The issues that exist in Build 65.31.
AAA-TM | Admin Partitions | AppFlow | Application Firewall | Audit Logging | Cache Redirection | Cisco RISE Integration | CloudBridge | Cluster | Clustering | Command Line Interface | Configuration Utility | DNS | GSLB | High Availability | Integrated Cache | Load Balancing | NITRO API | NetScaler Docs | NetScaler GUI | NetScaler Gateway | NetScaler Insight Center | NetScaler Policy | NetScaler SDX Appliance | NetScaler VPX Appliance | Netscaler Unified Gateway | Networking | Platform | Policies | SSL | System | Telco | Web Interface on NetScaler | Web Interface on NetScaler (WIonNS) | load Balancing
In certain cases, if the Traffic Management virtual server is enabled for 401 basic authentication, and the authorization header that the NetScaler appliance receives with a request is corrupted, the header is not removed when sending the request to the back end server.
When a client uses Negotiate Authentication to connect to a NetScaler appliance, the browser remembers the negotiate authorization header and sends it with each request. In such cases the servers might see the negotiate header from the client.
Workaround: Corrupt the negotiate authorization header by using rewrite policies.
The NetScaler appliance exhibits some inconsistency in the way expired cookies (TEMP) are handled:
- On an existing TCP connection, access to backend resources is allowed.
- On a new TCP connection, the request is denied.
Authentication fails if AAA-TM is deployed such that an authentication virtual server is the target of a content switching virtual server.
If you add a Negotiate Server with a Keytab file with a GUI, an error is issued: "Error in retrieving file. Directory does not exist." The error is only issued when it is executed within partition.
The NetScaler appliance fails if authentication is disabled while user authentication is in progress.
Forms based authentication on NetScaler failed once in 11.0 62.x. However, it never resurfaced. Users are advised to use later versions of 11.0.
When the NetScaler appliance is configured as a SAML Identity Provider (IdP) with Negotiate/Kerberos, authentication fails if you are running a client debugger such as Fiddler, that does not send negotiate headers.
Workaround: Do not use Fiddler or a similar client debugger in such use cases.
The NetScaler implementation of Kerberos does not fully implement the ktutil functionality. While this does not affect Kerberos authentication, it restricts some administrative tasks, such as the ability to merge keytab files.
RPCSVR services cannot be configured in admin partitions.
After adding an admin partition, make sure you save the configurations on the default partition. Otherwise, the partition setup configurations will be lost on system reboot.
Admin partitions are not supported on FIPS appliances. However, owing to this issue, you can create admin partitions on FIPS appliances. You are advised against creating such partitions as they will not function properly.
The NetScaler appliance does not perform policy evaluation for traffic other than related to SSL and Load balancing configurations. As a result, the appliance does not create AppFlow records for these traffic.
A POST request with an attached word document is silently blocked by the application firewall for a customized application.
If the server sends less data than the amount specified in the Content-length header, the NetScaler application firewall might send a 9845 response and reset the connection.
In NetScaler 9.3, if there is a standalone application firewall license, the user is able to bind a classic application firewall policy to the load balancing virtual server. However, in NetScaler 10.1, the design is changed. If the load balancing feature is not licensed, binding a classic application firewall policy to the load balancing virtual server now results in an error message.
On a NetScaler appliance that has standalone application firewall license, when you bind a classic application firewall policy to a load balancing virtual server, an error message is displayed in the graphical user interface. The binding operation is successful. The error message is harmless and can be safely ignored.
The Graphical User Interface (GUI) for the NetScaler application firewall has significantly changed to provide enhanced user experience and remove browser plugin dependencies. The GUI steps in the current application firewall documents are in need of revision. Some of them do not match the new GUI display.
When the application firewall signature has upper case or mixed case characters in the name, the configured profile bindings for such a signature are not displayed in the signatures pane in the configuration utility.
The application firewall Graphical User Interface might display a warning when the Qualys signature file is uploaded to the NetScaler appliance. The transformation program that reads the input file is treating a warning message as an error.
Application firewall memory allocation failures might occur, when the integrated cache is also enabled and the memory usage limit for the cache parameter is set to a high value.
The application firewall learning engine is not able to connect to the packet engine in certain circumstances. When this happens, the aslearn process does not start and the application firewall learning functionality stops working.
The NetScaler appliance fails if you enable or disable the IP Reputation feature in any partition other than the default partition.
NetScaler Application Firewall Default Signature object now has rules that can be enabled to protect against Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169) which could allow arbitrary code execution.
When a NetScaler appliance is upgraded from a 10.1 build to a 10.5 build, the application firewall signature names are converted to all lowercase characters. If the name of the signature contains any uppercase character, the conversion affects the binding between profile and signature. Any attempt to modify either the profile or the signature object displays an error message in the configuration utility.
The application firewall learning engine stops recommending new rules when the learning database grows to approximately 20-22 megabytes in size. The database size limit is applied on a per profile basis.
The customer's application does not work when the application firewall is deployed to inspect the request for security check violations. When the application firewall forwards the request to the backend server, the server responds with a 403 HTTP error code, indicating that it cannot properly validate the CORBA session, and sends the page without the expected data in the form fields. The root cause is under investigation.
Workaround: Turn off form field tagging and credit card checks.
If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
In a high availability (HA) deployment with application firewall signatures configured on the NetScaler appliances, a file synchronization issue can lead to mismatched schema versions, which can affect signature management and functionality after a firmware upgrade to install a new build.
