Product Documentation

Fixed Issues

Mar 30, 2016

The issues addressed in Build 65.31.


  • When the NetScaler appliance is configured as SAML Service Provider (SP), the SAML Identity Provider (IdP) dishonors a logout request that is performed on the traffic management virtual server (load balancing or content switching) that uses a AAA-TM traffic policy.

    This happens because the NetScaler SP sends to the SAML IdP a SAML logoutRequest that contains "Conditions" XML tag.


  • In a multi-core NetScaler environment, user sessions sometimes do not get terminated if the decision to terminate is based on a force timeout value that is configured on a TM traffic action.

    [#610604, 618760, 623053]

  • The Netscaler appliance intermittently fails if a user accesses a very long URL without proper AAA context.


  • Authentication fails if the server name in an LDAP action is changed from an FQDN to an IP address by using the "set ldapaction" command.


  • You cannot enter the FQDN for a RADIUS or LDAP server by using the NetScaler GUI.

    [#596382, 618884]

  • When RADIUS is used in nFactor authentication, the NetScaler appliance fails to complete the request if user is prompted for password change.


  • If a logout message from a session owner to a cached session is dropped, the NetScaler appliance might fail while trying to resend the message.


  • On a NetScaler MPX-FIPS appliance, the AAA module becomes unresponsive if the configured RADIUS or TACACS policies are triggered. So, from this build onwards, RADIUS and TACACS policies are not supported on MPX-FIPS appliances.

    Note: RADIUS and TACACS are not FIPS compliant protocols.


Admin Partitions

  • When the NSIP password is changed (by using the "set ns rpcnode" command) on the default partition, the GSLB auto-sync function does not work in the available admin partitions.

    Workaround: Make sure you set the same password for the loopback IP address (using the "set ns rpcNode" command) for each of the admin partitions.


Application Firewall

  • When you use the NetScaler GUI to perform the Skip operation, the application firewall learned rules might not be deleted. This occurs because NITRO is sending wrong "Location" ("Field") data to the GUI. With this fix, the GUI converts "Field" into "FORMFIELD," and the Skip operation removes the skipped rules, as expected.


  • NetScaler application firewall handles memory incorrectly if XSS and "CrossSiteScriptingCheckCompleteURLs" are enabled in the application firewall profile. The errors also appear if "checkrequestHeaders" and finegrained relaxations are enabled.


  • The XSS transform for special characters in the application firewall might not work as expected if the -crossSiteScriptingTransformUnsafeHTML option or the sqlTransformAction option is set to ON in the profile.


  • In release 10.5.e (enhancement builds only) as well as in the 11.0 release builds, application firewall processing of the Cookie header was changed. In those releases, every cookie is evaluated individually, and if the length of any one cookie received in the Cookie header exceeds the configured BufferOverflowMaxCookieLength, the Buffer Overflow violation is triggered. As a result of this change, requests that were blocked in 10.5 and earlier release builds might be allowed, because the length of the entire cookie header is not calculated for determining the cookie length. In some situations, the total cookie size forwarded to the server might be larger than the accepted value, and the server might respond with "400 Bad Request".

    With this fix, the change has been reverted. The behavior is now similar to that of the non-enhancement builds of release 10.5. The entire raw Cookie header is now considered when calculating the length of the cookie. Surrounding spaces and the semicolon (;) characters separating the name-value pairs are also included in determining the cookie length.


  • When the application firewall cookie proxy check is enabled, the NetScaler appliance might become unresponsive while updating the cookies in the distributed hash table with a set of cookies from the server.

    [#609394, 618385]

  • When you use the NetScaler GUI to perform the Skip operation, the application firewall learned rules might not be deleted. This occurs because NITRO is sending wrong "Location" ("Field") data to the GUI. With this fix, the GUI converts "Field" into "FORMFIELD," and the Skip operation removes the skipped rules, as expected.

    [#610116, 603473]

  • The application firewall might experience a transient low-memory condition during a traffic surge if advanced security check protections (such as Form Field consistency, CSRF, form tagging and so on, which require rewriting the HTML forms in the response) are enabled for the profiles. This might result in a memory leak, and memory allocation failures might occur even after the traffic surge subsides.

