Release Notes for Build 47.22 of Citrix ADC 13.0 Release
April 22, 2020
Release notes version: 2.0
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the Citrix ADC release 13.0 Build 47.22. See Release history.
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous Citrix ADC 13.0 releases.
- The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the Citrix ADC team.
Additional Changes/Fixes Available in Versions
Version 2.0
- Fixed Issues: NSHELP-20064
What's New?
The enhancements and changes that are available in Build 47.22.
Authentication, authorization, and auditing
- Trust renewal support for ADFSPIP
  You can now renew the trust of existing certificates that are nearing expiry or are no longer valid. Trust renewal is performed only when trust is established between the Citrix ADC appliance and the ADFS server. [# NSAUTH-27]
- Custom authentication class reference support for SAML SP
  You can now configure a custom authentication class reference attribute in the SAML action command. Using this attribute, you can customize the class names in the appropriate SAML tags. [# NSAUTH-603, NSAUTH-58, NSHELP-451]
- Default cache policy to authentication virtual servers for enhanced performance
  A Citrix ADC appliance can now apply default cache policies to all authentication virtual servers. These policies are associated by default when an authentication, authorization, and auditing virtual server is created. As a result, all the GUI pages are cached and served from the Citrix ADC cache module, which reduces the load on the management CPU and the HTTP daemon. Also, more users can be served concurrently. [# NSAUTH-6654]
Citrix ADC BLX appliance
- IPv4 OSPF dynamic routing protocol support for Citrix ADC BLX appliances
  Citrix ADC BLX appliances now support the IPv4 OSPF (OSPFv2) dynamic routing protocol. [# NSNET-7783]
Citrix ADC GUI
- Color indications for the disk space usage on the upgrade GUI
  On the Check Disk space screen of the Citrix ADC GUI (System > System Information > System Upgrade > Check Disks Space), color indication has been added for the current disk space used. The GUI displays the current disk space used percentage in the following colors:
  * Green, if the current disk space used is <= 80%
  * Red, if the current disk space used is > 80%
  [# NSUI-13699]
- GUI support for bot statistics
  The new Bot section in the Dashboard page displays bot related statistics. [# NSUI-13945]
- System log for Citrix ADC bot management
  The log viewer GUI page now has an option to filter out bot related operations that are logged. [# NSUI-13722]
Citrix ADC SDX appliance
- ADC Platinum license with SWG features
  Citrix Secure Web Gateway (SWG) features are now integrated with Citrix ADC Premium license and SWG is no longer offered as a separate instance license. After you upgrade an SDX appliance to 13.0 47.x, an existing SWG instance running on the appliance appears as a Citrix ADC instance in the SDX Management Service dashboard. [# NSSVM-2806]
Citrix ADC VPX appliance
- Support for Hong Kong region for AWS deployment
  You can now deploy VPX instances on AWS in the Hong Kong region. [# NSPLAT-9166]
- Citrix ADC VPX metrics in Azure monitor
  You can now use the metrics of the Azure monitor service to monitor a set of Citrix ADC VPX resources such as CPU, memory utilization, and throughput. The Metrics service monitors Citrix ADC VPX resources that run on Azure in real time. You can use Metrics Explorer to access the collected data. [# NSPLAT-10104]
- New subscription-based offerings for Citrix ADC VPX on GCP
  For Google Cloud Platform (GCP), the following subscription-based offerings are now available:
  - Citrix ADC VPX Express license
  - Citrix ADC VPX 10 Mbps (Standard/Advanced/Premium) editions
  [# NSPLAT-8772]
- A new parameter to move master clock source from CPU0 to CPU1
  For a Citrix ADC VPX instance, you can now move the master clock source from CPU0 (management CPU) to CPU1. To change the master clock source, the -masterclockcpu1 parameter is added to the "set ns vpxparam" command. This parameter has the following options:
  - YES: Allow VM to move the master clock source from CPU0 to CPU1.
  - NO: VM uses CPU0 for the master clock source. By default, CPU0 is the master clock source.
  [# NSPLAT-10859]
Citrix Gateway
- VPN client support on Ubuntu 18.04 LTS
  VPN clients are now supported on Ubuntu 18.04 LTS. [# CGOP-11067]
Citrix Web App Firewall
- Masking sensitive data using a regex pattern
  The REGEX_REPLACE advanced policy function, used in a log expression bound to a Citrix Web App Firewall (WAF) profile, enables you to mask sensitive data in WAF logs. [# NSWAF-3816]
- Easy and readable IP reputation category names
  The IP reputation bot detection category names are now available as readable names. [# NSWAF-3824]
- Dynamic profiling to learn Start URLs
  Dynamic profiling is now available for the Start URL security check to detect and learn new URLs. [# NSWAF-3934]
Clustering
- Operational view based on backplane interface
  In a cluster setup, you can now achieve an operational view based on heartbeat messages received only on the backplane interface.
  Consider an example of a two-node cluster, consisting of Node 1 and Node 2. The two nodes send and receive heartbeat messages to and from each other on all interfaces that are enabled. When backplane-based view is enabled, the operational view is based on heartbeats received only on the backplane interface. If Node 1 does not receive the heartbeat messages from Node 2 on the backplane interface, then either Node 1 or Node 2 is made operationally INACTIVE, even if Node 1 receives heartbeats from Node 2 over a data interface. By default, backplane-based view is disabled. When this option is disabled, a node does not depend on heartbeat reception only over the backplane. [# NSHELP-15871]
GSLB
- Associate a target virtual server expression to a GSLB content switching action
  You can now associate a target virtual server expression with a GSLB content switching action. This allows a GSLB content switching virtual server to use policy expressions to compose the target GSLB virtual server name while processing DNS requests. [# NSLB-4751]
- Supporting GSLB for wildcard domain
  You can now bind a wildcard DNS domain to a GSLB virtual server. Users accessing the applications behind a wildcard domain are routed to the optimal data center that hosts those applications. The wildcard domain handles requests for non-existent domains and subdomains. In a zone, you can redirect queries for all non-existent domains or subdomains to a particular server by using wildcard domains. You need not create a separate Resource Record (RR) for each such domain. [# NSLB-4792]
- Determine best performing GSLB service using the API method
  The API-based GSLB method is now supported in GSLB deployments for selecting the best performing GSLB service. In this method, when GSLB receives a DNS request from a client, GSLB triggers an HTTP(S) REST API request to the configured API server. Based on the response from the API, GSLB sends a DNS response that contains the IP address of the best performing GSLB service. [# NSLB-5194]
Load Balancing
- Support for autoscale API
  You can change a service group from the non-autoscale type to the autoscale type of desired state API (DSA), if all provided conditions match. For this configuration, use the autoscale API argument in the "set serviceGroup" command. [# NSLB-5311]
- Limit the number of concurrent requests on a client connection
  You can now limit the number of concurrent requests on a single client connection. You can protect the servers from security vulnerabilities by limiting the number of concurrent requests. When the client connection reaches the specified maximum limit, the Citrix ADC appliance drops subsequent requests on the connection until the outstanding request count goes below the limit. [# NSLB-5315]
Networking
- ISSU statistics support
  You can now view the statistics for monitoring the current ISSU process in a high availability setup. The ISSU statistics display the following information:
  * Current status of ISSU migration operation
  * Start time of the ISSU migration operation
  * End time of the ISSU migration operation
  * Start time of the ISSU rollback operation
  [# NSNET-11457]
- Connection failover support for FTP connections from FTP server random port
  Connection failover enables the primary node to duplicate connection and persistence information to the secondary node in a high availability setup. The state information of the connection is shared with the secondary node regularly when connection mirroring is enabled.
