Release Notes for Citrix ADC 13.0-91.13 Build

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.0-91.13.

Notes

• This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
• Build 13.0-91.13 and later builds address the security vulnerabilities described inhttps://support.citrix.com/article/CTX561482.
• Build 13.0-91.13 replaces Build 13.0-91.12.

Fixed Issues

The issues that are addressed in Build 13.0-91.13.

AppFlow

• Metrics collector in the Citrix ADC instance stops to respond intermittently. As a result, whenever the metrics collector stops to respond, one interval (30 seconds) of analytics data might not get exported.

  [ NSHELP-34048 ]

Authentication, authorization, and auditing

• When Citrix ADC is used as an OpenID provider (OAuth IdP) and GSLB is configured with it, OAuth authentication with the relying party (RP) fails during token validation which might result in an authentication failure at the OAuth Relaying Party (RP).

  [ NSHELP-33455 ]

• Encryption or decryption of the OTP secret might fail with multi-valued attributes.

  [ NSHELP-31057 ]

Bot Management

• The Citrix ADC appliance might crash if the BOT policy uses a log action with complex policy rules.

  [ NSHELP-34999 ]

Caching

• A Citrix ADC appliance might crash if the following conditions are met:

  • Appliance is serving content from its integrated cache.
  • Cached content is revalidated.
  • 新请求ADC从不同的客户端same cached object.

  [ NSHELP-22596 ]

• In a cluster setup, the cache global policy information displayed in GUI or CLI is incomplete when the cluster setup is accessed using the CLIP address.

  [ NSCACHE-521 ]

Citrix ADC SDX Appliance

• A Citrix ADC SDX appliance might crash while trying to access “Core Allocation” from the Management Service dashboard.

  [ NSHELP-34537, NSCXLCM-8 ]

• Sometimes, a Citrix ADC SDX appliance might not behave as expected if the Asymmetric Crypto Units (ACU) and Symmetric Crypto Units (SCU) that are assigned to a VPX instance are not a multiple of the packet engine (PE) core. That is, 1000* number-of-PE-cores.

  [ NSHELP-34389 ]

• Management service(SVM) might crash while editing any of the properties on a VPX instance from the Management Service UI.

  [ NSHELP-34297 ]

Citrix Gateway

• After an upgrade, the Citrix ADC appliance might crash when HDX Insight is enabled.

  [ NSHELP-35058 ]

• After an upgrade, the Citrix ADC appliance might crash when launching an RDP proxy connection.

  [ NSHELP-33420 ]

• The Always On profile is unset in a VPN session action when the VPN session action is re-configured.

  [ NSHELP-33396 ]

• In a Citrix Gateway high availability setup, the primary and the secondary appliances might crash during a failover.

  [ NSHELP-33198, NSHELP-33483 ]

• After an upgrade, a Citrix ADC appliance might crash during the first HA synchronization.

  [ NSHELP-32957 ]

• When clearing the configurations by using the GUI or CLI, a Citrix ADC appliance might crash when the Secure Token Authority (STA) related entities are cleared.

  [ CGOP-23152 ]

Citrix Web App Firewall

• The Citrix Web App Firewall blocks valid JSON requests with the error “Invalid RFC” when the payload has certain special characters repeated.

  [ NSHELP-34427, NSWAF-9799 ]

• The Citrix ADC appliance might crash during HA deployment, if the Web App Firewall signature rules contain any of the following objects:

  • Patsets
  • Datasets
  • String maps
  • Named expressions

  [ NSHELP-34338 ]

• When exporting relaxation rules, the download takes more time and the file is not fully downloaded. This issue occurs if the file size is above 5MB.

  [ NSHELP-34044 ]

• In the Citrix Web App Firewall, when you enable the streaming and field consistency checks, it delays the transfer of the payload to the origin server. As a result, the POST method for the payload fails.

  [ NSHELP-33700 ]

• The cookie hijacking redirect drops the query parameters from the request URL. As a result, the redirected request might fail.

  [ NSHELP-33633, NSCXLCM-307 ]

• Bot device fingerprint session replay attacks are logged rather than dropped.

  [ NSHELP-31949 ]

Load Balancing

• In rare cases, nsmap crashes. As a result, some of the Citrix ADC appliances that use geolocation databases might not work as intended.

  [ NSHELP-33840 ]

• Creating a wildcard virtual service fails if an unresolved WIHOME configuration exists on the Citrix ADC appliance.