    [#598776, 597952]

  • You might encounter unexpected failures if form field consistency protection is enabled on the application firewall profile and you try to retrieve the form from Distributed Hash Table (DHT).


  • Application Firewall memory allocation errors might occur if the license on the NetScaler appliance restricts the number of packet engines.


  • In certain cases, if a custom error page containing variables is served to the client, the content length in the response is incorrect. As a result, the custom error page might not be visible in the client's browser.


  • If you use the Mozilla Firefox browser to access the NetScaler GUI, you cannot make changes to the application firewall configuration.


  • In NetScaler web application firewall high availability deployments, application firewall sessions are not cleaned up on the secondary node. As a result, memory usage increases on the secondary node.

    [#612284, 619056]

Audit logging

  • You can now customize the log levels for logs generated for AAATM user logon or logoff, and for logs generated for executive commands by a NetScaler administrative user.


Cache Redirection

  • If a request to a cache redirection virtual server resolves to an IP address that belongs to a content switching virtual server configured on the NetScaler appliance, the appliance might fail.


  • In the GUI, the Policy drop-down list does not display the cache redirection policies.


Cisco RISE Integration

  • If RISE feature is not enabled and we try to disable it, an error message is displayed for all the features.


Configuration Utility

  • If you log on to the appliance by using the GUI, the list of licenses is not retrieved.


  • You cannot install a server, client, or intermediate certificate with a FIPS key by using the configuration utility.

    Workaround: Use the FIPS wizard to create and install the certificate.


Content Switching

  • In certain cases, if the state of a load balancing virtual server changes, the NetScaler appliance might fail while changing the state of the associated content switching virtual server.

    [#522510, 528782, 538223, 552913, 602829]


  • If, while resolving a domain name in DNS resolver mode, the NetScaler appliance does not receive a response from the first name server, it tries to resolve the domain name with the other name servers. During this process, if the address record for the associated NS record is not present, the NetScaler appliance fails.

    [#609967, 617204]

  • If a Netscaler appliance in DNS resolver mode is configured to resolve queries with suffixes, the appliance fails if there is no address record for the NS record associated with one of the suffixes.



  • A NetScaler client becomes unresponsive if:

    1. The NetScaler appliance receives the complete response to the client's query from the server.

    2. At the same time, the client sends an attention packet to the appliance.

    The client becomes unresponsive because the appliance closes the server-side connection but does not send the client a response to the attention packet.



  • When using the GUI in a partitioned environment, you cannot add GSLB services.


  • In a content switching GSLB deployment, you can bind multiple domains to a CS GSLB virtual server, but the show cs vserver command shows only one domain bound to the CS GSLB virtual server.


  • The NetScaler appliance fails if you run the "show gslb domain" command on a non-gslb domain record.


  • If the ACK on PUSH option is disabled in the default TCP profile, the NetScaler appliance might fail while downloading the static proximity database.


  • In the GUI, on the GSLB statistics page, the local site MEP state is always displayed as DOWN instead of as a blank field.


  • For GSLB deployments in a partitioned environment, the options to synchronize the GSLB configuration and view the synchronization status are provided in the GUI.


Integrated Cache

  • The NetScaler can stop responding when cache object persistency is configured in a HA setup.

    Workaround: Unset cache object persistency as follows:

    > set cache parameter -enableHaObjPersist NO


  • Disabling the Media Classification mode, even if the host header is missing in the GET request, does not cause a NetScaler appliance to fail.

    [#616021, 616757, 618970, 624338]

  • A VPX system can repeatedly fail if HA cache persistence is used along with HTML-injection.


  • When the "clear config" command is issued, the NetScaler appliance can become unresponsive if more than one CPU tries to free the same shared memory.


  • When a NetScaler appliance uses a flash cache with HTTPS traffic, only the initial client request is serviced. Subsequent client requests fail.


  • A NetScaler appliance performing integrated caching becomes unresponsive if the length of the URL is 2040 (including the hostname, query parameter, and other specific information).

    [#605831, 612030, 612102]

Load Balancing

  • The NetScaler appliance fails while trying to load balance a request that was received on a recently closed connection. This happens because the server tries to keep the connection alive by sending an RTSP request but the appliance cannot find the corresponding client side connection.


