VPN.

    [#621084, 622825]

  • If nfactor policies are bound to the AAA virtual server, the logon page of the virtual server is not displayed correctly by an Internet Explorer browser on a Windows mobile device.

    [#621962]

  • In a cluster, the "show bindings" command does not display Negotiate type authentication policies.

    [#627652]

  • If the Home Page Text labels are lengthy when you customize an RfWebUI based theme, the home-page user interface does not function properly. The following lengthy text labels can cause this problem:

    Apps Tab Label

    Desktop Tab Label

    Favorite Tab Label

    [#641529]

  • If a VPN session profile and RfWebUI portal theme are in use, end users cannot log on if the following are set to OFF:

    - ICA Proxy

    - Clientless VPN Mode

    - Transparent Interception and Client Choices

    [#639453]

  • If a user is on the intranet and the location based VPN is set to REMOTE, and the VPN plug-in is terminated or the PC is rebooted, the NetScaler Gateway plug-in displays an authentication prompt.

    [#638574]

  • A user bound to a large number of groups is unable to execute commands.

    [#636953]

  • In a FIPS deployment with SAML authentication, if the same NetScaler appliance is used for both SAML signing and SAML signature verification, the signature verification fails.

    [#635470]

  • After the preauthentication EPA scan completes, the cursor does not return to the index page.

    [#644385]

  • If you use CVPN to edit the home page, the embed code becomes corrupt.

    [#628835]

  • The wrong error message appears under the following set of conditions:

    - A VPN traffic action is configured with SSO OFF.

    - A samlSSOProfile is configured.

    - The user tries to set this samlSSOProfile on the VPN traffic action.

    [#643029]

  • The NetScaler appliance crashes when a corrupted NSB structure member is dereferenced.

    [#594963, 604548]

  • On the LDAP side, if the administrator sets the option to change the user password at the next logon, the X1 Theme is applied to the Password Change page. If the user clicks Submit without entering the password, the "You need to enter the password" prompt is shown in English, even on systems localized for a different language.

    [#647784]

  • If you access a NetScaler Gateway appliance from a browser set to a non-English language, and the page for changing an expired password uses the RfWebUI theme, the text on the page appears in English only.

    [#641558]

  • While you are using the XD/XA wizard on the NetScaler appliance, the GUI dashboard displays the "Web Interface FQDN" as the IP address, even if the domain name was provided during XA/XD wizard configuration.

    [#593927]

  • If a VPN virtual server is bound as the default virtual server to a content switching (CS) virtual server, the "show VPN virtual server" command does not display the details of the CS virtual server to which the VPN virtual server is bound.

    [#600205]

  • Global Server Load Balancing (GSLB) HTTP cookie based persistence does not work with NetScaler Gateway SSL VPN clients when the site prefix is a substring of a GSLB domain.

    [#656026]

  • When used for debugging, Internet Explorer issues 404 errors related to fonts because the NetScaler 11.1 landing page uses the Times New Roman font instead of Citrix Sans in the area where user name and password are displayed.

    [#654951]

  • Active user sessions GUI view shows Client IP as 0.0.0.0 and Server IP as 0.0.0.0 in the first row of each active user session.

    [#447670, 504936, 521963, 571041, 585030, 586840]

  • If the Label node in a LoginSchema configured for an nFactor setup contains text that includes CDATA tags and an ampersand (&) character, the text presented to the user is not displayed correctly. No other special characters cause a problem.

    [#648263]

  • Setting the monitor interval for entities configured as NextHOPServers is not supported.

    [#641952]

  • RADIUS group extraction fails, although authentication is successful.

    [#634868]

NetScaler SDX Appliance

  • After you install a new SSL certificate, the Management Service restarts, but the logon screen does not appear. Instead, an error message indicates that the appliance is DOWN. The message is incorrect.

    [#638038]

  • If, the first time you provision a NetScaler VPX appliance, you configure an LA interface for VRID or allowed VLAN, or specify a global base MAC address, the corresponding fields in the Management Service are blank when provisioning is completed.

    [#600793]

  • The CLI or GUI of a NetScaler instance running on a NetScaler SDX appliance does not display the actual state of the management ports.

    [#642709]

  • The Management Service command-line interface (CLI) might fail if you access it over Telnet by using a Perl script with a Net::Telnet object.

    [#608798]

  • In some cases, individual flow control (RX and TX) might not work for interfaces on the NetScaler SDX appliance.

    [#643853]

  • You can assign only 22 partition MAC addresses on the SDX Corinth platform. If you assign more than 22 partition MAC addresses, the virtual machine does not start.

    [#647534]

  • "XenServer HTTP not working" events can occur because of the system not assigning enough memory to the XenServer hypervisor. The cause is under investigation.

    [#600940]

  • Enabling trunkAllowedVlan on an interface with more than 100 VLANs might cause a spike in CPU usage.

    [#636978]

  • If you try to modify the trunkAllowedVlan parameter and the command fails, the existing trunkAllowedVlan list configured for the interface is deleted.

    [#632110]

  • LR channel MTU settings are not supported in the Management Service. You must set the MTU settings in the virtual machine.

    [#646977, 640003]

  • When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.

    Workaround: Delete the 10G LACP/static channel that has this issue and create it again.

    [#600152]

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in a NetScaler instance:

    ERROR: Operation timed out

    ERROR: Communication error with the packet engine

    [#638599]

NetScaler User Interface

  • After a failure, the configuration does not revert if the VPN virtual server is configured with existing IP_non_defaultPort.

    [#654479]

  • The new XenApp and XenDesktop wizard allows you to configure an HTTPS STA with an IP address, but importing the resulting configuration file into StoreFront fails.

    [#654474]

NetScaler VPX Appliance

  • In an ESX environment, a NetScaler VPX appliance configured with a VMXNET3 network interface does not support the autonegotiation feature. However, the NetScaler GUI shows this feature as ENABLED for the VMXNET3 network interface.

    [#641256]

  • Promiscuous Mode needs to be enabled for VMXNET3 interfaces at the ESX Hypervisor for IPv6 or LACP support.

    [#641748]

  • In an ESX environment, if a CLAG or Node LAG is created with one or more VMXNET3 interfaces on a NetScaler VPX appliance, the NetScaler GUI might show the MAC address of the CLAG or Node LAG as 00:00:00:00:00:00.

    [#642495]

  • Compatibility issues between Linux-KVM and the Intel XL710 interface might cause a NetScaler virtual appliance configured with a PCI passthrough to become unresponsive during startup.

    Workaround: Restart the Linux-KVM host.

    [#660139]

  • In an ESX environment, file transfer from a NetScaler instance to an external connection stalls if the MTU is changed during the file transfer.

    [#630639]

  • In an ESX environment, the Interface HAMON Configuration option is not available in the NetScaler GUI.

    [#641498]

  • If you add additional SR-IOV or PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV or PCI passthrough interfaces, the existing interface names might get corrupted.

    [#659827]

  • Untagged packets are allowed to pass through an SR-IOV VF interface (Intel 82599 NIC) if the VMware vCenter 6.0 Distributed Virtual Switch (DVS) is used to configure VLAN trunk mode.

    [#616044]

  • In ESX-5.5.0 (Patch-2456374), you cannot restart or shut down the NetScaler VPX instance from the VPX console.

    [#617922]

  • On a XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.

    [#652640]

  • If you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces always take precedence over the existing SR-IOV interfaces.

    [#660000]

  • When you disable, enable, or reset the PCI passthrough interface of a NetScaler virtual appliance, the physical link status is not updated accordingly.

    [#660159]

  • Enabling trunk mode with tagged VLAN settings on an SR-IOV interface fails with the following error message:

    "ERROR: Maximum number of tagged VLANs bound to the interface exceeded or the binding of this VLAN is not allowed on the interface."

    However, trunk mode with tagged VLAN settings is shown as enabled in the output of the following command:

    show interface summary

    [#657462]

  • If you use the following command to remove an allowed-VLAN list from an SR-IOV interface, the list is not removed, and therefore you cannot configure new VLAN settings for the interface.

    unset int -trunkallowedVlan

    Workaround: Restart the NetScaler virtual appliance.

    [#657468]

  • The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.

    [#657492]

  • In an ESX environment, a CLAG channel that includes a VMXNET3 interface might continue to send LACPDUs to its partner even when it is in the DETACHED state.

    [#642389]

Networking

  • In a high availability setup, the allowed VLAN list is not propagated or synchronized. Therefore, you have to configure the allowed VLAN list on both nodes.

    [#631592]

  • The NetScaler appliance might become unresponsive while processing a route dependency check for multiple recursive BGP routes if the next hop for any of the routes changes or goes down.

    [#625841]

  • If an interface and an IP address are bound to a VLAN, binding them to another VLAN fails with the following error message: "ERROR: Either the subnet is not directly connected or subnet already bound to another VLAN." The interface is unbound from its current VLAN and gets bound to the native VLAN.

    [#643341]

  • In a high availability setup, NSVLAN is synchronized to the secondary node as a regular VLAN if the same NSVLAN is not configured on the secondary node.

    [#629102]

  • VLAN trunk mode and allowed VLAN list configurations are not supported on Link Aggregation (LA) channels and redundant interface sets.

    [#590805]

  • Configuring the allowed VLAN list while the NetScaler appliance is processing traffic at line rate causes spikes in management CPU usage.

    [#638915]

  • If a VLAN specified in the allowed VLAN list of a trunk interface overlaps with the native VLAN of another interface, both the interfaces participate in packet processing on that VLAN.

    [#631589]

Platform

  • If you add an NTP time server by specifying the server name (host name), and the ns.conf file is very large, the result is a race condition in which the NTP daemon (NTPD) is started before host name services are ready.

    Workaround: Do one of the following:

    - Restart the NTP daemon after starting the NetScaler appliance.

    - Add the NTP server by specifying its IP address instead of its host name.

    [#573306]

  • A NetScaler VPX instance does not reboot successfully when deployed on a KVM Linux host with Xeon E5-26xx v2 processors.

    Workaround: Reload the kvm_intel module with enable_apicv=N parameter by using the following command:

    modprobe kvm_intel enable_apicv=N

    [#587727, 615203, 642617, 657386]

Policies

  • If a policy expression name is the same as its function name, subsequent use of the expression function results in an error. In addition, if you reboot the appliance and use the function in a running configuration, the policy expression receives errors, which results in a configuration loss.

    Workaround: Do not name a policy expression with the same name as its function. The simplest way to rename a policy expression is to add a prefix or suffix to the expression name (for example, myco_func or func_myco).

    [#637060]

  • The command for configuring a content filtering action is saved in the wrong order in the ns.conf file. Service is a mandatory parameter for adding a content filtering action, but the add content filter action command is saved before the command that adds the service. As a result, when the build is upgraded, the content filtering action is not configured as required.

    [#603551]

SSL

  • The number of SSL cards that are UP is not displayed for non-default partitions. Because SSL cards are shared between the default partition and the non-default partitions, the total number of SSL cards that are UP in all the non-default partitions is equal to the number of cards that are UP in the default partition.

    [#628914]

  • If you use the add crl command in release 9.3 to add a certificate revocation list (CRL) with refresh enabled, and you don't specify a method, the add crl command returns an error after an upgrade to a later release. Unlike 9.3, later releases do not have a default method.

    [#604061]

  • Even if an SSL service group does not have all the ECC curves bound to it, all the ECC curves become bound after the NetScaler appliance restarts.

    Workaround: Unbind the unwanted ECC curves.

    [#660090]

  • In a cluster deployment, some SSL configurations, such as ECC bindings and cipher bindings, on newly added nodes are not consistent with those on the CCO. Running the "force cluster sync" command on a node might also create inconsistencies in the configuration.

    [#648352]

  • If you restart the SafeNet network HSM, you must also restart the SafeNet gateway daemon.

    [#628067]

  • In a high availability (HA) setup, if the primary node supports a SafeNet HSM, the HSM configuration is propagated to the secondary node even though the secondary node is not configured to support the SafeNet HSM. For information about configuring an HA setup with SafeNet network HSMs, see the NetScaler documentation for SafeNet network HSM.

    [#628082]

  • If you run the command "sh ssl service group" on the cluster IP (CLIP) and nodes on a cluster setup, ECC curves are displayed as unbound from the CLIP.

    Workaround: Run the following commands:

    1. unbind ssl servicegroup <serviceGroupName> -eccCurveName <eccCurveName>

    2. bind ssl servicegroup <serviceGroupName> -eccCurveName <eccCurveName>

    Do not use the keyword ALL for eccCurveName, because it has display issues.

    [#660257]

  • If you have configured two SafeNet HSMs in a high availability setup on a standalone NetScaler appliance, and the primary HSM goes down, the secondary HSM does not serve traffic after a failover.

    [#628075]

  • If you create a custom cipher group and bind it to an SSL entity, the profile name "SSL_EMBEDDED_PROFILE" incorrectly appears in the output of the "show ciphergroup" command. This error does not occur if you enable the Default profile before creating the custom cipher group and binding it to the SSL entity.

    [#637230]

  • The output of the "stat ssl vserver" command includes the statistics for non-SSL virtual servers.

    [#627650]

  • ECDHE support with the SSLv3 protocol on the NetScaler appliance is not compatible with RFC 4492, because SSLv3 does not support extensions and ECDHE needs extension support.

    [#610588, 657755]

System

  • A hot swap from 10G to 1G speed fails on the link connected to the 10G interface.

    Auto-negotiation intermittently fails after a change in link status on a 10G interface with a 1G copper NIC connected to Cisco.

    Workaround: If the far-end interface fails to come up after a change in link status or SFP hot swap on the NetScaler appliance, manually configure the active NetScaler interface to match the far-end interface.

    [#513575]

  • If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.

    [#331889]

  • The HTML page rendering might fail if you insert a prebody script before the header tag. The HTML specification requires the character-encoding declaration to be serialized within the first 1024 bytes of the document, and the script might push the meta tag past the 1024 byte limit.

    [#305196, 393696]
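As an added example (not code from the Citrix documentation), the following Python checks whether a prebody insertion pushes a page's <meta charset> declaration past the 1024-byte limit described above, and shows a placement that keeps the declaration within it. The sample page, the script, and the before-<head> placement are constructed assumptions.

```python
import re

# The HTML specification requires the element carrying the character-encoding
# declaration to be serialized completely within the first 1024 bytes.
CHARSET_LIMIT = 1024

# Matches a <meta ... charset ...> tag up to and including its closing '>'.
META_CHARSET_RE = re.compile(rb"<meta\b[^>]*\bcharset\b[^>]*>", re.IGNORECASE)

# Constructed sample page (not from the original document).
PAGE = (
    b'<!DOCTYPE html><html><head><meta charset="utf-8"><title>t</title></head>'
    b"<body>hello</body></html>"
)
# Constructed prebody script of roughly 1 KB, the size a prebody insertion might add.
SCRIPT = b"<script>" + b"/* padding */" * 80 + b"</script>"


def charset_declaration_end(html: bytes):
    """Byte offset just past the end of the <meta charset> tag, or None if absent."""
    m = META_CHARSET_RE.search(html)
    return m.end() if m else None


def charset_within_limit(html: bytes) -> bool:
    """True if the encoding declaration is fully inside the first 1024 bytes."""
    end = charset_declaration_end(html)
    return end is not None and end <= CHARSET_LIMIT


def insert_before_head(html: bytes, script: bytes) -> bytes:
    """Insert a prebody script before the <head> tag (the placement the issue describes)."""
    idx = html.lower().find(b"<head")
    return script + html if idx < 0 else html[:idx] + script + html[idx:]


def insert_after_charset(html: bytes, script: bytes) -> bytes:
    """Safer placement: insert the script immediately after the charset declaration,
    so the declaration's position in the document is unchanged."""
    end = charset_declaration_end(html)
    if end is None:
        raise ValueError("no charset declaration to anchor on")
    return html[:end] + script + html[end:]


def prebody_budget(html: bytes) -> int:
    """Largest prebody size (bytes) that can go before <head> without pushing the
    charset declaration past the limit; 0 if there is no declaration."""
    end = charset_declaration_end(html)
    return max(0, CHARSET_LIMIT - end) if end is not None else 0


if __name__ == "__main__":
    print("original within limit:", charset_within_limit(PAGE))
    print("after prebody before <head>:", charset_within_limit(insert_before_head(PAGE, SCRIPT)))
    print("after prebody after charset:", charset_within_limit(insert_after_charset(PAGE, SCRIPT)))
    print("prebody budget before <head>:", prebody_budget(PAGE), "bytes")
```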

  • A memory leak is observed if AppFlow and AppQoE features are enabled.

    [#640545]

  • Connection failover might fail, if it is enabled on virtual servers that have the same IP address and port, but different listen policies.

    [#582087, 587620]

  • The default setting for auto-negotiation is 'OFF', which causes an error if you configure the interface from the SVM.

    [#598688]

  • When a client sends a small window size (less than 8190 bytes) in its request packet to a NetScaler appliance, the appliance advertises a window size of 8190 bytes to the back-end server. The server then sends up to 8190 bytes of data to the appliance, and the appliance, in transparent mode, forwards the same amount of data to the client, even if the client's actual window size is smaller than the window size the appliance advertised. If a device between the appliance and the client checks the window size before accepting the data, that device might drop the data that does not fit in the client's window.

    Workaround: Enable the end point device (for example, TCP Buffer) in the NetScaler appliance.

    [#622573]

  • With the ICA Proxy Appflow OFF, and the session reliability ON, the EPIC application shows a black screen when launched.

    Workaround: The black screen does not occur when the NetScaler appliance is bypassed. Changing either the AppFlow or the Session Reliability setting allows the app to launch.

    [#626193]

  • If VLAN filtering is enabled, a maximum of 256 VLANs are supported on the 10G and 40G interfaces of the SDX 14020/14040/14060/14080 40G and SDX 25100/25160 40G appliances. If you bind more than 256 VLANs, hardware filtering is automatically disabled on the interface and all filtering is done in the software on a virtual instance.

    [#594068]

  • When a NetScaler appliance sends a large number of packets on the wire and a few of them are randomly dropped in the network, multiple holes result. When the appliance retransmits the packets in these holes, packets are dropped at the network interface card (NIC).

    [#643929]

  • In a high availability environment, if you add Network Time Protocol (NTP) to a primary node by specifying the NTP server's DNS name, the command is not propagated to the secondary node.

    Workaround: Specify the NTP server's IP address.

    [#639529]

  • A NetScaler appliance does not open a new connection to the back-end server if the following set of conditions is met:

    - The global maxconn parameter is set to 1.

    - The appliance is unable to reuse the connection for probing.

    As a result, the transaction fails.

    [#636416]

  • By default, on a standalone NetScaler appliance, if the "Syn-Cookie" option is disabled on a TCP profile and the "SYN Attack Detection" option is enabled globally for TCP connections, the appliance automatically enables SYN-Cookie protection on the TCP profile when TCP SYN retransmissions cross the configured threshold.

    In a cluster deployment, TCP profile configurations on the cluster nodes might become inconsistent, because TCP profile setting changes apply locally on a node. To avoid this, either disable the "SYN Attack Detection" option globally or set a high TCP SYN retransmission threshold on all cluster nodes.

    [#647458, 646786]

  • A NetScaler appliance might not honor persistence for a load balancing virtual server with a wildcard configuration if information about the back-end server is not available.

    [#556385]

  • If an LACP channel is bound to nine or more interfaces and is a member of a tagged VLAN, deleting the channel from a service VM can cause the NetScaler appliance to fail intermittently.

    [#524320, 630772]

  • No Error or Warning is announced if a user tries to set trunk mode on the loopback interface.

    [#643131]

Telco

  • In a high availability setup, forcing synchronization does not synchronize Port Control Protocol (PCP) mappings to the secondary node.

    [#647630]