  [ NSHELP-25627 ]

Miscellaneous

• When editing a session profile on the Security > Authentication, authorization, and auditing - Application Traffic > Policies > Session Policies and Profiles > Session Profiles page, the “Single Sign-on to Web Applications” option is set to ON even if it was set to OFF when the session profile was created.

  [ NSHELP-33067 ]

Networking

• In Layer-3 mode with PMTU enabled, the Citrix ADC appliance drops instead of forwarding the ICMP packets marked with “fragmentation needed but DF bit set” for ESP traffic.

  [ NSHELP-34318 ]

• The Citrix ADC appliance might crash if all of the following conditions are met:

  • TTL-based ACL times out
  • The Citrix ADC appliance has a large number of ACLs configured.

  [ NSHELP-31307 ]

• In a GSLB setup with one of the GSLB site IP address is configured in an admin partition, ARP requests for this GSLB site IP address from upstream routers fail to reach the admin partition. This issue occurs when all of the following conditions are met:

  • A shared VLAN is bound to the admin partition.
  • A SNIP IP address, say SNIP-1, in the same subnet as the GSLB site IP address is present on the shared VLAN.
  • Another SNIP IP address, say SNIP-2, in the same subnet as the GSLB site IP address is added and SNIP-1 is removed.

  [ NSHELP-30552 ]

Platform

• The Citrix ADC appliance crashes if VRID is bound to an LA channel that does not have member interfaces configured.

  [ NSPLAT-26707 ]

• On an SDX appliance running the BMC firmware version 4.08, when you perform a single bundle upgrade from 13.0 build 84.X, the lights out management (LOM) firmware upgrade to 4.14 during the system boot up may get stuck intermittently and timeout after 30 minutes.

  [ NSPLAT-26148 ]

• When you provide preboot user data in an OVF template from the ESX vSphere client, the ESXi host does not apply the preboot configuration.

  [ NSPLAT-24233, NSPLAT-25551 ]

• On a Citrix ADC SDX appliance, the VPX instances might operate with the minimum throughput value configured as part of burst mode even though sufficient throughput is available in the SDX appliance to handle bursts in traffic.

  [ NSHELP-33875, NSHELP-34667 ]

• When you attempt to shut down a Citrix ADC SDX appliance, the appliance reboots instead of shutting down on the first attempt. This behaviour might occur when the appliance generates a core dump while it is trying to shut down.

  [ NSHELP-33276, NSHELP-33192 ]

• You might experience transmit stalls on a Citrix ADC SDX appliance with a 10G interface when heavy traffic is sent on this interface.

  [ NSHELP-31232 ]

SSL

• The Citrix ADC GUI, when accessed through a Cluster IP (CLIP) address, does not display the server certificate bindings to an SSL service, service group, and internal services.

  [ NSSSL-12191 ]

System

• The HTTP responses compressed by the Citrix ADC appliance might cause failures in some HTTP(S) clients due to leading space characters added in the value of the Content-Length HTTP response header field.

  [ NSHELP-34660 ]

• Citrix ADC appliance configured to log all HTTP headers crashes when an HTTP request or response is received with more than 20 long headers.

  [ NSHELP-34145 ]

• The SYSLOG audit module of a Citrix ADC appliance might crash and dump multiple core files after upgrading the appliance to any build later than the 13.0-88.16 build.

  [ NSHELP-33505 ]

• A Citrix ADC appliance might crash on receiving a 1xx HTTP response (for example 100 Continue”) from the back-end servers when the AppQoE configuration has the retryOnTimeout parameter configured.

  [ NSHELP-33438 ]

User Interface

• Configuring Alternative service for an HTTP profile might fail when you use the Citrix ADC GUI.

  [ NSHELP-34304 ]

• A system user account bound to a set of admin partitions might not be able to access the default partition through the NITRO APIs even if the Allow Default Partition option is enabled as part of the system global settings.

  [ NSHELP-33990 ]

• 在Citrix ADC GUI,当你点击编辑ton for a specific type SNMP trap, the details of a generic-type SNMP trap is displayed instead of the specific-type SNMP trap.

  [ NSHELP-33520 ]

Known Issues

The issues that exist in release 13.0-91.13.

Authentication, authorization, and auditing

• A Citrix ADC configured with OAuth authentication policy might crash when an elliptic curve certificate is bound to the VPN globally.

  [ NSHELP-34795 ]

• The Citrix ADC appliance might crash when the authentication virtual server is used in a non-default partition.

  [ NSHELP-32054, NSCXLCM-640 ]

• Single sign-on (SSO) fails if SSO is enabled for the traffic that does not have the required bearer token to handle SSO.