Workaround: If you have not yet upgraded your firmware, perform the first of the following procedures. If the firmware has already been upgraded, perform the second procedure.
Recommended procedure for upgrading the firmware in an HA deployment if application firewall signatures are configured
1. Before you upgrade the firmware, disable Signature auto-update (if set).
2. Drop into the shell from the CLI and delete the /nsconfig/updated_signatures.xml file (if present) from the primary appliance first, and then from the secondary appliance.
3. Proceed with the recommended HA rolling upgrade procedure
Recommended workaround if you have already done the firmware upgrade without the above steps and have encountered the issue
1. Drop into the shell from the CLI and delete the /nsconfig/updated_signatures.xml file from the primary appliance, and then delete it from the secondary.
2. On the primary, use the GUI to export all user-defined signatures from the primary and save them in a local file.
3. Unbind the signatures from the profile(s) if already bound.
4. Delete all user-defined signatures.
5. Use the GUI to import all the signatures that you saved in the local file.
6. Bind the signatures to the target profiles.
During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
If it is not, the screen shows only the following:
> show appfw JSONContentType
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
The cookie consistency behavior has changed in release 11.0. In earlier releases, the cookie consistency check invokes sessionization. The cookies are stored in the session and signed. A "wlt_" suffix is appended to transient cookies and a "wlf_" suffix is appended to the persistent cookies before they are forwarded to the client. Even if the client does not return these signed wlf/wlt cookies, the application firewall uses the cookies stored in the session to perform the cookie consistency check.
In release 11.0, the cookie consistency check is sessionless. The application firewall now adds a cookie that is a hash of all the cookies tracked by the application firewall. If this hash cookie or any other tracked cookie is missing or tampered with, the application firewall strips the cookies before forwarding the request to the back end server and triggers a cookie-consistency violation. The server treats the request as a new request and sends new Set-Cookie header(s).
The application firewall has memory limitations on the size of a WSDL that can be imported into the NetScaler appliance. The import operation might fail if the size of the WSDL file exceeds the allocated memory.
During synchronization and saving a system configuration, if Cache Redirection (CR) policy is configured before an audit message action, it results in an improper sequence of CR policy and audit message actions.
In a cluster deployment, if a request is received by a node other than the node on which the client request is received, a packet loop delays the response to the request.
Cisco RISE now supports the following commands:
- show rise param
- set rise param
Following is the usage of the set rise param command:
set rise param [-directMode ( ENABLED | DISABLED )] [-indirectMode ( ENABLED | DISABLED )]
The show rise param command displays the current setting. For example,
RISE-MPX-194-80> show rise param
DirectMode: ENABLED IndirectMode: ENABLED
RADIUS/TACACS remote server auditing does not work.
When WIonNS is deployed in a cluster setup, an error is thrown when you rename a service that points to the IP address of the cluster configuration coordinator.
When WIonNS is deployed in a cluster setup, an error is thrown if you change the IP address of the WI service to point to the IP address of the cluster configuration coordinator.
When a cluster is connected to more than one upstream router:
- When AS OVERRIDE is not configured on the upstream router, spare nodes will learn VIP routes from one of the routers, but they will be dropped as the path contains its own AS to prevent loop formation.
- When AS OVERRIDE is configured on any upstream router for cluster neighbors, upstream router will change AS path in VIP to its own AS while sending updates to cluster neighbors. Spare nodes will not detect any loop and learnt VIP routes are advertised to other routers.
Spare nodes will not advertise their configured VIP routes but there is no such restriction on BGP learnt routes.
When WIonNS is deployed in a cluster setup, if the service IP address is modified using the "set" command, the "show" command continues to display the previous IP address.
When a node is removed from a L3 cluster, IPv6 SNIP addresses and routes are being erroneously cleared from the appliance. This behavior is seen only for IPv6 entities. IPv4 SNIPs and routes are not being removed from the appliance.
When L2 mode and MBF is enabled in a cluster deployment, access to * 80 services can fail intermittently.
When you use the Net::SSH::Perl library, and execute a command where an argument has a @ character, the NetScaler gives an error message indicating that the argument does not exist.
For example, if you use the @ character in the tacacsSecret parameter of the following command:
> set authentication tacacsAction TACACS-0101 -tacacsSecret Sl4make5f0rd@enc5
Workaround: Use one of the following alternate approaches to execute the command:
- Use Net::SSH::Perl library and include double quotes around the command when calling $ssh->cmd().
- Use the Net::Telnet library.
- Use the Net::SSH::Expect library.
The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.
[#512526, 527066, 545578]
The NetScaler CLI exhibits the following issues on running the "show" and "stat" commands on a service group.
- When using the "show servicegroup -includeMembers" command: This command lists only one service per service group, although more than 1 service are bound to the service group(s).
- When using the "stat servicegroupMember <ServiceGroupName> <Service-IP-address> <port>" command: This command does not work if you specify the <Service-IP-address>. Instead, you must specify the <Service-Name>.
The subnet mask does not appear after an IPv4 address in the network visualizer.
You cannot upgrade to NetScaler 11 from the following builds by using the Upgrade Wizard of the NetScaler GUI:
- All builds of NetScaler 9.3
- All builds of NetScaler 10.1
- Any build before Build 57.x of NetScaler 10.5
Workaround: Use the command line interface to upgrade the NetScaler appliance.
A NetScaler appliance configured for DNSSEC offloading might fail because of a race condition that can occur when the appliance receives a DNS query for a type A record for a domain that also has a CNAME record, and the canonical name identifies a domain that is in the zone offloaded for DNSSEC processing.