  • Feature DNS

    Due to a memory overwrite issue, the prev value of dns_tot_ServerQueries counter is set to zero everytime during the end of perf collection cycle, that is every 7 seconds. This results in the difference between cur and prev value get accumulated to the global counterpart even if there is no traffic.

    [#615519, 580342]

  • The NetScaler appliance fails because of an incorrect initialization of template size in a stream analytics session info record.


  • In a high availability setup, if a large number of services and service groups are configured, service state updates might fail because of a timer issue.

    [#605596, 609999]

  • Feature; AAA-TM

    If you are using AAA-TM on an HTTP virtual server with no endpoint features enabled, the acknowledgement from the NetScaler appliance might not contain all the data that the client sent. This might cause some page elements to not load completely, or to time out.



  • If the NetScaler appliance receives a logon request that contains both the session token and the request payload with the logon credentials, the appliance creates a new connection without closing the previous connection. If the appliance receives multiple such requests, the following error message appears: CFE limit exceeded.

    [#620458, 619154, 621601]

NetScaler Appliance

  • Different languages use different keyboard layouts, causing problems with using special characters through the LOM console. With this fix, the LOM console supports additional keyboard layouts and keyboard control tools.

    To change the keyboard layout, in the console, navigate to options > preferences and select a language.

    [#583263, 601405]

NetScaler Gateway

  • Destination IP based authorization policies do not work as expected in ICA Proxy Mode. Users see authorization failures despite having an authorization policy that allows traffic destined to Storefront server's IP address. As a workaround, Host header based authorization policy or user membership based policies can be used.


  • When connected to the NetScaler Gateway, NSGClient adds a space before the following IP address: /etc/hosts file. The customer monitors suspicious entries and removes them. The space before the IP address is considered suspicious and is removed, so NSGClient cannot work.


  • If the intranet application feature is enabled, the NetScaler Gateway plug-in intermittently takes more than 2 minutes to complete a logout.


  • If CISCO ACS or any TACACS server is used to authorize command execution for NetScaler, executing lengthy CLI commands (>1460 bytes) results in the following ERROR: "Not authorized to execute this command." This issue occurs most frequently with the "set appfw profile" command, because of the large number of parameters, but it can occur with any lengthy CLI command. Frequently used commands are typically less than 1460 bytes, so the issue does not occur very often.

    [#596184, 519898]

  • The client receiver is not sending an authentication cookie back on previously authenticated connection due to this the NetScaler appliance is sending a 403 error to the client.


  • The packet processing engine fails unexpectedly during an attempt to parse missing content.


  • If Gateway is deployed for a XenMobile use case, the webSSO between AppController and Sharefile fails intermittently due to an incorrect Host header that Gateway sends. As a workaround, a trailing slash (/) needs to be configured in the corresponding wihome configuration.


  • ClientCertPath is not read when a client uses the GUI to connect to NSGClient. The client certificate is repeatedly requested, even if the GUI is configured to provide it.


  • When a user in the INTL domain logs on through a NetScaler appliance (a dual factor with RADIUS) by entering only a user name (no domain information on the logon page), the logon fails. However, the same kind of logon attempt by a user in the Corp domain is successful. This behavior is expected. Storefront needs the domain and user-name information from a user in the INTL domain. When entering domain\\username format on the NetScaler login page, RADIUS rejects the login, and it does not pass the domain and user-name information to the Storefront server, so the logon fails.


  • The DNS server fails to resolve internal URLs without an FQDN when using WorxWeb on Android devices.


  • If the network between the RDP client and the NetScaler appliance is substandard, users can get a blank screen when launching a RDP desktop using Netscaler Gateway.


  • Users appear to lose their connections to Storefront. The user has to disconnect and reconnect to the server.


  • The user's session cookie is no longer accessible to rewrite and other modules. Customers cannot insert the session cookie as an HTTP header and send it to back-end servers. This change provides an alternative way to check for AAA cookie presence by using HTTP.REQ.USER.SESSIONID expression. It results in a non-empty string if an AAA session exists. This is equivalent to checking for a valid AAA cookie.