  A Citrix ADC appliance high availability setup supports connection failover for an FTP connection for which the FTP server is using a random data port. The primary node sends the FTP connection related information to the secondary node at regular intervals. The secondary appliance uses this information only in the event of a failover.
  To enable connection failover on a load balancing configuration of type FTP, enable the `connFailover` (`Connection Failover`) parameter of the load balancing virtual server by using either the CLI or the GUI.
  Also, to enable the Citrix ADC appliance to process an FTP connection for which the FTP server is using a random port, you must enable the Citrix ADC global parameter aftpAllowRandomSourcePort (Enable Random source port selection for Active FTP). [# NSNET-7685, NSNET-9529]
- Support for reserving the source port for RNAT connections to servers
  For a request hitting an RNAT configuration that has one or more RNAT IP addresses and the Use Proxy port parameter disabled, the Citrix ADC appliance uses one of the RNAT IP addresses and the source port of the RNAT request for connecting to servers.
  Prior to this release, an RNAT connection (using the RNAT client’s source port) to the server fails if the same source port is already in use by other connections.
  * Source port less than 1024. By default, the Citrix ADC appliance reserves the first 1024 ports of any Citrix ADC owned IP address (including RNAT IP addresses). Prior to this release, an RNAT connection (using the RNAT client’s source port) to the server fails if the source port of the RNAT request is less than or equal to 1024. With this release, an RNAT connection (using the RNAT client’s source port) to the server succeeds if the source port of the RNAT request is less than or equal to 1024.
  * Source port greater than 1024. Prior to this release, an RNAT connection (using the RNAT client’s source port) to the server fails if the same source port is already in use by other connections. With this release, you can specify a range of RNAT client source ports in the Retain Source Port range parameter as part of an RNAT configuration. The Citrix ADC appliance reserves these RNAT client source ports on the RNAT IP address to be used only for RNAT connections to servers.
  [# NSNET-9797]
Policies
- New policy expression to display GMT time in the local timezone
  A new policy expression "SYS.TIME.TO_LOCAL" is now available to display the GMT time in the local timezone. [# NSHELP-16098, NSPOLICY-58]
- Adding custom headers in respondwithhtmlpage responder action
  A Citrix ADC appliance can now respond with a custom header in the respondwithhtmlpage responder action. You can configure up to eight custom headers. Previously, the appliance responded only with static headers such as “Content-type:text/html” and “Content-Length:”.
  Note: When you configure custom headers, you can overwrite the “Content-Type” header value. [# NSPOLICY-2329]
- Generate random and unique HMAC key values similar to encryptionParams
  You can now automatically generate a random encryption or HMAC key.
    add ns encryptionKey -method -keyValue AUTO
    add ns hmacKey -digest -keyValue AUTO
  The "AUTO" keyValue can be used in the set commands to generate new keys for existing encryptionKey and hmacKey objects.
  Automatic key generation is useful if the Citrix ADC appliance is encrypting and decrypting data with the key, or generating and verifying an HMAC key.
  Note: Since the key value itself is already encrypted when displayed, you cannot retrieve the generated key value for use by any other party. [# NSPOLICY-3287]
- Option to provide comments for patterns bound to a pattern set or a data set
  The “bind policy patset” command now enables you to provide comments for patterns that are bound to a pattern set.
    bind policy patset [-index ] [-charset ( ASCII | UTF_8 )] [-comment]
  Where,
  Comment. Provide comments about the patterns bound to a pattern set.
  The “bind policy dataset” command now enables you to provide comments for patterns that are bound to a data set.
    bind policy dataset [-index ] [-comment ]
  Where,
  Comment. Provide comments about the patterns bound to a data set.
  [# NSPOLICY-3298]
- Convert classic filter commands to advanced filter commands
  The nspepi tool can now convert commands based on classic filter actions such as add, bind and so forth to advanced filter commands.
  However, the nspepi tool does not support the following filter commands.
  - add filter action FORWARD
  - add filter action ADD prebody
  - add filter action ADD postbody
  Note:
  - If there are existing rewrite or responder features in ns.conf, and their policies are bound globally with the GOTO expression as END or USER_INVOCATION_RESULT and the bind type is REQ_X or RES_X, then the tool converts the bind filter commands partially and comments them out. A warning is displayed indicating that manual effort is required.
  - If there are existing rewrite or responder features, and their policies are bound to virtual servers (for example, load balancing, content switching or cache redirect) of type HTTPS with GOTO - END or USER_INVOCATION_RESULT, the tool converts the bind filter commands partially and then comments them out. A warning is displayed indicating that manual effort is required.
  [# NSPOLICY-509]
- Allow innocuous SYS functions
  SYS functions such as SYS.TIME, SYS.RANDOM, SYS.NSIP, SYS.UUID and so forth are now allowed in the expression evaluator and also in other places that did not previously allow them.
  However, some SYS functions are still not allowed in the expression evaluator and in other places that did not previously allow them. An example is SYS.HTTP_CALLOUT. [# NSPOLICY-3302]
SSL
- View the SSL chip utilization on Citrix ADC appliances using Intel Coleto chips
  You can now view the SSL chip utilization on the following Citrix ADC MPX appliances. These appliances contain the Intel Coleto chip.