In a deployment with heavy DNS traffic and many DNS cache entries, some entries in the cache might not get updated or deleted, even after the TTL expires.
GSLB force sync option fails, if the following conditions are met:
* The same load balancing (LB) monitor is bound to a GSLB service as well as other LB entities.
* The server IP address already exists in the slave node under non-GSLB entity (the entity with same server IP address but with different server name) and the master node tries to synchronize the configuration.
On a NetScaler appliance, the default memory allocation is 10 MB per partition. In certain use cases, the allotted memory might not be sufficient for adding the maximum number of entities. You can increase the memory allocation by using the following command:
set partition <partition_name> -MaxMemLimit <limit>
For example, To increase the partition memory allocation to 50MB, type:
set partition p1 -MaxMemLimit 50
If you rename a server associated with a GSLB service and then run the sync gslb command, the GSLB configuration might not synchronize with the other GSLB sites.
Workaround: Manually update the server name in the other GSLB sites.
In a typical GSLB deployment, when internal user logon is disabled, GSLB auto sync uses SSH keys to synchronize the configuration. In a partitioned environment, however, GSLB auto sync cannot use SSH keys to synchronize the configuration across the GSLB sites.
Workaround: To use GSLB auto sync in partitioned environment, enable internal user logon and make sure that the partition user name is the same at the local and remote GSLB sites.
If you upgrade a NetScaler appliance in a high availability (HA) setup to the latest build of the same release, HA synchronization and command propagation are disabled during the upgrade process. However, after both the appliances are upgraded to the same NetScaler software version, HA synchronization and command propagation are enabled automatically.
After an upgrade, Content Acceleration feature is not supported.
A NetScaler appliance fails multiple times after a cache parameter is enabled during an HA persistency test.
The IC memory once set for an admin partition, cannot be reduced. An appropriate error message is displayed.
For example, if the IC memory of admin partition is 10 GB, you cannot reduce it to 8 GB. The memory limit can however be increased to a required value.
When displaying the results of the "show lb monitor" command, the numbering of the user-defined monitors restarts from 1 instead of continuing the numbering from the list of built-in monitors.
IPV6 addresses are trimmed when data is retrieved from the packet engine because the prefix length variable is unset during the GET operation.
A subscriber cannot initiate more that eight simultaneous sessions.
If the state of the IPv6 service on which a client's persistent session is running changes to out-of-service, the session might lose persistence before the client's transaction is completed.
If a NetScaler appliance sending a DNSSEC negative response over UDP is not able to include the required records (for example, SOA, NSECs, and RRSIG records) in the Authority section, the appliance might send a truncated response in the wrong packet format.
When using the .NET SDK, the application cannot establish HTTPS connection with the NetScaler appliance. This is a result of some certificate validation issues.
When using the NITRO API to upload a file, make sure that each directory in the file path has the 755 (read, write, execute) permission.
For example, to upload a file to the "/nsconfig/ssl/" directory, the following directories must have the 755 permission:
- flash (because the "/nsconfig" folder is actually a link to "/flash/nsconfig/" directory)
Information published in eDocs states that NSG firmware v11.0 supports NSG Plug-in v10.1. This is misleading and should be corrected/maybe removed). NSG Firmware only supports v11.0.
The Surge protection feature cannot be configured in an admin partition. Since, surge protection parameters are part of the Change Global System Settings (System > Settings) dialog, when you try to update the global settings, the "Operation not supported" message is displayed.
If a policy is bound to or unbound from system global or the priority of the policy is modified, the changes are not reflected automatically. To see the current status, click the Refresh icon at the top right corner of the policy view. After you refresh the view, the policies display their bound status as well as their priorities.
[#452669, 391434, 453555, 453597, 478131, 479434, 481397, 502720, 573976]
An interface does not appear as tagged or untagged in the network visualizer.
The bridge group and VLAN association is not displayed in the network visualizer.
In the network visualizer, if you click a tagged interface that is part of two or more VLANs, only the VLAN at the top of the list of bound VLANs is highlighted.
In the NetScaler GUI, the page at System> Network > IPs does not display the Type for LSN NATIPs, and the value shown for Traffic Domain is incorrect.
Workaround: Run the sh nsip command to display the values in the command line interface.
Users with Microsoft User State Virtualization (roaming profiles + folder redirection + offline folder support) enabled on laptops are having issues using SSL VPN through NetScaler Gateway. Users without MS USV are working with SSL VPN without any issues.
If the STA service goes down, entries are not written to the ns.log/syslog, and SNMP traps are not sent.
If an End User License Agreement (EULA) is bound to the VPN virtual server, the EULA check box does not appear if the nFactor authentication is enabled for Gateway.
If Pre-Auth EPA is configured and the EPA Plugin is installed, the NPAPI prompts a "Launch Application" on "f_ndisagent.html" before the VPN Plugin installation is started.
The EULA feature of NetScaler does not work when Certificate Authentication is configured. EULA works fine with all other Authentication types on NetScaler Gateway.
si_Cur_Clints counter increments whenever we begin a transaction at virtual server, and decrements when the corresponding server transaction is completed. However, this counter does not seem to be decremented correctly resulting in incorrect statistics
The following EPA configuration is not supported on Linux NSGClient.
add preauthenticationaction <name> ALLOW
When the following command is configured on a NetScaler appliance, an empty CSEC string is sent to the client. As a result, browser plug-in or executable is terminated. "Error: Not a privileged User" is displayed and login is blocked.