    [#593256, 624882]

  • The clear config function does not clear the default DNS profile or the comand, tm sessionpolicy, from the packet engine. When the bulletins are applied as part of clear config command, the add dns profile and add tm sessionpolicy command fail.

    [#607413, 597550, 602417, 611607, 615573]

  • Destination IP based expressions cannot be used for traffic policies that use SecureBrowse and CVPN modes.


  • If group extraction authentication policies are configured, and the Authentication Subsystem is unexpectedly restarted, the group extraction policies are not sent to the Authentication Subsystem on restart. The group extraction policies won't be evaluated during authentication attempts.


  • When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.

    [#607555, 616311]

  • If the HTTP connection stats are printed from a CPU other than the one from which the session originated, the TCP port for the HTTP traffic sent over the VPN is displayed incorrectly.


  • Smart access policies based on smart group rules do not work for existing sessions after HA failover, because Smartgroups and externalgroups are not synced to the secondary during session transfer.


  • The NetScaler Gateway plug-in for windows issues a force timeout warning with an incorrect timeout value. Even though the incorrect time is shown in the warning, the session is terminated correctly after a forced timeout.


  • After the user name is extracted from a certificate, the UserName field is not grayed out in GUI and is open for editing.

    WorkAround: The Username field should not be manually edited.


  • If the new session entry points to the same memory that was used for a previous session entry earlier, some of the values have to be reset.


  • The minimum and maximum value checks for RDP Cookie validity do not work as expected.


  • If a user on a substandard network launches an RDP Desktop through a NetScaler appliance, the user's screen might not display anything.


  • Single-sign-on to backend servers through an MPX-FIPS device sometimes fails.

    [#611109, 612407, 613885, 614514]

  • The secondary page for radius authentication does not load the appropriate fonts when using the X1 theme.


  • If group extraction authentication policies are configured and the Authentication subsystem is unexpectedly restarted, the group extraction policies are not sent to the Authentication subsystem. Therefore, the group extraction policies are not evaluated during authentication attempts.

    [#456724, 606332]

  • The EPA plugin window is now at the top of the screen. Its new position facilitates the user-consent step, especially for new users. The change does not affect EPA scanning.


  • If the client timeout interval is too long (for example, 12 hours), a memory allocation problem results in user disconnections and login failures.

    [#590561, 598429]

  • If Storefront has been configured as WIHome parameter, then accessing the Store Apps in Applications tab in the homepage over Full vpn mode with Windows does not work and an error message "Cannot complete your request" is returned.


  • This is a summary of how NS 11.0 behaves on FIPS systems with respect to RADIUS and TACACS policies. RADIUS & TACACS use non-FIPS algorithms which are not permitted if fipsUserMode is ENABLED. The default setting for fipsUserMode is DISABLED.

    In 55.x/62.x/63.x GA builds:

    - Config behavior: RADIUS & TACACS policies can be created.

    - Runtime behavior: Possible system failure if fipsUserMode is ENABLED and a RADIUS or TACACS action is attempted.

    In 64.34 GA build, 64.35 LCM build:

    - Config behavior: RADIUS & TACACS policies cannot be created.

    - Runtime behavior: no system failure.

    In 64.36, 65.x GA Build:

    - Config behavior: RADIUS & TACACS policies cannot be created if fipsUserMode is ENABLED. If fipsUserMode is DISABLED then RADIUS & TACACS policies can be created.

    - Runtime behavior: no system failure.


  • After the upgrade, a parsing error occurred with packets on the mux channel. Because of the error, a new mux packet was tracked from a wrong offset and caused a failure.

    [#619321, 622466]

  • The NetScaler appliance inserts an NS_ESNS cookie for page tracking (for showing a waterfall chart) when AppFlow is enabled. Cookie insertion was controlled by the clientSideMeasurements option in the appflow action in release 10.5, but in release 11.0 the default became to always insert the cookie when appflow is enabled. Android receiver (HTTP client) was not able to handle this cookie. This fix adds the Enable/Disable page tracking (cookie insertion) option to the appflow action.

    [#613351, 598478, 608448]

NetScaler Insight Center

  • The network panel in the XenDesktop Director GUI does not display a graph with the session details for the selected user.


