ADC

Release Notes for Citrix ADC 13.0-92.18 Build

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.0-92.18.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.0-92.18.

NetScaler Secure Web Gateway

  • Deprecation of URL categorisation in the URL filtering feature

    URL categorisation in the URL filtering feature is deprecated in this release.

    Note: Deprecated features are not removed immediately. Citrix ADC continues to retain the deprecated feature until it is removed in a future release.

    [ NSSWG-1370 ]

User Interface

  • CVE filter category in the Display Filter Criteria of Signature view page

    CVE is added as one of the categories in the Display Filter Criteria list of the Signature view page. Use CVE as a filter option to view only the log-related details in the Filtered Results window at the right.

    For more information, see Configuring or modifying a signatures object.

    [ NSUI-18512, NSCXLCM-616 ]

  • Secure RPC communication based on the TLS 1.2 setting for the internal services

    After you upgrade a Citrix ADC appliance to release 13.1 build 33.x or later from one of the following builds, the “secure” option for the RPC node is enabled or disabled on the basis of the TLS 1.2 setting (enabled or disabled) present for the internal RPCS and KRPCS services.

    • Release 13.0 build 64.35 or earlier
    • Release 12.1 build 61.18 or earlier

    The RPC communication is encrypted between the Citrix ADC nodes of the following setups if the “Secure” option is enabled:

    • High availability
    • Cluster
    • GSLB

    The “secure” option uses secure protocol TLS1.2 and port numbers 3008 and 3009 for the RPC connection between the Citrix ADC nodes.

    For ensuring secure RPC communication, Citrix recommends performing the following operations before upgrading these setups:

    • TLS 1.2 must be enabled for the internal RPCS and KRPCS services:
      • nsrpcs-127.0.0.1-3008
      • nskrpcs-127.0.0.1-3009
      • nsrpcs-::1l-3008
    • 3008 and 3009 must be unblocked in firewalls between the Citrix ADC nodes.

    You can enable or disable the secure option using the Citrix ADC CLI or the GUI. For more information, see Change an RPC node password.

    [ NSCONFIG-6485 ]
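
A pre-upgrade probe for the two secure RPC prerequisites described above, as an added example that is not Citrix code: it checks that ports 3008 and 3009 on each peer node accept TCP and complete a TLS 1.2 handshake. It assumes it runs from a host on the same network path as the ADC nodes; the peer addresses are constructed placeholders and the function names are hypothetical.

```python
"""Pre-upgrade probe for secure RPC between Citrix ADC nodes (added example)."""
import socket
import ssl

RPC_PORTS = (3008, 3009)  # ports the release note says secure RPC uses


def probe_tls12(host, port, timeout=3.0):
    """Return 'unreachable', 'no_tls12' or 'tls12_ok' for one peer port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, filtered or timed out: the firewall condition is not met.
        return "unreachable"

    # Pin the handshake to TLS 1.2 only. Certificate validation is off
    # because this probe tests reachability and protocol version, not identity.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with ctx.wrap_socket(sock) as tls:
            return "tls12_ok" if tls.version() == "TLSv1.2" else "no_tls12"
    except OSError:
        # ssl.SSLError and socket timeouts are both OSError subclasses.
        return "no_tls12"
    finally:
        sock.close()


def check_peers(peers, ports=RPC_PORTS, timeout=3.0):
    """Probe every (peer, port) pair; returns {(host, port): status}."""
    return {(h, p): probe_tls12(h, p, timeout) for h in peers for p in ports}


def blockers(results):
    """Readable list of the pairs that do not meet the prerequisites."""
    advice = {
        "unreachable": "open the port in firewalls between the nodes",
        "no_tls12": "port answers but the TLS 1.2 handshake failed; "
                    "check TLS 1.2 on the internal RPCS/KRPCS service",
    }
    return [f"{h}:{p} {s}: {advice[s]}"
            for (h, p), s in sorted(results.items()) if s != "tls12_ok"]


if __name__ == "__main__":
    # Constructed placeholder NSIPs (documentation range); replace with the
    # peer nodes of the HA pair, cluster or GSLB site being upgraded.
    peers = ["192.0.2.10", "192.0.2.11"]
    problems = blockers(check_peers(peers))
    print("\n".join(problems) if problems else "secure RPC prerequisites met")
```

Firewall rules can differ by source address, so a clean result from a management host does not prove the node-to-node path is open.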

Fixed Issues

The issues that are addressed in Build 13.0-92.18.

Analytics Infrastructure

  • The Citrix ADC might crash if all the following conditions are met:

    • Events, audit logs, or metrics is enabled in analytics profile or AppFlow parameters.
    • A response side rewrite policy is configured.

    [ NSHELP-35550 ]

  • When a net profile is configured in a non-default traffic domain and used in the AppFlow configuration, the system ports are exhausted and traffic is affected.

    [ NSHELP-34544 ]

  • A Citrix ADC with multifactor authentication configured crashes during a policy evaluation.

    [ NSHELP-33674 ]

  • The Citrix ADC appliance might crash if an AppFlow collector of type rest is configured in the admin partition.

    [ NSHELP-33600 ]

  • The show syslogAction command displays an unresolved IP address in the output when both of the following conditions are met:

    • SYSLOG action with a domain name on transport mode UDP is used.
    • ICMP is disabled on the server.

    This issue occurs because the ping-default monitor marks the service as DOWN since the server is not reachable through ICMP. Therefore, the IP address is not displayed in the output even if it is resolved.

    [ NSHELP-32886, NSHELP-33392 ]

  • The ns.log file generates the debug logs even when the audit log level is set to none and therefore exceeds the configured file size limit. The issue occurs because the advanced policy is bound to local logging even though it is not necessary.

    [ NSHELP-32404, NSCXLCM-1374, NSCXLCM-1551, NSCXLCM-1708 ]

  • In a cluster environment, Citrix ADC might see nsppe crash when a syslog policy is bound to a lb vserver.

    [ NSHELP-30983, NSANINFRA-21 ]

  • The timestamps in syslog messages are incorrect during the daylight saving period.

    [ NSHELP-30137 ]

Bot Management

  • In rare cases, web pages might not load when the device fingerprint detection technique is used.

    [ NSHELP-34742 ]

  • Bot device fingerprint session replay attacks are dropped when the device fingerprint action is set to LOG, RESET, or REDIRECT.

    [ NSBOT-1117 ]

CallHome

  • Call Home sends telemetry data to the Citrix ADC technical support server even though the feature is disabled.

    [ NSHELP-33240 ]

Citrix ADC SDX Appliance

  • On Citrix ADC SDX FIPS, the following error appears when you perform an add or edit operation on VPX:

    “is_fips_enabled is not defined”

    [ NSSVM-5786 ]

  • Validation on maximum throughput check for LACP channel creation using 25G, 40G, or 100G ports fails.

    [ NSHELP-35743 ]

  • In rare cases, a Citrix ADC SDX might crash and not be reachable because of junk values in some fields, such as IP address.

    [ NSHELP-34925 ]

Citrix Gateway

  • Sometimes, a Citrix ADC with VPN and AppFlow configured might crash, resulting in an HA failover.

    [ NSHELP-35734, NSCXLCM-1247 ]

  • The Citrix Gateway home page might fail to enumerate the apps when you try to access it on clientless VPN mode using a mobile browser.

    [ NSHELP-35541, NSCXLCM-1132, NSCXLCM-1212, NSCXLCM-1248, NSCXLCM-1774 ]

  • When the advanced clientless VPN access is configured on Citrix Gateway, the pages might fail to load from the bookmarked URLs.

    [ NSHELP-33771 ]

  • Sometimes, when you establish a VPN connection through Citrix Gateway, you are redirected to the home page with incorrect text in the URL. This issue occurs when Citrix ADC is configured with the RfWebUI portal theme.

    [ NSHELP-30097, NSCXLCM-481 ]

  • RDP bookmarks added for specific users are displayed for other users who have not bookmarked these URLs.

    [ NSHELP-29904 ]

  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]

  • When you create a EULA entity, the text appears as a single line on the RfWebUI portal theme of Citrix Gateway. This issue occurs because of the HTML <br> line break tag. All the HTML tags along with <br> are temporarily disabled in the EULA text. You can try adding line breaks by using “\n”.

    [ CGOP-24534 ]

Citrix Web App Firewall

  • The Citrix ADC might crash when “VerboseLogLevel” is set to “patternPayloadHeader” in the Web App Firewall profile.

    [ NSHELP-35915 ]

  • In a rare case, Citrix ADC might crash when the configured memory is low and the Web App Firewall profile is used.

    [ NSHELP-35463 ]

  • The Citrix ADC appliance might crash due to invalid HTTP header information. This issue occurs when the following conditions are met:

    • SQL/XSS violation occurs in the HTTP request body.
    • The verbose logging is set to “patternPayloadHeader”.

    [ NSHELP-35297, NSCXLCM-1127 ]

  • The Citrix ADC reports a greater number of Web Application Firewall request counters than the total number of request counters, because the request counter is incremented twice for XML requests.

    [ NSHELP-34591 ]

Load Balancing

  • In a HA setup, the DNS server might send an empty response for a GSLB domain query intermittently when the following conditions are met:

    • Persistence is configured on the GSLB virtual server.
    • A large number of load balancing deployments are configured.
    • HA failover occurs.

    [ NSHELP-35981 ]

  • In traffic domain deployments, load balancing of DNS queries might fail when netprofile is bound to the DNS virtual server.

    [ NSHELP-35675 ]

  • In rare cases, a Citrix ADC appliance might crash and generate a core dump when the following conditions are met:

    • TCP-based DNS monitor probe is used to monitor a back-end service.
    • The appliance is running low on memory.

    [ NSHELP-35289 ]

  • The NTLM monitor does not support the following options:

    • Concurrent probing by monitors of both NTLM version 1 and version 2 configurations.
    • Directing the probe to the IP address of the server when the URL in “scriptArg” parameter resolves to a different IP address.
    • NTLM version 2.

    [ NSHELP-35185 ]

  • Services that are bound to user monitors might be intermittently unavailable if more than 30 services are bound to a user monitor.

    [ NSHELP-34669, NSCXLCM-1373 ]

  • In a cluster setup of eight or more nodes, the rate limit identifier feature might not work as intended.

    [ NSHELP-34555 ]

  • The “show server name” command displays the service status as unknown even though the service is bound to the server.

    [ NSHELP-33668 ]

  • Citrix ADC might crash when the following conditions are met:

    • A load balancing virtual server is configured with a redirect URL in multiple partitions.
    • A memory recovery is triggered.

    [ NSHELP-33638, NSCXLCM-227, NSCXLCM-509 ]

  • In some cases, a memory leak is observed in a Citrix ADC appliance if the DNS rewrite policy is configured with the DROP action.

    [ NSHELP-33077 ]

  • The Citrix ADC appliance triggers an incorrect SNMP alert for a high server connection due to a wrong calculation of the number of servers.

    [ NSHELP-31582 ]

Miscellaneous

  • When Citrix ADC removes a NetScaler-generated cookie from an incoming HTTP request before it is sent to an upstream HTTP server, the upstream server might refuse the request. This issue occurs because deleting the cookie name-value pair can result in the cookie header field not meeting the HTTP protocol specification.

    [ NSHELP-35855 ]

  • Citrix ADC might crash when the following conditions are met:

    • There is an active ICA connection over EDT.
    • A UDP service with the same IP address and port number as that of the Citrix VDA is added.
    • There are connectivity issues between Citrix Gateway and Citrix VDA.

    [ NSHELP-35637 ]

  • Citrix ADC configured with HDX Insight might reboot when the secondary node receives the packets for processing.

    [ NSHELP-34152 ]

  • A Citrix ADC with ICA proxy enabled on Citrix Gateway might crash in a double-hop DMZ deployment.

    [ NSHELP-33369 ]

  • In a clustered Citrix ADC deployment, when the ICA Only parameter is set to ON, Citrix Gateway intermittently fails to disconnect user sessions even when the forced time-out setting is enabled.

    [ NSHELP-33014 ]

  • In a rare case, the Citrix ADC appliance might crash while fetching a STA monitor in a VPN deployment.

    [ NSHELP-32893 ]

  • The Citrix ADC appliance sets the buffer size for the web server logging feature to an incorrect default value of 3 MB instead of 16 MB.

    [ NSHELP-32429 ]

  • Citrix ADC crashes when an EDT ICA connection is launched. This issue occurs when the AppFlow analytics profile for HDX insight is bound to a VPN virtual server.

    [ GOPHDX-5014 ]

Networking

  • In a high availability setup, the state of a node takes at least 60 seconds to become UP when all of the following conditions are met:

    • Fail-safe is enabled for the HA setup
    • HA monitoring is enabled on more than one interface
    • One of the HA monitoring enabled interfaces becomes unreachable
    • At least one of the HA monitoring interfaces is reachable

    Now, with this fix, the state of the node immediately becomes UP when all of these conditions are met.

    [ NSHELP-32157 ]

SSL

  • Citrix ADC might crash while deleting the default CA certificate group if memory usage is high on the Citrix ADC and the config is cleared frequently.

    [ NSHELP-35441 ]

  • You might see a high memory buildup with DTLS traffic on the Citrix ADC because memory is not properly freed while handling a retransmitted handshake flight from a client.

    [ NSHELP-35359, NSCXLCM-999, NSCXLCM-1968 ]

  • On a Citrix ADC MPX/SDX 14000 FIPS operating in hybrid mode, key memory might be reset after corrupted data is received as part of a key exchange.

    [ NSHELP-35020 ]

  • A Citrix ADC appliance, containing Intel Coleto or Intel Lewisburg chips, might crash if DH 512 cipher is used during key exchange.

    [ NSHELP-34094 ]

  • You might experience momentary performance impact under heavy traffic if the total size of client, server, and CA certificates exchanged in an SSL handshake exceeds the 16K limit.

    [ NSHELP-33905 ]

  • In a Citrix ADC deployment with an SSL_TCP (front-end) virtual server and a TCP (back-end) service, the client request might intermittently fail. The failure occurs because the Citrix ADC forwards the SSL client hello message received on the front end, but the back end is unable to process it and the request fails.

    [ NSHELP-32806 ]

System

  • In rare cases, Citrix ADC might crash when the front end optimization (FEO) feature is enabled.

    [ NSHELP-34861 ]

  • When the back end server sends a 464 error for an HTTP request, the Citrix ADC does not forward the same to the client and therefore the connection on the client side is stalled.

    [ NSHELP-33571, NSCXLCM-1098 ]

  • The Citrix ADC appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.

    [ NSHELP-31656 ]

  • A gRPC client fails to parse the gRPC status header, when the following condition is met:

    • The gRPC status header is added both in the leading header and the trailing header instead of adding only in the trailing header.

    [ NSHELP-31640 ]

User Interface

  • You cannot select the HTTP profile while creating an HTTP_QUIC virtual server by using the GUI. This issue occurs because the HTTP profile is disabled for creating an HTTP_QUIC virtual server.

    [ NSUI-18816 ]

  • User sessions are wrongly computed if the same user is bound to two different partitions. The two partitions can be default, non-default, or both.

    [ NSHELP-34971 ]

  • When uploading the geolocation database using the Citrix ADC GUI, a timeout error might occur due to low throughput.

    [ NSHELP-34677 ]

  • The HTTPD daemon might crash when it faces an exception, while processing a NITRO API bulk-bindings HTTP GET request.

    [ NSHELP-34399 ]

  • When a user views the binding on a content switching policy, the content switching virtual server details are not displayed in the same row under Show Bindings.

    [ NSHELP-33149 ]

  • The following error appears on the Citrix ADC UI when there is a huge difference between the saved and the running configuration:

    “Error in fetching the configuration”

    [ NSHELP-32752 ]

  • The NITRO Python SDK GET by name calls fail with the error message “local variable ‘response’ referenced before assignment” for the following resources:

    • appfwhtmlerrorpage

    • appfwjsonerrorpage

    • appfwprotofile

    • appfwsignatures

    • appfwwsdl

    • appfwxmlerrorpage

    • appfwxmlschema

    • botsignature

    • responderhtmlpage

    [ NSHELP-32525 ]

  • Modifying a static route by using the Citrix ADC GUI (system > network > routes) might incorrectly fail with the following error message:

    • “Required argument missing [gateway]”

    [ NSHELP-32024 ]

  • When you configure the admin partition feature on Citrix ADC and continuously execute configuration commands inside the secondary node partition, saving the configurations on the secondary node partition by using the save ns config command might fail.

    [ NSHELP-31663 ]

  • On the Citrix ADC GUI, the Saved vs Running configuration screen (System > Diagnostics) incorrectly displays HTML tags instead of displaying plain text.

    [ NSHELP-27169 ]

  • The Citrix ADC GUI displays fewer cached objects than the command interface.

    [ NSHELP-24337 ]

Known Issues

The issues that exist in release 13.0-92.18.

Analytics Infrastructure

  • In a cluster deployment, a non-CCO node does not send the TCP syslog messages to an external syslog server when you perform the “force cluster sync” or “reboot” operation on the node.

    [ NSHELP-32925 ]

  • A Citrix ADC appliance might crash when the following condition is met:

    • Both analytics profile and AppFlow policy are bound, and the profile has the “httpAllHdrs” option enabled.

    [ NSHELP-30628 ]

  • A mismatch in logstream records is observed in the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]

  • When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround: Reboot the Management pod.

    [ NSANINFRA-1504 ]

Authentication, authorization, and auditing

  • A Citrix ADC configured with an OAuth authentication policy might crash when an elliptic curve certificate is bound to the VPN globally.

    [ NSHELP-34795 ]

  • Kerberos SSO might fail when there are a large number of incoming requests at the same time.

    [ NSHELP-34177 ]

  • In a clustered Citrix ADC deployment, you cannot bind an assignment action to an authentication policy.

    [ NSHELP-33974 ]

  • The Citrix ADC appliance might crash when the authentication virtual server is used in a non-default partition.

    [ NSHELP-32054, NSCXLCM-640, NSCXLCM-1577 ]

  • Single sign-on (SSO) fails if SSO is enabled for the traffic that does not have the required bearer token to handle SSO.

    [ NSHELP-31362, NSCXLCM-533 ]

  • After an upgrade of Citrix SSO for iOS, the push notifications that you receive for authentication might not come with a sound.

    [ NSHELP-27525 ]

  • Non-ASCII characters are recorded in nsvpn.log when the LDAP action is configured to an FQDN instead of an IP address.

    [ NSHELP-27281 ]

  • In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if the policy name is longer than the intranet application name.

    [ NSHELP-25971 ]

  • The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.

    [ NSHELP-25203 ]

  • If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (“) character, the Citrix ADC appliance strips it during the “Test Connectivity” check, resulting in connection failure.

    [ NSHELP-23630 ]

  • A Citrix ADC crashes when the following conditions are met:

    • 401-based certificate authentication happens through a load balancing virtual server.
    • There is no authentication policy that is bound to an authentication virtual server.
    • Debug logging is enabled.

    [ NSAUTH-13259 ]

  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the Citrix ADC responder policies fail to detect errors for login failures.

    [ NSAUTH-11151 ]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    show adfsproxyprofile

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile command. It would display the proxy profile status.

    [ NSAUTH-5916 ]

Citrix ADC SDX Appliance

  • When you upgrade a Citrix ADC SDX appliance, in rare cases the following incorrect event appears in the Management Service GUI:

    “SVM version and Hypervisor version are not compatible”

    [ NSHELP-32949 ]

  • On a Citrix ADC SDX GUI, displaying the NTP servers can freeze the user interface if the NTP configuration file (ntp.conf) has only spaces in any of the lines.

    [ NSHELP-31530 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]

  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]

  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.

    [ NSHELP-25694 ]

  • The show tunnel global command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done

    Previous output:

    show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • The Windows OS option is not listed in the Expression Editor drop-down list for pre-authentication policies and authentication actions on the Citrix ADC GUI. However, if you have already configured the Windows OS scan on a previous Citrix ADC build using the GUI or the CLI, the upgrade does not impact the functionality. You can use the CLI to make changes, if required.

    Workaround:

    Use the CLI commands for the configuration.

    • To configure advanced EPA action in nFactor authentication, use the following command.
      add authentication epaAction adv_win_scan -csecexpr "sys.client_expr(\"sys_0_WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]\")"
    • To configure a classic pre-authentication action, use the following commands.
      add aaa preauthenticationaction win_scan_action ALLOW
      add aaa preauthenticationpolicy win_scan_policy "CLIENT.SYSTEM('WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]') EXISTS" win_scan_action

    [ CGOP-22966 ]

  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • The Citrix ADC might crash when you reference a domain-name based service (DBS) after the following sequence of conditions is met:
    1. A location entry is configured with the IP address to which the DBS domain name resolves.
    2. The DBS domain name is removed resulting in an NXDOMAIN response from the name server.
    3. The location entry is removed.

    [ NSHELP-35370 ]

  • In an HA setup, the static proximity database might fail to load when the secondary node is rebooted.

    [ NSHELP-35271 ]

  • After an HA failover, the persistence session entries are not removed from the primary node even after the persistence timeout period expires. The session entries are retained until the secondary node is up and running.

    [ NSHELP-34378 ]

  • The secondary Citrix ADC might crash when the following conditions are met:

    • In a high availability setup, a large number of load balancing servers are configured with load balancing groups.
    • While synchronisation is in progress, the set operation is performed on one of the load balancing servers in the load balancing group.

    [ NSHELP-34225 ]

  • In an HA setup, the Citrix ADC appliance crashes when the service group that is bound to multiple vservers is removed.

    [ NSHELP-34029 ]

  • The Citrix ADC might crash due to a timing issue between the retrieval of rate-limiting records and the record aging process.

    [ NSHELP-33349 ]

  • During connection mirroring, the Citrix ADC appliance crashes when the rewrite policy is greater than 30 bytes.

    [ NSHELP-32902 ]

  • In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.

    [ NSHELP-29309 ]

  • In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.

    [ NSHELP-21196 ]

  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]

Miscellaneous

  • When you run the ns_hw_err.bash script on the Citrix ADC appliance, the following error message appears:
    error: can't open file 'ns_hw_plugins.py': [Errno 2] No such file or directory

    [ NSHELP-32991 ]

  • Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

    [ NSHELP-28986 ]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ GOPHDX-1050 ]

NetScaler Secure Web Gateway

  • In rare cases, Citrix ADC might crash during packet capture. This issue might occur when a TCP profile variable in the PCB structure has a NULL value.

    [ NSHELP-36081 ]

Networking

  • In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

    [ NSNET-18586 ]

  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset

    [ NSNET-16559 ]

  • On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (“/etc/blx/blx.conf”) settings. This issue occurs because “mawk”, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the “blx.conf” file.

    Workaround: Install “gawk” before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install “gawk”:

    • apt-get install gawk

    [ NSNET-14603 ]

  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    “The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get install libc6:i386

    [ NSNET-14602 ]

  • When you delete one of the admin partitions, Citrix ADC might also delete the packet buffer of other partitions. As a result, Citrix ADC might crash when you delete a partition for which the packet buffer was deleted.

    [ NSHELP-35595 ]

  • In a high availability setup, the secondary node crashes when a route is removed from the node as part of the HA synchronization while you are modifying it.

    [ NSHELP-34927 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module does not find the service while decrementing the reference count or deleting the service.

    [ NSHELP-29134 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Because of stale filtering entry.

    [ NSHELP-28895 ]

  • In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module accessed the memory location of an already deleted service.

    [ NSHELP-28815 ]

  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition.

    [ NSHELP-24000 ]

Platform

  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.

    [ NSPLAT-22013, NSCXLCM-544 ]

  • Some python packages are not installed, when you downgrade the Citrix ADC appliance from 13.1-4.x version and higher versions to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier

    [ NSPLAT-21691 ]

  • You can no longer access a Citrix Hypervisor hosted on Citrix ADC SDX by using legacy SSL protocols, such as SSLv3, TLS 1.0, and TLS 1.1.

    [ NSHELP-33196 ]

  • On the Citrix ADC SDX 8015/8400/8600 platform, you might see increased memory consumption on Xen Server.
    Workaround: Run the following command on Xen Server, and then reboot the appliance.
    /opt/xensource/libexec/xen-cmdline --set-xen "dom0_mem=1024M,max:1024M"

    [ NSHELP-32260 ]

  • During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.

    [ NSHELP-29425 ]

  • The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

    [ NSHELP-28600 ]

Policies

  • In the Citrix ADC GUI, you can see the rewrite actions only when you click Show Built-in Rewrite action in AppExpert > Rewrite > Actions.

    [ NSPOLICY-4843 ]

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

  • In an HA setup, the REGEX_REPLACE expression might go into a loop if configured with the ALL option and empty replacement string, leading to failover.

    [ NSHELP-34640 ]

SSL

  • When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal “decode_error” alert instead of an “unexpected_message” alert.

    [ NSSSL-11890 ]

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver -SSL3 DISABLED.
    2. Save the configuration.

    [ NSSSL-9572 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [NSSSL-4001]

  • A Citrix ADC appliance, containing Intel Coleto or Intel Lewisburg chips, might crash during the back-end renegotiation phase if the peer server negotiates a different cipher than the one it initially negotiated.

    [NSHELP-34324]

System

  • Citrix ADC might send incorrect responses when both AppFlow and HTTP Compression features are enabled.

    [NSHELP-35862]

  • Citrix ADC might stop the data transfer if the following conditions are met:

    • Multiple features are enabled.
    • More than one feature tries to delete the same part of the TCP or HTTP payload.

    [NSHELP-33793, NSCXLCM-1512, NSCXLCM-1954]

  • Citrix ADC might stall the data transfer on an HTTP/2 connection when an HTTP-based feature tries to buffer a large amount of application data.

    [NSHELP-32612]

  • High RTT is observed for a TCP connection if the following conditions are met:

    • A high maximum congestion window (>4 MB) is set.
    • The TCP NILE algorithm is enabled.

    For a Citrix ADC appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window.

    So, until the maximum configured congestion window is reached, the Citrix ADC continues to accept data and ends up with high RTT.

    [NSHELP-31548]

  • The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.

    [NSHELP-28710, NSHELP-28713]

  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [NSHELP-27410]

  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [NSHELP-27179]

  • In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins the cluster configuration, it does not receive the latest SYN cookie.

    [NSBASE-14419]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [NSUI-13024]

  • When you create or delete multiple partitions, duplicate partition IDs might be generated. As a result, the following error might appear when creating a partition.

    “Partition-id is already in use by another partition”

    [NSHELP-35042]

  • When modifying an authorization policy expression on the Citrix Gateway UI, the Authentication, authorization, and auditing option does not appear on the “Expression Editor” drop-down list.

    [NSHELP-33509]

  • In an HA / Cluster setup, configuration synchronization fails if you have configured SSH keys other than RSA, for example, ECDSA or DSA keys.

    [NSHELP-31675]

  • In a Citrix ADC appliance, binding the cache policy to override global or default global using the GUI interface fails with the following error:

    • Required argument missing.

    This error is not seen while binding the cache policy using the CLI interface.

    [NSHELP-30826]

  • Due to an incorrect upgrade installation sequence, the following issue occurs in the Citrix ADC appliance.

    • The kernel image is updated first and after a few steps, encryption keys are copied. In between these steps some failure happens and the ADC appliance comes up with a new image. The missing encryption keys in the new image lead to decryption failure and missing configuration.

    [NSHELP-30755]

  • Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

    [NSHELP-28606]

  • Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

    [NSHELP-28586]

  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

    • Both ssh_host_rsa_key private and public keys are an incorrect pair.

    Workaround: Regenerate ssh_host_rsa_key. For more information, see https://support.citrix.com/article/CTX322863.

    [NSHELP-27834]

  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [NSHELP-27252]

  • While viewing the policies bound to a content switching policy label in the Citrix ADC GUI, only 25 policies are displayed even though there are more policies bound to that policy label.

    [NSHELP-23428]

  • Users might fail to log in to the downgraded Citrix ADC appliance if the following sequence of conditions is met:

    1. You perform one of the following steps:
      • After upgrading to the current build, you add a system user or change the password of an existing system user, and save the configuration.
      • Provision a new Citrix ADC VPX, BLX, or CPX instance with the current build.
    2. Downgrade the appliance to one of the following builds:
      • 13.1-4.x
      • 13.0-82.x or earlier
      • 12.1-62.x or earlier

    To view the list of users affected after the downgrade, at the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: Reset the password of the affected users. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.

    Note: If you are downgrading a previously upgraded build, then while downgrading use the backed up configuration file (ns.conf) of the earlier build to avoid this issue.

    [NSCONFIG-8068]

  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [NSCONFIG-4330]

  • Users might fail to log in to the downgraded Citrix ADC appliance if the following sequence of conditions is met:

    1. You perform one of the following steps:
      • After upgrading to the current build, you add a system user or change the password of an existing system user, and save the configuration.
      • Provision a new VPX, BLX, or CPX instance with the current build.
    2. Downgrade the appliance to one of the following builds:
      • 13.0-47.x or earlier
      • 12.1-56.x or earlier
      • 11.1-64.x or earlier

    To view the list of users affected after the downgrade, at the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: Reset the password of the affected users. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.

    Note: If you are downgrading a previously upgraded build, then while downgrading use the backed up configuration file (ns.conf) of the earlier build to avoid this issue.

    [NSCONFIG-3188]
