Product Documentation

Fixed Issues in Previous 11.0 Builds

Mar 30, 2016

The following issues were addressed in NetScaler 11.0 releases prior to Build 65.31. The build number provided below each issue description indicates the build in which the issue was addressed.


  • The "show aaa session" command causes a high level of CPU usage when executed with the "-username" or "-group" option.

    [From Build 63.16] [#577778, 595104, 595185]

  • When IBM Tivoli IdP is used for SAML authentication with the NetScaler appliance as the service provider, there could be an issue with SAML assertion verification.

    [From Build 64.34] [#540396]

  • When Kerberos token decryption fails, the NetScaler appliance responds with a 200 response containing an error message, instead of sending a 401 response.

    [From Build 64.34] [#567233, 593994]

  • Single sign-on to the server does not succeed when native clients, such as iOS clients, connect to the NetScaler appliance by using the ActiveSync protocol and send cookies along with the authorization header.

    [From Build 64.34] [#597221]

  • If the AAA virtual server is configured to use a non-Active Directory LDAP server, and an invalid password is used to log on, the NetScaler appliance becomes unresponsive.

    [From Build 64.34] [#599264, 610045]

  • The status of an LDAP server on the authentication dashboard of the NetScaler GUI is shown as UP, regardless of the actual status of the LDAP server, for the following combinations:

    - Security type is SSL and port is 389.

    - Security type is TLS or PLAINTEXT and port is 636.

    [From Build 64.34] [#567376, 567379, 592941]

  • The NetScaler appliance might become unresponsive if the persistence cookie feature is enabled in AAA-TM deployments.

    [From Build 64.34] [#599701, 607138, 608997]

Action Analytics

  • A global flag that tracks stream sessions when the ICMP traffic processing begins is not initiated properly.

    [From Build 64.34] [#595915, 602701]

Admin Partitions

  • When creating an admin partition, you can now set the memory limit to a minimum value of 5 MB.

    [From Build 64.34] [#580419]

  • In an admin partition, changes done to enable or disable a NetScaler feature or mode are not saved. Therefore, after the NetScaler appliance is rebooted, the status of the feature or mode is reset to its default value.

    [From Build 64.34] [#594845]

  • Partition administrators cannot upload scriptable monitor scripts to a partition. This can only be done by NetScaler superusers. Also, scriptable monitors for an admin partition cannot be configured by using the GUI.

    [From Build 64.34] [#583756]

  • Setting L2 and L3 parameters in Admin Partitions

    On a partitioned NetScaler appliance, the scope of updating the L2 and L3 parameters is as follows:

    - For L2 parameters that are set by using the "set L2Param" command, the following parameters can be updated only from the default partition, and their values are applicable to all the admin partitions: maxBridgeCollision, bdgSetting, garpOnVridIntf, garpReply, proxyArp, resetInterfaceOnHAfailover, and skip_proxying_bsd_traffic. The other L2 parameters can be updated in specific admin partitions, and their values are local to those partitions.

    - For L3 parameters that are set by using the "set L3Param" command, all parameters can be updated in specific admin partitions, and their values are local to those partitions. Similarly, the values that are updated in the default partition are applicable only to the default partition.

    [From Build 64.34] [#513564]


  • The order in which AppExpert evaluates application units cannot be changed. With this fix, the NetScaler GUI displays a burger icon for each application unit. After hovering over the icon, you can move an application unit up or down in the order of evaluation.

    Navigation: Configuration > AppExpert > Application > Application Unit section

    [From Build 64.34] [#567425]


  • When routes are updated after an AppFlow collector is added, the NetScaler appliance sends ARP requests for the AppFlow collector IP address, even when the collector is reachable only through a router.

    [From Build 63.16] [#574420]

  • The NetScaler appliance might become unresponsive if you enable the client side measurement option for an AppFlow action.

    [From Build 64.34] [#595238]

  • The NetScaler appliance might become unresponsive if a request generated by a client is corrupted after execution of the client-side measurement script. This issue can occur if you enable the client side measurement option for an AppFlow action.

    [From Build 64.34] [#601915, 601924, 607217]

Application Firewall

  • If, when processing a form for response-side security check inspection, the application firewall resets a connection, the partially parsed form is not freed. The result is a memory leak. With this fix, the memory allocated to the partially parsed forms is freed when a connection is reset.

    [From Build 62.10] [#572637, 581520]

  • After processing a request that consists of multiple headers of the same type, a subsequent request might invoke a 302 response due to the way the application firewall stores the information regarding the parsed headers. With this fix, the variable which stores the information regarding the headers is reinitialized accurately prior to processing the next request.

    [From Build 62.10, 63.16] [#580564]

  • During an application firewall security check inspection, a compressed response from the server might trigger a violation if the XML format check is enabled. With this fix, the Accept-Encoding request header is removed when the XML protections are enabled. If content compression is enabled on the server, the XML check inspection is bypassed when the server sends a compressed response.

    [From Build 63.16] [#580273]

  • The NetScaler appliance might become unresponsive when processing a request, because of an interoperability issue between the application firewall, SSL, and the responder module. The issue arises under the following set of circumstances:

    - The configuration includes an application firewall profile protecting an SSL virtual server.

    - A responder policy is configured to reset the connection, and this policy is bound either globally or to the virtual server that receives the request.

    [From Build 63.16, 64.34] [#592429, 612052]

  • The Citrix application firewall silently resets the connection when it receives a malformed or invalid request. With this fix, the application firewall logs such events.

    [From Build 63.16] [#577742]

  • The NetScaler application firewall terminates the connection when the request comes with a tampered session cookie and the cookie protection is enabled.

    [From Build 63.16, 64.34] [#574498, 591172]

  • The Skip operation for the application firewall learned rules might take longer than expected.

    [From Build 63.16] [#547978]

  • The NetScaler appliance might fail when the application firewall is processing the cookie header(s) in an HTTP request. This occurs when the cookie transform action is enabled and all other security checks that apply to establishing a user session are disabled.

    [From Build 63.16, 64.34] [#591176, 593996, 597440, 601359]

  • If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

    [From Build 63.16] [#372768]

  • NetScaler application firewall resets the connection when the request contains tampered session cookie and the cookie protection is enabled.

    [From Build 63.16, 64.34] [#591172, 574498]

  • If learning thresholds for the application firewall security checks are set to a value greater than 1, the configuration utility displays the following error message when you try to access the learned data: "communication error with aslearn."

    Workaround: Use the command line interface (CLI) to access the learned data.

    [From Build 63.16] [#584621]

  • When a user-defined application firewall signature object is updated by using the configuration utility, the enabled rules might get disabled and the configured actions in some signature rules might not be preserved.

    [From Build 64.34] [#561567]

  • In a cluster deployment, accessing the application firewall learned data might display "Error in retrieving Application Firewall learning data. Communication error with aslearn". This error is triggered if buffer overflow occurs when the cluster configuration coordinator tries to get learned data from the other nodes of the cluster.

    [From Build 64.34] [#607187]

  • If the application firewall cookie proxy check is enabled and the server tries to expire and modify the same cookie in the same response, the NetScaler appliance might fail because of memory corruption.

    [From Build 64.34] [#603694, 609394]

  • When the application firewall redirects a blocked request to a customized error page, the ${NS_APPFW_SESSION_ID} variable on the error page might not display the session ID accurately. If the request does not contain a session cookie, the variable might display a hyphen (-) instead of the session ID.

    [From Build 64.34] [#599052]

  • The NetScaler appliance might fail when the application firewall receives an HTTP response with an attribute value that exceeds 1 MB in length.

    [From Build 64.34] [#592018]

  • The application firewall has extended external format signature support for a new scan tool called WebInspect. The WebInspect scan tool, provided by Hewlett Packard (HP), is designed to analyze the web applications and web services for security vulnerabilities. As stated in the following Data Sheet link from HP, "WebInspect provides the broadest dynamic application security testing coverage and detects new types of vulnerabilities that often go undetected by black-box security testing technologies":

    See" for the details of importing and configuring signatures.

    [From Build 64.34] [#588914, 609060]

  • Application firewall profiles that are exported and archived from one build cannot be restored to a system running a different build, because changes introduced in the newer releases can lead to compatibility issues. With this fix, the application firewall now logs an error message, in ns.log, if you attempt to restore an archived profile to a different build than the one from which it was exported.

    [From Build 64.34] [#601064]

  • The application firewall buffers the entire request for security check inspections. Therefore, when the client sends the expect 100-continue header in the request, the application firewall sends the 100-continue response to get the entire request from the client. The application firewall modifies the expect 100-continue header received from the client and corrupts it before forwarding the processed request to the server. In the 11.0 release, the header was not corrupted before the request was forwarded to the server. With this fix, the expect 100-continue header from the client is modified and a corrupted header is sent to the server.

    [From Build 64.34] [#598607]

  • The signatures version might not get updated correctly if the updated_signatures.xml file is present in the /nsconfig folder. With this fix, this file is removed during build installation and the version of the application firewall signatures is updated accurately.

    [From Build 64.34] [#588640]

  • When URLTransform or CVPN policies are configured, application firewall code is invoked to validate the HTTP packet information even if the application firewall feature is disabled. When streaming code is engaged, the application firewall does not process the conditional headers accurately and might reset the connection and respond with RST code 9856. With this fix, parsing and validating the request headers is handled correctly by the application firewall module.

    [From Build 64.34] [#593960, 605920]


  • In a cluster setup, for active FTP, the server cannot initiate a data connection from a random port.

    [From Build 62.10] [#559230, 571042]

  • You cannot add LB routes in a link load balancing setup that is deployed on a cluster.

    [From Build 62.10] [#574717]

  • In a NetScaler cluster, a "sh nslogaction" command that is issued from the NSIP address of a cluster node goes into an infinite loop. The issue is not observed when the command is issued from the cluster IP address.

    [From Build 62.10] [#574333, 573645]

  • In a cluster setup, a command that is executed on the cluster configuration coordinator is propagated to the other cluster nodes. Therefore, a command that takes a long time to complete (such as "save ns config"), can take a little extra time to complete on all the cluster nodes. During this time, if you execute another command on the cluster (through another session), that command will fail because the previous command is not yet complete.

    [From Build 63.16] [#551607, 495270, 562651]

  • When WIonNS is deployed in a cluster setup, if you add a service that points to the NSIP of a newly joined node, the command fails on the newly joined node but succeeds on the other cluster nodes.

    [From Build 64.34] [#584699]

  • A NetScaler cluster does not respond to cURL HTTP requests from outside the datacenter, because the Path MTU Discovery (PMTUD) mode gets disabled when a cluster is created.

    [From Build 64.34] [#541223]

Command Line Interface

  • A customized CLI prompt is not persisted after rebooting the appliance.

    [From Build 63.16] [#583625]

Configuration Utility

  • The operation to download the nstrace file from the configuration utility fails.

    [From Build 62.10, 63.16] [#571814, 581955]

  • You cannot configure the service path AVP by using the configuration utility.

    Workaround: Use the NetScaler command line to configure the service path AVP. At the command prompt, type:

    set subscriber gxinterface -servicepathAVP 1001 1005

    [From Build 62.10, 63.16] [#576603]

  • The values for the parameters on the "Configure Load Balancing Parameters" page do not appear even though they have been set.

    [From Build 63.16] [#583741]

  • SUBSCRIBER expressions do not appear in the list for rewrite and responder policies and action.

    [From Build 63.16] [#583751]

  • If you start an nstrace while another instance is already running, the configuration utility does not offer an option to stop the running instance. You have to log in through the command line interface to stop the trace.

    [From Build 64.34] [#603476]

  • You cannot add user-defined values for the user name and group name fields on the Authentication CERT Profile page.

    With this fix, you can specify a user-defined value by navigating to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > CERT > Profiles or NetScaler Gateway > Policies > Authentication > CERT > Profiles and selecting New in the User Name Field list and the Group Name Field list.

    [From Build 64.34] [#597708]

  • The configuration utility does not reflect the correct count of cached objects whereas this number is shown correctly through the command line interface.

    [From Build 64.34] [#607622, 608517]

  • When an HTML page is imported, the content is copied to /nsconfig/ssl and then to /var/download/responder. The content is not removed from /nsconfig/ssl, although it serves no purpose there. With this fix, the content is copied directly to /var/download/responder.

    [From Build 64.34] [#590268]

  • The integrated caching feature is not available on the GUI.

    [From Build 64.34] [#601429]

  • If you are using the configuration utility to run diagnostics on the NetScaler appliance, you cannot specify a traffic domain.

    [From Build 64.34] [#609334]

  • If you create a cipher group and do not add any ciphers to it, an error message appears when you try to open the cipher group in the configuration utility.

    [From Build 64.34] [#604646]

  • If you click a VLAN in the network visualizer, details such as VLAN ID and bound interfaces are not displayed in a separate pane.

    [From Build 64.34] [#540943]

Content Switching

  • If a large number of content switching policies are bound to a content switching virtual server, using the configuration utility to bind a new policy without explicitly assigning a priority might result in the policy being assigned the priority of the first policy on the next page of the display. Since a policy is already assigned that priority, an error message stating that the priority is already used appears.

    [From Build 64.34] [#601203]


  • The query logs contain incorrect information if the UDP payload size in the OPT record is not 1280. Also, if a load balancing virtual server on the NetScaler appliance receives a request with the CD bit set, and the "RecursionAvailable" parameter is disabled on the DNS or DNS-TCP load balancing virtual server, the CD bit is not logged.

    [From Build 63.16] [#579942]

  • The NetScaler appliance fails if there is a cache miss when the backend DNS server is accessed directly through the NetScaler appliance.

    [From Build 64.34] [#609074]

  • If, while a DNS-TCP client request is in surge queue, the NetScaler appliance receives a FIN from the client and responds with a FIN or ACK before the queued request is forwarded to the backend server, the appliance might fail.

    [From Build 64.34] [#581723]


  • GSLB virtual server configured with Dynamic Proximity as LB method fails.

    [From Build 63.16] [#578969]

  • If you have configured the canonical name as the GSLB domain on the NetScaler appliance and the backend server returns the CNAME record without the requested record, the appliance replaces the TTL value of the GSLB domain with the TTL value of the CNAME record.

    [From Build 63.16] [#582925]

  • GSLB Service Selection using Content Switching

    Description: You can now configure a content switching (CS) policy to customize a GSLB deployment so that you can:

    * Restrict the selection of a GSLB service to a subset of GSLB services bound to a GSLB virtual server for the given domain.

    * Apply different Load Balancing methods on the different subsets of GSLB services in the deployment.

    * Apply spillover policies on a subset of GSLB services, and you can have a backup for a subset of GSLB services.

    * Configure a subset of GSLB services to serve a specific type of content.

    * Define a subset of GSLB services with different priorities, and define the order in which the services in the subset are applied to a request.

    For more information, see Configuring GSLB Service Selection Using Content Switching.

    [From Build 64.34] [#503588]

  • If a server entity (for example, a server IP address or server name) is associated with both a GSLB entity and a non-GSLB entity on a GSLB site, and the GSLB configuration is synced to another site that does not include this server entity, the synchronization removes the server entity and all other entities associated with that server.

    [From Build 64.34] [#590336]

  • Initiating 280k SIP sessions with 40k subscribers might cause the NetScaler appliance to fail.

    [From Build 64.34] [#582459, 591247]

High Availability

  • The HA traffic between the HA pair is abnormally high. This issue is caused by a loop that repeatedly tries to push the same sessions to the secondary appliance after failover.

    [From Build 63.16] [#560640, 566710, 576012, 576096, 579037, 582354, 590730]

  • When there is an HA issue, the synchronization of persistence sessions between the primary and secondary appliances can fail. As a result, some of the persistence sessions might not be replicated on the secondary appliance.

    [From Build 63.16, 64.34] [#580703, 579037, 595491, 595506, 596002, 596215, 599250, 599396, 604164, 605112, 608450, 608485, 595104, 610589]

Load Balancing

  • When editing a service group in the configuration utility, the cacheable option is automatically set to true.

    [From Build 63.16] [#592235]

  • In a load balancing group configuration, the "sh run" command sometimes runs in a loop, which exponentially increases the size of the temporary configuration file. As a result, saving the configuration and synchronizing the nodes in a high availability setup might fail.

    [From Build 63.16] [#587812, 598499, 601918]

  • If an SSL monitor is bound to a domain-based service that is configured with non-default SSL settings, the monitor might not show the service as UP.

    [From Build 63.16] [#575171, 576012]

  • The appliance fails if non-reachable autoscale entities that are part of a service group later become reachable and, in the interim, the service group name has changed.

    [From Build 63.16] [#583647]

  • In a high availability setup, if a large number of services and service groups are configured, service state updates might fail because of a timer issue.

    [From Build 64.34] [#605596, 609999]

  • In a link load balancing (LLB) deployment, if persistence is enabled on a NetScaler appliance and a policy based routing (PBR) or LB route is configured, the appliance might fail intermittently.

    [From Build 64.34] [#554841]

  • If the channel between the primary node and the secondary node is disrupted, the session deletion information sent from the primary node to the secondary node might get lost. As a result, while the persistent sessions are reduced to zero on the primary node, the secondary node reaches its limit.

    [From Build 64.34] [#596524, 597295]

  • While probing the back-end HTTP server by using an HTTP monitor, the appliance does not send the port number in the HTTP host header. This behavior is not compliant with RFC 2616.

    [From Build 64.34] [#564295]

  • In a link load balancing (LLB) deployment, if persistence is enabled on a NetScaler appliance and a policy based routing (PBR) or LB route is configured, the appliance might fail intermittently.

    [From Build 64.34] [#574137]

  • In certain cases, if the name of an FTP virtual server is greater than 32 characters, the virtual server lookup fails and the request is not served.

    [From Build 64.34] [#566644]

  • A secure StoreFront monitor intermittently fails to send probes.

    Workaround: If your deployment allows non-secure connections, use a non-secure StoreFront monitor.

    [From Build 64.34] [#559164, 582153]


  • For the .NET SDK, when "nitro.dll" is used along with a version later than 4.0 of the "Newtonsoft.json.dll" file, "private" properties cannot be serialized.

    [From Build 63.16] [#567162, 571309]

  • The TCP connection is not persistent for NITRO requests. Therefore, the underlying TCP connection is getting closed for each NITRO request.

    [From Build 63.16] [#583395, 457969]

  • The NetScaler appliance might become unresponsive when a NITRO request is fetching a large number of bound entities.

    [From Build 64.34] [#530805, 562748, 567856]

NetScaler Gateway

  • In a double hop setup, when SSL relay is enabled for XenApp and XenDesktop, the XenApp or XenDesktop resource launch fails. The builds affected: 10.1-118.X to 10.5-55.8.

    [From Build 62.10, 64.34] [#550877]

  • The Expression editor is missing the following new policy expressions: ICA.SERVER.IP, ICA.SERVER.IPV6, ICA.SERVER.PORT.

    [From Build 62.10] [#575468]

  • The Total AAA Session Graph always shows 5 active sessions, even when there are no active AAA sessions.

    [From Build 62.10] [#573304]

  • When going to NetScaler Gateway > Policies > Content Switching, the breadcrumb shows Traffic Mgmt > Content Switching > Policies. The breadcrumb appears to be incorrect.

    [From Build 62.10] [#572614]

  • When launching applications through NetScaler Gateway, which has an AppFlow policy bound with the type of OTHERTCP_REQUEST, the Gateway can fail. This failure is not seen if the AppFlow policy is bound with the type ICA_REQUEST.

    [From Build 62.10, 63.16] [#582075, 587347]

  • An internet connection is required for publisher verification for the NetScaler Gateway plug-in for Windows. If not connected to the internet when downloading the plug-in from the NetScaler Gateway, the error 'Publisher AGEE_setup.exe couldn't be verified' occurs.

    [From Build 62.10] [#553463, 558963]

  • The plug-in crashes when VPN logout is performed from the browser.

    As a result, the logout page, which directs the user to the login page, does not load in the browser.

    Workaround:

    Manually type the NSG URL in the browser to log in again.

    [From Build 62.10] [#576215]

  • An unintentional automatic Linux exit happens under the following conditions:

    * The NetScaler appliance is configured for dual, certificate authentication and LDAP authentication.

    * The subject field of the client certificate doesn't contain an email attribute value.

    [From Build 62.10] [#571281]

  • If you create a portal theme, avoid using a name with spaces. Use an underscore instead of a space.

    [From Build 62.10] [#548269]

  • Clearing the configuration does not remove the Themes directory from the NetScaler appliance's drive. If you want to remove this directory, use the shell to delete it from the following path:


    To remove just the EULA-string nodes, delete them from the following path:


    [From Build 62.10] [#549128]

  • If NetScaler Gateway is used to access SSL backend resources over Clientless VPN (CVPN) or SecureBrowse mode using a forward proxy, then in the event that client/browser is very slow in sending POST requests to gateway, the request times out.

    [From Build 62.10] [#557909]

  • The Locale settings have been moved out of the Look and Feel section. There are now 2 separate sections:

    - Section 1 is for setting the attributes related to the Look and Feel of portal pages.

    - Section 2 is for choosing a locale.

    Users can choose a locale to edit labels/texts for portal pages.

    [From Build 62.10] [#571754]

  • EULA feature: The EULA on a fresh Hyper-V image issues an error. It works fine for upgraded builds. Workaround:

    1) Go to the NetScaler shell.

    2) type the command: # perl /var/netscaler/logon/themes/EULA/

    Now an EULA can be configured using the Management GUI.

    [From Build 62.10] [#564048]

  • When accessing SharePoint 2007 through Clientless VPN, the VPN session terminates, and some URL requests are not rewritten in Clientless VPN mode.

    [From Build 62.10] [#567887]

  • App/VDA launch via HTML5 receiver fails when using Firefox.

    [From Build 62.10] [#570690]

  • When logging into NetScaler 11.0 using a clientless VPN, SharePoint 2013 does not load correctly. The SharePoint folders are not accessible.

    [From Build 62.10] [#580737]

  • An error message is issued when a user tries to bind a CS policy to the VPN virtual server (CS-AG feature). The CS policy points to a VPN virtual server (Unified-Gateway feature). This is an expected behavior. The error message was improved to convey that it is an expected behavior.

    [From Build 62.10] [#572889]

  • In a Chrome browser, the home page is sometimes blank. Refreshing the page resolves the issue.

    [From Build 62.10] [#574173]

  • Applicable only for Mac VPN clients

    Chrome is phasing out NPAPI support. From Chrome version 42+ all NPAPI plugins will appear as if they are not installed. This will affect all existing customers. Affected customers will see a download prompt even though the VPN plugin is installed.

    Workaround: Google has announced that Chrome will stop supporting NPAPI completely in version 45.

    Until then, you can enable NPAPI as follows:

    1) In the Chrome URL bar, type:


    2) Enable the "Enable NPAPI" option.

    3) Restart Chrome.

    For more information about NPAPI deprecation, see

    [From Build 62.10] [#572447, 574353, 575609]

  • Applications configured with SAML or NetScaler self-authentication, on a Unified Gateway portal, return the following 403 error message: Not a privileged user.

    [From Build 62.10] [#574949, 575938]

  • When the maxAAAUsers parameter is UNSET on a VPN virtual server, NetScaler Gateway does not update the value to the previously set value. As a result, the number of users allowed on a VPN virtual server cannot be increased by applying an UNSET operation. Administrators need to configure a SET operation as a workaround.

    For example, if the administrator configures 10 as the maxAAAUsers value, then issues a SET operation for 5, and then issues an UNSET, the number of allowed users does not go back to 10 users.

    [From Build 62.10] [#576063]

  • Some Unified Gateway traffic management sessions do not terminate at VPN logout.

    [From Build 62.10] [#575512, 575521]

  • When a VPN works as a SAML SP in a two-factor case, and if the Get /vpn/index after /cgi/samlauth comes to the same core, NetScaler resends the SAML Auth request.

    Intermittent issues appear in multi-core systems. It works normally if both requests go to different cores.

    [From Build 62.10] [#576414]

  • When NetScaler Gateway is configured in a striped cluster, and a force cluster sync operation is done on a non-CCO node, subsequent access can cause the NetScaler Gateway appliance to crash.

    [From Build 62.10] [#576522]

  • The Unified Gateway Wizard for XenDesktop/XenApp Application creates wrong configurations with the StoreFront option. The client launches the Java plug-in instead of the Win/Mac/iOS/Android plug-in.

    [From Build 62.10] [#576275]

  • When the HTTP/2 Protocol is used to access the VPN with external authentication, the transaction will not go through. Ensure HTTP/2 is disabled in nshttp_default_strict_profile.

    [From Build 62.10] [#574742]

  • The Mac OS Endpoint Analysis (EPA) client only supports TLS1.0 and thus cannot perform EPA if the server has only TLS1.1/1.2 enabled.

    There is no workaround for this problem, but a customer can still perform EPA with the Mac VPN plugin. EPA from a browser will not be available if TLS1.0 is not enabled.

    [From Build 63.16] [#572969]

  • Changes made to the Login page using the GUI are not reflected on the virtual server login page.


    1. Use any browser other than IE to make changes to Portal themes.

    [From Build 63.16] [#586483]

  • If an invalid certificate is selected as part of login, when certificate Authentication is optional, and two factor authentication is ON, the login fails as expected. But an app saves the certificate, though login failed. The user has to manually delete the saved certificate from the EditConnection Page to retry with a valid/no certificate.

    [From Build 63.16] [#575047]

  • The NetScaler counters, used to verify connected users, display a value that does not reflect actual connections.

    [From Build 63.16] [#490991, 398874]

  • The Client and EPA Plug-ins don't work with the latest Chrome versions as support for NPAPI is disabled by default. The support will be deprecated entirely in Chrome version 45 in September 2015.

    From Chrome version 42, all NPAPI plugins will appear as if they are not installed. This will affect customers upgrading from 10.5 to 11.0. This is also applicable to customers who upgrade from 11.0 Beta builds and later Release builds. Affected customers will see a download prompt even though the VPN or EPA plugin is installed.


    There is no workaround to enable NPAPI for Chrome on Linux.

    Users need to use a browser which allows NPAPI (e.g. Firefox).

    More about NPAPI deprecation in Chrome browsers can be found at:

    [From Build 63.16] [#574355]

  • Smart Control does not work for applications that have SSL relay enabled on the server with few ICAPOLICY rules.

    [From Build 63.16, 64.34] [#570437]

  • During the installation of Logon Point, the following error message was issued: "Couldn't execute error".

    [From Build 63.16] [#578144, 582708, 583061, 583300, 593263]

  • RPC (Remote Procedure Call) over HTTP communication is blocked if the AppFlow or HTML Injection features are enabled.

    [From Build 63.16, 64.34] [#592904, 593008, 594149, 595496]

  • Audio over UDP is not supported with ICA sessiontimeout enabled or with Smart Control.

    [From Build 63.16] [#572850]

  • The Portal Customization feature does not offer the option to cancel or remove the default GUI or custom GUI images.

    [From Build 63.16] [#572723, 555553]

  • End users are experiencing performance degradation when connecting to their Avaya One-X via VPN connection. End users are able to establish 3-5 calls before the symptoms are exhibited. However, after a period of time, we are able to make calls again. The quality starts to decrease after the first few phone calls are made.

    The workaround is to restart the VPN connection.

    [From Build 64.34] [#578469]

  • NetScaler Gateway sends the wrong error code back to the user when the active directory password has expired, and the user tries to change the password and violates password complexity rules.

    [From Build 64.34] [#564885, 593869, 606564]

  • Two NetScaler appliances rebooted themselves because the TACACS accounting code crashed. The crash occurred due to the presence of an invalid flag in the clientPCB.

    [From Build 64.34] [#546122]

  • Client traffic can slow down if ALL of the following conditions are satisfied:

    - Single Sign-on (SSO) is ON.

    - An HTTP POST request that requires SSO is involved.

    - NTLM authentication is needed to authenticate to back-end.

    - A large payload (greater than 2 MB) is being transferred.

    - The back-end server is responding slowly.

    This issue is unlikely to occur if ANY ONE of the following conditions is satisfied:

    - HTTP POST request Payload is in KBs.

    - Back-end authentication method is non-NTLM (such as AGBasic, Form-based SSO, and KCD).

    - Non-HTTP POST request involved.

    - SSO is not involved or disabled.

    Workaround: Disable SSO for HTTP POST request.

    [From Build 64.34] [#592982, 605622]

  • On a Windows 10 system, if users log off from the NetScaler Gateway portal, the Windows VPN plugin crashes intermittently. As a workaround, users may use the VPN plugin's context menu to log out.

    [From Build 64.34] [#579788, 572866, 581274]

  • NetScaler unexpectedly terminates when accessing network share using the following apps: iOS Sharefile app /MDX Wrapped app.

    [From Build 64.34] [#594994, 610020]

  • You cannot bind an ECC curve to a NetScaler Gateway virtual server by using the NetScaler GUI.

    [From Build 64.34] [#607474]

  • The NetScaler EPA (Endpoint Analysis) timeout was increased to 5 minutes.

    [From Build 64.34] [#604253]

  • If the WI home is configured with FQDN, NetScaler modifies the host header with the IP address of the WI server when sending traffic to WI server. Similarly, if wihome is configured with the IP address, that IP address is sent in the host header to the WI server. In both these cases, the WI server returns an error.

    After the fix, the host header is updated to the FQDN in the wihome as opposed to the IP address. In cases where the wihome FQDN resolves to the domain based server on NetScaler, the host header is updated with the FQDN of the domain based server.

    [From Build 64.34] [#586921, 586949, 598624]

  • Applications using more than 128 simultaneous connections over VPN fail on Windows machines.

    [From Build 64.34] [#596994]

  • The NetScaler appliance crashed due to invalid memory access. The memory allocation failure occurred due to a bug processing a cookie.

    [From Build 64.34] [#601668]

  • If SSL SessionReuse is enabled on the Gateway virtual server and a user cancels the certificate authentication prompt at the time of login, the user sees an error. However, at times, a browser refresh shows the login page and allows access.

    Workaround: SessionReuse should be disabled.

    [From Build 64.34] [#597963]

  • For a VPN virtual server with ipaddress -, listen policies and services are not allowed to be set. The NetScaler appliance terminated due to invalid memory access.

    [From Build 64.34] [#597615]

  • In Unified Gateway deployment, if there are no matching Content Switching policies for the storefront requests in ICA Proxy mode, and default Load Balancing is used for serving this traffic, the NetScaler appliance might fail.

    [From Build 64.34] [#597556]

  • While assigning an IntranetIP, if NetScaler Gateway finds a duplicate, it cleans up the associated session. In this process, the Gateway might occasionally fail.

    [From Build 64.34] [#596826]

  • The EPA may fail if a high number of EPA scans are configured.

    [From Build 64.34] [#596103]

  • If you remove a Negotiate authentication profile that is available on NetScaler Gateway, the appliance can fail when checking for incorrect IPv6 mapping.

    [From Build 64.34] [#594224, 595596]

  • The RDP Proxy messages were enhanced to include information concerning the controls that are in place at the connection.

    [From Build 64.34] [#593412]

  • The NetScaler appliance connected to the Linux SSL VPN client, but could not connect to the DNS lookups. After a reboot of the appliance, the NetScaler appliance connected to the Linux SSL VPN client and the DNS lookups worked fine.

    [From Build 64.34] [#599410]

  • With ICA policies configured or with ICA session timeout enabled, and with Storefront 3.0 configured, Apps/Desktops won't launch because of a change in Storefront behavior that the NetScaler is not handling.

    [From Build 64.34] [#593023, 593026, 597946]

  • When the NetScaler Gateway virtual server is bound to a Content Switching virtual server, all web socket connections are passed to the NetScaler Gateway virtual server.

    [From Build 64.34] [#592828]

  • The NetScaler appliance experienced a system error due to a memory corruption issue.

    [From Build 64.34] [#587825]

  • If a user logs into a receiver on a machine, which is configured to use an AutoProxy Script, and that AutoProxy script URL is unreachable, the login fails.

    [From Build 64.34] [#585722]

  • A crash occurs when the packet engine is set up with an async call with a NULL NSB pointer.

    [From Build 64.34] [#578889]

  • The customer experiences long set up times when using the following plug-ins: V10.1-128.8 or V10.5-55.8. If they downgrade back to receiver plugin 10.0-54.6, the issue disappears and they see immediate VPN setup times.

    [From Build 64.34] [#579027]

  • When a user tries to access the system and if that connection gets terminated while authentication is in progress, NetScaler might fail.

    [From Build 64.34] [#574377]

  • When users from the INTL domain log in via NetScaler (dual factor with RADIUS) by entering the username only (no domain information on the login page), the login fails. When users from the Corp domain log in via NetScaler (dual factor with RADIUS) by entering the username only (no domain information on the logon page), it works. The above is expected behavior. Storefront needs the domain\username information when a user from the INTL domain logs on. When the domain\username format is entered on the NetScaler login page, RADIUS rejects the login and does not pass the domain\username information to the Storefront server, so the login fails.

    [From Build 64.34] [#573406]

  • Single sign on (SSO) for the NavUI file share view does not honor the ssocredential configuration on the authentication action, and instead sends only the username from the authentication session. If a domain is configured to accept something other than the session username, SSO will fail. This fix makes NavUI file share properly honor the ssocredential setting and send what the administrator has configured.

    [From Build 64.34] [#607507]

  • Terminal Access Controller Access Control System (TACACS) counting sometimes causes memory corruption and the authentication daemon crashes. Multiple crashes of the authentication daemon lead to the NetScaler rebooting.

    [From Build 64.34] [#550695, 594062]

  • The RDP Proxy feature on NetScaler Gateway now requires special licensing, and needs to be explicitly enabled using the 'enable feature rdpproxy' command. In addition, the 'psk' attribute, used to protect the user information sent to the STA server, is now mandatory whenever a rdpserverprofile is configured.

    [From Build 64.34] [#543064, 518094, 527616]

  • When configuring DTLS to be ON on an existing virtual server, unbind and rebind the SSL cert-key pair bound to the virtual server to connect with DTLS. If this is not done, the DTLS connection handshake between the client and the NetScaler Gateway appliance fails. After rebinding the SSL certkey pair, the handshake is accepted and the DTLS traffic goes through.

    [From Build 64.34] [#532891, 604570]

  • The Federated Service SSO fails when using the browser to access the NetScaler appliance.

    [From Build 64.34] [#582973]

NetScaler Insight Center

  • The NetScaler Insight Center appliance might fail and not respond, when you add, update, or delete the private IP address block that is used for geo location.

    [From Build 62.10] [#576477, 581927]

  • The NetScaler Insight Center appliance throws an error when modifying the name of a threshold record. To fix this issue, the name field has been made read-only.

    [From Build 62.10] [#573550]

  • An exported report displays the time duration as "custom" irrespective of the time duration selected in the report.

    [From Build 62.10] [#577426]

  • Media Classification Support for Insight Center

    Web Insight supports content and media type classification reports. Viewing these features is optional, similar to the existing HTTP header fields (User Agents, Operating Systems, Request Methods, and so on). You can enable or disable these features from the Configuration section. For media classification and the httpContentType AppFlow parameter, you must first enable AppFlow on the virtual server from the Insight Center configuration.

    Insight Center's Web Insight dashboard reports the following media types:

    1) Uncategorized

    2) FLV F4V Audio

    3) FLV F4V Video

    4) MP4 M4V Audio

    5) MP4 M4V Video

    6) GP 3G2 Video

    7) ADTS Audio

    8) APPLE Video

    9) MICROSOFT Video

    10) AAC Audio


    12) APPLE PLAYLIST Video

    13) MP3 Audio

    14) Unknown

    [From Build 62.10] [#558890]

  • If there are more than 25 records to display in the skip flow window, then only 25 records are displayed as the window does not provide support for pagination.

    [From Build 62.10] [#576471]

  • The NetScaler appliance might become unresponsive if Appflow reporting is enabled for ICA traffic and network disruptions occur while the ICA connections are being processed.

    [From Build 63.16] [#580581, 580579, 583831, 584155, 589925, 590656, 594604, 595717, 595718, 595719]

  • If you enable the Appflow feature, the NetScaler appliance might become unresponsive while processing ICA connections.

    [From Build 63.16] [#584795]

  • The NTP server configuration on NetScaler Insight Center is not propagated to the connector, agent, and database nodes.

    [From Build 63.16] [#579777]

  • Poor performance or latency is observed while accessing published applications over plain ICA port 1494 when AppFlow is enabled. This issue is not observed on ICA over CGP port 2598.

    [From Build 63.16] [#591437, 586981, 591338, 591696]

  • If you enable Appflow for ICA and there are a large number of ICA connections which have reconnected after a network disruption, the NetScaler appliance will experience a memory leak.

    [From Build 63.16] [#587725]

  • The SNMP daemon runs on NetScaler Insight Center even though NetScaler Insight Center does not support SNMP requests.

    [From Build 63.16] [#537253]

  • If a failover occurs in a high availability configuration, an ICA connection that uses Automatic Client Reconnect (ACR) might fail to reconnect.

    [From Build 64.34] [#601318, 603208]

  • When you configure authentication (Configuration > System > Authentication > Authentication Configuration), the Server Name field does not display the selected server.

    [From Build 64.34] [#599322]

  • When AppFlow for ICA is enabled, NetScaler can fail if the client reconnects with an invalid ticket and the server responds with a CGP BINDRESP followed by some extra data.

    [From Build 64.34] [#596784, 596953]

  • If the AppFlow feature is enabled for ICA applications, the NetScaler appliance might become unresponsive when Citrix Receiver performs a session reconnect with a ticket that starts with "NS" and the next two bytes have unrecognizable values.

    [From Build 64.34] [#605779]

NetScaler SDX Appliance

  • If you are running a NetScaler SDX 11.0 beta version and upgrade to NetScaler 11.0, then some components may not be upgraded. This does not cause any malfunction in the running of the system. However, the upgrade is incomplete.

    Workaround: Reset your appliance to factory defaults, upgrade to the latest 10.5 or 10.1 version, and then upgrade the appliance to NetScaler SDX 11.0.

    [From Build 62.10] [#576100]

  • If a 10G interface is a part of the LACP channel, it might incorrectly report stalling of transmission (Tx) on VPX.

    Workaround: Reset the 10G interface using the management service.

    [From Build 62.10] [#564451, 564743]

  • After interface reset from management service, L2 mode will stop working for the 10G interface.

    Workaround: Disable and re-enable L2 mode from SVM for the VPX.

    [From Build 62.10] [#564871]

  • You cannot change only the SSLReneg setting from the "Change SSL Settings" option in the configuration utility.

    [From Build 62.10] [#572485]

  • You cannot restore any NetScaler instance from a backup file unless you first upload the XVA files for all of the instances that are included in the backup file.

    [From Build 63.16] [#585161, 584634]

  • Citrix User Experience Improvement Program (CUXIP) collects data for the sole purpose of improving the graphical user interface. The collected data is used only by Citrix engineers. It is not shared with anyone.

    CUXIP collects the following types of data:

    1. Number of clicks by a user

    2. Information about the client browser and operating system

    For more information, see

    [From Build 63.16] [#542084]

  • Performing SNMP walk using the EMC SMART tool is slow.

    [From Build 63.16] [#588451]

  • Management Service now supports provisioning or modifying a NetScaler instance with gateway IP address from a different subnet as that of the NetScaler IP Address (NSIP).

    [From Build 64.34] [#600090]

  • The management Service does not support provisioning or modifying a NetScaler instance with gateway IP address from a different subnet as that of the NetScaler IP (NSIP) address.

    [From Build 64.34] [#593158]

  • The NetScaler SDX appliance displays the "SubSystem Down: svm_service" error message when the Management Service creates multiple SNMP requests at run time to fetch network configuration information from XenServer and Management Service configuration files.

    [From Build 64.34] [#605247]


  • A PBR6 rule might not get evaluated if you set the operator option to NEQ (!=) for source and destination IPv6 addresses.

    [From Build 62.10] [#575906]

  • High availability (HA) synchronization fails if the NetScaler IP (NSIP) addresses of the nodes in the HA configuration are IPv6 addresses.

    [From Build 62.10] [#573935]

  • An ACL6 rule might not get evaluated if you set the operator option to NEQ (!=) for source and destination IPv6 addresses.

    [From Build 62.10] [#573516]

  • ICMPv6 requests with a payload greater than 1232 bytes (fragmented ICMPv6 requests) from a nondefault NetScaler admin partition might not succeed.

    [From Build 62.10] [#506332]

  • Duplicate address detection might fail for a global IPv6 address.

    [From Build 62.10] [#560243]

  • The output of the show ACL does not display the correct hits for ICMP packets that match the ACL rules.

    [From Build 63.16] [#585265]

  • In a high availability configuration, when the connection between primary and secondary goes down and comes up again, the secondary node receives HA INIT request from the primary node and it terminates all BGP connections.

    [From Build 63.16, 64.34] [#588509]

  • You cannot configure INAT46, INAT64, or INAT66 rules by using the configuration utility.

    Workaround: Use the command line interface.

    [From Build 63.16] [#582682]

  • The NetScaler appliance might assign the NTP module a port that is used by some other feature module. Therefore, an incoming NTP response can be processed by the feature module. This can result in the failure of the NetScaler appliance.

    [From Build 63.16] [#588477]

  • On a NetScaler appliance with a forwarding session rule configured and connection failover enabled, the appliance might become unresponsive when processing packets that match the forwarding session rule.

    Workaround: Create a dummy load balancing virtual server with stateful connection failover enabled.

    [From Build 64.34] [#587382, 603629]

  • On a NetScaler appliance with a NetScaler owned IP address configured with a VMAC address on a traffic domain, when a peer device sends an ARP request with unicast MAC for this IP address, the NetScaler appliance responds with the physical MAC address instead of the VMAC address. As a result, the NetScaler appliance drops packets forwarded by the peer device if the packets are destined to the physical MAC address for that IP address.

    [From Build 64.34] [#588912]

  • In an IPSec tunnel, the NetScaler appliance might remove sessions between client and server before encrypting (IPSec) DNS response packets, resulting in the loss of these DNS packets in the tunnel.

    [From Build 64.34] [#587718]

  • The configuration utility does not display any route monitors configured on the NetScaler appliance.

    [From Build 64.34] [#589128]

  • You cannot securely access (HTTPS) the NetScaler GUI by using a subnet IP (SNIP) address that is configured on a traffic domain.

    [From Build 64.34] [#600364]

  • Binding a redundant interface set (for example, LR/1) to NSVLAN might cause the NetScaler appliance to become unresponsive.

    [From Build 64.34] [#597071]

  • The NetScaler appliance might erroneously forward DHCP broadcast packets to the default router. As a result, the broadcast packets go in loops between the appliance and the router.

    [From Build 64.34] [#591657, 595649]

  • If a connection matches a RNAT rule, the NetScaler appliance probes for the existence of the destination server before processing the connection based on the RNAT rule. The connection that is used for probing is sometimes left idle on the appliance and a new connection is opened once the client connection is successfully established. This probe connection stays idle for the configured idle timeout (2.5 hours) thus holding up resources on the server.

    Now, these probe connections are flushed within a minute if they remain idle.

    [From Build 64.34] [#588694, 588551]

  • For extended ACL rules that are associated in NAT configurations (for example, RNAT rules, Large Scale NAT configurations), the configuration utility displays the TCP established parameter as enabled for these ACL rules.

    [From Build 64.34] [#597458]

  • A NetScaler appliance might consume a high percentage of CPU cycles, because the appliance repeatedly updates the active connections with changes in MAC addresses of servers.

    [From Build 64.34] [#579099]


  • Enabling the media classification feature causes the NetScaler appliance to become unresponsive.

    [From Build 64.34] [#581123, 584501, 588400, 590438, 594672, 595638, 601727, 601862, 603667, 604126, 607439, 609907, 611899]

  • A NetScaler appliance crashes when Media classification mode is enabled and HTTP requests with bigger URLs are received.

    [From Build 64.34] [#589825, 594694, 606589, 607919]


  • NetScaler VPX instances, running on SDX 22040/22060/22080/22100/22120 and SDX 24100/24150 appliances, fail to start after you upgrade to the NetScaler SDX release 11 single bundle image. Starting the NetScaler instances manually also fails.

    Workaround: Delete the VPX instances and provision them again by using the Management Service.

    [From Build 62.10] [#569291]

  • The memory usage statistic shown on the LCD display of a NetScaler appliance is the allocated memory. The NetScaler configuration utility displays the currently used memory. Therefore, the two values are different.

    [From Build 63.16] [#334358, 576545]

  • The LOM firmware on NetScaler MPX 11500/13500/14500/16500/18500/20500 and MPX 11515/11520/11530/11540/11542 appliances can report VTT sensor data, but the NetScaler appliance does not support it.

    [From Build 64.34] [#563987, 572404]

  • OpenSSL libraries are now integrated to operate in the FIPS mode.

    [From Build 64.34] [#523834]


  • The NetScaler appliance fails to respond when a blocking log action is configured with a responder action.

    [From Build 62.10] [#574458, 574593]

  • Some IP based expressions might not work for IP addresses starting from octet 128 or greater (128.x.x.x - 254.x.x.x).

    The following expressions are not impacted:


    The following expressions do not work:


    [From Build 63.16] [#534244]

  • An HTTP callout that is configured for use with a virtual server does not work with a backup virtual server (if configured).

    [From Build 64.34] [#382341, 540646, 585790]

  • If packet tracing is configured with a default-syntax expression, non-TCP traffic is being processed, and a rewrite action is applied to an HTTP chunked message, the rewritten data may be incorrect or the NetScaler appliance might crash.

    Workaround: Configure the packet tracing filter expression with a Classic syntax expression or avoid using filter expression.

    [From Build 64.34] [#598465]


  • On a NetScaler MPX appliance, AES-GCM/SHA2 ciphers are supported only on the front end SSL entities.

    [From Build 62.10] [#575001]

  • You cannot enable TLSv1.1/1.2 on a front end SSL service after explicitly disabling it.

    [From Build 62.10] [#574589]

  • If you have configured optional client-certificate authentication and your policies target client certificate x509 extensions, such as auth keyid, a transaction with a client that doesn't have a certificate might cause the appliance to fail or to use stale values from a previous transaction.

    [From Build 63.16, 64.34] [#593091]

  • In some cases, when client authentication is enabled, incorrect data from a client leads to a memory leak on the NetScaler appliance. If a large number of clients send incorrect data, the appliance fails.

    [From Build 63.16] [#570754]

  • An incoming SSL record that spans more than 256 TCP packets and contains TCP header options causes memory corruption in the Cavium command buffer structure. As a result, the NetScaler appliance fails.

    [From Build 63.16] [#573904, 583295, 590222]

  • If you downgrade the software on your NetScaler appliance that does not have a license to release 9.3 build 61.66 or earlier, some commands related to the default server certificate might not be saved in the running configuration. As a result, after restarting, secure access (HTTPS) to the appliance fails.

    [From Build 63.16] [#551603, 559154]

  • If you update the certificate-key pair for a service group, the change is not reflected in the individual services that are bound to this service group. As a result, the old certificate-key pair continues to be used for negotiation in the SSL handshake.

    [From Build 63.16] [#554925]

  • If TLS1.1/1.2 protocol is used with AES/3DES ciphers, the length of the TCP window at the back end shrinks to zero. As a result, after some time, the connection is terminated.

    [From Build 63.16, 64.34] [#591600, 595713, 596278, 596556, 596566, 598045, 599524, 600591, 604929, 604409]

  • If you use the "add ssl certkey" command to add an encrypted .pfx file, the password is now encrypted and saved in the configuration file (ns.conf). In earlier releases, the password was not saved, so automatic execution of the add ssl certkey command failed when the appliance was restarted.

    [From Build 63.16] [#591167]

  • If you have a large number of SSL services (greater than 3000) in the backend, CPU usage increases exponentially and the appliance fails.

    [From Build 63.16] [#581193]

  • If you enable the DH parameter while creating an SSL profile by using the configuration utility, the following error message appears:

    Error in retrieving File. Invalid args in query parameters

    [From Build 64.34] [#594922]

  • In the OpenSSL interface in the NetScaler configuration utility, if you type a command before the OpenSSL> prompt appears, the OpenSSL> prompt might not appear at all. As a result, any commands that you type are not run in OpenSSL mode.

    [From Build 64.34] [#595413]

  • If the passphrase for a certificate contains the "$" character, the configuration utility becomes unresponsive.

    [From Build 64.34] [#591743]

  • In release 10.5 or later, TLS protocol versions 1.1 and 1.2 are enabled by default, but you can disable them for all services except SSL_BRIDGE and dynamic services, which can't otherwise be configured. In this release, you can disable TLS1.1/1.2 on SSL_BRIDGE and dynamic services by enabling the new svctls1112disable and montls1112disable parameters, as follows:

    > set ssl param -svctls1112disable enable -montls1112disable enable

    After the new parameters are enabled, you cannot disable them by using the "set ssl param" command. You must edit the configuration (ns.conf) file as follows:

    1. Remove these parameters from the "set ssl param" command.

    2. Save the configuration.

    3. Restart the appliance.

    [From Build 64.34] [#602502, 599209, 609284]
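
Step 1 of the procedure above, as an added example that is not from the Citrix documentation: a Python helper that reports where the two parameters appear in a saved ns.conf and returns the text with them removed from the "set ssl param" command. The sample configuration is constructed, and accepting "parameter" as the long form of the command is an assumption.

```python
import re

# The two parameters named in the release note above.
TLS_DISABLE_PARAMS = ("svctls1112disable", "montls1112disable")

# Matches the "set ssl param" command; "parameter" is accepted as the
# long form of the same command (assumption, not stated on the page).
_SET_SSL_PARAM = re.compile(r"^\s*set\s+ssl\s+param(?:eter)?\b", re.IGNORECASE)

# Matches " -<name> <value>" for either of the two parameters.
_TLS_PARAM = re.compile(
    r"\s+-(%s)\s+(\S+)" % "|".join(TLS_DISABLE_PARAMS), re.IGNORECASE
)

# Constructed sample configuration, for illustration only.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ssl param -denySSLReneg ALL -svctls1112disable enable -montls1112disable enable
add service svc_bridge 192.0.2.20 SSL_BRIDGE 443
"""


def audit_ns_conf(text):
    """Return (findings, cleaned_text) for the contents of an ns.conf file.

    findings is a list of (line_number, parameter, value) tuples, one per
    occurrence of svctls1112disable / montls1112disable on a
    "set ssl param" line. cleaned_text is the configuration with those
    parameters removed; every other line is passed through unchanged.
    """
    findings = []
    cleaned = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not _SET_SSL_PARAM.match(line):
            cleaned.append(line)
            continue
        for match in _TLS_PARAM.finditer(line):
            findings.append((lineno, match.group(1).lower(), match.group(2).lower()))
        stripped = _TLS_PARAM.sub("", line)
        # Keep the command if it was untouched or still carries other
        # parameters; drop it if removing the two left it empty.
        if stripped == line or re.search(r"\s-\w", stripped):
            cleaned.append(stripped)
    return findings, "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    found, new_conf = audit_ns_conf(SAMPLE_NS_CONF)
    for lineno, name, value in found:
        print("line %d: -%s %s (TLS 1.1/1.2 disabled)" % (lineno, name, value))
    print(new_conf, end="")
```

The helper covers only the edit in step 1; saving the configuration and restarting the appliance (steps 2 and 3) are still done on the appliance.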

  • NetScaler VPX virtual appliances do not support AES-GCM/SHA2 ciphers, but in earlier builds you can bind these ciphers, incorrectly, to an SSL virtual server. From the current build, you cannot bind these ciphers to the virtual server. If you have bound AES-GCM/SHA2 ciphers to a VPX instance that you upgrade to the current build, the bind commands in the configuration return an error. In a comparison of the configurations of the old and new build, the missing bindings can be mistakenly construed as a configuration loss.

    [From Build 64.34] [#609476]

  • Even though SSL renegotiation is set to deny (that is, denySSLReneg is set to ALL), the server responds with the "server reneg" extension in the initial SSL handshake.

    [From Build 64.34] [#559082]

  • If you bind a secure monitor to a service, such as SSL_BRIDGE, that does not allow SSL configuration, the default settings are used. The default SSL version sent in the SSL handshake record header is SSLv3.

    Contact Citrix support if you want to disable SSLv3 and use the next higher protocol.

    [From Build 64.34] [#584424]

  • If you are running FIPS firmware 2.2 on your appliance, some commands might fail after 9 days.

    [From Build 64.34] [#600267]

  • An MPX-FIPS appliance might not restart if you attempt a warm reboot.

    [From Build 64.34] [#597101]

  • If you restart a NetScaler appliance that has FIPS firmware version 2.2, the FIPS key might be temporarily unavailable.

    [From Build 64.34] [#572645, 563418, 576719, 594569, 603072]

  • If you upgrade the FIPS firmware on your appliance to version 2.2 and then restart it, you might notice some loss in the configuration.

    [From Build 64.34] [#597313]

  • On an MPX-FIPS platform running firmware version 2.2, if you have configured SSL services at the back end, an attempt to download a file fails if its size is greater than 16KB.

    [From Build 64.34] [#578464, 582280]


  • The option to set the transport type has been removed from the SET and UNSET operations. You can specify the transport type while adding a Syslog action. In a Syslog action, by default the transport type is set as UDP.

    Note: Once you have set the transport type in a Syslog action, you cannot change the transport type.

    [From Build 62.10] [#580890]

  • On rebooting the NetScaler appliance, the timeout is not set to the value specified by the "set ns timeout" command.

    [From Build 63.16] [#587074]

  • In a high availability setup, if stateful connection failover is configured on a virtual server that has been serving traffic for some time, running the "clear config extended" command results in a warm restart on both the primary and secondary appliances. Unsetting connection failover on the virtual server results in a warm restart on only the secondary appliance.

    [From Build 63.16] [#575108, 581862]

  • For a NetScaler appliance with extended memory configured for Large Scale NAT (LSN) feature, after warm rebooting the appliance, when the appliance is added as secondary node to an appliance that does not have the extended memory configured for LSN, the secondary appliance becomes unresponsive.

    [From Build 63.16, 64.34] [#593261]

  • After cleaning up an MPTCP session, the NetScaler appliance might not set the DATA_FIN flag in the TCP header of the data or acknowledgement packet if there is no subflow for sending the data.

    [From Build 63.16] [#553650]

  • The NetScaler appliance might become unresponsive if it receives a retransmitted TCP jumbo frame that carries the TCP FIN flag.

    [From Build 63.16] [#571176]

  • In NetScaler Insight Center, NetScaler 1000V, and NetScaler VPX on ESX, the Vmtoolsd daemon fails during start up and creates a core dump in the directory /var/core. It does not affect normal VPX functionality. However, operations such as "Shut Down Guest" and "Restart Guest" from the vSphere client summary tab fail.

    [From Build 63.16] [#570166, 477094, 498384, 520519, 530951, 543554, 555689, 585809]

  • The upgrade wizard in the configuration utility puts the NetScaler software in the /var directory instead of the /var/nsinstall/<build id> directory.

    [From Build 63.16] [#586721]

  • If a server advertises a maximum segment size (MSS) greater than 1460 bytes, a TCP transaction might not generate a response after passing through the NetScaler appliance.

    [From Build 63.16] [#584079]

  • If you execute NTP commands, such as enable ntp sync and show ntp status, the NetScaler appliance might become unresponsive because of a memory leak.

    [From Build 63.16] [#529787, 546378, 574866, 581849]

  • If a NetScaler appliance that is sending auditlog messages over TCP (audit syslogaction specifies TCP as the transport protocol) has more than 200 million active sessions, the rate at which the syslogs are sent drops to 700 Kbps or lower, and the appliance consumes a high percentage of the CPU cycles.

    [From Build 63.16] [#580309]

  • Management CPU usage is high when you use the configuration utility's memory usage diagnostic tool (System > Diagnostics > Memory usage).

    [From Build 63.16] [#586328]

  • When SPDY Protocol is enabled and SPDY Traffic is received on the NetScaler appliance, the TCP current clients counter goes to negative values and shows a very large value in the stat or the SNMP OID.

    [From Build 63.16] [#551562, 551786, 568554]

  • The NetScaler appliance might become unresponsive if front end optimization (FEO) is enabled with the SSL and rewrite features.

    [From Build 63.16] [#583829]

  • A NetScaler appliance might crash if you attempt to start the nstrace instance with advanced filter expression.

    [From Build 64.34] [#493737, 526095, 598148]

  • In an HA setup, if a domain-based SNMP manager is added on the secondary appliance, the NetScaler appliance eventually stops responding. You must configure the SNMP manager on the primary appliance.

    [From Build 64.34] [#581355, 593292, 595943]

  • Failed SNMP requests were not removed properly, so subsequent set requests were retained in the queue. This led to all SNMP requests being blocked and to high memory usage, which caused the SNMP module to stop responding.

    [From Build 64.34] [#590289, 584527, 596242]

  • In certain cases, the NetScaler appliance might not retransmit lost TCP segments, resulting in a transaction failure.

    [From Build 64.34] [#565938, 560394, 592227, 597160, 607864, 609068]

  • After you upgrade a NetScaler appliance to a 10.5 build, the Client-Server Link Mapping check box is now available in the TCP Connections page.

    [From Build 64.34] [#551611, 519966]

  • If weblog data is sent over a TCP connection that the NetScaler appliance has terminated because of buffer overflow, the appliance fails. With the fix, the connection is checked to ensure that it is not closed before the weblog data is sent.

    [From Build 64.34] [#593968, 574996]

  • Syslog messages generated by user action are logged as error messages instead of informational messages.

    [From Build 64.34] [#538212]

  • The NetScaler appliance does not reduce the received Maximum Segment Size (MSS) to accommodate TCP options (such as timestamps). Therefore, the NIC drops such packets.

    [From Build 64.34] [#593209]

  • Some events may be logged twice if the DEBUG level is enabled for syslog by using the "set audit syslogParam" command.

    [From Build 64.34] [#594485]

  • A NetScaler appliance has high memory consumption if the Front End Optimization (FEO) feature is enabled.

    Workaround: Disable the feature or reboot the appliance.

    [From Build 64.34] [#591928]

  • If the NetScaler appliance receives a data or an acknowledgement packet without the Data Sequence Signal (DSS) option before the MPTCP connection is established, the appliance does not seamlessly fall back to regular TCP.

    [From Build 64.34] [#588909]

  • The appliance might fail under the following set of conditions:

    1. A pipelined HTTP request is received that spans multiple TCP segments.

    2. An internal HTTP response generated by NetScaler for the HTTP request in condition 1 is terminated by a TCP segment that has the TCP FIN flag set.

    3. The appliance receives another HTTP request on the same connection.

    [From Build 64.34] [#587817, 587879, 589416, 594044, 595927, 601915, 610728]

  • When adding a syslog action for which the netProfile parameter is set, the Subnet IP (SNIP) address is used as the source IP address for sending log messages. If the netProfile parameter is not set, the NetScalerIP (NSIP) address is used as the source IP for sending the log messages.

    [From Build 64.34] [#595449]

  • When the NetScaler appliance receives MPTCP traffic, the number of established client connections is high, because both MPTCP sessions and subflows are treated as client connections.

    With this fix, the SNMP OIDs of the following MIBs have changed to:

    mptcpCurSessWithoutSFs: 130

    vsvrCurMptcpSessions: 73

    vsvrCursubflowConn: 74

    [From Build 64.34] [#583292]

  • A NetScaler appliance might occasionally fail when a client connects to an HTTP/SSL server and the server sends a 101 (switching protocols) response. The connection is closed before data can be sent or received from the client.

    [From Build 64.34] [#576561, 587759]

  • When parsing a host name with no Path component, the URL parsing logic does not search for a question mark (?), so an entire string might be interpreted as the host name. This causes an error when the appliance tries to resolve the DNS name. With this fix, the parsing logic searches for question marks.


    [From Build 64.34] [#587858]


  • In a network setup that includes both dynamic and deterministic types of clients, the first request from a deterministic client is not served if a dynamic client has sent a request.

    [From Build 63.16] [#576602]

  • After a failover occurs in a high availability configuration, some LSN static maps might become inactive on the new secondary node.

    Workaround: Delete the LSN static maps on the primary node and then add them again.

    [From Build 63.16] [#487318]

  • SIP registration might fail if authentication is enabled in the SIP proxy server.

    [From Build 64.34] [#579797]

Web Interface on NetScaler (WIonNS)

  • After upgrading to nswi-1.8.tgz, existing WI sites are not accessible until you remove the sites and then add them back.

    [From Build 62.10] [#576883]

  • WIonNS v1.7 does not work when WebFront is installed.

    Workaround: Upgrade to WIonNS v1.8.

    [From Build 63.16] [#577988]