  • If you use the refresh button, it does not have any effect on the slider. Refresh operation does not have any affect on the time shown in the slider. Also, when you change tabs, it does not impact the slider. You can change the time by changing the time duration.


  • The network panel in the XenDesktop Director GUI does not display a graph with the session details when you select another user.


  • For some elements on the dashboard, NetScaler Insight Center does not fetch records for the specified time frame.

    [#611532, 612283]

  • NetScaler Insight Center does not cache reports after you enable database caching.


  • Adding a private IP block in NetScaler Insight Center fails if you select a country name that has special characters.

    [#609646, 620408]

  • If you click on a country in the Geo Maps in the XenDesktop Director GUI, the GEO maps are not displayed.


  • The NetScaler appliance might become unresponsive if Appflow reporting is enabled for ICA traffic on the NetScaler appliance.


  • The network panel in the XenDesktop Director GUI displays session details of all users, instead of for just the selected user.


  • The NetScaler appliance might sometimes become unresponsive or experience intermittent HA failovers based on a particular ICA network condition.

    [#623729, 623379]

  • In NetScaler Insight Center, updating fields in a private IP block fails.


  • NetScaler Insight Center might intermittently become unresponsive and not populate any reports.

    [#618370, 622539]

  • The network panel in the XenDesktop Director GUI displays the details of all of the administrative user's sessions, instead of just the details for the selected session.


  • The NetScaler appliance might become unresponsive if you attempt to delete an AppFlow action while the traffic is flowing.

    [#585914, 613238]

  • If the two NetScaler appliances in a double hop deployment are running different NetScaler software editions (Platinum, Enterprise, or Standard), NetScaler Insight Center fails to generate reports for these appliances on the NetScaler Insight Center dashboard.


  • NetScaler Insight Center restarts intermittently, and HDX insight reports might not show any data.


  • The whitelist of Citrix Receiver versions used by HDX Insight now includes version of Citrix Receiver for Linux.

    [#614558, 606817]

  • In the network panel in the XenDesktop Director GUI, the time slider for selecting the time period for a graph is not properly displayed.


  • NetScaler Insight Center fails to generate the technical support file, because the namedpipe file causes an error in the creation of the technical support file.


NetScaler SDX Appliance

  • On an SDX appliance, if a NetScaler instance is provisioned with more than 3.5 GB memory,

    the state of the interfaces might continuously change between UP and DOWN (flap) when the instance processes traffic.

    [#541222, 548301, 626380]

  • The warning message before a factory reset does not say anything about the physical connection to the appliance. With this fix, the warning message includes information about the physical connection.


  • If an nsroot user uses the Management Service to edit the resource attributes of devices, and the resource validation is done from the tenant to which the device belongs, the resource validation fails while validating the CPU cores.

    [#587187, 587318]

  • When a user with nsroot or similar privileges modifies a VPX instance that was originally created by a user from admin domain, the modification might fail because of inadequate resources, even though the admin domain has enough resources.


  • In the SDX GUI, the Management Service virtual instance displays incorrect memory usage information, because it does not consider the inactive memory.

    [#612042, 618530]

  • A memory leak in the event subsystem causes all the subsystems in the Management Service virtual instance to go down. As a result, you cannot log onto the SDX appliance through either the GUI or the CLI.



  • When you remove an admin partition, the NetScaler appliance fails or corrupts an SNMPD packet queue.

    [#613457, 614545, 617179, 621236]


  • On a NetScaler appliance, connections might get reset between routing processes. As a result, the dynamic routes are occasionally deleted and added back.


  • A clear config operation does not remove VXLANS. The configuration utility and the CLI continue to show the VXLANs, but with incorrect IDs.


  • For extended ACL rules that are associated in NAT configurations (for example, RNAT rules, Large Scale NAT configurations), the configuration utility displays the TCP established parameter as enabled for these ACL rules.


  • A customer using the NetScaler Gateway wizard to configure Storefront through "XenApp and Xen Desktop" might get Invalid Argument error messages.


  • If an IPv6 virtual server with persistency enabled is removed from a traffic domain, the traffic domain information for the existing persistency sessions is lost, and the NetScaler appliance hosting the virtual server becomes unresponsive.