  - MPX 5900
  - MPX 8900
  - MPX 15000-50G
  - MPX 26000
  - MPX 26000-50S
  - MPX 26000-100G
  To view the chip utilization, at the command prompt, type: stat ssl
  [# NSSSL-5975]
- Support for heterogeneous cluster deployments with different platforms
  You can now form a heterogeneous cluster deployment of Citrix ADC MPX appliances with different number of packet engines by setting the SSL parameter “Heterogeneous SSL HW” to ENABLED. For example, to form a cluster of Cavium chip based appliances (MPX 14000 or similar) and Intel Coleto chip based appliances (MPX 15000 or similar), enable the SSL parameter “Heterogeneous SSL HW”. To form a cluster of platforms using the same chip, keep the default value (DISABLED) for this parameter.
  The feature is not supported on VPX instances hosted on Citrix ADC SDX appliances.
  For information about the platforms supported in the formation of a heterogeneous cluster, see [# NSSSL-7149]
- Support for DTLSv1.2 protocol on the front end of a Citrix ADC VPX appliance
  DTLS 1.2 protocol is now supported on the front end of a Citrix ADC VPX appliance. While configuring a DTLS virtual server, you must now specify DTLS1 or DTLS12. [# NSSSL-7188]
- Automated Certificate Linking
  SSL certificate linking is now automated. That is, if the intermediate CA certificates and the root certificate are present on the appliance, you no longer have to manually link each certificate to its issuer.
  If all the certificates are available on the appliance and you click the “Link” button in the end-user certificate, the potential chain appears. In the chain, click “Link Certificate” to link all the certificates. [# NSSSL-7190, NSUI-12903]
System
- Support for advanced audit-log policy
  You can now bind an advanced audit-log policy to a load balancing virtual server. [# CGOP-6824]
- Rewrite policy expression support for proxy protocol stripped operation
  The stripped operation in proxy protocol now uses rewrite policy expressions to add client details such as source IP address, destination IP address, source port, and destination port into the HTTP header. The rewrite policy evaluates the expression and, if it is "true", the corresponding rewrite policy action is triggered and the client details are forwarded to the back-end server in the HTTP header. [# NSBASE-4988]
- Client IP address in a TCP option
  Citrix ADC now uses TCP option configuration for sending the client IP address to the back-end server. The appliance adds a TCP option number that inserts the client IP address in the first data packet, and forwards it to the back-end server. The TCP option configuration can be used in the following scenarios.
  - learn the original client IP address
  - select a language for a website
  - blacklist selected IP addresses
  [# NSBASE-6553, NSUI-14692]
- Update for licensing server IP address
  You can now update the licensing server IP address in a VPX instance without any impact on the allocated license bandwidth and data loss. For information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-vpx-check-in-check-out.html#update-a-licensing-server-ip-address [# NSCONFIG-1974]
Fixed Issues
The issues that are addressed in Build 47.22.
Admin Partition
-
The “stat system memory” command might display an incorrect value for the “Free Memory (MB)” field, whenever the Citrix ADC appliance reaches 100% memory usage in the default partition. [# NSHELP-19239]
-
Citrix ADC appliance might not add the packet engine (PE) ID information in the admin partition related SNMP trap messages.[# NSHELP-19966]
-
In a partitioned setup, DNS slows down and times out after creating an admin partition.[# NSHELP-19996]
AppFlow
-
The Citrix ADC appliance might become unresponsive if you remove the AppFlow action while traffic is flowing through the appliance.[# NSHELP-20523, NSHELP-21692]
Authentication, authorization, and auditing
-
The LDAP DN attribute fetched from the AD to Citrix ADC appliance is truncated if the attribute length is greater than 128 bytes.[# NSAUTH-7210]
-
A Citrix ADC appliance fails to obtain Kerberos tickets through a constrained delegation, if one of the following conditions is met:
  - The enterprise “realm” parameter is configured for the user.
  - The domain name in the “keytab” parameter is in lower case.
  [# NSHELP-18946]
-
If the authentication, authorization, and auditing sessions are high in number, it takes a longer time to terminate a user session.[# NSHELP-19131]
-
If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.[# NSHELP-19528]
-
In rare cases, there might be memory leak issues when handling authentication, authorization, and auditing sessions.[# NSHELP-19703]
-
A Citrix ADC appliance might crash in OTP manage flow if the following conditions are met:
  - OTP login schema is used as the first factor.
  - Email authentication is used as the second factor.
  [# NSHELP-19759]
-
In some cases, a Citrix ADC appliance dumps core when "show aaa group -loggedIn" command is issued.[# NSHELP-19793]
-
The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.[# NSHELP-19961]
-
The AAA group page in the Citrix ADC GUI does not display the IP address in the Intranet IP Address field. [# NSHELP-20068]
-
A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates relaystate from Service Provider (SP) if it contains quotes.[# NSHELP-20131]
-
If you do not configure RfWebUI portal theme on a Citrix ADC appliance, you might observe the following changes:
  - The displayed OTP management pages appear differently or OTP management might not work.
  - The appliance shows unexpected behavior.
  [# NSHELP-20144]
-
In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.[# NSHELP-20181]
-
A Citrix Gateway appliance might fail if the following conditions are met:
  - A user logs out of a session.
  - The appliance is deployed in an HDX platform.
  - SAML authentication is used in Citrix Gateway.
  [# NSHELP-20206]
-
The login schema profile of the secondary node does not correctly display the labels on the Configure Authentication Login Schema GUI page.[# NSHELP-20234]
-
A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.[# NSHELP-20282]
-
A Citrix Gateway appliance might occasionally fail if users try to log in when taking VPX snapshot.[# NSHELP-20292]
-
You cannot unbind an authorization policy using the Citrix ADC GUI interface.[# NSHELP-20298]
-
A Citrix ADC appliance configured as SAML Service Provider (SP) might fail to validate assertions sent by certain IdPs if the namespace of SAML is not defined completely.[# NSHELP-20307]
-
A Citrix ADC appliance configured as a SAML Service Provider (SP) on traffic management virtual server does not send post body response to the back-end server after SAML login.[# NSHELP-20348]
-
A memory leak is observed in a Citrix ADC appliance if the following conditions are met:
  - A second factor is configured as pass-through.