  [ NSHELP-31362, NSCXLCM-533 ]

• Non-ASCII characters are recorded in nsvpn.log when LDAP action is configured to an FQDN instead of an IP address.

  [ NSHELP-27281 ]

• In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if policy name is longer than intranet application name.

  [ NSHELP-25971 ]

• The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.

  [ NSHELP-25203 ]

• If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (“) character, the Citrix ADC appliance strips it during the “Test Connectivity” check, resulting in connection failure.

  [ NSHELP-23630 ]

• A Citrix ADC crashes when the following conditions are met:

  • 401-based certificate authentication happens through a load balancing virtual server.
  • There is no authentication policy that is bound to an authentication virtual server.
  • Debug logging is enabled.

  [ NSAUTH-13259 ]

• Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the Citrix ADC responder policies fail to detect errors for login failures.

  [ NSAUTH-11151 ]

• ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
  show adfsproxyprofile

  Workaround: Connect to the primary active Citrix ADC in the cluster and run theshow adfsproxyprofile command. It would display the proxy profile status.

  [ NSAUTH-5916 ]

Citrix ADC SDX Appliance

• When you upgrade a Citrix ADC SDX appliance, in rare cases the following incorrect event appears in the Management Service GUI:

  “SVM version and Hypervisor version are not compatible”

  [ NSHELP-32949 ]

• On a Citrix ADC SDX GUI, displaying the NTP servers can freeze the user interface if the NTP configuration file (ntp.conf) has only spaces in any of the lines.

  [ NSHELP-31530 ]

Citrix Gateway

• After an upgrade, Citrix SSO for iOS client devices cannot establish per-app VPN connections.

  [ NSHELP-35224 ]

• Intranet resources overlapping with a spoofed IP address range cannot be accessed with split-tunnel set to OFF on the Citrix Secure Access client.

  [ NSHELP-34334 ]

• Always-On VPN connection fails intermittently on start up due to Gateway server reachability.

  [ NSHELP-33500 ]

• If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs.

  [ NSHELP-33457 ]

• The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges. This issue is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance.

  [ NSHELP-32793 ]

• When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

  [ NSHELP-32510 ]

• On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.

  [ NSHELP-32144 ]

• Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always-On service mode. The machine tunnel does not transition to the user tunnel and the message “Connecting…” is displayed in the VPN plug-in UI.

  [ NSHELP-31357, CGOP-21192, NSCXLCM-612 ]

• When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

  [ NSHELP-30662 ]

• Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway`.

  [ NSHELP-30236 ]

• The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

  HKLMSoftwareCitrixSecure Access ClientSecureChannelResetTimeoutSeconds
  Type: DWORD

  默认情况下,此注册表值没有设置或中d. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

  [ NSHELP-30189 ]

• The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

  [ NSHELP-29675 ]

• Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

  [ NSHELP-28551 ]

• Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

  [ NSHELP-28404 ]

• The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

  [ NSHELP-27570 ]

• The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

  [ NSHELP-27380 ]

• While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

  • A default pre-shared key (PSK) is configured.
  • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.

  [ NSHELP-25694 ]

• The “show tunnel global” command output includes advanced policy names. Previously, the output did not display the advanced policy names.

  Example:

  New output:

  show tunnel global
  Policy Name: ns_tunnel_nocmp Priority: 0

  Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
  Priority: 1
  Global bindpoint: REQ_DEFAULT

  Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
  Priority: 100
  Global bindpoint: RES_DEFAULT
  Done

  Previous output:

  show tunnel global
  Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

  Advanced Policies:

  Global bindpoint: REQ_DEFAULT
  Number of bound policies: 1

  Done

  [ NSHELP-23496 ]

• Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

  [ NSHELP-21897 ]

• In a Citrix ADC cluster setup, HDX Insight and Gateway Insight cannot be enabled simultaneously.

  [ CGOP-23570 ]

• The Windows OS option is not listed in the Expression Editor drop-down list for pre-authentication policies and authentication actions on the Citrix ADC GUI. However, if you have already configured the Widows OS scan on a previous Citrix ADC build using the GUI or the CLI, the upgrade does not impact the functionality. You can use the CLI to make changes, if required.

  Workaround:

  Use the CLI commands for the configuration.

  • To configure advanced EPA action in nFactor authentication, use the following command.
    add authentication epaAction adv_win_scan -csecexpr “sys.client_expr(“sys_0_WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]”)”
  • To configure a classic pre-authentication action, use the following commands.
    add aaa preauthenticationaction win_scan_action ALLOW
    add aaa preauthenticationpolicy win_scan_policy “CLIENT.SYSTEM(‘WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]’) EXISTS” win_scan_action

  [ CGOP-22966 ]

• In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

  [ CGOP-13511 ]

• While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

  [ CGOP-13050 ]

• The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.