This issue is seen on 64-bit machine.
When the icon decoupling feature is enabled, the NetScaler Gateway plugin also will quit upon a user issuing the quit command on the Citrix Receiver.
When authprofile and authentication are configured to enable load balancing, the NetScaler appliance displays the /VPN/ Index page when it should display the HTTP Error 401- unauthorized access message. This happens intermittently when forms authentication enabled load balancing is modified for 401 authentication.
When you navigate to Settings > Options > Account in an Outlook Web Access browser, the account information does not appear. This issue occurs on IE 10 and IE 11 browsers.
In the EULA and native client, some French characters do not render properly.
When set in the Authentication Profile of a load balancing virtual server that is behind a Unified Gateway, the Authentication Domain parameter will cause single sign-on to fail when the authentication is performed by a traffic manager in a different traffic domain.
On the Unified Gateway Dashboard, the ICA sessions counter increases when a Full VPN session is established. Although the ICA sessions counter is not configured to collect ICA data, the ICA sessions counter increases.
When using the Smart Control configuration, the ICASESSIONTIMEOUT feature is always enabled. There is not an option to disable it.
[#572386, 609191, 610841]
The NetScaler Gateway URL cannot be added to a Store with Receiver for Windows if only the SHA 384 cipher is enabled in the Receiver OS.
Customized pages are not loaded successfully in Internet Explorer. This is a known limitation of the browser. To get the customized page in IE, open developer tools by pressing F12. Browse to the NetScaler Gateway URL, and access the customized WebFront site. Customized pages are successfully loaded in Chrome.
The NetScaler Gateway client plug-ins will not decouple immediately for previously installed clients after the 'Show VPN Plugin-in icon with Receiver' option is enabled. Users needs to exit the plugin process and restart to complete the decoupling.
If a user adds multiple personal bookmarks with the same URL or fileshare address, but each bookmark has a different name, then deleting one bookmark will delete all of bookmarks with the same address.
The logo image does not display on the home page.
In a HA setup using the GUI wizard to install the WebFront package, we can select files from the local machine. These files get uploaded to /var/ folder in the primary. But they are not uploaded to secondary. The command fails on the secondary, and the package is not installed on it.
Manually, copy the files to the same folder in the secondary node to make it work.
When customizing a portal theme according to older processes, for example using the command "set vpn parameter -UITHEME CUSTOM" the administrator needs to copy the CSS files in the NetScaler shell. Because of the design changes for Portal customization in NetScaler Gateway 11.0, copying the CSS files is required. Complete the steps described in the documentation page at:
The following changes to the steps are needed:
After step 3,
4) At command prompt, type "cd /var/netscaler/logon/themes/ "
If you want to customize the Greenbubble theme, then
"cp -r Greenbubble Custom"
Or if you want to customize the Default theme, then
"cp -r Default Custom"
Now, you can make changes to files under "/var/netscaler/logon/themes/Custom"
Make edits to css/base.css
Copy custom logo to the /var/ns_gui_custom/ns_gui/vpn/media folder
Make changes to labels in the files in resources/ directory. These correspond to different languages.
Note: You can use WinSCP to transfer the files.
After all changes are complete for the files in "/var/ns_gui_custom/ns_gui"
At command prompt, type
"tar -cvzf /var/ns_gui_custom/customtheme.tar.gz /var/ns_gui_custom/ns_gui/*"
5. Use the configuration utility to switch to the custom theme.
The previous Step 5 is not required in NetScaler Gateway 11.0. Once changes are made to one appliance, they propagate to all appliances in HA or cluster configurations.
During VPN session removal, a crash occurs. It happens while detaching the VPN session policies, inherited from VPN virtual server, due to inconsistent data structures
The ICA-Proxy Session Timeout Termination does not work if the app is launched after the authentication session has timed out. If the session times out, or is removed before ICA file is launched, then this feature does not apply.
Currently, only one Gateway virtual server is allowed as a target behind the Content Switching virtual server. We do not allow multiple Gateway virtual servers to be bound to same Content Switching virtual server.
Users are blocked from sending Calendar invitations through the CVPN using owa2013. However, if the user inserts or attaches any type document, they are able to send a calendar invitation.
The install files (JRE and WF package) cannot be synced between the nodes.
The install files (JRE and WF package) have to be present in all the NSes and must be in the same location
A seamless Single Sign-On (SSO) to the same URL domain fails when a plug-in is launched in native mode.
The NetScaler appliance failed to detect the latest Chrome or Firefox browsers with OPSWAT EPA.
WebFront does not work with StoreFront 3.0. WebFront relies on NPAPI to interacting with the Receiver.
The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.
Endpoint analysis (EPA) does not start a security scan on the user's device, and the VPN session does not launch with the proxy configured on a Chrome browser.
The VPN plugin resets the tunneled TCP connection if either party tries to close the connection by sending FIN.
If certificate authentication is configured with renegotiation and if 'Deny SSL Renegotiation' is set to 'All', user connections fail. The 'Deny SSL Renegotiation' parameter must be set to 'No'.
To configure Deny SSL Renegotiation
1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Traffic Management and then expand SSL.
2. In the details pane, under Settings, click 'Change advanced SSL settings'.
3. Select 'No' for 'Deny SSL Renegotiation' and then click OK.
Two-factor off and username extraction is not working when SSL renegotiation is enabled.
