Release Notes for Build 51.24 of NetScaler 12.0 Release

Additional Changes/Fixes Available in Versions

Points to Note

What's New?

• Support for Autofill of username from SAML Service Provider (SP)

  A NetScaler appliance used as a SAML Service Provider (SP) with Multi-Factor (nFactor) authentication now prepopulates the user-name field on the login page. The appliance sends a NameID attribute as part of an SAML authorization request, retrieves the NameID attribute value from the NetScaler SAML Identity Provider (IdP), and prepopulates the user-name field.
  [# 677540]

NetScaler CPX

• Support for Licensing the NetScaler CPX with Multiple Cores

  You can use NetScaler MAS to pool your NetScaler CPX licenses, and use NetScaler MAS as a licensing server. You can use the NetScaler GUI to install licenses in MAS by uploading the license files or using the License Access Codes (LACs) that you purchased from Citrix. If you are provisioning a NetScaler CPX deployment with multiple vCPU cores, each core is allocated a CPX license from the license pool. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/cpx-licensing.html.
  [# 673368]

• Ability to Control the Throughput Performance of NetScaler CPX

  When a NetScaler CPX container does not receive any incoming traffic to process, it yields CPU cycles, which causes low throughput performance. When provisioning the NetScaler CPX container, you can now use the CPX_CONFIG environment variable to control the throughput performance of the NetScaler CPX container in such cases. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
  [# 687896]

NetScaler Gateway

• Support for One Time Password (OTP)

  NetScaler Gateway now supports one-time passwords (OTPs) without having to use a third-party server. In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the NetScaler appliance.

  Note that, since third-party servers are no longer needed, the gateway administrator has to configure an interface to manage and validate user devices.

  To use the OTP feature, a user must be registered with a NetScaler Gateway virtual server. Registration is required only once per unique device, and typically is restricted to certain environments. Configuring validation of a registered user is similar to configuring an additional authentication policy. For more information about this feature, see http://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html
  [# 603663]

• Support for End-point analysis and VPN plugins for Firefox

  End-point analysis and VPN plug-ins get launched from Firefox browser, build 52.0 or later, even though the browser no longer supports NPAPI plug-ins.
  [# 679998, 682798]

NetScaler SDX Appliance

• Support for FQDN as External Server Name

  For LDAP and RADIUS servers, you can now use Fully Qualified Domain Names (FQDNs) to specify external servers. Previously you had to specify IP addresses for all external servers.

  For more information, see http://docs.citrix.com/en-us/sdx/12/configuring-management-service/configuring-external-authentication-server.html.
  [# 684417]

NetScaler Secure Web Gateway

• Support for a new product called NetScaler Secure Web Gateway

  The NetScaler Secure Web Gateway (SWG) implementation supports the following features:

  * SSL Interception - Intercept HTTPS traffic and apply policies to enforce compliance rules and security checks. The traffic is intercepted, blocked, or bypassed on the basis of the configured policies.

  * Forward Proxy - Support for transparent and explicit proxy modes. In explicit proxy mode, an IP address must be specified in the client's browser, unless the organization pushes the setting onto the client's device. This address is the IP address and port of a proxy server that is configured on the SWG appliance. All client requests are sent to this IP address. In transparent proxy mode, a proxy is not configured on the client's device. The SWG appliance is configured in an inline deployment, and the appliance transparently accepts all HTTP and HTTPs traffic.

  * Identity Management - Tag traffic to the users so that administrators can take user based actions. Authentication is explicitly enabled, or user information from the active directory is extracted and tagged to the traffic.

  * URL Threat Intelligence - Enable the appliance to categorize internet sites to more effectively enforce compliance policies around internet usage. URL threat intelligence also provides the reputation score of the URLs that are being accessed, to protect the users from exposure to harmful (malware/phishing) internet sites. You can also deploy custom URL lists that are managed by independent internet organizations, such as the Internet Watch Foundation (IWF), or create blacklists and whitelists of URLs by using pattern sets.

  * Analytics - The transaction-level records are exported from Secure Web Gateway to NetScaler MAS by using the Logstream transport mechanism. In NetScaler MAS, the User Behaviour Analytics dashboard displays user internet-usage information. It also shows the transaction-level details per user. From the Outbound Traffic Dashboard, you can view the overall network details, and the top websites in terms of maximum bandwidth consumption.