  • After the clear config operation, reconfiguring a VXLAN entity fails to retrieve the VXLAN SNMP counters.

    [#572525, 574734, 614924]

  • In a GSLB deployment of NetScaler appliances configured with OSPF routing protocol, the OSPF process running in one of the NetScaler appliances sources OSPF hello packets from the GSLB site IP address configured on the appliance. As a result, neighbour adjacency does not get established.


  • For backend TCP connections, a NetScaler appliance might allocate the subnet IP address and port of an active connection to a new connection. As a result, the new TCP connection fails.


  • The NetScaler appliance fails when it processes invalid UDP packets received at port 500 or port 4500.

    [#609537, 489498]

  • The dynamic routing module on a NetScaler appliance might incorrectly save the command "redistribute intranet" as "redistribute trill" in the ZebOS configuration file. Because the appliance does not support the "redistribute trill" command, after a failover in a high availability setup, the new primary node treats the "redistribute trill" command as an error and does not apply the subsequent commands in the ZebOS configuration file. This results in loss of configuration.


  • For a sessionless virtual server configuration, the NetScaler appliance might forward packets for an incoming connection without changing their source MAC address with the MAC address of one of its interfaces. As a result, the connection fails.

    [#603477, 583499]

  • Forwarding sessions do no work as expected with bridge groups, because packets are not forwarded to the correct VLAN.



  • The RAID controller is frequently reset. With this fix the, RAID controller's driver has been modified and the firmware upgraded to version 23.33.0-0023. The frequent resets no longer occur.

    [#577075, 521790]


  • Under certain conditions, a NetScaler appliance does not insert an X-Forwarded-For field in the HTTP header for an HTTP CONNECT requests that are forwarded to server.


  • The default timeouts for Rewrite Processing and for Advanced Expression Regex Evaluation have changed from 1 millisecond to less than the pitboss timeout of 5 seconds. This restores the default behavior for releases prior to 11.0. In addition, an optional -timeout parameter to "set the re-write param " CLI command was added. The time is measured in milliseconds - see the man page. A "set policy param -timeout <value>" command has been added to the CLI. These ways of setting the timeout work for all partitions.

    In release 11.0, the default timeouts for Rewrite Processing and for Advanced Expression Regex Evaluation have also changed from 1 millisecond to less than the pitboss timeout. This restores the default behavior from releases prior to 11.0. However, neither the CLI command, nor the GUI, nor the Nitro call is available. Instead, for 11.0, an nsapimgr command is available from the shell. This will only change the timeout on the default partition when Partitioning is used. Other partitions will only use the default. The syntax is as follows: " -ys arg1=<value> -ys call=ns_pixl_regex_set_time_limit" to set the time limit on regular expression evaluation in Advanced expressions. " -ys arg1=<value> -ys call=ns_rw_set_eval_time_limit" to set the time limit on Rewrite processing. For either of these, setting the value to 0 resets the limit to the default. These nsapimgr commands will not be supported after 11.0, and the CLI, GUI, or Nitro must be used.

    [#577016, 578214]


  • When clearing the NetScaler configuration, user-defined cipher groups that are bound to an internal SSL service might get corrupted. Subsequent cipher bind or unbind operations with that service will cause the appliance to become unresponsive.

    [#611894, 622042]

  • The NetScaler appliance fails if it parses the value of an unknown certificate extension while the certificate is loading.


  • You cannot install a certificate on the appliance if the certificate is not in the /nsconfig/ssl directory. With this fix, you can install a certificate in the appliance's default partition from any location. For other partitions, the certificate must be in the /nsconfig/partitions/ssl/ directory.



  • In a high availability setup with stateful connection failover option enabled on a virtual sever, if a network link that is used for synchronizing connection information between the nodes becomes DOWN.

    Both nodes take a lot a time to reestablish connection information synchronization through the remaining active links, as a result some connection information might not get synchronize to the secondary node.


  • A warning error message "Error =80000004 in nsagg_process_stat_request, closing connection" displays when a nscollect module requests counter information from a nsagregator daemon at every 5 minute interval. The nsaggregator daemon prints the warning message as response to the request received from nscollect module for more than 256 counters.