  - Buffer is not freed up.
  [# NSHELP-20390]
-
The Citrix ADC appliance crashes after an upgrade to version 13.0 because of a buffer overflow condition.[# NSHELP-20416, NSAUTH-6770]
-
An FQDN in the SSL certificate might cause a Citrix ADC appliance to crash because of a buffer overflow. [# NSHELP-20476]
-
You cannot unbind multiple certificates using the Citrix ADC GUI interface.[# NSHELP-20598]
-
A Citrix Gateway appliance might fail when Gateway is configured as SAML IdP along with IdP chaining. [# NSHELP-20667]
-
A Citrix ADC appliance might crash if the samlSigningCertName parameter is not configured in a samlAction command.[# NSHELP-20674]
-
A Citrix ADC appliance might fail to authenticate the Microsoft Outlook 2016 users if the password contains Umlaut characters.[# NSHELP-20682]
-
A Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain) and the users are in parent domain and services are in the child domain.[# NSHELP-20910]
-
The SAML metadataURL parameter does not work after a Citrix ADC appliance is restarted.[# NSHELP-21006]
-
In rare cases, nFactor log on fails if both of the following conditions are met:
  - Citrix ADC appliance is configured for certificate authentication with a fallback to LDAP.
  - The certificate authentication fails.
  [# NSHELP-21118]
-
If Citrix ADC is configured for forms based SSO, and name-value pairs are specified in the configuration, these values are ignored if the values are absent in the form.[# NSHELP-21139]
-
If you bind a SAML IdP policy to authentication, authorization, and auditing virtual server by using the Citrix ADC GUI, you cannot modify the next action.[# NSHELP-479]
BaseCluster
-
In a cluster setup, if timestamp is enabled, some of the requests sent to the server might be dropped. [# NSHELP-20394]
Citrix ADC BLX appliance
-
On a Citrix ADC BLX appliance deployed in shared mode, Citrix ADC GUI and NITRO service become unavailable if you change the BLX management HTTP port (mghttpport) or HTTPS port (mghttpport) by using the Citrix ADC command line utility (cli_script.sh set ns param). [# NSNET-10005]
-
Citrix ADC BLX appliances do not support static LA channels. Adding a static LA channel on a Citrix ADC BLX appliance might cause the appliance to crash.[# NSNET-11929]
Citrix ADC CPX
-
You cannot configure an NSIP with /32 bit subnet mask for Citrix ADC CPX.[# NSNET-10968]
-
The following default TCP profiles were not automatically set with the TCP maximum segment size (MSS):
  - nstcp_default_profile
  - nstcp_internal_apps
  [# NSNET-11916]
Citrix ADC GUI
-
In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. But the GUI incorrectly displays the following error: “Trace not started” [# NSHELP-18566]
-
In a cluster setup, if you add a cipher group from advanced settings using the GUI, the cipher group does not appear in the main page.[# NSHELP-19704]
-
User authentication to Citrix ADC GUI fails if an issue is observed in VAR file rollover mechanism.[# NSHELP-20229]
-
You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.[# NSHELP-20506]
-
If you access the Syslog GUI page, the following error message appears: "Cannot read property '0' of undefined".[# NSHELP-20574]
-
After an upgrade, the Citrix ADC GUI home page does not load for admins with superuser group permission.[# NSHELP-20638]
-
You can now set client authentication to optional, in the SSL parameters of a virtual server, using the GUI. Earlier, client authentication changed to mandatory if you used the GUI to change any SSL parameters.[# NSHELP-21060]
-
Due to some technical issues in the framework, all service groups are not displayed in the ADC GUI.[# NSUI-13754]
Citrix ADC SDX appliance
-
In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP flap. This triggers HA failover.[# NSHELP-19095]
-
On SDX 22XXX and 24XXX appliances, during system health monitoring, the SDX Management Service raises false alerts.[# NSHELP-19795]
-
If the backup file name has any special character, restoring the SDX appliance to that backup fails. With the fix, an error message appears if the backup file has any special character.[# NSHELP-19951]
-
On an SDX appliance, when you restore a VPX instance provisioned with burst throughput, the restore might fail.[# NSHELP-20013]
-
On an SDX appliance, the “No additional MACs available for members of interface 10/1” error message appears when all the following conditions are met:
  1. You instantiate 19 VPX instances on the SDX appliance, all with the same network interface.
  2. Then add MAC addresses to the 20th VPX instance that uses the same network interface as the previous instances.
  3. The number of MAC address on the 20th VPX instance is twice as great as the MAC addresses added to the 1st VPX.
  [# NSHELP-20158]
-
When configuring pooled licensing in SDX 14000 FIPS appliance, the minimum instances you could check out was 25. With this fix, the minimum instances you can check out is two. For more information, see the Citrix ADC pooled capacity document: [# NSHELP-20305]
-
On SDX 26000 and SDX 15000 platforms, management access through SSH to DOM0 might stop when the following conditions are met:
  - More than one VPX instance is restarted simultaneously.
  - 50 GE or 100 GE interfaces are assigned to the VPX instances.
  [# NSPLAT-9185]
Citrix ADC VPX appliance
-
You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.[# NSPLAT-10710]
-
Due to an Azure stack limitation, traffic using morphed MAC address is not supported. Therefore in an Azure stack ADC deployment, MAC-based forwarding (MBF) mode must be disabled.[# NSPLAT-11778]
Citrix Gateway
-
After an upgrade of Citrix ADC and gateway plug-in to release 13.0 build 41.20, users experience continuous blue screen of death (BSOD) error when trying to set up the VPN tunnel.[# CGOP-12099]
-
In a Citrix Gateway cluster setup, the Citrix ADC appliance might crash during cluster upgrade because of some changes in the internal data structures.[# NSAUTH-7153]
-
The following message incorrectly appears when Citrix Gateway is accessed from the Microsoft Edge browser, and EPA or VPN is not used. "Full VPN and EPA are not supported in Edge browser. Please use different browser for a better experience." [# NSHELP-19367]
-
In some cases, the Citrix Gateway appliance sets invalid cookie while processing the unauthenticated requests.[# NSHELP-19403]
-
The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.[# NSHELP-19543]
-
In some cases, EPA fails for virtual machines running on Ubuntu operating system.[# NSHELP-19556]
-
In an HA pair setup, the persistent sessions on the primary node are not cleared because of an issue with the session sync code in the VPN server.[# NSHELP-19557]
-
The DTLS service on a VPN virtual server functions with a default set of ciphers that cannot be modified through the bind or unbind cipher commands using CLI.[# NSHELP-19561]
-
The Endpoint Analysis (EPA) scan failed to validate 4096 bit key device certificate.[# NSHELP-19697]
-
With Linux Receivers, the encryption module (ICA_MODULE_PD) is not received from the Receiver in PACKET_INIT_RESPONSE during the ICA handshake, which leaves a null encryption handler in the ADC and leads to a crash. With the fix, the ADC skips parsing the connection when no encryption parameters are received from the Receiver. [# NSHELP-19758]
-
In isolated cases, there is a memory corruption causing a core dump while clearing a corrupted SSL VPN authentication, authorization, and auditing session entry after the timeout.[# NSHELP-19775]
-
The Transfer Login page for an existing user does not work in languages other than English.[# NSHELP-19859]
-
In rare cases, Citrix ADC appliances deployed in a high availability (HA) setup might crash resulting in frequent HA failover, if both of the following conditions are met:
  - Gateway Insight is enabled.