  [ CGOP-13049 ]

• An error message appears when you add or edit a session policy from the Citrix ADC GUI.

  [ CGOP-11830 ]

• In Outlook Web App (OWA) 2013, clickingOptionsunder the Setting menu displays aCritical errordialog box. Also, the page becomes unresponsive.

  [ CGOP-7269 ]

Load Balancing

• In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

  [ NSLB-7679 ]

• In a cluster setup of eight or more nodes, the rate limit identifier feature might not work as intended.

  [ NSHELP-34555 ]

• The Citrix ADC might crash when you reference a domain-name based service (DBS) after the following sequence of conditions is met:

  1. A location entry is configured for the IP address to which the DBS domain name resolves.
  2. The DBS domain name is removed resulting in an NXDOMAIN response from the name server.
  3. The location entry is removed.

  [ NSHELP-35370 ]

• In an high-availability setup, the Citrix ADC appliance crashes when the service group that is bound to multiple vservers is removed.

  [ NSHELP-34029 ]

• During connection mirroring, the Citrix ADC appliance crashes when the rewrite policy is greater than 30 bytes.

  [ NSHELP-32902 ]

• The Citrix ADC appliance triggers an incorrect SNMP alert for a high server connection due to a wrong calculation of the number of servers.

  [ NSHELP-31582 ]

• In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.

  [ NSHELP-29309 ]

• In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

  [ NSHELP-21196 ]

• In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

  [ NSHELP-20406 ]

Miscellaneous

• When you run the “ns_hw_err.bash” script on the Citrix ADC appliance, the following error message appears:
  “error: can’t open file ‘ns_hw_plugins.py’: [Errno 2] No such file or directory”

  [ NSHELP-32991 ]

• The Citrix ADC appliance sets the buffer size for the web server logging feature to an incorrect default value of 3MB instead of 16MB.

  [ NSHELP-32429 ]

• AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

  [ NSHELP-31836 ]

• Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

  [ NSHELP-28986 ]

• Citrix Gateway reports authorized access requests as SSO failures to Citrix ADC ADM. As a result, theGateway > Gateway Insightpage on the Citrix ADC ADM UI displays incorrect SSO failure reports causing false alarms.

  [ NSHELP-27992 ]

Networking

• In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

  [ NSNET-18586 ]

• The following interface operations are not supported for IntelX710 10G (i40e)interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

  [ NSNET-16559 ]

• On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (“/etc/blx/blx.conf”) settings. This issue occurs because “mawk”, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the “blx.conf” file.

  Workaround: Install “gawk” before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install “gawk”:

  • apt-get install gawk

  [ NSNET-14603 ]

• Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

  “下面的包有未满足的依赖关系:blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

  Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg –add-architecture i386
  • apt-get update
  • apt-get install libc6:i386

  [ NSNET-14602 ]

• In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module does not find the service while decrementing the reference count or deleting the service.

  [ NSHELP-29134 ]

• In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • Because of stale filtering entry.

  [ NSHELP-28895 ]

• In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module accessed the memory location of an already deleted service.

  [ NSHELP-28815 ]

• The Citrix ADC appliance might not generate “coldStart” SNMP trap messages after a cold restart.

  [ NSHELP-27917 ]

• In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

  • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

  As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition

  [ NSHELP-24000 ]

Platform

• The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
  2. Subsequently, you reboot the Citrix ADC appliance.

  [ NSPLAT-22013, NSCXLCM-544 ]

• Some python packages are not installed, when you downgrade the Citrix ADC appliance from 13.1-4.x version and higher versions to any of the following versions:

  • Any 11.1 build
  • 12.1-62.21 and earlier
  • 13.0-81.x and earlier

  [ NSPLAT-21691 ]

• On the Citrix ADC SDX 8015/8400/8600 platform, you might see increased memory consumption on Xen Server.
  Workaround: Run the following command on Xen Server, and then reboot the appliance.
  /opt/xensource/libexec/xen-cmdline –set-xen “dom0_mem=1024M,max:1024M”

  [ NSHELP-32260 ]

• During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.

  [ NSHELP-29425 ]

• The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

  [ NSHELP-28600 ]

Policies

• In the Citrix ADC GUI, you can see the rewrite actions only when you click Show Built-in Rewrite action inAppExpert > Rewrite > Actions.