Android devices prior to version 5.0, SSL renegotiation fails when TLS1.2 is enabled.
On Android 4.4.2.devices, after frequent network changes, the VPN session may disconnect. Until the device is rebooted, a new VPN session can not be established. Upgrading the Android version resolves the problem.
A selected certificate does not get saved when SSL renegotiation with two-factor authentication is enabled. The certificate does get saved when certificate authentication is enabled.
Certificate based authentication fails for devices running Android versions before 5.0. This is applicable if only TLSv1.2 is enabled on server.
Certificate authentication does not work from the CLI if the Client Authentication option is not set on the NetScaler Gateway Virtual Server. Using NSGClient, it only works if you do the following: enter Preferences/Configuration, enter the Password for the certificate, and log in.
The issue has been resolved except for the following case:
- When TwoFactor is set to OFF, and SSL Reneg is set.
The Linux NetScaler Gateway client fails to launch its system tray icon after installation in Ubuntu 14.04.
Root cause: Ubuntu has turned off whitelisting since version 13.10.
Steps to fix:
sudo apt-add-repository ppa:gurqn/systray-trusty
sudo apt-get update
sudo apt-get upgrade
Then logoff and log in again.
After login is successful from browser, the VIP URL changes to "localvip:8080".
The DNS resolution fails when connecting a VPN to NetScaler 11 using a MAC.
End users are unable to access some versions (builds) of Outlook Web Access 2013 through NetScaler Gateway after the 11.0.63.x. firmware upgrade.
The NetScaler appliance is not able to connect a Mac computer to the VPN if only SSLv2 is enabled.
During login, the icon present in the dock is changed to the previous version's icon. After the login process is finished, the icon changes to the new icon.
Workaround: Quit the plugin and restart it. The new icon shows normally during the login process.
Internet Explorer shows signature of file is invalid or corrupt when a user downloads EPA or VPN plugin. Users are advised to use a different browser (like Firefox or Google Chrome) for downloading and installing EPA or VPN plugin. After installation, users can use any browser without issues.
The NetScaler appliance was enhanced to support binding a VPN virtual server. It is the default virtual server for content switching.
If you are using IE11 to configure CVPN, security may be compromised when using non-secure sources on a HTTPS page.
If user logs into lower level Traffic Management (TM) vserver and then access ActiveSync on a higher level TM vserver, then despite presenting authorization header, users get 401 prompt. A workaround of using same level TM is recommended.
When logging in from Chrome (with NPAPI disabled) and the plug-in is installed (old plugin that doesn't know the new custom URL implementation) in the machine and is not running, you are prompted to Download instead of auto-upgrade.
The DNS resolution fails through NetScaler Gateway/Plugin when the clients has IPv6 enabled on the adapter, and ISP provides the IPv6 DNS address on the IPv6 stack.
After upgrading to 11.0 from 10.5, users with expired passwords are given the option to change their password despite employing the LDAP plain text policy.
If accessing full OWA through the CVPN, the following options are not rewritten on the NetScaler Gateway Server:
- Set Automatic Replies
- Manage Apps
- Change Passwords
The NetScaler appliance crashes when the corrupted NSB structure member is de-referenced.
The global settings for the graphical user interface are not shown correctly.
The NetScaler AAA daemon can fail during authentication. The error message "kevent: errno =12" was issued under stress conditions when the RADIUS user accounting is turned on. The failure is due to the system limit being reached with respect to timers.
The workaround for this is to increase the system limit for the timers.
After you bind a NetProfile to a DTLS virtual server, DTLS connections between a client and the NetScaler Gateway virtual server might fail at the DTLS handshake stage.
Workaround: Unbind and rebind the SSL certificate-key pair on the NetScaler Gateway virtual server.
The computer termination happened because the server-info corresponding to WI-Home configuration was freed and reused.
[#597647, 593724, 606509, 624072]
The receiver redirects to the URL page after Profile installation.
Web applications do not show the complete name of the bookmark. The VPN URL supports 32 characters, but the portal homepage only supports 8~11 characters.
If 200 or more user access the VPN, it slows to an unacceptable level.
End Point Analysis (EPA) scan to check if the Windows update agent is enabled/disabled fails intermittently.
The connection to Xen Desktop fails when going from external network via Access Gateway on the NetScaler appliance.
If you create a new password that does NOT meet the minimum requirements or use a recent password again.The error message States: Password Expired. Please Enter a new Password.
The Expected error message should be the following: Could not update your password.
The password must meet the length, complexity, and history requirements of the domain.
This issue only occurs if there is more than one policy bound on the Gateway in cascading format. If one of the policies are removed, then the error message is correct.
The Tomcat server fails intermittently after installing Web Front.
NetScaler Gateway will not sync the sessions between the primary and secondary in a HA pair, during rolling upgrade, if one of the appliances is running 11.0-64.x and the other one is running 11.0-65.x.
A device crashed and rebooted. The cause is under investigation.
[#485780, 565487, 571924]
Portal Customization: customization changes take a maximum of 120 seconds to reflect on the browser due to the Integrated Caching feature that polls for updated Gateway resources every 120 secs.
When Unified-Gateway is deployed with GSLB configured with sitePersistence as ConnectionProxy, then access to published applications with -ssotype selfauth will not work when the connection is proxied from one site to another.
Two NSC_AAAC cookies are seen when a request is sent by a Client to the VIP. The value is the same for both cookies. One cookie is for FQDN; the other cookie is for the domain.