  - SSO fails.
  [# NSHELP-19922]
-
If ICA insight is enabled for EDT sessions, you might experience a frozen screen or a delay in the application screen operations.[# NSHELP-19934]
-
In rare cases, the Citrix Gateway crashes while GSLB updates VPN services statistics.[# NSHELP-19992]
-
Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.[# NSHELP-20097]
-
Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a result, the system slows down. [# NSHELP-20122]
-
In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.[# NSHELP-20230]
-
The Citrix ADC appliance might become unresponsive if HDX Insight is enabled.[# NSHELP-20280]
-
A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.[# NSHELP-20285]
-
EPA scans are not completed and become unresponsive.[# NSHELP-20319]
-
Users are unable to add client-less access policies from the policy manager by using the Citrix Gateway GUI.[# NSHELP-20333]
-
When adding domains for clientless access profile, a horizontal scrollbar appears when the FQDN is long.[# NSHELP-20341]
-
The VPN plug-in unblocks all TCP traffic until captive portal authentication if both of the following conditions are met:
  - The client machine is configured for AlwaysOn, onlyToGateway mode.
  - The client machine is connected to a captive portal network.
  [# NSHELP-20360]
-
AlwaysON service intermittently fails to establish a VPN tunnel when the networkAccessONVPNFailure parameter is set to “Only to Gateway.”[# NSHELP-20369]
-
You might experience a delay in the keyboard and mouse responses to your actions in a launched desktop if DTLS is enabled. [# NSHELP-20447]
-
The Network Level Authentication (NLA) service is restarted every time a user logs in or logs out. This happens because the settings configured by using the nsapimgr knobs are not honored.[# NSHELP-20494]
-
Citrix Windows plug-in is unable to connect to Citrix Gateway using Mozilla Firefox 68.0.[# NSHELP-20503]
-
In a high availability setup, during Citrix ADC failover, icons of some of the apps in the /var/netscaler/logon folder are not visible.[# NSHELP-20573]
-
A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
  - SplitTunnel is set to ON.
  - IP address pool (Intranet IP) option is set to NoSpillOver.
[# NSHELP-20584]
-
A Citrix ADC appliance fails to decode rewritten URLs for clientless VPN if the URLs contain "%2E" in the FQDN.[# NSHELP-20603]
-
Users cannot access Microsoft Office documents from SharePoint over advanced clientless VPN access.[# NSHELP-20611]
-
After you upgrade the Citrix ADC appliance to release 12.1 build 54.13 and later, the following message might appear when accessing the RDP resources:
"error :not a privileged user"
[# NSHELP-20678]
-
The Citrix ADC appliance might become unresponsive if HDX Insight is enabled and there is a low memory condition.[# NSHELP-20707]
-
The Citrix virtual adapter remains connected even when the VPN machine is in sleep mode and a logout is triggered. Users must terminate the application or restart the VPN machine to gain access to the network.[# NSHELP-20755]
-
The Citrix ADC appliance might become unresponsive if the appliance is configured for proxy EDT connections and there is a low memory condition.[# NSHELP-20761]
-
nFactor authentication fails if Online Certificate Status Protocol (OCSP) is enabled for device certificate check.[# NSHELP-20855]
-
The apps configured on the StoreFront do not appear on the Citrix Gateway home page if all of the following conditions are met:
  - WiHome is configured.
  - Advanced clientless VPN access is enabled.
  - The user logs on from either Internet Explorer or Firefox.
[# NSHELP-20888]
-
Users cannot access internal resources even if VPN is successfully connected, but the DNS servers are not correctly configured for the Citrix Virtual Adapter.[# NSHELP-20892]
-
Users intermittently get the "Error 403 Access Denied" error message when loading a Citrix Gateway URL with RfWebUI theme.[# NSHELP-20895]
-
AlwaysOn service with user persona fails to establish a user tunnel if there are multiple device certificates in the device store.[# NSHELP-20897, NSHELP-21583]
-
An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.[# NSHELP-7872]
Citrix Web App Firewall
-
A Citrix ADC appliance might crash if the following features are enabled in the Web App Firewall profile:
  - XML processing.
  - Security insight.
[# NSHELP-18869, NSHELP-21691]
-
After you add a relaxation rule, similar URLs are not getting deleted from the learned rules list.[# NSHELP-19298]
-
Web Requests with many query parameters might receive no response if the field consistency protection parameter is enabled.[# NSHELP-19811]
-
In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.[# NSHELP-20010]
-
On a Citrix ADC SDX appliance, a Citrix ADC VPX instance might crash because of an internal issue in WAF module.[# NSHELP-20096]
-
A Citrix ADC appliance might crash if there is an internal communication error with the sqlite library.[# NSHELP-20173]
-
After an upgrade, if you bind a signature to the Web App Firewall profile, the appliance silently drops an incoming request.[# NSHELP-20201, NSWAF-3427, NSHELP-20599]
-
A Citrix ADC appliance might crash when processing signature file regex patterns and if bigstack is unavailable.[# NSHELP-20359]
-
A Citrix ADC appliance might crash if the following conditions are observed:
  - IP reputation policy expression is used in a load balancing virtual server of type TCP.
  - Security Insight is enabled.