  [ NSPOLICY-4843 ]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

  [ NSPOLICY-1267 ]

• In an HA setup, the REGEX_REPLACE expression might go into a loop if configured with the ALL option and empty replacement string, leading to failover.

  [ NSHELP-34640 ]

SSL

• When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal “decode_error” alert instead of an “unexpected_message” alert.

  [ NSSSL-11890 ]

• On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

  Workaround:

  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example,set ssl vserver -SSL3 DISABLED.
  2. Save the configuration.

  [ NSSSL-9572 ]

• You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

  [ NSSSL-6478 ]

• You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

  [ NSSSL-6213 ]

• The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
  ERROR: crl refresh disabled

  [ NSSSL-6106 ]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

  [ NSSSL-4427 ]

• An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

  [ NSSSL-4001 ]

• On a Citrix ADC MPX/SDX 14000 FIPS operating in hybrid mode, you might face a BleichenBacher attack scenario.

  [ NSHELP-35020 ]

• A Citrix ADC appliance, containing Intel Coleto or Intel Lewisburg chips, might crash during the back-end renegotiation phase if the peer server negotiates a different cipher than the one it initially negotiated.

  [ NSHELP-34324 ]

• A Citrix ADC appliance, containing Intel Coleto or Intel Lewisburg chips, might crash if DH 512 cipher is used during key exchange.

  [ NSHELP-34094 ]

System

• High RTT is observed for a TCP connection if the following condition is met:

  • a high maximum congestion window (>4 MB) is set
  • TCP NILE algorithm is enabled

  For a Citrix ADC appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window

  So, until the maximum configured congestion window is reached, the Citrix ADC continues to accept data and ends up with high RTT.

  [ NSHELP-31548 ]

• A Citrix ADC appliance might crash when the following condition is met:

  • Both analytics profile and AppFlow policy are bound, and the profile has the “httpAllHdrs” option enabled.

  [ NSHELP-30628 ]

• The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

  [ NSHELP-28710, NSHELP-28713 ]

• 增加了publi的数据包重发料c cloud MPTCP cluster deployments if linkset is disabled.

  [ NSHELP-27410 ]

• A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

  [ NSHELP-27179 ]

• A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.

  [ NSHELP-25796 ]

• When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

  Workaround : Reboot the Management pod.

  [ NSBASE-15556 ]

• In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins to the cluster configuration, it does not receive the latest SYN cookie.

  [ NSBASE-14419 ]

User Interface

• Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

  Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

  [ NSUI-13024 ]

• The HTTPD daemon might crash when it faces an exception, while processing a NITRO API bulk-bindings HTTP GET request.

  [ NSHELP-34399 ]

• Modifying a static route by using the Citrix ADC GUI (system > network > routes) might incorrectly fail with the following error message:

  • “Required argument missing [gateway]”

  [ NSHELP-32024 ]

• In an HA / Cluster setup, configuration synchronization fails if you have configured SSH keys other than RSA. For example, ECDSA or DSA keys.

  [ NSHELP-31675 ]

• In a Citrix ADC appliance, binding the cache policy to override global or default global using the GUI interface fails with the following error:

  • Required argument missing.

  This error is not seen while binding the cache policy using the CLI interface.

  [ NSHELP-30826 ]

• Due to an incorrect upgrade installation sequence, the following issue occurs in the Citrix ADC appliance.

  • The kernel image is updated first and after a few steps, encryption keys are copied. In between these steps some failure happens and the ADC appliance comes up with a new image. The missing encryption keys in the new image lead to decryption failure and missing configuration.

  [ NSHELP-30755 ]

• Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

  [ NSHELP-28606 ]

• Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

  [ NSHELP-28586 ]

• After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

  • Both “ssh_host_rsa_key” private and public keys are an incorrect pair.

  Workaround: Regenerate “ssh_host_rsa_key”. For more information, seehttps://support.citrix.com/article/CTX322863.

  [ NSHELP-27834 ]

• You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

  [ NSHELP-27252 ]

• While viewing the policies bound to a content switching policy label in the Citrix ADC GUI, only 25 policies are displayed even though there are more policies bound to that policy label.

  [ NSHELP-23428 ]

• Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

  [ NSCONFIG-4330 ]

• If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds
     • 13.0 52.24 build
     • 12.1 57.18 build
     • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

  To display the list of these system users by using the CLI:
  At the command prompt, type:

  query ns config -changedpassword [-config ]

  Workaround: To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • 任何系统管理员的密码不是changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

  For more information, seehttps://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.

  [ NSCONFIG-3188 ]