Two NSC_AAAC cookies are no longer seen after the version 11.0 beta.
When Unified Gateway is deployed with seamless SSO enabled for virtual server authentication, then the authentication servers and policy realms bound at the authentication virtual server will be ignored. Instead, those authentication policies at Gateway are utilized for authentication. Authentication policies at the authentication virtual server are used when step-up authentication is configured using authentication profiles. Increasing the authentication profile's "authentication level" is the method used to step-up authentication.
Active user sessions GUI view shows Client IP as 0.0.0.0 and Server IP as 0.0.0.0 in the first row of each active user session.
[#447670, 504936, 521963, 571041, 585030, 586840]
If NetScaler Gateway is configured with Pre-authentication End Point Analysis and Client Certificate Authentication policy, the policies configured with REQ.SSL.CLIENT.CERT expression does not evaluate to true.
DTLS is currently not supported as a Unified Gateway feature.
Once the Unified Gateway wizard completes, it does not enable the SSO for the session action, bound to the newly created VPN virtual server. Also, the NT Domain is not set. Manually, go to the session action and configure both, the SSO parameter and the NT Domain to achieve Single Sign-on.
The wizard does not support the creation of two Intranet Application type seamless SSO URLs using same LB with different site relative string.
The NetScaler Gateway Client icon in Launchpad is not updated with the new client installation. Launchpad continues to show the previous Black Lock icon even though the new Blue Lock icon is shown elsewhere in the Finder. This happens because the Finder caches application icons and their aliases. As a result, the Launcher does not update the alias icon when the application's icon has been changed.
Workaround - Clear the Finder's icon cache using following article's instructions: http://apple.stackexchange.com/questions/151549/symbolic-link-icons-dont-update (requires reboot) OR modify the application aliias name in /Applications/Citrix by adding few spaces (minimum two).
In NetScaler Insight Center, the Postgres database might become unresponsive if there are any hardware related faults in the Insight Center system.
If NetScaler Insight Center does not get a connection closure update for a particular connection ID, and the ID is reused, the source IP address of the previous connection might be displayed.
If you define an application in the CloudBridge application classifier that contains a colon (":") in the name, it is not exported correctly to the AppFlow collector.
If you change the GUI access setting from HTTPS (the default) to HTTP, NetScaler Insight Center might not display CloudBridge reports.
On the NetScaler Insight Center dashboard, the latency values displayed on the graph and the network topology diagram might not match due to time synchronization issues.
The current-connection details displayed on the NetScaler Insight Center dashboard have a latency of about 2 minutes.
Gateway Insight does not provide a summary view for ICA Desktops, although it does provide a summary view of ICA Applications.
If you export CSV files of WAN Insight reports, many of the fields in the CSV files might be empty.
To generate HDX Insight reports in a Netscaler Gateway deployment in which a content switching virtual server is bound to a VPN virtual server, a valid SSL certificate must be bound to the VPN virtual server, and the virtual server must be UP.
Any port other than 1494 and 2598, that needs to be considered as an ICA or CGP port, needs to be explicitly configured as a global ICA port to get the HDX Insight LAN user configuration working.
NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
NetScaler Insight Center displays the latency value between two hops as 0 ms, though the minimum latency value is 1 ms.
If you perform a factory reset on a CloudBridge SDX appliance that is included in the Netscaler Insight Center Inventory, the CloudBridge accelerator instance gets locked out and provisioning fails.
If you upgrade NetScaler Insight Center to release 10.5, build 55.8xxx.e, the compression ratio values are displayed as -NA-.
Geo report is only available for daily, weekly, and monthly reports for Web Insight.
Feature NetScaler Insight Center
If you access a NetScaler Gateway appliance by using the IP address instead of the FQDN, single sign-on (SSO) fails, and NetScaler Insight Center fails to display Gateway Insight reports.
Insight Agent should only be added after configuring and deploying Insight DB Cluster.
In a Scale-out deployment, after two or more days of receiving heavy traffic, the NetScaler Insight Center dashboard might stop displaying reports.
Workaround: Restart any of the connectors or database nodes. After all the database nodes and connectors are restored to service, restart the NetScaler Insight Center server, and then restart the agent.
In NetScaler Insight Center, some countries are not displayed on the Google geo chart.
Adding a new data node is now driven by Auto Registration. When a kernel is imported, it requests for input from user and does an auto registration with the Insight Server. This allows the Insight Deployment Manager GUI to display the same. Removing a datanode is not presently supported.
[#543632, 565706, 567628, 570264]
In Security Insight, there might be a delay in receiving the safety profile configuration data for some applications.
Hiding or displaying a URL, and some configuration changes might take longer than expected.
If Appflow for ICA is enabled on a NetScaler appliance, fragmented ICA packets might cause the appliance to become unresponsive under some traffic conditions.
If the ICA Rtt column is the column in extreme left of the session details table, the pop-up box gets cropped in display.
Security Insight might display an incorrect total-violations count for some applications, because of a delay in receiving the safety profile configuration data.
The size of the graphs displayed by NetScaler Insight Center is not consistent.
Gateway Insight displays the Total Byte count as 0 for remote users who have logged on to the NetScaler Gateway appliance but have not launched any application.
When Web Insight displays URL records, the maximum size of a URL is limited to 1472 bytes.
HDX Insight reports are not generated for Linux VDAs.
Gateway Insight does not report DNS lookup failures.