    [#610809, 577474, 579560]

  • A NetScaler appliance becomes unresponsive when passing an HTML response with the HTML tag exceeding 16 characters.


  • Commands entered in the NetScaler CLI or GUI might fail because of a shortage of system resources or failure of system socket connections.

    With this fix, the NetScaler appliance attempts to reestablish the socket connections. After the socket connections are established, the appliance runs the failed commands internally.


  • Due to a bug in Hard Disk Drive (HDD) monitoring logic, if a message in /var/log/messages matches "*ad* Device not configured" string pattern, it results in producing false positive errors.

    [#611774, 598774]

  • You cannot access the NetScaler VPX appliance from a VM that is in the same subnet and running on the same host as the NetScaler appliance.


  • If, when establishing an MPTCP connection, a NetScaler appliance receives a duplicate acknowledgment in the 3-way handshake process, the appliance reverts to a normal TCP connection.


  • A NetScaler appliance fails when an MPTCP subflow receives an Infinite DSS mapping in a partially retransmitted packet.

    [#614842, 623426]

  • A NetScaler appliance fails when it encounters an HTTP/2 connection level error on a TCP connection.


  • A NetScaler appliance might fail because of a segmentation fault if it receives a large HTTP/2 request Header that evicts the dynamic header table entry.


  • If, when processing a URL, the parser encounters a tag that has "#"as a source attribute, the URL is considered to be empty as # is a fragment identifier. This leads to corrupted values because we continue processing the empty URL.


  • The NetScaler Weblog client intermittently fails because of incorrect indexing, leading to segmentation failure

    [#615895, 620767]

  • A NetScaler appliance does not support Base64 decoded TASS cookie IDs of more than 64 characters. If Security Assertion Markup Language (SAML) or federation results in an ID longer than 64 characters, the appliance does not support the cookie ID.

    [#594603, 607019, 615811]

  • In certain cases, the NetScaler appliance might not retransmit the lost TCP segments resulting in a transaction failure.

    [#565938, 560394, 592227, 597160, 607864, 609068]

  • Management access to the NetScaler appliance can slow down or become unavailable when the traffic domain identifier is not initialized for jumbo frames. However, virtual servers continue to serve traffic.

    [#583579, 594722, 626120]

  • You cannot shut down or restart the virtual machine by using the VMware vSphere tool.


  • A T1200 appliance that is used in a NetScaler deployment can become unresponsive or fail when generating the NetScaler tech support logs.

    [#606247, 624369, 624385]

  • With the default TCP congestion control, a NetScaler appliance recovering from packet loss reduces the congestion window to half its previous length. With multiple packet loss events, the congestion window becomes small and delays transactions.

    [#606493, 601655, 623185]

  • A NetScaler appliance fails when it receives an MP_CAPABLE final acknowledgement in a single packet with the FIN flag set.

    [#583853, 583855, 588078, 601746, 602955]

  • Support restore operation on the NetScaler Appliance by using a remotely stored backup

    You can now use a remotely saved backup to restore a NetScaler appliance through the "add system backup <filename>", that adds the metadata to the remote backup package, so that the restore operation can successfully use the backup package.


  • When a NetScaler appliance is integrated with ESP or VPX devices functioning as E100 devices, it encounters buffer-allocation failure and packet-reception failure.

    [#604971, 611176]


  • With a large number of active subscribers, and a high traffic rate for SIP over TCP, the NetScaler appliance can fail during ALG processing.


  • In a high availability deployment with LSN and DS-Lite configuration, LSN and DS-Lite mappings for active FTP connections are not removed from the secondary node even after they time out or are flushed.

    [#601920, 619864]

Unified Gateway

  • The default expression to route Unified Gateway VPN traffic does not include all of the necessary expressions which can cause a Receiver connection failure.

    Work Around

    The remedy is to create a compound expression using "is_vpn_url" along with "Citrix/Roaming/Accounts" to match the addition target URL: add cs policy <policy name> -rule "is_vpn_url || HTTP.REQ.URL.STARTSWITH(\\"/Citrix/Roaming/Accounts\\")" -action <gateway vserver>