[# NSHELP-20410]
-
A Citrix ADC appliance might crash if the signature feature is enabled and a specific request pattern is detected.[# NSHELP-20884, NSHELP-19583]
-
Requests coming from Tor proxy IP addresses are not blocked by the IP reputation Tor proxy category using CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(PROXY) policy expression.[# NSWAF-3611]
Client AG-EE
-
Feature: Citrix Gateway
A group of computers are unable to access internal and external resources when connected over VPN only and Intranet IP is configured.[# NSHELP-20011]
Clustering
-
A high CPU usage is observed on a Citrix ADC appliance or in a cluster setup if “show ns ip” command displays many IP addresses.[# NSHELP-11193]
-
A linkset-member interface or channel is added as part of a new static ND6 entry to the Citrix ADC appliance. For the Citrix ADC appliance to accept the new static ND6 entry, you must provide the linkset VLAN.[# NSHELP-19453]
-
In a single-node cluster, sometimes, you cannot SSH to CLIP under the following conditions:
  - USIP mode is enabled.
  - State of the cluster node is set to passive.
[# NSHELP-20210]
-
In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.[# NSHELP-20366]
-
ACL6 list of type DFD might be corrupted when you add ACLs in descending order and delete any one of the ACL6 entries.[# NSHELP-20587]
-
In a cluster setup, the Citrix ADC appliance might crash for a new MPTCP connection, if the 4 tuples are reused with a different MPTCP key before the original connection has timed out on the Citrix ADC appliance.[# NSHELP-20844, NSHELP-20726]
DNS
-
Feature: DNS
A Citrix ADC appliance might crash if DNS logging is enabled and the appliance receives a large DNS response.[# NSHELP-18926]
GSLB
-
The GSLB site backup parent list configuration is lost if both of the following conditions are met:
  - The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.
  - The Citrix ADC appliance is restarted.
[# NSCONFIG-1760]
-
A Citrix ADC appliance might crash when all of the following conditions are met:
  - A backend server is DOWN.
  - An ADC appliance collects information on server, such as RTT and proximity, for selecting a new backend.
[# NSHELP-11969]
-
In a GSLB cluster setup, MEP connection might get terminated resulting in a MEP flap when a node joins the cluster.[# NSHELP-19532]
-
A Citrix ADC appliance crashes when a set command is issued on a CNAME-based GSLB service.[# NSLB-5433, NSLB-5562]
Gateway
-
Feature: Citrix Gateway
In rare cases, the Citrix Gateway appliance crashes if AAA user session is transferred and Intranet IP is enabled.[# NSHELP-20680]
Gateway Insight
-
In a high availability (HA) setup, the primary node might crash if AppFlow is enabled and there is a failover.[# NSHELP-19363]
-
Citrix ADC appliances deployed in a high availability (HA) setup crash if both of the following conditions are met:
  - AppFlow is enabled.
  - There is a high availability synchronization failure.
[# NSHELP-19490]
Licensing
-
If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.[# NSHELP-19615]
-
After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.[# NSHELP-20137]
Load Balancing
-
A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.[# NSHELP-19540]
-
Redirecting an HTTPS URL fails if the URL contains the % special character.[# NSHELP-19993]
-
You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.[# NSHELP-20020]
-
A Citrix ADC appliance might crash if traffic domain is configured on a load balancing virtual server of type SIP.[# NSHELP-20286]
-
A Citrix ADC appliance might crash when the following conditions are met:
  - Rule-based persistence is configured on the appliance.
  - Multiple IPv6 servers respond with the same values for the parameters configured in the rule-based persistence.
[# NSHELP-20490]
NITRO
-
The Citrix ADC appliance responds with an internal error message for show routerdynamicrouting NITRO API call.[# NSCONFIG-1325]
-
HTTP daemon on a Citrix ADC appliance might crash if all of the following conditions are true:
  - The appliance receives an idempotent NITRO API request for adding a resource on the appliance.
  - The idempotent NITRO API request does not have any settable properties.
  - The resource already exists on the Citrix ADC appliance.
[# NSCONFIG-2298]
-
The first login using NITRO API fails for a partition user. However, the subsequent login succeeds.[# NSHELP-20159, NSCONFIG-2054]
Networking
-
The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled, or an associated IP address is deleted.[# NSHELP-19891]
-
The BGP daemon on a Citrix ADC appliance might incorrectly install learned routes with next-hops as 0.0.0.0/0.[# NSHELP-19900]
-
The Citrix ADC appliance might crash if you add a listen policy that has a dependency for a certain internal FTP service lookup.[# NSHELP-20002]
-
For traffic accessing a load balancing setup through a Citrix ADC Access Gateway, the Citrix ADC appliance might apply MAC Based Forwarding (MBF) on this traffic even without properly adding the Layer 2 information to the connection table entry.[# NSHELP-20064]
-
The Citrix ADC appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.[# NSHELP-20112]
-
On restart, the Citrix ADC appliance establishes BGP session with the peer devices before assigning a subnet IP (SNIP) address on the interface resulting in next-hop validation failure. Because of this issue, the Citrix ADC appliance might not learn the routes advertised from these peer devices.[# NSHELP-20211]
-
A Citrix ADC appliance, acting as a proxy server, might apply a PBR rule based on Layer 2 information to a traffic even though the traffic does not match the PBR rule.[# NSHELP-20317]
-
The “An existing route relies on the presence of this subnet” error message is seen if all of the following conditions occur:
  - Two or more SNIP addresses with the first octet greater than 127 are added.
  - A route for the SNIP addresses is added on that network.
  - You try to delete any one of the added SNIP addresses.
[# NSHELP-20492]
-
32-bit ASN values appear as negative values in the “sh ip bgp summary” command output.[# NSHELP-20540]
-
A Citrix ADC appliance might crash if it receives IPv6 traffic that matches both of the following conditions:
  - Source MAC address of IPv6 traffic matches the MAC address of a service bound to a virtual server with type ANY and redirection mode set to MAC based forwarding (-m MAC).
  - The IPv6 traffic matches an RNAT6 rule with TCP proxy option enabled.
[# NSHELP-20548]
-
The Citrix ADC appliance might not update ECMP routes properly when multiple BGP sessions go to "DOWN" state simultaneously.[# NSHELP-20664]
-
The BGP daemon might display duplicate warning messages for a route removed from the Citrix ADC routing table.[# NSHELP-20906]
Platform
-
On the following Citrix ADC SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to a VPX instance and instance management is done through the data ports.