If you have configured the ICA session timeout value to a high value, say 10 minutes or more, and there is no traffic flow from the NetScaler appliances, neither the timeline chart nor the tabular chart displays any data. However, the Active sessions and Active Desktops columns display the data until the ICA session timeout occurs.
In NetScaler Insight Center, the Google geo chart sometimes does not display all regions.
In NetScaler Insight Center, email notifications about client and server reports are always sent in PDF format.
If you enable the Appflow feature for ICA traffic on a NetScaler appliance running release 11.0, build 64.x, the appliance might become unresponsive.
In NetScaler Insight Center, export functionality is not supported in Security Insight.
Gateway Insight might fail to report session and application information for some ICA applications.
If you log on to a Netscaler Gateway appliance that is deployed in a full tunnel mode and access numerous URLs and IP addresses, Gateway Insight reports these URLs and IP addresses as Applications on the Application tab.
The HDX Insight dashboard might display the host delay value for XenDesktop 7.5 as zero.
A memory leak occurs when a responder or ICA action has blocking expressions (for example, stream analytics, HTTP callout) and body or payload based expressions.
[#598252, 623764, 624637, 624759, 629247]
In SDX systems, sometimes interface or channel binding to a VLAN fails. This happens only if the interface is down or one of the member interfaces of a channel is down.
On adding many VPX instances, you may hit the default cache memory limit which could result in unexpected behavior.
Workaround: Increase the default cache memory limit.
If you are upgrading NetScaler SDX 11.0 beta to NetScaler SDX 11.0 GA, then the information displayed on the screen is not proper. This does not affect the upgrade process.
Certificates and keys uploaded by the nsroot user can be used by any administrative domain user.
Updated Encryption Method
The management service now uses the SHA512 encryption method to encrypt the nsrecover passwords stored on the SDX appliance.
Changing interface Base MAC to a new MAC from the management service will not happen on 10G interface.
NetScaler cluster on a NetScaler SDX appliance does not support Jumbo Frames.
If you configure Jumbo MTU with MTU greater than 1500 on an interface which is used by cluster nodes or instances on NetScaler SDX, the management service does not display any error and also the Jumbo MTU functionality does not work.
When adding or removing 10G interfaces from a channel, one of the interfaces may intermittently fail to get initialized on the NetScaler virtual appliance.
Note: This issue cannot be reproduced consistently.
In rare circumstances, a NetScaler VPX instance deployed on Microsoft Azure cloud can dump kernel core after a warm restart.
The NetScaler VPX appliance is now supported on VMware ESX server version 6.0.
A NetScaler VPX instance that is deployed on the Hyper-V may crash or unexpectedly reboot if it uses three or more virtual interfaces in the VPX instance.
[#467734, 469552, 471601, 476833, 484210, 489880, 587441, 595651, 597960, 611879, 620079]
In a Unified Gateway deployment, if the first policy that's configured in an authentication cascade is SAML, the user is taken to the NetScaler logon page instead of to SAML IDP. Redirect to SAML IDP happens after authentication on NetScaler fails. To redirect the user to SAML IDP, the administrator must configure a load balancing virtual server with a SAML configuration similar to that of a classic AAA-TM deployment.
The NetScaler appliance might fail if secure management access (HTTPS) is enabled on a SNIP6 address that is configured for a traffic domain.
An active FTP connection might get reset for no apparent reason, regardless of the state of the random source port.
[#507908, 609496, 611357, 615638]
A TCP connection involved in INAT times out at 120 seconds, regardless of what global timeout value you set for TCP client and server connections. For example, the connection times out at 120 seconds even after you run the following command:
set ns timeout -anyTcpClient 50 -anyTcpServer 50
If you configure an INAT rule with the useproxyport parameter disabled, connections to the server fail if the source port is in the reserve port range (0-1023).
For an RNAT connection, the NetScaler appliance drops the first packet that the server sends to the client.
In a cluster environment, vPath encapsulation may fail when MAC based forwarding is enabled.
RNAT source IP persistency is not supported on a virtual server configured for link load balancing.
In an active-active high availability configuration using Virtual Router Redundancy Protocol (VRRP) protocol, a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
In a high availability (HA) setup, high latency might occur during configuration synchronization, resulting in some configurations not getting synchronized to the secondary node. In this situation, an HA failover results in loss of configuration.
For a NetScaler MPX 115xx series appliance, the configuration utility and the command line interface do not display the type of small form-factor pluggable (SFP) transceivers for 10G interfaces.
Workaround: Restart the appliance.
With heavy traffic, some MPX 7500 appliances might either spontaneously restart (MCE panic) or become unresponsive. In extreme cases, you might have to power down and restart the appliance.
MPX-9500 and MPX-10500 systems can also be affected.
[#615476, 616057, 625303]
Interfaces on NetScaler VPX appliances are not hot-pluggable, except on NetScaler VPX appliances running on Amazon AWS.
Workaround: Shut down the NetScaler VPX appliances before adding or deleting the interfaces.
If you add an NTP time server by specifying the server name (host name), and the ns.conf file is very large, the result is a race condition in which the NTP daemon (NTPD) is started before host name services are ready.
Workaround: Do one of the following:
-Restart the NTP daemon after starting the NetScaler appliance.
-Add the NTP server by specifying the IP address of the server instead of specifying the host name.
The command for configuring a content filtering action is being saved in a wrong order in the ns.conf file. Service is a mandatory parameter for adding a add content filtering action, but the add content filter action command is saved before the command that adds the service. As a result, when the build is upgraded, the content filtering action is not configured as required.
