Release Notes for Citrix ADC 13.0-47.24 Release

This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the Citrix ADC release 13.0 Build 47.24.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous Citrix ADC 13.0 releases.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the Citrix ADC team.
  • Build 47.24 replaces Build 47.22.
  • Build 47.22 includes the fix of CGOP-11856 issue.

What’s New

The enhancements and changes that are available in Build 47.24.

Citrix Gateway

  • Support to filter user certificates

    To filter certificates used for user certificate authentication, administrators can configure the following registry with comma separated list of CAs:

    “HKLM\SOFTWARE\Citrix\Secure Access Client\UserCertCaList”

    [ CGOP-11856]

Fixed Issues

The issues that are addressed in Build 13.0-47.24.

AppFlow

  • In HDX Insight, uptime for terminated sessions displays actual session uptime regardless of selected Interval.

    [ NSHELP-21380 ]

Authentication, authorization, and auditing

  • A Citrix ADC appliance skips evaluating further groups for a user in the following conditions:
    • A user is a direct member of the nested group.
    • A user is already a member of previous level groups.

    [ NSHELP-21945 ]

  • In a Citrix ADC high availability and cluster setup, a delay in freeing the memory space leads to piling up the memory.

    [ NSHELP-21917 ]

  • A Citrix ADC appliance might crash during audit logging if the user authentication is prompted with an extra sign-in request such as a password change or a RADIUS challenge.

    [ NSHELP-21703 ]

  • A Citrix Gateway appliance configured as SAML IdP for Workspace login might occasionally return an HTTP 404 error during logout.

    [ NSHELP-21650 ]

  • A Citrix ADC appliance might crash in the connection cleanup if the following conditions are met:
    • Traffic is routed from a VPN setup.
    • SSO is in progress.
    • Rare timing issue closing a client connection.

    [ NSHELP-21504 ]

  • A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.

    [ NSHELP-21406 ]

  • A Citrix ADC appliance configured as a forward proxy does not allow NTLM authentication with HTTP 1.0 clients.

    [ NSHELP-21349 ]

  • In rare cases, a Citrix Gateway appliance might crash when an invalid HTTP packet is received.

    [ NSHELP-21342 ]

  • A Citrix ADC appliance using an NTLM protocol cannot perform SSO for the Messaging Application Programming Interface (MAPI) clients.

    [ NSHELP-21270 ]

  • A Citrix ADC appliance might crash during authentication, authorization, and auditing when a packet engine generates a duplicate session removal response.

    [ NSHELP-21172 ]

  • A Citrix ADC appliance deployed as SAML might occasionally fail to perform SAML based logout.

    [ NSHELP-21093 ]

  • The nFactor Flows page on the Citrix ADC GUI does not open with Internet Explorer.

    [ NSHELP-21065 ]

  • In rare cases, the Citrix Gateway appliance might fail when users are challenged for a one-time code.

    [ NSHELP-20967 ]

  • A Citrix ADC appliance might fail in the following circumstances:
    • Citrix ADC appliance configured with OAuth or SAML IdP actions along with refreshing metadata information from an external source.
    • The configuration is changed while data is fetched from the external source or if authentication is in progress. The same issue is observed when you run a clear config command.

    [ NSHELP-20646 ]

  • When the active sync client sends a HEAD request, the Citrix ADC appliance does not authenticate the 200 OK response.

    [ NSHELP-20125 ]

  • Protocol switching from HTTP to WebSockets fails when SSO is configured on a Citrix ADC appliance.

    [ NSAUTH-6354 ]

  • If you edit the authentication virtual server using the “End-to-end login test” or “Test End User Connection” options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.

    [ NSAUTH-6339 ]

Citrix ADC SDX Appliance

  • When you add an LDAP server under SDX GUI > Configuration > System > Authentication > LDAP, special characters used in form input text box are not decoded before getting displayed. And, the “&” character in the Base DN field is replaced with “&amp;”.

    [ NSHELP-21488 ]

  • After you upgrade the SDX appliance to release 13.0 any build, Citrix ADC instances provisioned without management interfaces (0/1, 0/2) become inaccessible.

    [ NSHELP-21412 ]

  • If you try to restart multiple VPX instances simultaneously, running on an SDX appliance, the channel and data interfaces for VPX instances disappear from the SDX Management Service.

    [ NSHELP-21124 ]

  • After you upgrade an SDX appliance, the SDX Management Service might not list ethernet interfaces. This happens if the post install process part of the upgrade is not successful.

    [ NSHELP-21068 ]

  • On an SDX appliance, you might occasionally see events with high CPU usage. This spike is seen because appliance backup is a CPU intensive process. The high CPU usage is temporary.

    [ NSHELP-21063 ]

  • The appliance loses the interface details when more than three instances are selected for reboot or shutdown.

    [ NSHELP-21040 ]

Citrix Gateway

  • The Windows VPN plug-in crashes if the plug-in client’s language is set to Chinese.

    [ NSHELP-21946 ]

  • The Citrix ADC appliance might crash when configured for Advanced Clientless VPN.

    [ NSHELP-21819 ]

  • After an upgrade of Citrix Gateway to release 13.0 build 47.24, DNS resolution through VPN tunnel fails as the local DNS server responds with a false positive.

    [ NSHELP-21794 ]

  • The Enterprise Web apps might display an error if the cookies were set and expire at the same time.

    [ NSHELP-21772 ]

  • The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.

    [ NSHELP-21763 ]

  • The Intranet Application bindings to the authentication, authorization, and auditing group are lost when you restart the Citrix ADC appliance after upgrading to release 13.0 build 47.x.

    [ NSHELP-21733 ]

  • You cannot access links that start with 1https or 0https.

    [ NSHELP-21469 ]

  • You cannot launch an application using advanced clientless VPN through bookmarks if the clientless VPN application’s POST body contains html encoded ‘ (single quotes) or “ (double quotes).

    [ NSHELP-21361 ]

  • Citrix Gateway VPN plug-in might take a long time to establish a tunnel to a machine if proxy PAC file is not reachable.

    [ NSHELP-21355 ]

  • In some cases, Citrix Gateway dumps core if the following conditions are met:

    • EDT Insight functionality is enabled for the Citrix Gateway appliance.
    • The appliance receives an out of order CGP BINDRESP packet from VDA.

    [ NSHELP-21296 ]

  • On some machines, the EPA prompt window buttons (YES, NO, ALWAYS) do not appear on the EPA plug-in screen.

    [ NSHELP-21276 ]

  • In a Citrix Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Citrix Web App Firewall global.

    [ NSHELP-21254 ]

  • If you have configured clientless VPN (CVPN) on Citrix Gateway, the appliance might crash because of erroneous rewrite handling.

    [ NSHELP-21244 ]

  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

    [ NSHELP-21184 ]

  • If two or more client machines try to establish a VPN tunnel connection to the same gateway, the ping connectivity from one client machine to another machine fails.

    [ NSHELP-21169 ]

  • Sometimes, the Citrix ADC appliance might crash during transfer login.

    [ NSHELP-21134 ]

  • Users cannot log on to Citrix Gateway if the VPN virtual server host name contains “cvpn” in its name.

    [ NSHELP-21119 ]

  • If you have configured advanced clientless VPN access, SAP application bookmarks cannot be viewed properly if encoding, such as (‘x3a’ or ‘&%23x3a’ for ‘:’), is used in the Enterprise Web apps.

    [ NSHELP-21072 ]

  • The Citrix ADC appliance might crash and dump core if the memory allocation for client and server process control blocks fails.

    [ NSHELP-20961 ]

  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.

    [ NSHELP-20825 ]

  • In a Citrix Gateway high availability setup, the secondary node might crash if no policies are configured and you upgrade the node from release 12.0 to release 13.0.

    [ NSHELP-20790 ]

  • When the backend servers are not accessible, clients run out of connections and no new connections to the back end are successful.

    [ NSHELP-20535 ]

  • A Citrix Gateway appliance configured for ICA Proxy might sometimes crash.

    [ NSHELP-20478 ]

  • In some cases, the external facing Citrix Gateway in a double-hop deployment with ICA Insight enabled, dumps core for a particular network traffic pattern.

    [ NSHELP-19487 ]

  • You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.

    [ NSHELP-19221 ]

  • After an upgrade of Citrix ADC and gateway plug-in to release 13.0 build 41.20, users experience continuous blue screen of death (BSOD) error when trying to set up the VPN tunnel.

    [ CGOP-12099 ]

Citrix Web App Firewall

  • The Citrix ADC appliance blocks Closure URLs after two minutes if URL closure protection is enabled.

    [ NSWAF-3292 ]

  • A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.

    [ NSHELP-21283 ]

  • A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.

    [ NSHELP-21220 ]

  • The Citrix ADC appliance might crash because of memory failure if the Citrix Web App Firewall feature is enabled.

    [ NSHELP-21201 ]

  • A Citrix ADC appliance might crash because of memory allocation failure.

    [ NSHELP-21071 ]

  • A Citrix ADC appliance resets the connection if an incoming GWT request has a query string in the URL.

    [ NSHELP-20564 ]

  • After an upgrade from build 12.0-58.15 to 12.0-62.8, the URL transformation feature is not working for some URLs. The issue is caused by incorrect canonicalization when rewriting URLs.

    [ NSHELP-20460 ]

  • A Citrix ADC appliance might crash if you use a slow FTP/HTTP server to download signatures and if the download time is more than 10 minutes.

    [ NSHELP-18331 ]

Load Balancing

  • The Citrix ADC appliance might crash during GSLB synchronization. This issue occurs when the “set gslb service” command is executed on a non-existent GSLB service.

    [ NSHELP-21304 ]

  • After connection failover, when the secondary appliance becomes the new primary appliance, packet loss is observed.

    [ NSHELP-21155 ]

  • When you execute the set service command, the following error message is displayed:
    “IP Address cannot be set on a domain based server.”

    This error message is displayed when the server is configured with a name greater than 32 characters.

    [ NSHELP-20939 ]

  • For a GSLB setup in a cluster, when you run the set rpcnode command, the Source IP address in a RPC node changes to the NSIP address. Therefore, GSLB uses the NSIP address instead of SNIP address while initiating a MEP connection.

    [ NSHELP-20552 ]

  • In a cluster setup, when you execute the “unset lb vserver test -redirectFromPort” command, the HTTP redirect port for load balancing virtual server does not get cleared from the database.

    [ NSHELP-20518 ]

  • The Citrix ADC appliance might crash when persistence is enabled in the IPv6 high availability setup.

    [ NSHELP-20219 ]

Miscellaneous

  • In a compound URLSet expression such as .URLSET_MATCHES_ANY(URLSET1 || URLSET2), the “Urlset Matched” field in an Appflow record reflects only the state of the last evaluated URLSet. For example, if the requested URL belongs only to URLSET1, the URLSet Matched field is set to 0, although the URL belongs to one of the URLSets. As a result, the URLSET1 changes URLSet Matched field to 1 but the URLSET2 sets it back to 0.

    [ NSSWG-1100 ]

  • URL filtering categorization fails if an incoming URL has a double slash after the domain name. The “http://” scheme is prepended. For example, www.example.com//index.html

    [ NSSWG-1082 ]

  • The following behavior is observed in a Citrix ADC appliance and Citrix Gateway:
    • Citrix ADC appliance might become unresponsive when deployed as a proxy and SSO is enabled for the back-end applications.
    • The same behavior is observed in Citrix Gateway with outbound proxy configuration.

    [ NSHELP-21437 ]

  • The Citrix ADC appliance might crash intermittently if device watchdog request (DWR) probing is enabled for Policy and Charging Rules Function (PCRF), and the PCRF becomes unreachable.

    [ NSHELP-20827 ]

  • When you execute the show techsupport -scope cluster command, the following error is displayed for all the Citrix ADC SDX appliances:

    This is a low bandwidth instance

    [ NSHELP-20666 ]

Networking

  • A Citrix ADC BLX appliance with DPDK support fails to start and dumps core if DPDK is misconfigured (for example, if hugepages are not configured) on the Linux host.

    For more information on configuring DPDK on a Linux host for Citrix ADC BLX appliance, see https://docs.citrix.com/en-us/citrix-adc-blx/13/deploy-blx/deploy-blx-dpdk.html

    [ NSNET-11349 ]

  • A Citrix ADC BLX appliance fails to start because of DPDK misconfiguration (for example, if hugepages are not configured) on the Linux host. You need to run the start command (systemctl start blx) twice to start the Citrix ADC BLX appliance.

    [ NSNET-11107 ]

  • sh IP BGP summary command on the VTYSH command line incorrectly displays the 32 bit ASN values as negative values.

    [ NSHELP-21234 ]

  • On a Citrix ADC appliance, management connections to IPv6 Subnet IP addresses might get reset when you perform the clear config basic operation.

    [ NSHELP-21206 ]

  • During the set partition operation, the maximum memory of the partition is now increased up to NS_SYS_MEM_FREE() only. Earlier, it was increased up to the maximum memory available so that the configured partition is not lost after rebooting the Citrix ADC appliance.

    [ NSHELP-21159 ]

  • Citrix ADC fails to install the Intermediate System to Intermediate System (IS-IS) next-hop because of missing authentication (AUTH) information on the received large Link State PDUs (LSPs).

    [ NSHELP-21062 ]

  • After a system restart, the Citrix ADC appliance advertises routes with a reduced metric for 180 seconds.

    [ NSHELP-20842 ]

  • The FTP data connection in passive mode becomes unresponsive during MAC mode transparent virtual server deployment.

    [ NSHELP-20698 ]

  • The Citrix ADC appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.

    [ NSHELP-20545 ]

Platform

  • When you warm reboot the Citrix ADC VPX appliance, the subscription licenses might be lost under the following conditions:

    • Using Elastic Network Adapter (ENA) based AWS instances types: C5, C5n, M4, and M5.
    • Enabling ENA interface on existing supported AWS instances.

    [ NSPLAT-13467 ]

  • Tx stalls can occur on Citrix ADC MPX appliances that use 10G IXGBE ports and Citrix ADC SDX appliances that use 10G IXGBEVF ports.

    [ NSPLAT-13338 ]

  • Support for new Citrix ADC SDX hardware platforms

    This release now supports the following new platforms:

    [ NSPLAT-12815 ]

  • After upgrading Citrix ADC SDX 8900 and SDX 15000 50G appliances to version 11.1 63.9, 10G NICs do not appear on the appliances. This issue prevents the VPX instances from booting up. As a result, the instances become unreachable.

    [ NSPLAT-12093 ]

  • In some cases, when you restart one or more VPX instances on a Citrix ADC SDX appliance containing Fortville NICs, LACP on the interfaces might go to the ‘defaulted’ state.

    [ NSHELP-21091, NSHELP-20769, NSHELP-23159, NSHELP-23191 ]

  • In some cases, the SDX 14000 appliance might become unresponsive and needs reboot.

    [ NSHELP-21017 ]

  • In the VPX deployment on Cisco CSP 2100 platform, occasionally packets might get dropped when more than one virtual function (VF) is created out of the physical network interface card (pNIC).

    [ NSHELP-20991 ]

  • Tx stall might be observed on appliances that contain Fortville interfaces if a packet spans more than eight descriptors. The stall might cause the interface to go into error-disabled state.

    [ NSHELP-20800 ]

Policies

  • A Citrix ADC appliance might crash if there are few network buffers when rewriting chunked data.

    [ NSHELP-20847 ]

SSL

  • In some cases, the following appliances might crash while running SSL traffic:
    • MPX 59xx
    • MPX/SDX 89xx
    • MPX/SDX MPX 26xxx
    • MPX/SDX 26xxx-50S
    • MPX/SDX 26xxx-100G
    • MPX/SDX 15xxx-50G

    [ NSSSL-7606 ]

  • Policy-based client authentication with mandatory certificate verification fails if client authentication with optional client-certificate is also configured on the virtual server.

    [ NSHELP-21190 ]

System

  • Analytics reports do not appear on the Citrix ADM GUI if you:
    1. Install ADM 12.1.52.15 or later.
    2. Select Logstream transport mode to configure analytics on instances.

    [ NSHELP-21618 ]

  • A Citrix ADC appliance does not reset HTTP/2 streams on a client connection with an HTTP/2 RST_STREAM after an idle timeout.

    [ NSHELP-21537 ]

  • A client connection becomes unresponsive if you enable multiplexing in an HTTP/2 profile on a Citrix ADC appliance.

    [ NSHELP-21434 ]

  • A Citrix ADC appliance does not forward a response to the client if it contains both trailer and content-length headers.

    [ NSHELP-21427 ]

  • A Citrix ADC appliance might crash if there is a memory allocation failure for HTTP/2 secure monitor.

    [ NSHELP-21400 ]

  • A Citrix ADC appliance might crash if appQoE action fails.

    [ NSHELP-21393 ]

  • An HTTP transaction might fail if a Citrix ADC appliance sends an HTTP/2 request with multiple cookie name-value pairs to the back-end server.

    [ NSHELP-21373 ]

  • A Citrix ADC appliance might crash if it receives an HTTP/1.1 request with an HTTP/2.0 version in it. For any client request with an HTTP/2.0 version, the appliance considers it as an HTTP/2.0 request and processes it. This leads to a crash.

    [ NSHELP-21187 ]

  • A Citrix ADC appliance might crash if Appflow Client-Side Measurements is enabled when serving large HTTP responses.

    [ NSHELP-21099 ]

  • The show connectiontable command displays a few entries that do not satisfy the mentioned filter in the following conditions:
    • Command is run under high traffic.
    • Command is used with an IP or port filter.

    [ NSBASE-9509 ]

User Interface

  • The Citrix ADC pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.

    The Citrix ADC licensing client attempts repeatedly to check out the licenses from ADM. In a high availability and cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled. Each node must be licensed independently by logging in to the NSIP of the node. You can execute only show commands on the Cluster IP.

    [ NSUI-14868, NSHELP-22045 ]

  • After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.
    Caution: Do not run “save config” or force an HA failover on an unlicensed appliance.

    [ NSUI-7869 ]

  • KeyError exceptions are observed if the count query is not working in a Citrix ADC appliance.

    [ NSHELP-20979 ]

  • Load balancing server statistics details are misaligned in the Citrix ADC GUI dashboard.

    [ NSHELP-20752 ]

  • During a partition deployment, a partitioned appliance might crash if you run the “uiinternal” commands and then “clear config” in the default partition.

    [ NSHELP-20247 ]

  • In certain scenarios, the user name (specified with a “%u” character) in the prompt string does not display correctly.

    [ NSHELP-19991 ]

  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for few SNMP alarms.

    [ NSHELP-19958 ]

  • You cannot retrieve a backup file using the Citrix ADC GUI if the file name is from 61 to 63 characters long even though the maximum limit is 63 characters.

    [ NSHELP-11667 ]

  • The Citrix Gateway appliance sends duplicate RADIUS access-requests to the RADIUS authentication service for each logon to the appliance.

    [ NSHELP-11148 ]

Known Issues

The issues that exist in release 13.0.

Appflow

  • A Citrix ADC appliance might crash if a timing issue is observed when the appflow action is removed after a transaction is completed and before a connection is closed.

    [ NSBASE-9345]

Authentication, authorization, and auditing

  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.

    show adfsproxyprofile

    Workaround: Connect to the primary active Citrix ADC in the cluster and issue the show adfsproxyprofile command. It would display the proxy profile status.

    [ NSAUTH-5916]

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563]

Citrix ADC GUI

  • If the feature “Force password change for nsroot user when default nsroot password is being used” is enabled and the nsroot password is changed at the first logon to the Citrix ADC appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.

    [ NSCONFIG-2370]

Citrix ADC SDX appliance

  • The NTP service of Citrix ADC SDX Management Service responds to NTP queries. However, Management Service does not have any option to configure restrictions for NTP queries.

    Workaround: Manually modify /flash/mpsconfig/ntp.conf, and then from Management Service enable NTP Synchronization again to make the change effective. However, this change is lost if the NTP server configurations are changed.

    [ NSHELP-12246]

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:

    ERROR: Operation timed out

    ERROR: Communication error with the packet engine

    [ NSNET-4312]

Citrix ADC VPX appliance

  • A Citrix ADC VPX instance deployed on AWS fails to communicate through the configured IP addresses (VIP, ADC IP, SNIP) if the following conditions are met:

    • The AWS instance type is M5/C5, which are KVM hypervisor based

    • The VPX instance has more than one networking interface

    This is an AWS limitation, and AWS plans to fix the issue soon.

    Workaround: Configure separate VLANs for ADC IP, VIP, and SNIP. For more information about configuring VLANs, see https://docs.citrix.com/en-us/citrix-adc/13/networking/interfaces/configuring-vlans.html

    [ NSPLAT-9830]

  • After you downgrade a Citrix ADC VPX instance to a lower version, the instance gets stuck during reboot. This issue occurs if your instance has more than one CPU core assigned.

    [ NSPLAT-12603]

Citrix Gateway

  • In Outlook Web App (OWA) 2013, clicking “Options” under the Setting menu displays a “Critical error” dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269]

  • When the StoreFront FQDN resolution takes longer time than expected on the client, Citrix Gateway uses the client IP address as the source IP address to send traffic to the StoreFront server.

    [ NSHELP-19476]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ NSINSIGHT-2059]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ NSINSIGHT-2108]

  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).

    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.

    [ NSINSIGHT-924]

Citrix SDX appliance

  • SDX 26000-100G 15000-50 G appliances might take longer time to upgrade. As a result, the system might display the message “The Management Service could not come up after 1 hour 20 minutes. Contact the administrator.”

    Workaround: Ignore the message, wait for some time, and log on to the appliance.

    [ NSSVM-3018]

Citrix Web App Firewall

  • The Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.

    [ NSHELP-18863]

Cloudbridge connector

  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024]

Load Balancing

  • A Citrix ADC VPX appliance reboots several times after being unresponsive.

    [ NSHELP-20435]

Networking

  • When the Citrix ADC appliance is cleaning up large number of server connections as part of remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.

    [ NSHELP-136]

Platform

  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.

    Workaround: Ensure auto negotiation is set to ON. To check and edit the auto negotiation status, navigate to SDX GUI > System > Interfaces.

    [ NSPLAT-11985]

SSL

  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.

    [ NSHELP-13466]

  • Update command is not available for the following add commands:

    • add azure application

    • add azure keyvault

    • add ssl certkey with hsmkey option

    [ NSSSL-6484, NSSSL-6379, NSSSL-6380]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.

    ERROR: crl refresh disabled

    [ NSSSL-6106]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427]

System

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267]

Web Citrix Web App Firewall

  • A Citrix ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.

    [ NSHELP-20562]

What’s New in Previous Citrix ADC 13.0 Releases

The enhancements and changes that were available in Citrix ADC 13.0 releases prior to Build 47.24. The build number provided below the issue description indicates the build in which this enhancement or change was provided.

AppFlow

  • Support for Logstream in Admin Partitions

    A Citrix ADC appliance can now send Logstream records from Admin Partitions.

    [From Build 41.28]

    [ NSBASE-4777]

  • Monitoring Logstream records through NSIP address

    A Citrix ADC appliance can now connect to Citrix ADM using NSIP address to send Logstream records.

    [From Build 41.28]

    [ NSBASE-7400]

Authentication, authorization, and auditing

  • Trust renewal support for ADFSPIP

    You can now renew the trust of the existing certificates that are nearing to expiry or if the existing certificate is not valid. The trust renewal of certificates is done only when the trust is established between Citrix ADC appliance and the ADFS server.

    [From Build 47.22]

    [ NSAUTH-27]

  • Name-value attribute support for OAuth authentication

    You can now configure OAuth authentication attributes with a unique name along with values. The names are configured in the OAuth action parameter and the values are obtained by querying for the names. By specifying the name attribute value, admins can easily search for the attribute value associated with the attribute name. Also, admins no longer have to remember the attribute by its value alone.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/oauth-authentication.html#name-value-attribute-support-for-oauth-authentication.

    [From Build 41.28]

    [ NSAUTH-5563]

  • Custom authentication class reference support for SAML SP

    You can now configure custom authentication class reference attribute in the SAML action command. Using the custom authentication class reference attribute, you can customize the class names in the appropriate SAML tags.

    [From Build 47.22]

    [ NSAUTH-603, NSAUTH-58, NSHELP-451]

  • nFactor Visualizer enhancements

    The following enhancements are made in the nFactor Visualizer:

    • Admins can now move the factors, that have no connections, by dragging and dropping the factors into the trash icon.

    • The nFactor flows can now be viewed from the Authentication Virtual Server page also.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/multi-factor-nfactor-authentication/nfactor-authentication-simplification.html#enhancements-to-the-nfactor-visualizer.

    [From Build 41.28]

    [ NSAUTH-6159]

  • Support for client certificate based authentication for Active Directory Federation Service Proxy Integration Protocol

    Client certificate based authentication is now supported for Active Directory Federation Service Proxy Integration Protocol.

    Note: This feature is currently in technical preview release.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/adfspip-compliance.html#client-certificate-based-authentication-on-adfs-server.

    [From Build 41.28]

    [ NSAUTH-6457]

  • Default cache policy to authentication virtual servers for enhanced performance

    A Citrix ADC appliance can now apply default cache policies to all authentication virtual servers. These policies are associated by default when an authentication, authorization, and auditing virtual server is created. As a result, all the GUI pages are cached and served from a Citrix ADC cache module and thus reduces the load on management CPU and HTTP daemon. Also, more number of users can be served concurrently.

    [From Build 47.22]

    [ NSAUTH-6654]

  • Support for encrypting OTP data and migrating existing OTP data into an encrypted form

    You can now store the OTP secret data in an encrypted format instead of plain text for enhanced security reasons. Starting from Citrix ADC release 13.0 build 41.xx, OTP data is stored in an encrypted format automatically if the required configuration is set. However, for existing OTP data in plain text, you can use the OTP encryption tool to migrate from plain text to encrypted format. Also, the OTP encryption tool can be used to update the existing certificates to new certificates.

    The OTP encryption tool is located in the “\var\netscaler\otptool” directory. You must download the tool from this location and run the tool with the required AD credentials and prerequisites.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/native-otp-authentication/otp-encrypt-secret.html and https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/native-otp-authentication/otp-encryption-tool.html.

    [From Build 41.28]

    [ NSAUTH-74]

  • Assertion Consumer Service (ACS) URL support for SAML IdP

    A Citrix ADC appliance configured as a SAML Identity Provider (IdP) now supports ACS indexing to process SAML Service Provider (SP) requests. The SAML IdP imports the ACS indexing configuration from SP metadata or allows you to enter the ACS index information manually.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/citrix-adc-saml-idp.html#assertion-consumer-service-url-support-for-saml-idp.

    [From Build 41.28]

    [ NSHELP-20228]

Citrix ADC BLX appliance

  • DPDK support for Citrix ADC BLX appliances

    Citrix ADC BLX appliances now support Data Plane Development Kit (DPDK), which is a set of Linux libraries and network interface controllers for better network performance. Citrix ADC BLX appliances support DPDK only in dedicated mode.

    For more information, see https://docs.citrix.com/en-us/citrix-adc-blx/13/deploy-blx/deploy-blx-dpdk.html.

    [From Build 41.28]

    [ NSNET-2456]

  • IPv4 OSPF dynamic routing protocol support for Citrix ADC BLX appliances

    Citrix ADC BLX appliances now support the IPv4 OSPF (OSPFv2) dynamic routing protocol.

    [From Build 47.22]

    [ NSNET-7783]

  • BGP Dynamic routing protocol support for Citrix ADC BLX appliances

    Citrix ADC BLX appliances now support the IPv4 and IPv6 BGP dynamic routing protocols.

    [From Build 41.28]

    [ NSNET-7785]

  • Ubuntu Linux host support for Citrix ADC BLX appliances

    Citrix ADC BLX appliances now support running on Ubuntu Linux systems.

    [From Build 41.28]

    [ NSNET-9259]

Citrix ADC CPX appliance

  • Default value of the monitorConnectionClose parameter is set to RESET in lighter version of Citrix ADC CPX

    For closing a monitor-probe connection using global load balancing parameters, you can configure monitorConnectionClose to FIN or RESET. When you configure the monitorConnectionClose parameter to:

    • FIN: The appliance performs a complete TCP handshake.

    • RESET: The appliance closes the connection after receiving the SYN-ACK from the service.

    In the lighter version of Citrix ADC CPX, the monitorConnectionClose parameter value is set to RESET by default and cannot be changed to FIN at the global level. However, you can change the monitorConnectionClose parameter to FIN at the service level.

    [From Build 41.28]

    [ NSLB-4610]

Citrix ADC GUI

  • Front End Optimization support for Admin Partition

    You can now enable Front End Optimization feature from Configure Advanced Features page in partition mode also.

    [From Build 41.28]

    [ NSUI-12800]

  • Support to identify the cause because of which a service or a service group state is marked DOWN

    You can now view the monitor probe information on the GUI for the services or service groups that are DOWN without navigating to the monitor binding interface.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/load-balancing-manage-setup/managing-services.html#identify-the-cause-for-the-service-state-marked-down-by-using-the-gui.

    [From Build 41.28]

    [ NSUI-12906]

  • Support to identify the cause because of which a virtual server state is marked DOWN

    You can now view the monitor probe information on the GUI for the virtual server that is DOWN without navigating to the monitor binding interface.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/load-balancing-manage-setup/managing-vserver.html#identify-the-cause-for-the-virtual-server-state-marked-down-by-using-the-gui.

    [From Build 41.28]

    [ NSUI-13255]

  • Guided interaction for SSL certificates

    The Citrix ADC GUI now provides guided interaction for some common, yet detailed tasks related to creating, importing, and updating SSL certificates. It prompts you to enable the guided interaction when you boot your appliance for the first time. If enabled, you can explicitly disable it at any time by navigating to System > Settings > Change CUXIP Settings and clearing the Enable CUXIP checkbox.

    Note: This feature is only available for SSL certificates in the Citrix ADC GUI.

    [From Build 41.28]

    [ NSUI-13389]

  • Color indications for the disk space usage on the upgrade GUI

    On the Check Disk space screen of the Citrix ADC GUI (System > System Information > System Upgrade > Check Disks Space), color indication has been added for the current disk space used.

    The GUI shows the current disk space used percentage in the following colors:

    • Green, if the current disk space used is <= 80%

    • Red, if the current disk space used is > 80%

    [From Build 47.22]

    [ NSUI-13699]

  • System log for Citrix ADC bot management

    The log viewer GUI page now has an option to filter out bot related operations that are logged.

    [From Build 47.22]

    [ NSUI-13722]

  • GUI support for bot statistics

    The new Bot section in the Dashboard page displays bot related statistics.

    [From Build 47.22]

    [ NSUI-13945]

Citrix ADC SDX appliance

  • ADC Platinum license with SWG features

    Citrix Secure Web Gateway (SWG) features are now integrated with Citrix ADC Premium license and SWG is no longer offered as a separate instance license. After you upgrade an SDX appliance to 13.0 47.x, an existing SWG instance running on the appliance appears as a Citrix ADC instance in the SDX Management Service dashboard.

    [From Build 47.22]

    [# NSSVM-2806]

Citrix ADC VPX appliance

  • Citrix ADC VPX metrics in Azure monitor

    You can now use metrics of Azure monitor service to monitor a set of Citrix ADC VPX resources such as CPU, memory utilization, and throughput. Metrics service monitors Citrix ADC VPX resources that run on Azure, in real time. You can use Metrics Explorer to access the collected data.

    [From Build 47.22]

    [ NSPLAT-10104]

  • A new parameter to move master clock source from CPU0 to CPU1

    For a Citrix ADC VPX instance, you can now move the master clock source from CPU0 (management CPU) to CPU1. To change the master clock source, the -masterclockcpu1 parameter is added to the “set ns vpxparam” command. This parameter has the following options:

    • YES – Allow VM to move the master clock source from CPU0 to CPU1.

    • NO – VM uses CPU0 for the master clock source. By default, CPU0 is the master clock source.

    [From Build 47.22]

    [ NSPLAT-10859]

  • High availability support in Google Cloud Platform

    Now you can deploy Citrix VPX instances as an HA pair on Google Cloud Platform, across zones within the same region. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-google-cloud-ha.html.

    [From Build 41.28]

    [ NSPLAT-7714]

  • Deploy a VPX HA pair in AWS using private IP migration

    You can now deploy a VPX HA pair in the same zone, in non-independent network configuration (INC) mode, using private IP migration, which reduces failover time significantly. Previously, VPX HA nodes were deployed using network interface (ENI) migration, which has a longer failover time. For more information, see:

    https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws/how-aws-ha-works.html

    https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws/vpx-aws-ha.html

    [From Build 41.28]

    [ NSPLAT-7718]

  • Support for new AWS instance type

    From this release, the following AWS instance types are supported for VPX deployment, in the existing regions and the newly added region Paris.

    • C5: c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge

    • C5n: c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge, c5n.9xlarge, c5n.18xlarge

    • M5: m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws.html.

    [From Build 41.28]

    [ NSPLAT-8729]

  • Support for Paris region for AWS deployment

    Now you can deploy VPX instances in AWS, in Paris region.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws.html.

    [From Build 41.28]

    [ NSPLAT-8730]

  • Azure service tags for VPX load balancing service groups

    For a Citrix ADC VPX instance deployed on Azure Cloud, you can now create load balancing service groups associated with an Azure tag. The VPX instance constantly monitors Azure virtual machines (VMs) or network interfaces (NICs), or both, with the respective tag and updates the service group accordingly. Whenever a VM or NIC with the appropriate tag is added or deleted, the ADC detects the respective change and adds or deletes the VM or NIC IP address from the service group automatically.

    You can add the Azure tag setting to a VPX instance by using the VPX GUI.

    For more information about Azure tags, see Microsoft document: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

    For more information about Azure tags for Citrix ADC VPX deployment, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-vpx-on-azure/tags.html.

    [From Build 41.28]

    [ NSPLAT-8768]

  • New subscription-based offerings for Citrix ADC VPX on GCP

    For Google Cloud Platform (GCP), the following subscription-based offerings are now available:

    • Citrix ADC VPX Express license

    • Citrix ADC VPX 10 Mbps (Standard/Advanced/Premium) editions

    [From Build 47.22]

    [ NSPLAT-8772]

  • Support for Hong Kong region for AWS deployment

    You can now deploy VPX instances in AWS, in Hong Kong region.

    [From Build 47.22]

    [ NSPLAT-9166]

Citrix Bot Management

  • Citrix Bot Management

    Detecting and mitigating bot threats is a core security need in today’s world. This is achieved by using a bot management system. Citrix Bot Management protects your web applications, apps, and APIs from both basic and advanced security attacks. Citrix Bot Management uses the following six detection mechanisms to detect the bot type and take a mitigation action.

    The techniques are bot white list, bot blacklist, IP reputation, device fingerprinting, rate limiting, and static signatures.

    IP reputation. This mechanism detects if inbound traffic is a bot by using an actively updated database of malicious IP addresses.

    Device fingerprinting. Device fingerprinting injects JavaScript into the HTTP stream and evaluates the properties returned from that JavaScript to determine whether the inbound traffic is a bot.

    Rate limiting. The detection technique rate limits multiple requests coming from the same client via session, cookie, or IP.

    Bot signatures. The detection technique detects and blocks bots based on 3,500+ signatures groomed by the Citrix Threat Research team. Bots could be, e.g., unauthorized URLs that scrape websites, brute forcing logins, or those that probe for vulnerabilities.

    Bot white list. The whitelist is a customizable list of URLs, IPs, CIDR blocks, and policy expressions that whitelists and permits the inbound traffic matching one of these parameters.

    Bot blacklist. The blacklist is a customizable list of URLs, IPs, CIDR blocks, and policy expressions that blacklists and denies the inbound traffic matching one of these parameters.

    Citrix Bot Management mitigates automated threats and unwanted bot traffic against your public apps, APIs, and websites. If incoming traffic is determined to be a bot, the system takes an action assigned by the ADC administrator and generates robust reporting for accountability and auditability.

    Bot Management provides the following benefits:

    • Defend against bots, scripts, and toolkits — Static-signature based defence and device fingerprinting provide threat mitigation against both basic and advanced bots.

    • Neutralize basic and advanced attacks — Prevent attacks such as App layer DDoS, password spraying, password stuffing, price scrapers, content scrapers, and more.

    • Protect your APIs and investments — Protect your APIs from misuse, probing, and data leaks, and protect infrastructure investments from unwanted traffic.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/bot-management.html.

    [From Build 41.28]

    [ NSWAF-2900]

Citrix Gateway

  • AlwaysON before logon for Windows

    AlwaysON before logon for Windows enables users to establish a VPN tunnel even before a user logs in to a Windows system. This persistent VPN connectivity is achieved by an automatic establishment of a device-level VPN tunnel once the device boots up.

    For more information, see https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/alwayson-service-for-windows.html.

    [From Build 41.28]

    [ CGOP-10791]

  • Selectively using legacy or latest logon protocols for clients

    Customers using Workspace app with Citrix Gateway can now selectively use legacy or latest logon protocol based on the policies. Customers can use old network protocols for certain clients and also allow clients to use native Intune integration with Citrix Gateway clients using legacy protocol, primarily Intune compliancy check using device unique identifier.

    [From Build 41.28]

    [ CGOP-10879]

  • VPN client support on Ubuntu 18.04 LTS

    VPN clients are now supported on Ubuntu 18.04 LTS.

    [From Build 47.22]

    [ CGOP-11067]

Citrix Web App Firewall

  • Allowable file upload formats

    Citrix Web App Firewall now allows you to configure the allowable file upload formats in a Citrix Web App Firewall profile. By doing this, you restrict file uploads to specific formats and protect the appliance against malicious uploads during a multi-form submission.

    Note: The feature works only when you disable the “ExcludeFileUploadFormChecks” option in the WAF profile.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/file-upload-protection.html

    [From Build 41.28]

    [ NSWAF-2579]

  • Detailed logging of violation pattern

    You can now configure the Web App Firewall profile for providing a detailed violation pattern when an attack happens. By configuring the Verbose log level option, you can log different parts of the payload along with attack pattern for forensic analysis or troubleshooting.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/detailed-troubleshooting-with-waf-logs.html

    [From Build 41.28]

    [ NSWAF-2892]

  • JSON content protection

    Citrix Web App Firewall now provides JSON protection for DoS, XSS, and SQL attacks. The JSON denial-of-service (DoS), SQL, and XSS rules examine the incoming JSON request and validate if there is any data matching the characteristics of a DoS, SQL, or XSS attack. If the request has JSON violations, the appliance blocks the request, logs the data, sends an SNMP alert, and also displays a JSON error page. The purpose of the JSON protection check is to prevent an attacker from sending a JSON request to launch DoS, XSS, or SQL attacks on your JSON applications or website.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/json-content-protection.html

    [From Build 41.28]

    [ NSWAF-2894]

  • Auto deploying learnt data using dynamic profiles

    You can now auto-deploy learnt data as relaxation rules. In dynamic profiling, if Web App Firewall records learnt data within a user-defined threshold, the appliance sends an SNMP alert to the user. If the user does not skip the data within a grace period, the appliance auto deploys the data as a relaxation rule. Previously, the user had to manually deploy the learnt data as relaxation rules.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/dynamic-profiling.html

    [From Build 41.28]

    [ NSWAF-2895]

  • WAF POST body threshold to reduce CPU utilization

    The application firewall signature file now includes the CPU usage, latest applicable year, and severity level. You can see the CPU usage, latest year, and CVE severity level every time a signature file is modified and uploaded periodically. After observing these values, you can decide to enable or disable the signature on the appliance.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/app-firewall-profile-settings.html

    [From Build 41.28]

    [ NSWAF-2932]

  • Masking sensitive data using a regex pattern

    The REGEX_REPLACE advanced policy function in a log expression bound to a Citrix Web App Firewall (WAF) profile enables you to mask sensitive data in WAF logs.

    [From Build 47.22]

    [ NSWAF-3816]

  • Easy and readable IP reputation category names

    The IP reputation bot detection category names are now available as readable names.

    [From Build 47.22]

    [ NSWAF-3824]

  • Dynamic profiling to learn Start URLs

    Dynamic profiling is now available for Start URL security check to detect and learn new URLs.

    [From Build 47.22]

    [ NSWAF-3934]

Clustering

  • Operational view based on backplane interface

    In a cluster setup, you can now achieve operational view based on heartbeat messages received only on the backplane interface.

    Consider an example of a two-node cluster, consisting of Node 1 and Node 2. The two nodes send and receive heartbeat messages to and from each other on all interfaces that are enabled. When backplane-based view is enabled, the operational view is based on heartbeats received only on backplane interface. If Node 1 does not receive the heartbeat messages from Node 2 on backplane interface, then either Node 1 or Node 2 is made operationally INACTIVE, even if Node 1 receives heartbeat from Node 2 over data interface. By default, backplane-based view is disabled. When this option is disabled, a node does not depend on the heartbeat reception only over backplane.

    [From Build 47.22]

    [ NSHELP-15871]

  • ARP owner support for striped IP

    In a cluster setup, you can now configure a specific node to respond to the ARP request for a striped IP. The configured node will respond to the ARP traffic. A new attribute “arpOwner” is introduced in the “add, set, and unset ip” CLI commands.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/clustering/cluster-overview/cluster-config-type.html#arp-owner-support-for-striped-ip.

    [From Build 41.28]

    [ NSNET-3050]

  • Clear trap SNMP for cluster version mismatch

    The version mismatch in a cluster setup is now cleared using a clear trap SNMP.

    [From Build 41.28]

    [ NSNET-8545]

DNS

  • DNS flag day 2019 compliance

    The Citrix ADC appliance is now fully compliant with DNS flag day 2019.

    [From Build 41.28]

    [ NSLB-4275]

GSLB

  • Associate a target virtual server expression to a GSLB content switching action

    Support is now added to associate a target virtual server expression to a GSLB content switching action. This allows GSLB content switching virtual server to use policy expressions to compose the target GSLB virtual server name while processing the DNS requests.

    [From Build 47.22]

    [ NSLB-4751]

  • Supporting GSLB for wildcard domain

    Support is now added to bind a wildcard DNS domain to a GSLB virtual server. Users accessing the applications behind a wildcard domain are routed to the best optimal data center, which hosts those applications. The wildcard domain handles requests for non-existent domains and subdomains. In a zone, you can redirect queries for all non-existent domains or subdomains to a particular server by using the wildcard domains. You need not create a separate Resource Record (RR) for each such domain.

    [From Build 47.22]

    [ NSLB-4792]

  • Determine best performing GSLB service using the API method

    API-based GSLB method is now supported for GSLB deployments for selecting the best performing GSLB service. In this method, when GSLB receives a DNS request from a client, GSLB triggers an HTTP(S) REST API request to the configured API server. Based on the response from the API, GSLB sends a DNS response that contains the IP address of the best performing GSLB service.

    [From Build 47.22]

    [ NSLB-5194]

Licensing

  • Dynamic routing protocols in standard license

    The Citrix ADC standard license now includes the Citrix ADC dynamic routing protocols. Citrix ADC supports the following dynamic protocols:

    • RIP (IPv4 and IPv6)

    • OSPF (IPv4 and IPv6)

    • BGP (IPv4 and IPv6)

    • IS-IS (IPv4 and IPv6)

    [From Build 41.28]

    [ NSNET-12256]

  • Dynamic routing protocols in standard license

    The Citrix ADC standard license now includes the Citrix ADC dynamic routing protocols. Citrix ADC supports the following dynamic protocols:

    • RIP (IPv4 and IPv6)

    • OSPF (IPv4 and IPv6)

    • BGP (IPv4 and IPv6)

    • IS-IS (IPv4 and IPv6)

    [From Build 41.28]

    [ NSPLAT-6179]

  • New values for SDX minimum bandwidth and minimum instances

    The minimum bandwidth and minimum instances values for SDX appliances that support Citrix ADC pooled capacity have changed. For more information, see:

    https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity.html

    [From Build 41.28]

    [ NSSVM-2770]

Load Balancing

  • Support for secure NTLM monitor

    You can now use the nsntlm-lwp.pl script to create a monitor for monitoring a secure NTLM server.

    [From Build 41.28]

    [ NSLB-4806]

  • Support for autoscale API

    You can set the service group from non-autoscale to autoscale type of desired state API (DSA), if all provided conditions match. For this configuration, use the autoscale API argument in the “set serviceGroup” command.

    [From Build 47.22]

    [ NSLB-5311]

  • Limit the number of concurrent requests on a client connection

    You can now limit the number of concurrent requests on a single client connection. You can protect the servers from security vulnerabilities by limiting the number of concurrent requests. When the client connection reaches the specified maximum limit, the Citrix ADC appliance drops subsequent requests on the connection till the outstanding request count goes below the limit.

    [From Build 47.22]

    [ NSLB-5315]

NITRO

  • Restricting system users to a specific management interface

    A Citrix ADC appliance now allows you to restrict user access to a specific management interface (CLI or API). You can configure the allowed management interface list for a particular user or a group of users at the user level.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/restricted-management-interface-access.html.

    [From Build 41.28]

    [ NSCONFIG-1376]

  • Update service group with desired member set seamlessly using Desired State API

    You can now use Desired State API to update a service group with a desired set of service group members. Using Desired State API, you can provide a list of service group members along with their weight and state (optional) in a single PUT request on the “servicegroup_servicegroupmemberlist_binding” resource. The Citrix ADC appliance compares the requested desired member set with the configured member set. Then, it automatically binds the new members and unbinds the members that are not present in the request.

    [From Build 41.28]

    [ NSLB-4543]

Networking

  • ISSU statistics support

    You can now view the statistics for monitoring the current ISSU process in a high availability setup. The ISSU statistics displays the following information:

    • Current status of ISSU migration operation

    • Start time of the ISSU migration operation

    • End time of the ISSU migration operation

    • Start time of the ISSU rollback operation

    [From Build 47.22]

    [ NSNET-11457]

  • Connection failover support for FTP connections from FTP server random port

    Connection failover enables the primary node to duplicate connection and persistence information to the secondary node in a high availability setup. The state information of the connection is shared with the secondary node regularly when connection mirroring is enabled.

    A Citrix ADC appliance high availability setup supports connection failover for an FTP connection for which the FTP server is using a random data port.

    The primary node sends the FTP related connection information to the secondary node at regular intervals. The secondary appliance uses this information only in the event of a failover.

    For enabling connection failover on a load balancing configuration of type FTP, you enable the connFailover (Connection Failover) parameter of the load balancing virtual server by using either CLI or GUI.

    Also, for enabling the Citrix ADC appliance to process an FTP connection for which the FTP server is using a random port, you must enable the Citrix ADC global parameter: aftpAllowRandomSourcePort (Enable Random source port selection for Active FTP).

    [From Build 47.22]

    [ NSNET-7685, NSNET-9529]

  • Support for reserving the source port for RNAT connections to servers

    For a request hitting an RNAT configuration that has one or more RNAT IP addresses and the Use Proxy port parameter disabled, the Citrix ADC appliance uses one of the RNAT IP addresses and the source port of the RNAT request for connecting to servers.

    Prior to this release, RNAT connection (using the RNAT client’s source port) to the server fails if the same source port has already been used in some other connections.

    • Source port less than 1024. By default, the Citrix ADC appliance reserves the first 1024 ports of any Citrix ADC owned IP address (including RNAT IP addresses). Prior to this release, RNAT connection (using the RNAT client’s source port) to the server fails if the source port of the RNAT request is less than or equal to 1024. With this release, RNAT connection (using the RNAT client’s source port) to the server will succeed if the source port of the RNAT request is less than or equal to 1024.

    • Source port greater than 1024. Prior to this release, RNAT connection (using the RNAT client’s source port) to the server fails if the same source port has already been used in some other connections. With this release, you can specify a range of RNAT client source ports in the Retain Source Port range parameter as part of an RNAT configuration. The Citrix ADC appliance reserves these RNAT client source ports on the RNAT IP address to be used only for RNAT connection to servers.

    [From Build 47.22]

    [ NSNET-9797]

Platform

  • Setting the receive ring size and ring type for an interface

    You can now increase the receive ring size and ring type for IX, F1X, F2X, and F4X interfaces on Citrix ADC MPX and SDX platforms.

    An increased ring size provides more cushion to handle burst traffic, but might impact the performance. A ring size of up to 8192 is supported on IX interfaces. A ring size of up to 4096 is supported on F1X, F2X, and F4X interfaces. The default ring size continues to be 2048.

    Interface ring types are elastic by default. They increase or decrease in size based on packet arrival rate. You can configure the ring type as “fixed” so that it does not change based on traffic rate.

    [From Build 41.28]

    [ NSPLAT-9264]

Policies

  • New policy expression to display GMT time in the local timezone

    A new policy expression “SYS.TIME.TO_LOCAL” is now available to display the GMT time in the local timezone.

    [From Build 47.22]

    [ NSHELP-16098, NSPOLICY-58]

  • Adding custom headers in respondwithhtmlpage responder action

    A Citrix ADC appliance can now respond with a custom header in the respondwithhtmlpage responder action. You can configure up to eight custom headers. Previously, the appliance responded only with static headers such as Content-type:text/html and Content-Length:.

    Note: When you configure custom headers, you can over-write the “Content-Type” header value.

    [From Build 47.22]

    [ NSPOLICY-2329]

  • Enhanced nspepi tool for policy conversion

    The nspepi tool has now been improved to support the following:

    • Conversion of Tunnel policies and its bindings.

    • Conversion of built-in classic policy bindings in CMP, CR and Tunnel.

    • Conversion of authentication policy and its bindings to authentication virtual server but not for other entity bindings.

    • Fixes for various bugs.

    Note: If cmd policies are used and the name of the command is converted, any associated cmd policies must be changed manually.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html

    [From Build 41.28]

    [ NSPOLICY-3159]

  • Generate random and unique HMAC key values similar to encryptionParams

    You can now automatically generate a random encryption or HMAC key.

    add ns encryptionKey <name> -method <method> -keyValue AUTO

    add ns hmacKey <name> -digest <digest> -keyValue AUTO

    The “AUTO” keyValue can be used in the set commands to generate new keys for existing encryptionKey and hmacKey objects.

    Automatic key generation is useful if the Citrix ADC appliance is encrypting and decrypting data with the key, or generating and verifying an HMAC key.

    Note: Since the key value itself is already encrypted when displayed, you cannot retrieve the generated key value for use by any other party.

    [From Build 47.22]

    [ NSPOLICY-3287]

  • Option to provide comments for patterns bound to a pattern set or a data set

    The “bind policy patset” command now enables you to provide comments for patterns that are bound to a pattern set.

    bind policy patset <name> <string> [-index <positive_integer>] [-charset ( ASCII | UTF_8 )] [-comment <string>]

    Where,

    comment. Provide a comment about the pattern bound to a pattern set.

    The “bind policy dataset” command now enables you to provide comments for patterns that are bound to a data set.

    bind policy dataset <name> <value> [-index <positive_integer>] [-comment <string>]

    Where,

    comment. Provide a comment about the pattern bound to a data set.

    [From Build 47.22]

    [ NSPOLICY-3298]

  • Allow innocuous SYS functions

    SYS functions such as SYS.TIME, SYS.RANDOM, SYS.NSIP, SYS.UUID and so forth are now allowed in the expression evaluator and also in other places that did not previously allow them.

    However, some SYS functions are still not allowed in the expression evaluator and in other places that did not previously allow them. An example is SYS.HTTP_CALLOUT.

    [From Build 47.22]

    [ NSPOLICY-3302]

  • Convert classic filter commands to advanced filter commands

    The nspepi tool can now convert commands based on classic filter actions such as add, bind, and so forth to advanced filter commands.

    However, the nspepi tool does not support the following filter commands.

    • add filter action FORWARD

    • add filter action ADD prebody

    • add filter action ADD postbody

    Note:

    • If there are existing rewrite or responder features in ns.conf and their policies are bound globally with the GOTO expression as END or USER_INVOCATION_RESULT and the bind type is REQ_X or RES_X, the tool converts the bind filter commands partially and comments them out. A warning is displayed indicating that manual effort is required.

    • If there are existing rewrite or responder features and their policies are bound to virtual servers (for example, load balancing, content switching, or cache redirect) of type HTTPS with GOTO - END or USER_INVOCATION_RESULT, the tool converts the bind filter commands partially and then comments them out. A warning is displayed indicating that manual effort is required.

    [From Build 47.22]

    [ NSPOLICY-509]

SSL

  • Support for displaying RSA 3072-bit key values in stat ssl command

    The output of the stat ssl command now includes the RSA 3072-bit key exchange values.

    stat ssl -detail

    SSL Offloading

    SSL cards present 8

    SSL cards UP 8

    SSL engine status 1

    SSL sessions (Rate) 0

    Key Exchanges

    RSA 512-bit key exchanges 0 0

    RSA 1024-bit key exchanges 0 0

    RSA 2048-bit key exchanges 0 0

    RSA 3072-bit key exchanges 0 106380

    RSA 4096-bit key exchanges 0 0

    Done

    [From Build 41.28]

    [ NSSSL-1954]

  • Support for fragmented TLS messages

    The Citrix ADC appliance now supports fragmentation of server certificate messages and certificate request messages. The maximum supported size of these messages across all records is 32 KB. Earlier, fragmentation was not supported and the maximum supported size of the messages was 16 KB.

    [From Build 41.28]

    [ NSSSL-5971]

  • View the SSL chip utilization on Citrix ADC appliances using Intel Coleto chips

    You can now view the SSL chip utilization on the following Citrix ADC MPX appliances. These appliances contain the Intel Coleto chip.

    • MPX 5900

    • MPX 8900

    • MPX 15000-50G

    • MPX 26000

    • MPX 26000-50S

    • MPX 26000-100G

    To view the chip utilization, at the command prompt, type: stat ssl

    [From Build 47.22]

    [ NSSSL-5975]

  • Support for longer names of SSL entities

    To help customers maintain a standard naming convention across all ADC entities, the Citrix ADC appliance now supports a certificate name of up to 63 characters. Earlier, the limit was 31 characters.

    [From Build 41.28]

    [ NSSSL-5976]

  • Intel Coleto chip health check enhancements

    Citrix ADC appliances with the Intel Coleto chip now support enhanced health checks for symmetric (SYM) and asymmetric (ASYM) operations.

    [From Build 41.28]

    [ NSSSL-6299]

  • Support for optional client certificate verification with policy based client authentication

    You can set client certificate verification to optional when you have configured policy based client authentication. Previously, mandatory was the only option. Now both optional and mandatory options are available, and configurable.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#client-certificate-verification-with-policy-based-client-authentication.

    [From Build 41.28]

    [ NSSSL-690]

  • Support for heterogeneous cluster deployments with different platforms

    You can now form a heterogeneous cluster deployment of Citrix ADC MPX appliances with a different number of packet engines by setting the SSL parameter “Heterogeneous SSL HW” to ENABLED. For example, to form a cluster of Cavium chip based appliances (MPX 14000 or similar) and Intel Coleto chip based appliances (MPX 15000 or similar), enable the SSL parameter “Heterogeneous SSL HW”. To form a cluster of platforms using the same chip, keep the default value (DISABLED) for this parameter.

    The feature is not supported on VPX instances hosted on Citrix ADC SDX appliances.

    For information about the platforms supported in the formation of a heterogeneous cluster, see https://docs.citrix.com/en-us/citrix-adc/13/clustering/support-for-heterogeneous-cluster.html.

    [From Build 47.22]

    [ NSSSL-7149]

  • Support for DTLSv1.2 protocol on the front end of a Citrix ADC VPX appliance

    DTLS 1.2 protocol is now supported on the front end of a Citrix ADC VPX appliance. While configuring a DTLS virtual server, you must now specify DTLS1 or DTLS12.

    [From Build 47.22]

    [ NSSSL-7188]

  • Automated Certificate Linking

    SSL certificate linking is now automated. That is, if the intermediate CA certificates and the root certificate are present on the appliance, you no longer have to manually link each certificate to its issuer.

    If all the certificates are available on the appliance and you click the “Link” button in the end-user certificate, the potential chain appears. In the chain, click “Link Certificate” to link all the certificates.

    [From Build 47.22]

    [ NSSSL-7190, NSUI-12903]
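The reassembly that the “Support for fragmented TLS messages” item above depends on, shown as an added example that is not Citrix code: a Python reassembler that joins a handshake message (for example Certificate, type 11) split across plaintext TLS records and enforces a size cap. Applying the 32 KB limit to the handshake body and all function names are assumptions made for illustration.

```python
import struct

HANDSHAKE = 22                    # TLS record content type for handshake data
MAX_RECORD_FRAGMENT = 2 ** 14     # a single record carries at most 16384 plaintext bytes
MAX_MESSAGE = 32 * 1024           # cap from the release note, applied to the body (assumption)
CERTIFICATE, CERTIFICATE_REQUEST = 11, 13


class HandshakeError(ValueError):
    """Raised when the record stream is malformed or a message is too large."""


def split_records(stream):
    """Yield (content_type, fragment) for each TLS record in a byte stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise HandshakeError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        offset += 5
        if length > MAX_RECORD_FRAGMENT:
            raise HandshakeError("record fragment exceeds 2^14 bytes")
        if len(stream) - offset < length:
            raise HandshakeError("truncated record body")
        yield ctype, stream[offset:offset + length]
        offset += length


def reassemble(stream, max_message=MAX_MESSAGE):
    """Return [(msg_type, body)], joining handshake fragments across records."""
    pending = bytearray()
    messages = []
    for ctype, fragment in split_records(stream):
        if ctype != HANDSHAKE:
            # A handshake message must not be interleaved with other record types.
            if pending:
                raise HandshakeError("record of another type inside a fragmented message")
            continue
        pending += fragment
        while len(pending) >= 4:
            msg_type = pending[0]
            body_len = int.from_bytes(pending[1:4], "big")
            # Reject on the declared length, before buffering the remaining fragments.
            if body_len > max_message:
                raise HandshakeError("handshake message of %d bytes exceeds cap" % body_len)
            if len(pending) < 4 + body_len:
                break  # wait for the next record
            messages.append((msg_type, bytes(pending[4:4 + body_len])))
            del pending[:4 + body_len]
    if pending:
        raise HandshakeError("stream ended in the middle of a handshake message")
    return messages


def handshake(msg_type, body):
    """Build a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def to_records(handshake_bytes, chunk=MAX_RECORD_FRAGMENT):
    """Wrap handshake bytes in TLS 1.2 records, fragmenting at `chunk` bytes."""
    out = bytearray()
    for i in range(0, len(handshake_bytes), chunk):
        frag = handshake_bytes[i:i + chunk]
        out += struct.pack("!BHH", HANDSHAKE, 0x0303, len(frag)) + frag
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a 20000-byte Certificate body, too big for one record.
    sample = to_records(handshake(CERTIFICATE, bytes(20000)))
    print("records:", len(list(split_records(sample))))
    print("messages:", [(t, len(b)) for t, b in reassemble(sample)])
    try:
        reassemble(sample, max_message=16 * 1024)  # the earlier 16 KB limit
    except HandshakeError as exc:
        print("with a 16 KB cap:", exc)
```

The cap is checked against the length declared in the first fragment, so an oversized message is refused before the remaining records are buffered.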

System

  • Support for advanced audit-log policy

    You can now bind an advanced audit-log policy to a load balancing virtual server.

    [From Build 47.22]

    [ CGOP-6824]

  • Implementing ICAP request timeout and response timeout

    To handle ICAP response timeouts, you can configure a request timeout value in the ‘reqTimeout’ parameter of the ICAP profile. You can then set a request timeout action for the appliance to take when the response from the ICAP server is delayed. If the appliance does not receive an ICAP response within the configured request timeout, it performs one of the following actions, according to the ‘ReqTimeoutAction’ parameter configured in the ICAP profile.

    ReqTimeoutAction: Possible values are BYPASS, RESET, DROP.

    BYPASS: If the ICAP response with Encapsulated headers is not received within the timeout value, ignore the remote ICAP server’s response and send the full request/response to the client/server.

    RESET (default): Reset the client connection by closing it.

    DROP: Drop the request without sending a response to the user.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/icap-for-remote-content-inspection.html

    [From Build 41.28]

    [ NSBASE-3040, NSBASE-2264]

  • Handling ICAP server downtime during the content inspection

    To handle ICAP server downtime during content inspection, the Citrix ADC appliance now enables you to configure the ifserverdown parameter and assign one of the following actions.

    CONTINUE: Choose this action to bypass content inspection when the remote server is down.

    RESET (default): This action responds to the client by closing the connection with RST.

    DROP: This action silently drops the packets without sending a response to the user.

    [From Build 41.28]

    [ NSBASE-4936]

  • Rewrite policy expression support for proxy protocol stripped operation

    The stripped operation in proxy protocol now uses rewrite policy expressions to add client details such as source IP address, destination IP address, source port, and destination port into the HTTP header. The rewrite policy evaluates the expression and if “true”, the corresponding rewrite policy action is triggered and the client details are forwarded to the back-end server in the HTTP header.

    [From Build 47.22]

    [ NSBASE-4988]

  • Client IP address in a TCP option

    Citrix ADC now uses TCP option configuration for sending the client IP address to the back-end server. The appliance adds a TCP option number that inserts the client IP address in the first data packet and forwards it to the back-end server. The TCP option configuration can be used in the following scenarios.

    • learn the original client IP address

    • select a language for a website

    • blacklist selected IP addresses

    [From Build 47.22]

    [ NSBASE-6553, NSUI-14692]

  • Intrusion Detection System (IDS) integration with L3 connectivity

    A Citrix ADC appliance is now integrated with passive security devices such as an Intrusion Detection System (IDS). In this setup, the appliance sends a copy of the original traffic securely to remote IDS devices. These passive devices store logs and trigger alerts when they detect bad or non-compliant traffic. They also generate reports for compliance purposes. If the Citrix ADC appliance is integrated with two or more IDS devices and there is a high volume of traffic, the appliance can load balance the devices by cloning traffic at the virtual server level.

    For advanced security protection, a Citrix ADC appliance is integrated with passive security devices such as an Intrusion Detection System (IDS) deployed in detection-only mode. These devices store logs and trigger alerts when they see bad or non-compliant traffic. They also generate reports for compliance purposes. Following are some of the benefits of integrating Citrix ADC with an IDS device.

    1. Inspecting encrypted traffic – Most security devices bypass encrypted traffic, thereby leaving servers vulnerable to attacks. A Citrix ADC appliance can decrypt traffic and send it to IDS devices for enhancing customer’s network security.

    2. Offloading IDS devices from TLS/SSL processing – TLS/SSL processing is expensive and it results in high system CPU in intrusion detection devices if they decrypt the traffic. As encrypted traffic is growing at a fast pace, these systems fail to decrypt and inspect encrypted traffic. Citrix ADC helps in offloading traffic to IDS devices from TLS/SSL processing. This way of offloading data results in an IDS device supporting a high volume of traffic inspection.

    3. Load balancing IDS devices – The Citrix ADC appliance load balances multiple IDS devices when there is a high volume of traffic by cloning traffic at the virtual server level.

    4. Replicating traffic to passive devices – The traffic flowing into the appliance can be replicated to other passive devices for generating compliance reports. For example, a few government agencies mandate that every transaction be logged in some passive devices.

    5. Fanning traffic to multiple passive devices – Some customers prefer to fan out or replicate incoming traffic into multiple passive devices.

    6. Smart selection of traffic – Not every packet flowing into the appliance needs to be content inspected, for example, the download of text files. Users can configure the Citrix ADC appliance to select specific traffic (for example, .exe files) for inspection and send that traffic to IDS devices for processing.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/intrusion-detection-system-for-l3.html

    [From Build 41.28]

    [ NSBASE-6800]

  • New entity counter for debugging load balancing virtual servers

    A new entity counter is added for debugging virtual servers and for analytics purposes.

    [From Build 41.28]

    [ NSBASE-8087]

  • Update for licensing server IP address

    You can now update the licensing server IP address in a VPX instance without any impact on the allocated license bandwidth and without data loss. For information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-vpx-check-in-check-out.html#update-a-licensing-server-ip-address

    [From Build 47.22]

    [ NSCONFIG-1974]

  • Changing default RPC node passwords

    In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.

    [From Build 41.28]

    [ NSCONFIG-2224]

  • Rollback for In Service Software Upgrade process

    High availability setups now support rollback of the In Service Software Upgrade (ISSU) process. The ISSU rollback feature is helpful if you observe that the HA setup after or during the ISSU process is not stable, or is not performing at an optimum level as expected.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/upgrade-downgrade-citrix-adc-appliance/issu-high-availability.html.

    [From Build 41.28]

    [ NSNET-9958]

  • SNMP traps for In Service Software Upgrade process

    The In Service Software Upgrade (ISSU) process for a high availability setup now supports sending SNMP trap messages at the start and end of the ISSU migration operation.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/upgrade-downgrade-citrix-adc-appliance/issu-high-availability.html.

    [From Build 41.28]

    [ NSNET-9959]

Video Optimization

Fixed Issues in Previous Citrix ADC 13.0 Releases

The issues that were addressed in Citrix ADC 13.0 releases prior to Build 47.24. The build number provided below the issue description indicates the build in which this issue was addressed.

Admin Partition

  • The “stat system memory” command might display an incorrect value for the “Free Memory (MB)” field whenever the Citrix ADC appliance reaches 100% memory usage in the default partition.

    [From Build 47.22]

    [ NSHELP-19239]

  • In a high availability setup with admin partition configuration, the audit logs generated from the secondary node are sent to SYSLOG or NSLOG server only when the SYSLOG or NSLOG server is reachable from the admin partition.

    [From Build 41.28]

    [ NSHELP-19399]

  • In a partitioned setup, the “diff ns config” CLI command displays misleading information.

    [From Build 41.28]

    [ NSHELP-19530]

  • Citrix ADC appliance might not add the packet engine (PE) ID information in the admin partition related SNMP trap messages.

    [From Build 47.22]

    [ NSHELP-19966]

  • In a partitioned setup, DNS slows down and times out after creating an admin partition.

    [From Build 47.22]

    [ NSHELP-19996]

AppFlow

  • An AppFlow policy is not triggered if it is bound to a load balancing virtual server that is behind a content switching virtual server.

    [From Build 41.28]

    [ NSHELP-18782, NSBASE-8180]

  • The Citrix ADC appliance crashes if you bind a user-defined analytics profile, other than the internally bound profile, to an AppFlow action.

    [From Build 41.28]

    [ NSHELP-19362]

  • When the AppFlow “client side measurements” feature is enabled, the Citrix ADC appliance unexpectedly parses the CSS files of an HTML page. Any error during the CSS parse can cause the HTML page to load incorrectly.

    [From Build 41.28]

    [ NSHELP-19375]

  • The Citrix ADC appliance might crash if AppFlow is disabled but front-end optimization (FEO) is enabled with client side measurements, in the FEO action.

    [From Build 41.28]

    [ NSHELP-19531]

  • A Citrix ADC appliance might reboot if the AppFlow collector closes in Logstream transport mode.

    [From Build 41.28]

    [ NSHELP-19837]

  • A Citrix ADC appliance might become unresponsive if you remove the AppFlow action while traffic is flowing through the appliance.

    [From Build 47.22]

    [ NSHELP-20523, NSHELP-21692]

Authentication, authorization, and auditing

  • A Citrix ADC appliance might allow unauthorized access if the following conditions are met:

    • Appropriate authorization policies are not configured.

    • The defaultAuthorizationAction parameter in the “set tm sessionParameter” command is ALLOW by default.

    [From Build 41.28]

    [ NSAUTH-6013]

  • The LDAP DN attribute fetched from the AD to Citrix ADC appliance is truncated if the attribute length is greater than 128 bytes.

    [From Build 47.22]

    [ NSAUTH-7210]

  • SNMP sends traps even after the SSH public key authentication succeeds.

    [From Build 41.28]

    [ NSHELP-18303]

  • The probe server command provides an appropriate message when the TACACS server closes the TCP connection with FIN or RST packets without sending an authentication response.

    [From Build 41.28]

    [ NSHELP-18399]

  • When upgrading Citrix ADC cluster setup that is on release 10.5 to a higher version, the system login to a non-CCO node on the higher version fails.

    [From Build 41.28]

    [ NSHELP-18511, NSAUTH-5561]

  • A Citrix ADC appliance configured as SAML SP fails if the server sends a large RelayState parameter name along with assertion.

    [From Build 41.28]

    [ NSHELP-18559]

  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.

    [From Build 41.28]

    [ NSHELP-18751]

  • A Citrix ADC appliance fails to obtain Kerberos tickets through a constrained delegation if one of the following conditions is met:

    • The enterprise “realm” parameter is configured for the user.

    • The domain name in the “keytab” parameter is in lower case.

    [From Build 47.22]

    [ NSHELP-18946]

  • A Citrix ADC appliance fails to obtain Kerberos tickets through a constrained delegation if one of the following conditions is met:

    • The enterprise “realm” parameter is configured for the user.

    • The domain name in the “keytab” parameter is in lower case.

    [From Build 41.28]

    [ NSHELP-18946]

  • The buffer gets corrupted if the following conditions are met:

    • The data in the buffer is overwritten.

    • Core-to-core message processing results in a buffer recycle condition.

    [From Build 41.28]

    [ NSHELP-18952]

  • A Citrix ADC appliance does not drop unauthenticated HTTP OPTIONS requests if User-Agent contains one of the patterns mentioned in ns_aaa_activesync_useragents.

    [From Build 41.28]

    [ NSHELP-19024]

  • WebAuth authentication fails after multiple failovers on a Citrix Gateway appliance.

    [From Build 41.28]

    [ NSHELP-19050]

  • A Citrix ADC appliance might crash if the following conditions are met:

    • Password change option is enabled in an LDAP action command.

    • An LDAP action with an authentication, authorization, and auditing session runs into a session propagation issue.

    [From Build 41.28]

    [ NSHELP-19053]

  • The memory usage of a Citrix ADC appliance increases when Citrix Gateway or traffic management virtual server uses Kerberos authentication.

    [From Build 41.28]

    [ NSHELP-19085]

  • If the authentication, authorization, and auditing sessions are high in number, it takes a longer time to terminate a user session.

    [From Build 47.22]

    [ NSHELP-19131]

  • If the metadataURL parameter is configured and the Citrix appliance is rebooted, then the SAMLAction command is not saved and the configuration is lost.

    [From Build 41.28]

    [ NSHELP-19140]

  • If you set “Import Metadata URL” and later edit it by providing the redirect URL from Citrix ADC GUI, the Redirect URL is set but the Import Metadata URL is not unset. Because of this, the Citrix ADC appliance uses the metadata URL.

    [From Build 41.28]

    [ NSHELP-19202]

  • A Citrix ADC appliance might crash if the input to Citrix GUI or NITRO API login request has an invalid username or password value.

    [From Build 41.28]

    [ NSHELP-19254]

  • The Citrix appliance might crash if an authentication login schema policy is set to noschema.

    [From Build 41.28]

    [ NSHELP-19292]

  • A Citrix ADC appliance occasionally fails if a defaultAuthenticationGroup parameter is configured in a samlIdPProfile command.

    [From Build 41.28]

    [ NSHELP-19301]

  • System user login from Citrix GUI or NITRO API using role-based access (RBA) authentication fails when the Citrix ADC management is accessed through load balancing virtual server and load balancing service.

    [From Build 41.28]

    [ NSHELP-19385]

  • Active Directory Federation Services (ADFS) fails to import metadata generated by the Citrix ADC SAML Service Provider (SP).

    [From Build 41.28]

    [ NSHELP-19390]

  • The base64 decoding fails if a digital signature has HTML entity encoded characters.

    [From Build 41.28]

    [ NSHELP-19410]

  • A Citrix ADC appliance configured for SAML Identity Provider (IdP) fails to authenticate incoming authentication request for certain applications.

    [From Build 41.28]

    [ NSHELP-19443]

  • If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.

    [From Build 47.22]

    [ NSHELP-19528]

  • If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.

    [From Build 41.28]

    [ NSHELP-19528]

  • If the URL contains “;” special character, the TASS cookie encodes the URL redirect at the time of login.

    [From Build 41.28]

    [ NSHELP-19634]

  • If user group extraction is done during an administrator login, the memory usage of Citrix ADC AAA increases gradually.

    [From Build 41.28]

    [ NSHELP-19671]

  • In rare cases, there might be memory leak issues when handling authentication, authorization, and auditing sessions.

    [From Build 47.22]

    [ NSHELP-19703]

  • Authentication might fail when a Citrix ADC appliance configured as SAML with WS-Fed protocol contains a special character “&” in the password.

    [From Build 41.28]

    [ NSHELP-19740]

  • A Citrix ADC appliance might crash in OTP manage flow if the following conditions are met:

    • OTP login schema is used as the first factor.

    • Email authentication is used as the second factor.

    [From Build 47.22]

    [ NSHELP-19759]

  • In some cases, a Citrix ADC appliance dumps core when “show aaa group -loggedIn” command is issued.

    [From Build 47.22]

    [ NSHELP-19793]

  • A 500 error message is observed if the following conditions are met:

    • An authentication, authorization, and auditing enabled traffic management virtual server gets a POST request without the cookie.

    • The post body contains newline characters.

    [From Build 41.28]

    [ NSHELP-19852]

  • A Citrix ADC appliance processes unauthenticated HTTP requests with OPTIONS method received from authentication, authorization, and auditing traffic management virtual server. At this point, the appliance responds with a corresponding HTTP 401 error message.

    [From Build 41.28]

    [ NSHELP-19916]

  • A Citrix ADC appliance sends a negative value if the maximum age value for HSTS header is set above 2,147,483,647.

    [From Build 41.28]

    [ NSHELP-19945]

  • The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.

    [From Build 47.22]

    [ NSHELP-19961]

  • The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.

    [From Build 41.28]

    [ NSHELP-19961]

  • In an OpenID-Connect mechanism, OAuth Relying Party (RP) does not encode username or password properties while making password grant API call.

    [From Build 41.28]

    [ NSHELP-19987]

  • The AAA Group page in the Citrix ADC GUI does not display the IP address in the Intranet IP Address field.

    [From Build 47.22]

    [ NSHELP-20068]

  • A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates relaystate from Service Provider (SP) if it contains quotes.

    [From Build 47.22]

    [ NSHELP-20131]

  • A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates relaystate from Service Provider (SP) if it contains quotes.

    [From Build 41.28]

    [ NSHELP-20131]

  • If you do not configure RfWebUI portal theme on a Citrix ADC appliance, you might observe the following changes:

    • The displayed OTP management pages appear differently or OTP management might not work.

    • The appliance shows unexpected behavior.

    [From Build 47.22]

    [ NSHELP-20144]

  • In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.

    [From Build 47.22]

    [ NSHELP-20181]

  • A Citrix Gateway appliance might fail if the following conditions are met:

    • When a user logs out of a session.

    • The appliance is deployed in an HDX platform.

    • SAML authentication is used in Citrix Gateway.

    [From Build 41.28]

    [ NSHELP-20206]

  • A Citrix Gateway appliance might fail if the following conditions are met:

    • When a user logs out of a session.

    • The appliance is deployed in an HDX platform.

    • SAML authentication is used in Citrix Gateway.

    [From Build 47.22]

    [ NSHELP-20206]

  • The login schema profile of the secondary node does not correctly display the labels on the Configure Authentication Login Schema GUI page.

    [From Build 47.22]

    [ NSHELP-20234]

  • A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.

    [From Build 41.28]

    [ NSHELP-20282]

  • A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.

    [From Build 47.22]

    [ NSHELP-20282]

  • A Citrix Gateway appliance might occasionally fail if users try to log in when taking VPX snapshot.

    [From Build 41.28]

    [ NSHELP-20292]

  • A Citrix Gateway appliance might occasionally fail if users try to log in when taking VPX snapshot.

    [From Build 47.22]

    [ NSHELP-20292]

  • You cannot unbind an authorization policy using the Citrix ADC GUI interface.

    [From Build 47.22]

    [ NSHELP-20298]

  • A Citrix ADC appliance configured as SAML Service Provider (SP) might fail to validate assertions sent by certain IdPs if the namespace of SAML is not defined completely.

    [From Build 47.22]

    [ NSHELP-20307]

  • A Citrix ADC appliance configured as a SAML Service Provider (SP) on traffic management virtual server does not send post body response to the back-end server after SAML login.

    [From Build 47.22]

    [ NSHELP-20348]

  • A Citrix ADC appliance configured as a SAML Service Provider (SP) on traffic management virtual server does not send post body response to the back-end server after SAML login.

    [From Build 41.28]

    [ NSHELP-20348]

  • A memory leak is observed in a Citrix ADC appliance if the following conditions are met:

    • A second factor is configured as pass-through.

    • Buffer is not freed up.

    [From Build 47.22]

    [ NSHELP-20390]

  • The Citrix ADC appliance crashes after an upgrade to version 13.0 because of a buffer overflow condition.

    [From Build 47.22]

    [ NSHELP-20416, NSAUTH-6770]

  • An FQDN in the SSL certificate might cause a Citrix ADC appliance to crash because of a buffer overflow.

    [From Build 47.22]

    [ NSHELP-20476]

  • You cannot unbind multiple certificates using the Citrix ADC GUI interface.

    [From Build 47.22]

    [ NSHELP-20598]

  • A Citrix Gateway appliance might fail when Gateway is configured as SAML IdP along with IdP chaining.

    [From Build 47.22]

    [ NSHELP-20667]

  • A Citrix ADC appliance might crash if the samlSigningCertName parameter is not configured in a samlAction command.

    [From Build 47.22]

    [ NSHELP-20674]

  • A Citrix ADC appliance might fail to authenticate the Microsoft Outlook 2016 users if the password contains Umlaut characters.

    [From Build 47.22]

    [ NSHELP-20682]

  • A Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain) and the users are in parent domain and services are in the child domain.

    [From Build 47.22]

    [ NSHELP-20910]

  • The SAML metadataURL parameter does not work after a Citrix ADC appliance is restarted.

    [From Build 47.22]

    [ NSHELP-21006]

  • In rare cases, nFactor log on fails if both of the following conditions are met:

    • Citrix ADC appliance is configured for certificate authentication with a fallback to LDAP.

    • The certificate authentication fails.

    [From Build 47.22]

    [ NSHELP-21118]

  • If Citrix ADC is configured for forms based SSO, and name-value pairs are specified in the configuration, these values are ignored if the values are absent in the form.

    [From Build 47.22]

    [ NSHELP-21139]

  • The following behavior is observed in the Citrix ADC GUI:

    • You cannot edit the OAuth Policies.

    • You can edit only OAuth Actions.

    • The OAuth Policies option must only be under Advanced Policies not under Basic Policies.

    [From Build 41.28]

    [ NSHELP-2131]

  • If you bind a SAML IdP policy to authentication, authorization, and auditing virtual server by using the Citrix ADC GUI, you cannot modify the next action.

    [From Build 47.22]

    [ NSHELP-479]

  • Occasionally, a Citrix Gateway appliance might fail when it receives /vpns/services.html request from a client.

    [From Build 41.28]

    [ NSHELP-8513]

BaseCluster

  • In a cluster setup, if timestamp is enabled, some of the requests sent to the server might be dropped.

    [From Build 47.22]

    [ NSHELP-20394]

CPXCPX-Infra

  • Citrix ADC CPX

    The following default TCP profiles were not automatically set with the TCP maximum segment size (MSS):

    • nstcp_default_profile

    • nstcp_internal_apps

    [From Build 41.28]

    [ NSNET-11916]

Citrix ADC BLX appliance

  • On a Citrix ADC BLX appliance deployed in shared mode, Citrix ADC GUI and NITRO service become unavailable if you change the BLX management HTTP port (mghttpport) or HTTPS port (mghttpport) by using Citrix ADC command line utility (cli_script.sh set ns param).

    [From Build 47.22]

    [ NSNET-10005]

  • On a Citrix ADC BLX appliance, you cannot bind interface 0/1 to a VLAN because this interface is used for internal communication between the BLX appliance and Linux host applications.

    [From Build 41.28]

    [ NSNET-10014]

  • Citrix ADC BLX appliances do not support static LA channels. Adding a static LA channel on a Citrix ADC BLX appliance might cause the appliance to crash.

    [From Build 47.22]

    [ NSNET-11929]

  • Interface features (for example, Rx, Tx, GRO, GSO, and LRO) are disabled for interfaces (Linux host) allocated to the Citrix ADC BLX appliance. These features continue to remain in the disabled state even after these BLX interfaces are released to the default namespace when the BLX appliance is stopped.

    [From Build 41.28]

    [ NSNET-9697]

Citrix ADC CLI

  • When you are logged in as the nsrecover user, nscli -U commands throw an error.

    [From Build 41.28]

    [ NSCONFIG-1414]

  • A Citrix ADC appliance becomes unresponsive, if it hits the maximum number of user sessions (approximately 1000 sessions) and if the management interface stops responding.

    [From Build 41.28]

    [ NSHELP-19212, NSCONFIG-1369]

Citrix ADC CPX

  • The lighter version of Citrix ADC CPX instance was not getting registered on Citrix ADM.

    [From Build 41.28]

    [ NSCONFIG-2232]

  • You cannot configure an NSIP with /32 bit subnet mask for Citrix ADC CPX.

    [From Build 41.28]

    [ NSNET-10968]

  • You cannot configure an NSIP with /32 bit subnet mask for Citrix ADC CPX.

    [From Build 47.22]

    [ NSNET-10968]

  • The following default TCP profiles were not automatically set with the TCP maximum segment size (MSS):

    • nstcp_default_profile

    • nstcp_internal_apps

    [From Build 47.22]

    [ NSNET-11916]

Citrix ADC GUI

  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. However, the GUI incorrectly displays the following error:

    “Trace not started”

    [From Build 47.22]

    [ NSHELP-18566]

  • An error message, “Cannot read property ‘get’ of undefined.” appears when you click Action in the Stream Identifiers GUI page.

    [From Build 41.28]

    [ NSHELP-19369]

  • The following error message appears after you perform steps 1 through 4.

    “Ambiguous argument value []”

    1. Create an SSL profile with default values.

    2. Bind the profile to an SSL virtual server.

    3. Edit SSL parameters, but do not change any values.

    4. Select OK to close the SSL parameters dialog box.

    [From Build 41.28]

    [ NSHELP-19402]

  • In a cluster setup, if you add a cipher group from advanced settings using the GUI, the cipher group does not appear in the main page.

    [From Build 47.22]

    [ NSHELP-19704]

  • User authentication to Citrix ADC GUI fails if an issue is observed in VAR file rollover mechanism.

    [From Build 47.22]

    [ NSHELP-20229]

  • You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.

    [From Build 47.22]

    [ NSHELP-20506]

  • If you access the Syslog GUI page, the following error message appears: “Cannot read property ‘0’ of undefined”.

    [From Build 47.22]

    [ NSHELP-20574]

  • After an upgrade, the Citrix ADC GUI home page does not load for admins with superuser group permission.

    [From Build 47.22]

    [ NSHELP-20638]

  • You can now set client authentication to optional, in the SSL parameters of a virtual server, using the GUI. Earlier, client authentication changed to mandatory if you used the GUI to change any SSL parameters.

    [From Build 47.22]

    [ NSHELP-21060]

  • Due to some technical issues in the framework, all service groups are not displayed in the ADC GUI.

    [From Build 47.22]

    [ NSUI-13754]

  • Due to some technical issues in the framework, all service groups are not displayed in the ADC GUI.

    [From Build 41.28]

    [ NSUI-13754]

Citrix ADC SDX appliance

  • The maximum number of cores that you can configure now on a VPX instance depends on the available cores on the particular SDX platform. Earlier, you could configure a maximum of only five cores even if more cores were available.

    For information about the maximum number of cores you can assign to a VPX instance, see https://docs.citrix.com/en-us/sdx/13/provision-netscaler-instances.html

    [From Build 41.28]

    [ NSHELP-18632]

  • After an SDX appliance is restored, partition MACs from the backup file were not restored on the respective VPX instances running on the SDX appliance.

    [From Build 41.28]

    [ NSHELP-19008]

  • In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP flap. This triggers HA failover.

    [From Build 47.22]

    [ NSHELP-19095]

  • In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP flap. This triggers HA failover.

    [From Build 41.28]

    [ NSHELP-19095]

  • SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.

    [From Build 41.28]

    [ NSHELP-19297]

  • After upgrading an SDX appliance, the LA channel and VLAN configuration on the appliance might be lost.

    [From Build 41.28]

    [ NSHELP-19392, NSHELP-19610]

  • On SDX 22XXX and 24XXX appliances, during system health monitoring, the SDX Management Service raises false alerts.

    [From Build 47.22]

    [ NSHELP-19795]

  • If the backup file name has any special character, restoring the SDX appliance to that backup fails. With the fix, an error message appears if the backup file has any special character.

    [From Build 47.22]

    [ NSHELP-19951]

  • On an SDX appliance, when you restore a VPX instance provisioned with burst throughput, the restore might fail.

    [From Build 47.22]

    [ NSHELP-20013]

  • On an SDX appliance, the “No additional MACs available for members of interface 10/1” error message appears when all the following conditions are met:

    1. You instantiate 19 VPX instances on the SDX appliance, all with the same network interface.

    2. You then add MAC addresses to the 20th VPX instance, which uses the same network interface as the previous instances.

    3. The number of MAC addresses on the 20th VPX instance is twice the number of MAC addresses added to the 1st VPX instance.

    [From Build 47.22]

    [ NSHELP-20158]

  • When configuring pooled licensing in SDX 14000 FIPS appliance, the minimum instances you could check out was 25. With this fix, the minimum instances you can check out is two. For more information, see the Citrix ADC pooled capacity document:

    https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity.html.

    [From Build 41.28]

    [ NSHELP-20305]

  • When configuring pooled licensing in SDX 14000 FIPS appliance, the minimum instances you could check out was 25. With this fix, the minimum instances you can check out is two. For more information, see the Citrix ADC pooled capacity document:

    https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity.html.

    [From Build 47.22]

    [ NSHELP-20305]

  • After a reset operation, the transmit rate drops.

    [From Build 41.28]

    [ NSPLAT-7792]

  • On SDX 26000 and SDX 15000 platforms, management access through SSH to DOM0 might stop when the following conditions are met:

    • More than one VPX instance is restarted simultaneously.

    • 100 GE or 50 GE interfaces are assigned to the VPX instances.

    [From Build 47.22]

    [ NSPLAT-9185]

  • On SDX 26000 and SDX 15000 platforms, management access through SSH to DOM0 might stop when the following conditions are met:

    • More than one VPX instance is restarted simultaneously.

    • 100 GE or 50 GE interfaces are assigned to the VPX instances.

    [From Build 41.28]

    [ NSPLAT-9185]

  • An SDX appliance might hang at the end of its reboot cycle when all of the following conditions are met:

    • The SDX appliance is booting up.

    • All the VPX instances running on the SDX appliance are yet to come up.

    • Warm reboot commands are run on the SDX appliance.

    On the Citrix hypervisor console, as a result, the SDX appliance goes through regular cleanup and stops at the line “Reached target Final Step.”

    [From Build 41.28]

    [ NSPLAT-9417]

  • After you have configured a VLAN from the allowed VLAN list (AVL) on a VPX instance running on an SDX appliance, the instance fails to restart automatically. As a result, communication between the VPX instance and AVL stops.

    [From Build 41.28]

    [ NSSVM-135]

Citrix ADC VPX appliance

  • You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.

    [From Build 41.28]

    [ NSPLAT-10710]

  • You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.

    [From Build 47.22]

    [ NSPLAT-10710]

  • Due to an Azure stack limitation, traffic using morphed MAC address is not supported. Therefore in an Azure stack ADC deployment, MAC-based forwarding (MBF) mode must be disabled.

    [From Build 47.22]

    [ NSPLAT-11778]

  • If you set MTU size through Citrix ADC VPX GUI, the error message “Operation not supported” appears.

    [From Build 41.28]

    [ NSPLAT-9594]

Citrix Gateway

  • Citrix Gateway intranet applications now support comma-separated host names for FQDN based tunneling.

    [From Build 41.28]

    [ CGOP-10855]

  • If the Citrix Gateway plug-in for macOS is not installed and if the user tries to access VPN from Safari, an error message appears.

    [From Build 41.28]

    [ CGOP-11240]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [From Build 41.28]

    [ CGOP-11830]

  • After an upgrade of Citrix ADC and gateway plug-in to release 13.0 build 41.20, users experience continuous blue screen of death (BSOD) error when trying to set up the VPN tunnel.

    [From Build 47.22]

    [ CGOP-12099]

  • In a Citrix Gateway cluster setup, the Citrix ADC appliance might crash during cluster upgrade because of some changes in the internal data structures.

    [From Build 47.22]

    [ NSAUTH-7153]

  • Encapsulating Security Payload (ESP) packets in transit are dropped if LSN configuration is not enabled on the Citrix ADC appliance.

    [From Build 41.28]

    [ NSHELP-18502]

  • In a high availability setup, the secondary node might crash if SAML is configured.

    [From Build 41.28]

    [ NSHELP-18691]

  • If an RDP server profile is set to the same port number and IP address as that of the content switching virtual server, the content switching configuration is lost after reboot.

    [From Build 41.28]

    [ NSHELP-18818]

  • In some cases, upon accessing the Citrix Gateway appliance using an IE browser, the Citrix Gateway logon page appears only after a refresh.

    [From Build 41.28]

    [ NSHELP-18938]

  • In Citrix ADM, the Analytics > Gateway Insight page reports the terminated VPN sessions incorrectly.

    [From Build 41.28]

    [ NSHELP-19037]

  • In a high availability setup, the secondary node crashes if the removed user information is not synced with the node.

    [From Build 41.28]

    [ NSHELP-19065]

  • Server busy dialog box is displayed on the VPN plugin window on the client machine if the machine remains inactive for more than two hours.

    [From Build 41.28]

    [ NSHELP-19072]

  • UDP, DNS, and ICMP authorization policies do not get applied for the connections between a client in the internal network and a VPN client (server initiated connections).

    [From Build 41.28]

    [ NSHELP-19142]

  • In some cases, the login script configured on the Citrix Gateway server fails to run on the client machines.

    [From Build 41.28]

    [ NSHELP-19163]

  • Advanced End-point Analysis (EPA) scan fails for the macOS devices.

    [From Build 41.28]

    [ NSHELP-19328]

  • In some cases, a Citrix ADC appliance dumps core, if the following conditions are met.

    • Two-factor authentication is enabled for the native VMware horizon client.

    • RADIUS is configured as the first factor of authentication.

    • The RADIUS server responds with the group names upon successful authentication.

    [From Build 41.28]

    [ NSHELP-19333]

  • The following message incorrectly appears when Citrix Gateway is accessed from the Microsoft Edge browser, and EPA or VPN is not used.

    “Full VPN and EPA are not supported in Edge browser. Please use different browser for a better experience.”

    [From Build 47.22]

    [ NSHELP-19367]

  • In some cases, log out from Windows VPN plug-in takes longer than expected.

    [From Build 41.28]

    [ NSHELP-19394]

  • In some cases, the Citrix Gateway appliance sets an invalid cookie while processing unauthenticated requests.

    [From Build 47.22]

    [ NSHELP-19403]

  • In some cases, the Citrix Gateway appliance sets an invalid cookie while processing unauthenticated requests.

    [From Build 41.28]

    [ NSHELP-19403]

  • In some cases, a Citrix Gateway appliance dumps core, if PCOIP virtual server profile is set on a VPN virtual server but pcoipProfile is not set under session action.

    [From Build 41.28]

    [ NSHELP-19412]

  • In some cases, the Citrix Gateway appliance dumps core if the appliance is accessed in the Full VPN tunnel mode.

    [From Build 41.28]

    [ NSHELP-19444]

  • The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.

    [From Build 41.28]

    [ NSHELP-19543]

  • The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.

    [From Build 47.22]

    [ NSHELP-19543]

  • In some cases, EPA fails for virtual machines running on Ubuntu operating system.

    [From Build 47.22]

    [ NSHELP-19556]

  • In an HA pair setup, the persistent sessions on the primary node are not cleared because of an issue with the session sync code in the VPN server.

    [From Build 47.22]

    [ NSHELP-19557]

  • The DTLS service on a virtual server functions with a default set of ciphers that cannot be modified through the bind or unbind cipher commands using CLI.

    [From Build 47.22]

    [ NSHELP-19561]

  • The DTLS service on a virtual server functions with a default set of ciphers that cannot be modified through the bind or unbind cipher commands using CLI.

    [From Build 41.28]

    [ NSHELP-19561]

  • Audio clarity for Skype calls is negatively affected when multiple applications/connections are tunneled over the VPN. This happens because of improper memory management.

    [From Build 41.28]

    [ NSHELP-19630]

  • A Citrix Gateway does not recognize the logon expression policy in a Windows plug-in during nFactor authentication.

    [From Build 41.28]

    [ NSHELP-19640]

  • The “Location based awareness” functionality doesn’t work on client machines when the machine is brought into a network connected zone [Internet or intranet] from a no-network zone.

    [From Build 41.28]

    [ NSHELP-19657]

  • The Endpoint Analysis (EPA) scan failed to validate 4096 bit key device certificate.

    [From Build 47.22]

    [ NSHELP-19697]

  • The issue occurs with Linux receivers, where the encryption module (ICA_MODULE_PD) is not received from Receiver in PACKET_INIT_RESPONSE during the ICA handshake. This leaves a null encryption handler in ADC, which leads to a crash. The ADC skips parsing the connection when no encryption parameters are received from Receiver.

    [From Build 47.22]

    [ NSHELP-19758]

  • In isolated cases, there is a memory corruption causing a core dump while clearing a corrupted SSL VPN authentication, authorization, and auditing session entry after the timeout.

    [From Build 47.22]

    [ NSHELP-19775]

  • If an authentication factor hosted in Azure is used in Citrix MFA, logon to Citrix Gateway using the Windows plug-in fails. This happens because the MFA HTTP timeout value is less than the Citrix Gateway Windows plug-in timeout value.

    With this fix, Citrix Gateway Windows plug-in timeout value is increased to avoid logon failure. Also, the HTTP timeout value can now be configured by setting the below registry value (in seconds):

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\HttpTimeout

    [From Build 41.28]

    [ NSHELP-19848]

  • The Transfer Login page for an existing user does not work in languages other than English.

    [From Build 47.22]

    [ NSHELP-19859]

  • In some cases EPA scan fails on Windows machines.

    [From Build 41.28]

    [ NSHELP-19865]

  • In rare cases, Citrix ADC appliances deployed in a high availability (HA) setup might crash resulting in frequent HA failover, if both of the following conditions are met:

    • Gateway Insight is enabled.

    • SSO fails.

    [From Build 47.22]

    [ NSHELP-19922]

  • In rare cases, Citrix ADC appliances deployed in a high availability (HA) setup might crash resulting in frequent HA failover, if both of the following conditions are met:

    • Gateway Insight is enabled.

    • SSO fails.

    [From Build 41.28]

    [ NSHELP-19922]

  • If ICA insight is enabled for EDT sessions, you might experience a frozen screen or a delay in the application screen operations.

    [From Build 47.22]

    [ NSHELP-19934]

  • Windows Intune enrollment check cannot be disabled on the client machines. The check is enabled by default.

    With this fix, Windows Intune enrollment check can be disabled.

    To disable the check, set the following registry entry to 1:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\DisableIntuneDeviceEnrollment

    [From Build 41.28]

    [ NSHELP-19942]

  • In rare cases, the Citrix Gateway crashes while GSLB updates VPN services statistics.

    [From Build 47.22]

    [ NSHELP-19992]

  • Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.

    [From Build 41.28]

    [ NSHELP-20097]

  • Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.

    [From Build 47.22]

    [ NSHELP-20097]

  • Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a result, the system slows down.

    [From Build 41.28]

    [ NSHELP-20122]

  • Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a result, the system slows down.

    [From Build 47.22]

    [ NSHELP-20122]

  • In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.

    [From Build 47.22]

    [ NSHELP-20230]

  • The Citrix ADC appliance might become unresponsive if HDX Insight is enabled.

    [From Build 47.22]

    [ NSHELP-20280]

  • A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.

    [From Build 41.28]

    [ NSHELP-20285]

  • A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.

    [From Build 47.22]

    [ NSHELP-20285]

  • EPA scans are not completed and become unresponsive.

    [From Build 47.22]

    [ NSHELP-20319]

  • Users are unable to add client-less access policies from the policy manager by using the Citrix Gateway GUI.

    [From Build 47.22]

    [ NSHELP-20333]

  • When adding domains for clientless access profile, a horizontal scrollbar appears when the FQDN is long.

    [From Build 41.28]

    [ NSHELP-20341]

  • When adding domains for clientless access profile, a horizontal scrollbar appears when the FQDN is long.

    [From Build 47.22]

    [ NSHELP-20341]

  • The VPN plug-in unblocks all TCP traffic until captive portal authentication if both of the following conditions are met:

    • The client machine is configured for AlwaysOn, onlyToGateway mode.

    • The client machine is connected to a captive portal network.

    [From Build 47.22]

    [ NSHELP-20360]

  • AlwaysON service intermittently fails to establish a VPN tunnel when the networkAccessONVPNFailure parameter is set to “Only to Gateway.”

    [From Build 47.22]

    [ NSHELP-20369]

  • You might experience a delay in the keyboard and mouse responses to your actions in a launched desktop if DTLS is enabled.

    [From Build 47.22]

    [ NSHELP-20447]

  • The Network Level Authentication (NLA) service is restarted every time a user logs in or logs out. This happens because the settings configured by using the nsapimgr knobs are not honored.

    [From Build 47.22]

    [ NSHELP-20494]

  • Citrix Windows plug-in is unable to connect to Citrix Gateway using Mozilla Firefox 68.0.

    [From Build 47.22]

    [ NSHELP-20503]

  • In a high availability setup, during Citrix ADC failover, icons of some of the apps in the /var/netscaler/logon folder are not visible.

    [From Build 47.22]

    [ NSHELP-20573]

  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:

    • SplitTunnel is set to ON.

    • IP address pool (Intranet IP) option is set to NoSpillOver.

    [From Build 47.22]

    [ NSHELP-20584]

  • A Citrix ADC appliance fails to decode rewritten URLs for clientless VPN if the URLs contain “%2E” in the FQDN.

    [From Build 47.22]

    [ NSHELP-20603]

  • Users cannot access Microsoft Office documents from SharePoint over advanced clientless VPN access.

    [From Build 47.22]

    [ NSHELP-20611]

  • After you upgrade the Citrix ADC appliance to release 12.1 build 54.13 and later, the following message might appear when accessing the RDP resources.

    “error :not a privileged user”

    [From Build 47.22]

    [ NSHELP-20678]

  • The Citrix ADC appliance might become unresponsive if HDX Insight is enabled and there is a low memory condition.

    [From Build 47.22]

    [ NSHELP-20707]

  • The Citrix Virtual Adapter remains connected when the VPN machine is in sleep mode and a logout is triggered. Users must terminate the application or restart the VPN machine to gain access to the network.

    [From Build 47.22]

    [ NSHELP-20755]

  • The Citrix ADC appliance might become unresponsive if the appliance is configured for proxy EDT connections and there is a low memory condition.

    [From Build 47.22]

    [ NSHELP-20761]

  • nFactor authentication fails if Online Certificate Status Protocol (OCSP) is enabled for device certificate check.

    [From Build 47.22]

    [ NSHELP-20855]

  • The apps configured on the StoreFront do not appear on the Citrix Gateway home page if all of the following conditions are met:

    • WiHome is configured.

    • Advanced clientless VPN access is enabled.

    • The user logs on from either Internet Explorer or Firefox.

    [From Build 47.22]

    [ NSHELP-20888]

  • Users cannot access internal resources even if VPN is successfully connected, but the DNS servers are not correctly configured for the Citrix Virtual Adapter.

    [From Build 47.22]

    [ NSHELP-20892]

  • Users intermittently get the “Error 403 Access Denied” error message when loading a Citrix Gateway URL with RfWebUI theme.

    [From Build 47.22]

    [ NSHELP-20895]

  • AlwaysOn service with user persona fails to establish a user tunnel if there are multiple device certificates in the device store.

    [From Build 47.22]

    [ NSHELP-20897, NSHELP-21583]

  • In a high availability setup, the secondary Citrix ADC appliance might crash if session reliability on a high availability setup is enabled.

    [From Build 41.28]

    [ NSHELP-5257, NSINSIGHT-1208, NSHELP-3807, NSHELP-3808, NSHELP-5414, NSHELP-5417, NSHELP-5428, NSHELP-17883, NSHELP-17894, NSHELP-17904]

  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.

    [From Build 41.28]

    [ NSHELP-7872]

  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.

    [From Build 47.22]

    [ NSHELP-7872]

  • In some cases, a Citrix Gateway appliance dumps core because the pending STA refresh operations build up infinitely.

    [From Build 41.28]

    [ NSHELP-8684]

Citrix Web App Firewall

  • The Citrix Web App Firewall original settings are overridden to default.

    For example, if you have selected the “enable” option for some signatures, the setting gets overridden to “disable” during the signature merge operation.

    [From Build 41.28]

    [ NSHELP-17841]

  • A configuration loss is observed when you reboot a high availability or cluster setup with rfcprofile option enabled in the running configuration.

    [From Build 41.28]

    [ NSHELP-18856]

  • A Citrix ADC appliance might crash if the following features are enabled in the Web App Firewall profile.

    • XML processing.

    • Security insight.

    [From Build 47.22]

    [ NSHELP-18869, NSHELP-21691]

  • A Citrix ADC appliance might crash if the Citrix Web App Firewall configuration changes are not handled properly in a cluster setup.

    [From Build 41.28]

    [ NSHELP-18870]

  • After you add a relaxation rule, similar URLs are not getting deleted from the learned rules list.

    [From Build 41.28]

    [ NSHELP-19298]

  • After you add a relaxation rule, similar URLs are not getting deleted from the learned rules list.

    [From Build 47.22]

    [ NSHELP-19298]

  • A Citrix ADC appliance might crash when processing large form bodies and if the field consistency parameter is enabled on the Citrix Web App Firewall profile.

    [From Build 41.28]

    [ NSHELP-19299]

  • A Citrix ADC appliance might reset client connections when there is high XML traffic.

    [From Build 41.28]

    [ NSHELP-19314]

  • If you enable the URL transform policy and if the response from a body attribute value contains special characters, the ContentSwitching in an SSL offload might replace the special characters as entity encoded values.

    [From Build 41.28]

    [ NSHELP-19356]

  • A Citrix ADC appliance might crash when CONNECT requests are received. The issue occurs if you set the default profile settings to any value other than APPFW_BYPASS, APPFW_RESET, APPFW_DROP, APPFW_BLOCK.

    [From Build 41.28]

    [ NSHELP-19603]

  • Web Requests with many query parameters might receive no response if the field consistency protection parameter is enabled.

    [From Build 41.28]

    [ NSHELP-19811]

  • Web Requests with many query parameters might receive no response if the field consistency protection parameter is enabled.

    [From Build 47.22]

    [ NSHELP-19811]

  • A Citrix ADC appliance fails, if the following conditions are observed:

    • Web App Firewall policies use an HTTP body based rule, for example, HTTP.REQ.BODY(..).

    • Web App Firewall feature is disabled.

    [From Build 41.28]

    [ NSHELP-19879]

  • In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.

    [From Build 47.22]

    [ NSHELP-20010]

  • On a Citrix ADC SDX appliance, a Citrix ADC VPX instance might crash because of an internal issue in WAF module.

    [From Build 47.22]

    [ NSHELP-20096]

  • A Citrix ADC appliance might crash if there is an internal communication error with the sqlite library.

    [From Build 47.22]

    [ NSHELP-20173]

  • After an upgrade, if you bind a signature to the Web App Firewall profile, the appliance silently drops an incoming request.

    [From Build 47.22]

    [ NSHELP-20201, NSWAF-3427, NSHELP-20599]

  • A Citrix ADC appliance might crash when processing signature file regex patterns and if bigstack is unavailable.

    [From Build 47.22]

    [ NSHELP-20359]

  • A Citrix ADC appliance might crash if the following conditions are observed:

    • IP reputation policy expression is used in a load balancing virtual server of type TCP.

    • Security Insight is enabled.

    [From Build 47.22]

    [ NSHELP-20410]

  • A Citrix ADC appliance might crash if the signature feature is enabled and a specific request pattern is detected.

    [From Build 47.22]

    [ NSHELP-20884, NSHELP-19583]

  • New option to limit post body bytes inspected by signature

    After you upgrade your appliance to Citrix ADC version 13.0, you can now see a new profile option, “Signature Post Body Limit (Bytes)” with a default value of 8192 bytes. Your appliance upgrade will set the option to the default value. You can change this option to limit the request payload (in bytes) inspected for signatures with the location specified as ‘HTTP_POST_BODY’.

    Previously, Citrix Web App Firewall had no option to limit payload inspection and keep CPU usage in check.

    Navigation: Configuration > Security > Citrix Web App Firewall > Profiles > Profile Settings.

    [From Build 41.28]

    [ NSWAF-2887, NSUI-13251]

  • Requests coming from Tor proxy IP addresses are not blocked by the IP reputation Tor proxy category using CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(PROXY) policy expression.

    [From Build 47.22]

    [ NSWAF-3611]

Client AG-EE

  • With Citrix Gateway, a set of machines cannot access internal and external resources when connected over VPN only and Intranet IP is configured.

    [From Build 47.22]

    [ NSHELP-20011]

Clustering

  • A high CPU usage is observed on a Citrix ADC appliance or in a cluster setup if “show ns ip” command displays many IP addresses.

    [From Build 47.22]

    [ NSHELP-11193]

  • A linkset-member interface or channel is added as part of a new static ND6 entry to the Citrix ADC appliance. For the Citrix ADC appliance to accept the new static ND6 entry, you must provide the linkset VLAN.

    [From Build 47.22]

    [ NSHELP-19453]

  • In a cluster setup with ACL6 configuration, the ICMPv6 error packets loop between the nodes causing high CPU usage.

    [From Build 41.28]

    [ NSHELP-19535]

  • In a cluster setup, the cluster propagation might fail if one of the following conditions is met:

    • Connection fails between cluster daemon and configuration daemon.

    • Increase in memory usage in cluster daemon.

    [From Build 41.28]

    [ NSHELP-19771]

  • In a cluster setup, the Citrix ADC GUI fails to upload an SSL certificate in the following conditions:

    • Commands are executed from the CLIP.

    • “sh partition” command responds with an invalid response.

    [From Build 41.28]

    [ NSHELP-19905]

  • In a single-node cluster, sometimes, you cannot SSH to CLIP under the following conditions:

    • USIP mode is enabled.

    • State of the cluster node is set to passive.

    [From Build 47.22]

    [ NSHELP-20210]

  • In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

    [From Build 47.22]

    [ NSHELP-20366]

  • An ACL6 list of type DFD might be corrupted when you add ACLs in descending order and delete any one of the ACL6 entries.

    [From Build 47.22]

    [ NSHELP-20587]

  • In a cluster setup, the Citrix ADC appliance might crash for a new MPTCP connection, if the 4 tuples are reused with a different MPTCP key before the original connection has timed out on the Citrix ADC appliance.

    [From Build 47.22]

    [ NSHELP-20844, NSHELP-20726]

  • In a cluster setup, you might observe continuous failure logs that indicate connection failure between ZebOS dynamic routing IMI daemon and internal cluster daemon. This issue occurs when either the ZebOS dynamic routing IMI daemon or internal cluster daemon is restarted.

    [From Build 41.28]

    [ NSNET-10655]

  • The following behavior is observed in a cluster setup:

    • There is a configuration mismatch if you execute enable/disable servicegroupmember, service group, and server command.

    • The unset command does not reset the netprofile for service/service group.

    [From Build 41.28]

    [ NSNET-9599]

DNS

  • A Citrix ADC appliance might crash if DNS logging is enabled and the appliance receives a large DNS response.

    [From Build 47.22]

    [ NSHELP-18926]

  • The Citrix ADC appliances might crash when filling cached negative response for a DNS ANY query for an authoritative zone.

    [From Build 41.28]

    [ NSHELP-19496]

  • You can add a wildcard domain for the zone you own.

    [From Build 41.28]

    [ NSHELP-19498]

  • A Citrix ADC VPX instance running on an SDX appliance might crash if an invalid DNS request is received on a Jumbo enabled interface.

    [From Build 41.28]

    [ NSHELP-19854]

GSLB

  • The GSLB site backup parent list configuration is lost if both of the following conditions are met:

    • The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.

    • The Citrix ADC appliance is restarted.

    [From Build 41.28]

    [ NSCONFIG-1760]

  • The GSLB site backup parent list configuration is lost if both of the following conditions are met:

    • The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.

    • The Citrix ADC appliance is restarted.

    [From Build 47.22]

    [ NSCONFIG-1760]

  • A Citrix ADC appliance might crash when all of the following conditions are met:

    • A backend server is DOWN.

    • An ADC appliance collects information on server, such as RTT and proximity, for selecting a new backend.

    [From Build 47.22]

    [ NSHELP-11969]

  • In a GSLB cluster setup, MEP connection might get terminated resulting in a MEP flap when a node joins the cluster.

    [From Build 47.22]

    [ NSHELP-19532]

  • In a GSLB cluster setup, MEP connection might get terminated resulting in a MEP flap when a node joins the cluster.

    [From Build 41.28]

    [ NSHELP-19532]

  • A Citrix ADC appliance crashes when a set command is issued on a CNAME-based GSLB service.

    [From Build 47.22]

    [ NSLB-5433, NSLB-5562]

Gateway

  • In rare cases, the Citrix Gateway appliance crashes if AAA user session is transferred and Intranet IP is enabled.

    [From Build 47.22]

    [ NSHELP-20680]

Gateway Insight

  • In a high availability (HA) setup, the primary node might crash if AppFlow is enabled and there is a failover.

    [From Build 47.22]

    [ NSHELP-19363]

  • Citrix ADC appliances deployed in a high availability (HA) setup crash if both of the following conditions are met:

    • AppFlow is enabled

    • There is a high availability synchronization failure.

    [From Build 47.22]

    [ NSHELP-19490]

Licensing

  • If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.

    [From Build 47.22]

    [ NSHELP-19615]

  • After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.

    [From Build 47.22]

    [ NSHELP-20137]

  • After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.

    [From Build 41.28]

    [ NSHELP-20137]

Load Balancing

  • When LRTM is enabled on a monitor bound to a service group, response time is not shown.

    [From Build 41.28]

    [ NSHELP-12689]

  • In rare cases, a Citrix ADC appliance might fail when the service is marked DOWN before the SSL session is received from the server that has the following configuration.

    • A load-balancing virtual server of type SSL_BRIDGE

    • Persistence type is set to SSLSESSION ID

    • Backup persistence type is set to SOURCEIP

    [From Build 41.28]

    [ NSHELP-18482]

  • The inactive services number for a load balancing virtual server might return a large value for a few seconds after some services or service group members are unbound from the load balancing virtual server. This is a display issue and does not impact any functionality.

    [From Build 41.28]

    [ NSHELP-19400]

  • A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.

    [From Build 47.22]

    [ NSHELP-19540]

  • A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.

    [From Build 41.28]

    [ NSHELP-19540]

  • In a high availability setup in INC mode, the GUI and CLI of the secondary node incorrectly display the following status message for some load balancing monitors:

    “Probe skipped - node secondary”

    [From Build 41.28]

    [ NSHELP-19617]

  • Redirecting an HTTPS URL fails if the URL contains the % special character.

    [From Build 47.22]

    [ NSHELP-19993]

  • You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.

    [From Build 47.22]

    [ NSHELP-20020]

  • You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.

    [From Build 41.28]

    [ NSHELP-20020]

  • A Citrix ADC appliance might crash if traffic domain is configured on a load balancing virtual server of type SIP.

    [From Build 47.22]

    [ NSHELP-20286]

  • The Citrix ADC appliance might crash when both the following conditions are met:

    • Rule-based persistence is configured on the appliance.

    • Multiple IPv6 servers respond with the same values for the parameters configured in the rule-based persistence.

    [From Build 47.22]

    [ NSHELP-20490]

  • Path monitoring for autoscale servicegroups is not supported in a cluster deployment.

    [From Build 41.28]

    [ NSLB-4660]

NITRO

  • The Citrix ADC appliance responds with an internal error message for show routerdynamicrouting NITRO API call.

    [From Build 41.28]

    [ NSCONFIG-1325]

  • The Citrix ADC appliance responds with an internal error message for show routerdynamicrouting NITRO API call.

    [From Build 47.22]

    [ NSCONFIG-1325]

  • HTTP daemon on a Citrix ADC appliance might crash if all of the following conditions are true:

    • The appliance receives an idempotent NITRO API request for adding a resource on the appliance.

    • The idempotent NITRO API request does not have any settable properties.

    • The resource already exists on the Citrix ADC appliance.

    [From Build 47.22]

    [ NSCONFIG-2298]

  • The first login using NITRO API fails for a partition user. However, the subsequent login succeeds.

    [From Build 47.22]

    [ NSHELP-20159, NSCONFIG-2054]

Networking

  • In a high availability setup with OSPF dynamic routing configured, the new primary node does not generate the OSPF MD5 sequence number in an increasing order after a failover.

    This issue has been fixed. For the fix to work properly, you must synchronize the time between the primary and secondary nodes either manually or by using NTP.

    [From Build 41.28]

    [ NSHELP-18958]

  • When a PBR rule with next hop parameter set to NULL is added for a load balancing service or a monitor, the Citrix ADC appliance might become unresponsive.

    [From Build 41.28]

    [ NSHELP-19245]

  • A Citrix ADC appliance might create a SYN+ACK packet loop, which in turn causes high CPU usage, when all the following conditions are true:

    • If an outstanding RNAT probe connection to an IP address, which is not currently Citrix ADC owned IP address, is present in the ADC appliance.

    • If you make this IP address as ADC owned IP address as part of the ADC configuration. For example, adding a load balancing virtual server with this IP address.

    [From Build 41.28]

    [ NSHELP-19376]

  • The Citrix ADC appliance allows configuration through NITRO APIs even before the protocol modules are completely initialised. As a result, the write memory command fails with the following error message:

    “save config denied – modules not ready”

    [From Build 41.28]

    [ NSHELP-19431]

  • In some rare cases in a high availability setup, the secondary node might establish BGP session over the Citrix ADC IP address (NSIP).

    [From Build 41.28]

    [ NSHELP-19720]

  • The BGP process might fail due to memory corruption if it receives bgp updates with multiple 4-byte AS numbers in the path.

    [From Build 41.28]

    [ NSHELP-19860]

  • The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled, or an associated IP address is deleted.

    [From Build 47.22]

    [ NSHELP-19891]

  • The BGP daemon on a Citrix ADC appliance might incorrectly install learned routes with next-hops as 0.0.0.0/0.

    [From Build 47.22]

    [ NSHELP-19900]

  • The Citrix ADC appliance might crash if you add a listen policy that has a dependency for a certain internal FTP service lookup.

    [From Build 47.22]

    [ NSHELP-20002]

  • For traffic accessing a load balancing setup through a Citrix ADC Access Gateway, the Citrix ADC appliance might apply MAC Based Forwarding (MBF) on this traffic even without properly adding the Layer 2 information to the connection table entry.

    [From Build 47.22]

    [ NSHELP-20064]

  • The Citrix ADC appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.

    [From Build 47.22]

    [ NSHELP-20112]

  • After a restart, the Citrix ADC appliance established a BGP session with the peer devices before assigning a subnet IP (SNIP) address on the interface, resulting in next-hop validation failure. Because of this issue, the Citrix ADC appliance might not learn the routes advertised from these peer devices.

    [From Build 47.22]

    [ NSHELP-20211]

  • A Citrix ADC appliance, acting as a proxy server, might apply a PBR rule based on Layer 2 information to a traffic even though the traffic does not match the PBR rule.

    [From Build 47.22]

    [ NSHELP-20317]

  • “An existing route relies on the presence of this subnet” error message is seen, if all of the below conditions occur:

    • Two or more SNIP addresses with the first octet greater than 127 are added

    • A route for the SNIP addresses is added on that network

    • You try to delete any one of the added SNIP addresses

    [From Build 47.22]

    [ NSHELP-20492]

  • 32-bit ASN values appear as negative values in the “sh ip bgp summary” command output.

    [From Build 47.22]

    [ NSHELP-20540]

  • A Citrix ADC appliance might crash if it receives IPv6 traffic that matches both of the following conditions:

    • Source MAC address of IPv6 traffic matches the MAC address of a service bound to a virtual server with type ANY and redirection mode set to MAC based forwarding (-m MAC)

    • The IPv6 traffic matches an RNAT6 rule with TCP proxy option enabled

    [From Build 47.22]

    [ NSHELP-20548]

  • The Citrix ADC appliance might not update ECMP routes properly when multiple BGP sessions go to “DOWN” state simultaneously.

    [From Build 47.22]

    [ NSHELP-20664]

  • The BGP daemon might display duplicate warning messages for a route removed from the Citrix ADC routing table.

    [From Build 47.22]

    [ NSHELP-20906]

  • With an RNAT rule that has the useproxyport parameter disabled, and RNAT clients accessing an INAT public IP address, the Citrix ADC appliance might incorrectly allocate/de-allocate ports for sessions related to the RNAT rule. This incorrect allocation/de-allocation of ports results in a port leak.

    [From Build 41.28]

    [ NSNET-10089]

  • On the Citrix ADC GUI, when you go to Configuration > Network > Interfaces, and click Interface Statistics, the Interface Summary is not displayed and the “Invalid value [arg]” error message appears.

    [From Build 41.28]

    [ NSUI-13043]

Optimization

  • The Lazy Loading mode does not load images in a simple web page that are above the fold with no attributes such as height or width.

    [From Build 41.28]

    [ NSHELP-19193]

  • A Citrix ADC appliance restarts by itself if the following conditions are observed:

    • Front end optimization feature is enabled.

    • Cached objects are re-optimized.

    [From Build 41.28]

    [ NSHELP-19428]

Platform

  • The SDX 14000 FIPS appliance might crash and restart while configuring a FIPS HSM partition.

    [From Build 41.28]

    [ NSHELP-18503]

  • On the following Citrix ADC SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to a VPX instance and instance management is done through the data ports.

    • SDX 8900

    • SDX 14000-40G

    • SDX 14000-40S

    • SDX 15000-50G

    • SDX 25000-40G

    • SDX 25000T

    • SDX 25000T-40G

    [From Build 47.22]

    [ NSHELP-19861]

  • On SDX platforms with Fortville interfaces, the 10G & 40G Fortville interfaces can run into TX stalls when Jumbo is enabled on them.

    [From Build 47.22]

    [ NSHELP-20605]

Policies

  • After an upgrade, the rewrite policy does not work for CVPN homepage2.html

    [From Build 47.22]

    [ NSHELP-19481]

  • In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.

    [From Build 47.22]

    [ NSHELP-19867]

  • In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.

    [From Build 41.28]

    [ NSHELP-19867]

  • When you convert policies from classic to advanced using nspepi tool, syntax errors are observed for port and netmasks.

    [From Build 47.22]

    [ NSHELP-20720]

  • A Citrix ADC appliance might crash if the configuration has responder action with respondwithhtmlpage as an action type.

    [From Build 41.28]

    [ NSHELP-5821]

  • A Citrix ADC appliance might crash if you use responder action of redirect action type.

    [From Build 41.28]

    [ NSPOLICY-3196]

  • Classic policy-based features and functionalities are deprecated from Citrix ADC 12.0 build 56.20 onwards. As an alternative, Citrix recommends you to use the Advanced policy infrastructure.

    These features and functionalities will no longer be available from Citrix ADC 13.1 release in 2020. Also, other smaller features will be deprecated.

    [From Build 41.28]

    [ NSPOLICY-3228]

Portal

  • Citrix Gateway Users are incorrectly prompted to enter the user name and password when nFactor Logon form is customized to display the dynamic Logon Type menu and OAuth is selected from the list.

    [From Build 47.22]

    [ NSHELP-20300]

SNMP

  • After an upgrade in a high availability set up from release 12.1 build 49.23 to release 12.1 build 49.37, the primary node does not send an SNMP coldstart trap message during a restart.

    [From Build 41.28]

    [ NSHELP-18631]

SSL

  • The ADC appliance might occasionally send extra data to the client if both of the following conditions are met:

    • The appliance is connected to the backend server through SSL.

    • The size of the data received from the server exceeds 9k.

    [From Build 41.28]

    [ NSHELP-11183]

  • You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.

    [From Build 47.22]

    [ NSHELP-13018]

  • You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.

    [From Build 41.28]

    [ NSHELP-13018]

  • For SNI enabled sessions, the ADC appliance can control how the host header is validated. A new parameter “SNIHTTPHostMatch” is added to SSL profile and SSL global parameters to have better control on this validation. This parameter can take three values; CERT, STRICT, and NONE. SNI must be enabled on the SSL virtual server or the profile bound to the virtual server, and the HTTP request must contain the host header.

    [From Build 47.22]

    [ NSHELP-13370]

  • Safenet directory is missing when you install a VPX instance on Citrix XenServer, VMware ESX, or Linux-KVM platform.

    [From Build 41.28]

    [ NSHELP-14582]

  • The DTLS handshake might fail if DTLS records of different message types are received out of order. For example, a “Server Hello Done” message is received before a “Server Hello” message.

    [From Build 47.22]

    [ NSHELP-18512]

  • A Citrix ADC appliance might crash when you execute an audit log message action based on the expression “ssl.origin.server_cert”. The log action is bound to a responder policy.

    [From Build 41.28]

    [ NSHELP-19014]

  • If the client and CA certificates have different encoding, the client certificate is incorrectly rejected when -clientAuthUseBoundCAChain is ENABLED, even though the client and server certificates are issued by the same CA.

    [From Build 41.28]

    [ NSHELP-19077]

  • A Citrix ADC appliance might crash intermittently if both of the following conditions are met:

    • OCSP check and SSL interception are enabled on an SSL profile.

    • The SSL profile is bound to a content switching virtual server of type PROXY.

    [From Build 47.22]

    [ NSHELP-19194]

  • A Citrix ADC appliance might crash while executing the SSL action “clientcertFingerprint” to insert the client certificate’s fingerprint into the HTTP header of the request to be sent to the server, if both of the following conditions are met:

    • Session ticket is enabled.

    • SSL policy is bound at request bind point.

    [From Build 41.28]

    [ NSHELP-19331]

  • An SSL virtual server may reset the connection with reset code 9820 instead of fragmenting the record into multiple TCP packets as expected, if the following conditions are met:

    • A TLSv1.3 enabled virtual server encrypts application data from the backend application server to send to a TLSv1.3 client.

    • The resulting encrypted record length is exactly one byte larger than the TCP maximum segment size.

    [From Build 41.28]

    [ NSHELP-19466]

  • The handshake fails on a Citrix ADC SDX appliance with N2 chips, because ECDSA ciphers are not supported on this platform. With this fix, ECDSA ciphers are not advertised on this platform.

    [From Build 41.28]

    [ NSHELP-19614, NSHELP-20630]

  • CRL refresh takes the old IP address instead of the new one, if the URL is changed from IP-based address to domain name-based address.

    [From Build 41.28]

    [ NSHELP-19648]

  • The internal SSL service state appears UP even after you unbind the certificate from the service.

    [From Build 47.22]

    [ NSHELP-19752]

  • The ssl_tot_enc_bytes counter reports incorrect plain text bytes to be encrypted.

    [From Build 41.28]

    [ NSHELP-19830]

  • An error message appears when you assign a DH parameter file to an SSL profile in an admin partition setup.

    [From Build 47.22]

    [ NSHELP-19838]

  • The following appliances might crash if they receive the “ChangeCipherSpec” message from a client but not the “Finished” message:

    • MPX 5900/8900

    • MPX 15000-50G

    • MPX 26000-100G

    [From Build 41.28]

    [ NSHELP-19856]

  • If you add a certificate with an AIA extension on a cluster IP (CLIP) address, the following error message appears when you try to remove the certificate from the CLIP:

    ‘Internal Error’.

    [From Build 41.28]

    [ NSHELP-19924]

  • When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occurs:

    1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.

    2. The server responds with a HelloRetryRequest message.

    3. The client responds with an illegal ClientHello message that omits the server_name extension.

    [From Build 47.22]

    [ NSHELP-20245]

  • When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occurs:

    1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.

    2. The server responds with a HelloRetryRequest message.

    3. The client responds with an illegal ClientHello message that omits the server_name extension.

    [From Build 41.28]

    [ NSHELP-20245]

  • If the SSL default profile is enabled and bound to an SSL service group, a warning message appears when you unbind a cipher from the SSL profile and bind a service to this service group. The service is also not bound to the service group.

    [From Build 47.22]

    [ NSHELP-20332]

  • A Citrix ADC appliance might show different profiles on cluster IP (CLIP) address and Citrix ADC IP (NSIP) address if a legacy SSL profile is bound to SSL entities, and later the default (enhanced) SSL profile is enabled.

    [From Build 47.22]

    [ NSHELP-20335]

  • If your ADC appliance is integrated with an unsupported version of Thales HSM, the appliance crashes after generating the HSM key and certificate, installing the certificate-key pair on the appliance, and binding it to the SSL virtual server. With this fix, the appliance reports an error instead of crashing.

    [From Build 47.22]

    [ NSHELP-20352]

  • An error message “Error- File Too Large” appears in both of the following cases:

    • You first upgrade the Citrix ADC software to version 13.0 and then upgrade the FIPS firmware.

    [From Build 47.22]

    [ NSHELP-20522]

  • An error message “Error- File Too Large” appears in both of the following cases:

    • You first upgrade the Citrix ADC software to version 13.0 and then upgrade the FIPS firmware.

    [From Build 41.28]

    [ NSHELP-20522]

  • A Citrix ADC VPX appliance might crash if ChaChaPoly cipher is used and the client sends a truncated record to the appliance.

    [From Build 47.22]

    [ NSHELP-20684]

  • The DTLS handshake might fail if DTLS record fragments are received out of order.

    [From Build 47.22]

    [ NSHELP-20703]

  • The SSL handshake fails on the following platforms if the Client Key Exchange and Client Verify messages come in a single record.

    • MPX 59xx

    • MPX/SDX 89xx

    • MPX/SDX 261xx-100G

    • MPX/SDX 15xxx-50G

    [From Build 41.28]

    [ NSSSL-3359, NSSSL-1608]

  • TLS and DTLS handshakes with RSA based key exchange fail on the front end of N3-based Citrix ADC MPX and SDX appliances when the following conditions are met.

    1. TLS handshake fails when the TLS Client Hello message contains TLSv1.2 as the protocol version, but TLSv1.2 is disabled on the Citrix ADC appliance. Therefore, the appliance negotiates a lower version (TLSv1.1, TLSv1.0, or SSLv3.0)

    2. DTLS handshake fails when the DTLS Client Hello message contains DTLSv1.2 as the protocol version, but the Citrix ADC appliance negotiates DTLSv1.0.

    Use the ‘show hardware’ command to identify whether your appliance has N3 chips.

    [From Build 41.28]

    [ NSSSL-6630]

  • In a NITRO call for a virtual server that has a profile bound to it, some entities of the virtual server, such as HSTS and OCSP_stapling that are part of the profile, are also displayed.

    [From Build 41.28]

    [ NSSSL-6673]

  • The Citrix ADC appliance might crash while running the SSL forward action at REQUEST bind point. With this fix, you cannot bind a policy with action type FORWARD to REQUEST bind point.

    [From Build 47.22]

    [ NSSSL-6688]

  • The Citrix ADC appliance might crash and dump core when it tries to access the deleted default DTLS profile while configuring a new DTLS virtual server or service.

    [From Build 47.22]

    [ NSSSL-6886]

  • The forward action in SSL policy did not allow virtual server of type SSL_TCP. With this fix, you can forward SSL traffic based on SSL policy to an SSL_TCP virtual server. This feature helps customers who want SSL offloading but do not want to parse application data for the forwarded connection.

    [From Build 47.22]

    [ NSSSL-7133]

SWG URL Filtering

  • During content filtering, a rare race condition occurs between policy evaluation and obfuscation of a private URL set. This issue generates an AppFlow record that contains the URL as a clear text and not as “ILLEGAL”.

    [From Build 41.28]

    [ NSSWG-890]

System

  • High memory issue occurs in partitioned Citrix ADC appliance.

    [From Build 47.22]

    [ NSBASE-8780, NSBASE-8763]

  • In client IP header insertion (for example, -X-Forwarded-for) if the IP address to be inserted is not as long as the buffer, the header pads spaces at the end of the client IP address.

    [From Build 47.22]

    [ NSHELP-10079]

  • Display actual status of high availability synchronization process

    In a high availability setup, by default, the status of HA synchronization is shown as SUCCESS even if some commands fail on the secondary node as part of the HA synchronization process.

    For example, a command related to binding an interface to a VLAN fails if the interface with the same number is not present on the secondary node.

    You can configure the high availability setup to indicate the actual status of the HA synchronization process.

    When you enable the Strict Synchronization mode parameter on both the nodes of a high availability setup, the status of HA synchronization is shown as Partial Success if one or more commands fail on the secondary node as part of the HA synchronization process.

    Note: The Strict Synchronization mode parameter on both the nodes must be set to the same option, that is, either enabled or disabled on both the nodes. The high availability setup does not display the correct status of the HA synchronization if the Strict Synchronization mode parameter is enabled on one node and disabled on the other.

    [From Build 47.22]

    [ NSHELP-11953]

  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).

    [From Build 47.22]

    [ NSHELP-18541, NSHELP-19313]

  • A Citrix ADC appliance crashes if the current_tcp_profile and current_adtcp_profile is not set.

    [From Build 41.28]

    [ NSHELP-18889]

  • Memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.

    [From Build 41.28]

    [ NSHELP-18891]

  • Memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.

    [From Build 47.22]

    [ NSHELP-18891, NSHELP-20778]

  • In a corner case, a Citrix ADC appliance terminates zombie connections without a reset. If the peer-side connections are still active and send packets, the appliance resets the connection when processing them.

    [From Build 41.28]

    [ NSHELP-18998]

  • The policy evaluation might fail if the following conditions are met:

    • 256 policy expressions have reference to a same custom header.

    • Custom header reference counter wraps to 0 (8 bits counter).

    [From Build 41.28]

    [ NSHELP-19082]

  • In a Citrix ADC appliance, the timezone configuration fails if there is a change in Daylight Savings Time (DST).

    [From Build 47.22]

    [ NSHELP-19128]

  • A configuration loss occurs every time a high availability configuration synchronization happens along with a high availability failure.

    [From Build 41.28]

    [ NSHELP-19210]

  • SNMPv3 queries work only for a few minutes after changing the password.

    [From Build 47.22]

    [ NSHELP-19313]

  • The primary node is unable to read the response from the secondary causing the connection to reset. As a result, the connection closes on the secondary node.

    [From Build 41.28]

    [ NSHELP-19432]

  • A Citrix ADC appliance crashes if you set the TCP profile value to NULL.

    [From Build 41.28]

    [ NSHELP-19555]

  • Strong password validation is done on MONITOR passwords created for external servers. When you enable Strong password configuration (system > global setting) on a Citrix ADC appliance, you do not allow the appliance to configure a weak password for LDAP monitor.

    [From Build 41.28]

    [ NSHELP-19582]

  • SNMP alarm on SDX device does not work for disk, memory, or temperature parameters but works only for CPU.

    [From Build 41.28]

    [ NSHELP-19713]

  • In some cases, you will see a delay or timeout in connecting to the backend server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server there is a delay or timeout because the connection is in TIME_WAIT state on the server.

    [From Build 41.28]

    [ NSHELP-19772]

  • In some cases, you will see a delay or timeout in connecting to the backend server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server there is a delay or timeout because the connection is in TIME_WAIT state on the server.

    [From Build 47.22]

    [ NSHELP-19772]

  • In rare cases, a cluster node might crash when a client or server sends an out-of-order packet followed by an in-sequence packet with the FIN message.

    [From Build 41.28]

    [ NSHELP-19824]

  • The Citrix ADC appliance might crash if a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as:

    • Jumbo frames or

    • Set of IP fragments.

    [From Build 47.22]

    [ NSHELP-19920, NSHELP-20273]

  • The Citrix ADC appliance might crash, when a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as:

    • Jumbo frames, or

    • Set of IP fragments

    [From Build 41.28]

    [ NSHELP-19920, NSHELP-20273]

  • SNMPWalk gets query response from a subnet IP (SNIP) address even if SNMP feature is disabled.

    [From Build 47.22]

    [ NSHELP-20254]

  • Role based authentication (RBA) does not allow group names to start with “#” character.

    [From Build 47.22]

    [ NSHELP-20266]

  • A Citrix ADC appliance initiates an HTTP/1.1 connection instead of an HTTP/2 connection if the complete request body is not received for a POST request.

    [From Build 47.22]

    [ NSHELP-20289]

  • In rare cases, the Call Home process might crash, causing the appliance to restart. The issue occurs if a Call Home sub process uses the same internal process ID (PID) as the previous sub process.

    [From Build 47.22]

    [ NSHELP-20334]

  • Memory usage increases if you enable proxy protocol and if retransmission occurs because of network congestion.

    [From Build 47.22]

    [ NSHELP-20613]

  • A Citrix ADC appliance resets MPTCP subflows if a subflow is alive and active for more than the idle timeout period.

    [From Build 47.22]

    [ NSHELP-20648]

  • A Citrix ADC appliance resets an MPTCP subflow if it receives a plain acknowledgment before the subflow is confirmed as MPTCP.

    [From Build 47.22]

    [ NSHELP-20649]

  • Configuration loss is detected if you bind both classic policy and advanced policy to an aaa user and an aaa user group.

    [From Build 47.22]

    [ NSHELP-20744]

  • A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.

    [From Build 41.28]

    [ NSHELP-9118]

  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.

    [From Build 41.28]

    [ NSUI-13193, NSUI-11561]

Telco

  • A Citrix ADC appliance might crash if both of the following conditions are met:

    • The appliance receives two HTTP requests when retrieving subscriber information.

    • There is an incorrect operation to resume normal traffic flow.

    [From Build 41.28]

    [ NSHELP-18955]