  - SDX 8900
  - SDX 14000-40G
  - SDX 14000-40S
  - SDX 15000-50G
  - SDX 25000-40G
  - SDX 25000T
  - SDX 25000T-40G
[# NSHELP-19861]
-
On SDX platforms with Fortville interfaces, the 10G & 40G Fortville interfaces can run into TX stalls when Jumbo is enabled on them.[# NSHELP-20605]
Policies
-
After an upgrade, the rewrite policy does not work for CVPN homepage2.html[# NSHELP-19481]
-
In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.[# NSHELP-19867]
-
When you convert policies from classic to advanced using nspepi tool, syntax errors are observed for port and netmasks.[# NSHELP-20720]
Portal
-
Feature: Citrix Gateway
Users are incorrectly prompted to enter the user name and password when nFactor Logon form is customized to display the dynamic Logon Type menu and OAuth is selected from the list.[# NSHELP-20300]
SSL
-
You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.[# NSHELP-13018]
-
For SNI enabled sessions, the ADC appliance can control how the host header is validated. A new parameter “SNIHTTPHostMatch” is added to SSL profile and SSL global parameters to have better control on this validation. This parameter can take three values: CERT, STRICT, and NONE. SNI must be enabled on the SSL virtual server or the profile bound to the virtual server, and the HTTP request must contain the host header.[# NSHELP-13370]
-
The DTLS handshake might fail if DTLS records of different message types are received out of order. For example, a “Server Hello Done” message is received before a “Server Hello” message.[# NSHELP-18512]
-
A Citrix ADC appliance might crash intermittently if both of the following conditions are met:
  - OCSP check and SSL interception are enabled on an SSL profile.
  - The SSL profile is bound to a content switching virtual server of type PROXY.
[# NSHELP-19194]
-
The internal SSL service state appears UP even after you unbind the certificate from the service.[# NSHELP-19752]
-
An error message appears when you assign a DH parameter file to an SSL profile in an admin partition setup.[# NSHELP-19838]
-
When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occurs:
  1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.
  2. The server responds with a HelloRetryRequest message.
  3. The client responds with an illegal ClientHello message that omits the server_name extension.
[# NSHELP-20245]
-
If the SSL default profile is enabled and bound to an SSL service group, a warning message appears when you unbind a cipher from the SSL profile and bind a service to this service group. The service is also not bound to the service group.[# NSHELP-20332]
-
A Citrix ADC appliance might display different profiles on cluster IP (CLIP) address and Citrix ADC IP (NSIP) address if a legacy SSL profile is bound to SSL entities, and later the default (enhanced) SSL profile is enabled.[# NSHELP-20335]
-
If your ADC appliance is integrated with an unsupported version of Thales HSM, the appliance crashes after generating the HSM key and certificate, installing the certificate-key pair on the appliance, and binding it to the SSL virtual server. With this fix, the appliance reports an error instead of crashing.[# NSHELP-20352]
-
An error message “Error- File Too Large” appears in both of the following cases:
  - You first upgrade the Citrix ADC software to version 13.0 and then upgrade the FIPS firmware.
[# NSHELP-20522]
-
A Citrix ADC VPX appliance might crash if ChaChaPoly cipher is used and the client sends a truncated record to the appliance.[# NSHELP-20684]
-
The DTLS handshake might fail if DTLS record fragments are received out of order.[# NSHELP-20703]
-
The Citrix ADC appliance might crash while running the SSL forward action at REQUEST bind point. With this fix, you cannot bind a policy with action type FORWARD to REQUEST bind point.[# NSSSL-6688]
-
The Citrix ADC appliance might crash and dump core when it tries to access the deleted default DTLS profile while configuring a new DTLS virtual server or service.[# NSSSL-6886]
-
The forward action in SSL policy did not allow virtual server of type SSL_TCP. With this fix, you can forward SSL traffic based on SSL policy to an SSL_TCP virtual server. This feature helps customers who want SSL offloading but do not want to parse application data for the forwarded connection.[# NSSSL-7133]
System
-
High memory issue occurs in partitioned Citrix ADC appliance.[# NSBASE-8780, NSBASE-8763]
-
In client IP header insertion (for example, -X-Forwarded-for) if the IP address to be inserted is not as long as the buffer, the header pads spaces at the end of the client IP address.[# NSHELP-10079]
-
Display actual status of high availability synchronization process
In a high availability setup, by default, the status of HA synchronization is shown as `SUCCESS` even if some commands fail on the secondary node as part of the HA synchronization process. For example, a command related to binding an interface to a VLAN fails if the interface with the same number is not present on the secondary node.
You can configure the high availability setup to indicate the actual status of the HA synchronization process. When you enable the `Strict Synchronization mode` parameter on both the nodes of a high availability setup, the status of HA synchronization is shown as `Partial Success` if one or more commands fail on the secondary node as part of the HA synchronization process.
Note: The `Strict Synchronization mode` parameter on both the nodes must be set to the same option, that is, either enabled or disabled on both the nodes. The high availability setup does not display the correct status of the HA synchronization if the `Strict Synchronization mode` parameter is enabled on one node and disabled on the other.
[# NSHELP-11953]
-
SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).[# NSHELP-18541, NSHELP-19313]
-
Memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.[# NSHELP-18891, NSHELP-20778]
-
In a Citrix ADC appliance, the timezone configuration fails if there is a change in Daylight Savings Time (DST).[# NSHELP-19128]
-
SNMPv3 queries work only for a few minutes after changing the password.[# NSHELP-19313]
-
In some cases, you will see a delay or timeout in connecting to the backend server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server there is a delay or timeout because the connection is in TIME_WAIT state on the server.[# NSHELP-19772]
-
The Citrix ADC appliance might crash if a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as:
  - Jumbo frames, or
  - Set of IP fragments.