If you try to add a certificate bundle with the complete path to a certificate-bundle file, an error message appears. For example,
> add ssl certkey bundle -cert /nsconfig/ssl/bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES
ERROR: Processing of certificate bundle file failed.
Workaround: Specify only the file name. For example,
> add ssl certkey bundle -cert bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES
If importing a certificate-key file fails because of a wrong file, and you run the command again with the correct file, the operation fails and the following error message appears:
"ERROR: Import failed. Another resource with the same name being processed"
Workaround: Import the file with a different name.
FIPS keys that are created on firmware version 2.2 are lost after you downgrade to firmware version 1.1.
Workaround: Export the FIPS keys before you downgrade the firmware. Import the FIPS keys after the downgrade.
In both, default or admin partitions, when trying to import a password-protected key file, you get an error indicating that the key file is invalid. This error occurs because the NetScaler cannot import such key files.
If you bind a certificate-key pair to a DTLS virtual server, the following incorrect error message might appear. Ignore it. No usable ciphers configured on the SSL vserver
Server Name Indication (SNI) is not supported on a DTLS virtual server. However, if you enable SNI on a DTLS virtual server, an appropriate error message does not appear.
If you use the add crl command in release 9.3 to add a certificate revocation list (CRL) with refresh enabled, and you don't specify a method, the add crl command returns an error after an upgrade to a later release. Unlike 9.3, later releases do not have a default method.
Secure renegotiation using SSLv3 protocol fails on MPX-FIPS appliances running firmware version 2.2.
A certificate signing request (CSR) created by using the configuration utility might not be usable if you have not specified a common name.
Even though the clientAuthUseBoundCAChain parameter can be enabled and disabled in the backend profile, it is supported only on the front end profile.
Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols incorrectly appear as enabled by default on an SSL virtual server.
Workaround: Disable TLS1.1/1.2 explicitly on the virtual server.
After an upgrade, a system user is unable to log on to a NetScaler appliance.
After the 11.0 upgrade, frequently the secondary node becomes unreachable and goes into an 'unknown' state. The NetScaler appliance must be rebooted from the LOM to get back connectivity.
[#609401, 601816, 616054]
The initial client connection on the NetScaler appliance might fail if a wildcard virtual server is configured and the useProxyPort option is disabled globally on the appliance.
In previous releases, evaluation of an interface-based expression was based on the information available in the connection block as well as the information available in the individual frame. Now, only the information in the frame is considered, and this information can change during the course of a transaction. As a result, the evaluation might be incorrect.
Workaround: Use VLAN-based expressions instead.
Connection failover might fail, if it is enabled on virtual servers that have the same IP address and port, but different listen policies.
The updated host name for a NetScaler appliance does not appear on the LCD panel until after the appliance is restarted.
For a client connection to a TCP virtual server, the NetScaler appliance incorrectly decrements the current number of client connections counter even when the TCP connection is terminated before the 3-way handshake is completed. The appliance incorrectly displays a large positive number of client connections even when there are no clients connected to the virtual server.
In an Openstack Environment, if a custom flavor with an Ephemeral Disk of Size of less than 8GB is used to a start a NetScaler VPX or Cisco Nexus 1000v instance, the config drive is not attached to the instance.
A NetScaler appliance fails when an MPTCP subflow receives an Infinite DSS mapping in a partially retransmitted packet.
FTP connections through a TCP wildcard virtual server on the NetScaler appliance might fail for one of the following reasons:
- A mismatch in TCP parameters is preventing the appliance from reusing the probe connection.
- The server is sending data before the client-side TCP connection is established.
In a high availability setup, command propagation and configuration synchronization using secure RPC might fail if SSLv3 and TLS1.0 protocols are disabled for SSL internal services.
On a NetScaler VPX appliance provisioned on Microsoft Hyper-V servers, if more than 4 interfaces are assigned to the appliance, the interfaces might get scrambled and appear in a different order in both the NetScaler command line and the NetScaler GUI.
In a DS-Lite configuration with a server behind the B4 device, the NetScaler appliance does not properly process FTP packets that have the following set of characteristics:
* Are from clients on the Internet
* Are destined to the server
* Match DS-Lite static NAT maps configured on the NetScaler appliance
For a DS-Lite configuration with more than 90 million sessions, the NetScaler appliance might fail if you remove LSN pools.
In a Large Scale NAT deployment, the NetScaler appliance does not generate and send an ICMP error message to the subscriber in the event of a port allocation failure.
If the provisional response to a SIP REGISTER message does not contain an expiry value, the NetScaler appliance drops the message.
Where there are over 140K SIP calls over UDP, the NetScaler appliance can fail during ALG processing.
In the output of the "show lsn sipalgcall -callid" command, the port value of the SIP control channel is incorrect.
An RTSP request might be logged on two different Syslog servers.
In an LSN deployment, FTP over Jumbo interfaces might not work.
If a SNIP address is added to subnet other than the one that includes the NSIP address, loop-back services go down.
Since the install wi package command takes more than usual time to complete, it is not possible to return the status from other nodes. Hence it is required that all the WI related packages, that is, JRE+WI be present on system on the same path for all the nodes.
If the NetScaler appliance is upgraded from version 10.1 to 10.5 and the maxSite setting of WIonNS is 3, the system does not have sufficient memory to handle 5000 users accessing WIonNS.
The NetScaler appliance does not support an outbind operation. That is, the appliance does not support an operation in which the message center initiates an SMPP session to an ESME.