[# NSHELP-19920, NSHELP-20273]
-
SNMPWalk gets query response from a subnet IP (SNIP) address even if SNMP feature is disabled.[# NSHELP-20254]
-
Role based authentication (RBA) does not allow group names to start with "#" character.[# NSHELP-20266]
-
A Citrix ADC appliance initiates an HTTP/1.1 connection instead of an HTTP/2 connection if the complete request body is not received for a POST request.[# NSHELP-20289]
-
In rare cases, the Call Home process might crash, causing the appliance to restart. The issue occurs if a Call Home sub process uses the same internal process ID (PID) as the previous sub process.[# NSHELP-20334]
-
Memory usage increases if you enable proxy protocol and if retransmission occurs because of network congestion.[# NSHELP-20613]
-
A Citrix ADC appliance resets MPTCP subflows if a subflow is alive and active for more than the idle timeout period.[# NSHELP-20648]
-
A Citrix ADC appliance resets an MPTCP subflow if it receives a plain acknowledgment before the subflow is confirmed as MPTCP.[# NSHELP-20649]
-
Configuration loss is detected if you bind both classic policy and advanced policy to an aaa user and an aaa user group.[# NSHELP-20744]
Known Issues
The issues that exist in release 13.0.
Appflow
-
A Citrix ADC appliance might crash if a timing issue is observed when the appflow action is removed after a transaction is completed and before a connection is closed.[# NSBASE-9345]
Authentication, authorization, and auditing
-
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command:
"show adfsproxyprofile"
Workaround: Connect to the primary active Citrix ADC in the cluster and issue the "show adfsproxyprofile" command. It displays the proxy profile status.
[# NSAUTH-5916]
-
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[# NSHELP-563]
-
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[# NSAUTH-6106]
Citrix ADC GUI
-
When you use the scroll bar in the Syslog dashboard in Citrix ADC GUI, the page either scrolls fast or displays whitespace.[# NSHELP-21267]
-
If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the Citrix ADC appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.[# NSCONFIG-2370]
Citrix ADC SDX appliance
-
The Citrix ADC Management Service responds to NTP queries. However, Management Service does not have any option to configure restrictions for NTP queries.
Workaround: Manually modify /flash/mpsconfig/ntp.conf, and then from Management Service enable NTP Synchronization again to make the change effective. However, this change is lost if the NTP server configurations are changed.
[# NSHELP-12246]
-
The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
ERROR: Operation timed out
ERROR: Communication error with the packet engine
[# NSNET-4312]
Citrix ADC VPX appliance
-
A Citrix ADC VPX instance deployed on AWS fails to communicate through the configured IP addresses (VIP, ADC IP, SNIP) if the following conditions are met:
  - The AWS instance type is M5/C5, which are KVM hypervisor based.
  - The VPX instance has more than one networking interface.
This is an AWS limitation, and AWS plans to fix the issue soon.
Workaround: Configure separate VLANs for ADC IP, VIP, and SNIP. For more information about configuring VLANs, see https://docs.citrix.com/en-us/citrix-adc/13/networking/interfaces/configuring-vlans.html
[# NSPLAT-9830]
Citrix Gateway
-
In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a “Critical error” dialog box. Also, the page becomes unresponsive.[# CGOP-7269]
-
When the StoreFront FQDN resolution takes longer time than expected on the client, Citrix Gateway uses the client IP address as the source IP address to send traffic to the StoreFront server.[# NSHELP-19476]
-
In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[# NSINSIGHT-2059]
-
The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).
Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
[# NSINSIGHT-924]
-
The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.[# NSINSIGHT-2108]
Citrix SDX appliance
-
SDX 26000-100G 15000-50 G appliances might take longer time to upgrade. As a result, the system might display the message “The Management Service could not come up after 1 hour 20 minutes. Contact the administrator.”
Workaround: Ignore the message, wait for some time, and log on to the appliance.
[# NSSVM-3018]
Citrix Web App Firewall
-
A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.[# NSHELP-18863]
Cloudbridge connector
-
The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a cloudbridge connector.
Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
[# NSUI-13024]
GSLB
-
In an Admin Partition set up, the “-saveconfig” and “-cmd" options are not supported for the "sync gslb config” command. Therefore, when an ADC appliance is rebooted, the new configuration state of the peer parent is ignored and the changes are lost.[# NSHELP-22063]
HTTP2
-
We received a reset from the client while the request was in a queue to be serviced. After receiving the reset, we cleared some of the fields of the request and returned. But because the flash cache was enabled, we continued to service the request as part of caching it on NetScaler, during which it crashed.[# NSHELP-21872]
Load Balancing
-
A Citrix ADC VPX appliance reboots several times after being unresponsive.[# NSHELP-20435]
-
The Citrix ADC appliance load balances all the traffic that is destined to a particular load balancing virtual server to the same backend server, when all of the following conditions occur:
  - Load balancing virtual server is configured with hash-based LB method.
  - Service group with autoscale mode DNS is bound to the load balancing virtual server.
Workaround: Configure the load balancing virtual server with the Round Robin LB method.
[# NSHELP-21952]
Networking
-
When the Citrix ADC appliance is cleaning up large number of server connections as part of remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.[# NSHELP-136]
Platform
-
On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.
Workaround: Ensure auto negotiation is set to ON. To check and edit the auto negotiation status, navigate to SDX GUI > System > Interfaces.
[# NSPLAT-11985]
SDX-VPX
-
Feature: Citrix ADC VPX appliance
After you downgrade a Citrix ADC VPX instance to 11.1-63.15, 12.0-62.10, and 12.1-55.18 and lower versions, the instance gets stuck during reboot. This issue occurs if your instance has more than one CPU core assigned.
Workaround: Before you start your downgrade, change the CPU to single core. After the downgrade is complete, update the core according to your requirement.
[# NSPLAT-12603]
SSL
-
In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.[# NSHELP-13466]
-
Update command is not available for the following add commands:
  - add azure application
  - add azure keyvault
  - add ssl certkey with hsmkey option
[# NSSSL-6484, NSSSL-6379, NSSSL-6380]
-
The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
ERROR: crl refresh disabled
[# NSSSL-6106]
-
You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[# NSSSL-6213]
-
You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[# NSSSL-6478]
-
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[# NSSSL-4427]
System
-
High memory usage is observed in a Citrix ADC appliance if the HTTP/2 feature is enabled and if there is a large file download (typically if the file size is greater than or equal to 1 Gb). The issue is observed with slow clients if the downloaded data is buffered leading to excessive resource utilization.[# NSHELP-20531]
-
Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
[# NSPOLICY-1267]
Web Citrix Web App Firewall
-
A Citrix ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.[# NSHELP-20562]
Release history
For details of a specific release, see the corresponding release notes.
- Build 47.22 (2020-02-27) (Current build)