  Using the above features, an administrator can protect the enterprise network from external threats coming from the web in the form of malware, by defining policies to do the following:

  - Block access to URLs identified as serving harmful content.

  - Identify end users in the enterprise (employees) who are accessing malicious websites, and categorize them as high-risk users.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler-secure-web-gateway/12.html.

  Important! Secure Web Gateway requires its own platform license. Contact your local Citrix sales representative to purchase your license.
  [# 653661]

NetScaler VPX Appliance

• Support for AWS Auto Scaling Service

  AWS Auto Scaling in now supported on VPX instances.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/configuring-aws-auto-scaling-service.html.
  [# 432348, 432345, 487534]

• Two New Commands to Control CPU Usage Behavior

  Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMWare ESX and Citrix XEN environments:

  1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

  Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

  Set ns vpxparam parameters:

  -cpuyield: Release or do not release of allocated but unused CPU resources.

  YES: Allow allocated but unused CPU resources to be used by another VM.

  NO: Reserve all CPU resources for the VM to which they have been allocated. This option shows higher percentage in hypervisor for VPX CPU usage.

  DEFAULT: NO

  Note: On all NetScaler VPX platforms, the vCPU usage on the host system will be 100 percent. Type the set ns vpxparam –cpuyield YES command to override this usage.

  2. show ns vpxparam

  Display the current vpxparam settings.
  [# 625698]

• Support for Subscription-Based Licensing Model

  A subscription based licensing model is now supported for NetScaler VPX in the Azure Marketplace. When creating a NetScaler VPX instance on Azure, you can choose either subscription (pay by hour) or Bring Your Own License (BYOL).

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure.html.
  [# 683144, 644004]

• Support for NetScaler Pooled Capacity Licensing Framework

  The NetScaler pooled-capacity licensing framework is now supported on Microsoft Azure and Hyper-V, and Amazon Web Services. A pooled-capacity enabled NetScaler VPX instance can check out licenses from a bandwidth pool of any NetScaler software edition (Platinum/Enterprise/Standard) hosted on and served by NetScaler MAS server. The bandwidth pool is the total bandwidth that can be shared by NetScaler instances. You can dynamically modify the bandwidth of a VPX instance as appropriate for the available pool.

  For more information, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
  [# 684408]

Networking

• Support for Bidirectional Forwarding Detection Protocol

  Bidirectional Forwarding Detection (BFD) protocol is a mechanism for fast detection of failures of forwarding paths. BFD detects path failures in the order of milliseconds. BFD is used in conjunction with dynamic routing protocols.

  In BFD operation, routing peers exchange BFD packets at a negotiated interval. If a packet is not received from a peer within the negotiated interval plus grace interval, the peer is considered to be dead and a notification will be sent to the set of registered routing protocols. In turn, the routing protocols recalculate the best path and reprogram the routing table. BFD supports smaller time interval, when compared to the timers provided by the routing protocols, thus resulting in faster detection of failures.

  The NetScaler appliance supports BFD for the following routing protocols: BGP (IPv4 and IPv6), OSPFv2 (IPv4), and OSPFv3 (IPv6). BFD support in the NetScaler appliance is compliant with RFCs 5880, 5881, and 5883.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-routing/configuring-dynamic-routes/configuring-bidirectional-forwarding-detection.html.
  [# 647447]

• Removing RNAT Sessions

  You can remove any unwanted or inefficient RNAT sessions from the NetScaler appliance. The appliance immediately releases resources (such as a port of the NAT IP address, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected RNAT sessions from the NetScaler appliance.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.
  [# 672953]

• Using the Client IP address in the Outer Header of Tunnel Packets in DSR IP tunneling mode

  The NetScaler supports using the client IP address as the source IP address in the outer header of tunnel packets related to direct server return mode using IP tunneling. This feature is supported for DSR with IPv4 and DSR with IPv6 tunneling modes. For enabling this feature, enable the use client source IP address parameter for IPv4 or IPv6. This setting is applied globally to all the DSR configurations that use IP tunneling.

  For more information about this feature, see the section "Using the Client IP address in the Outer Header of Tunnel Packets" at http://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-dsrmode-tos-ipoverip.html.
  [# 677829]

• Increase in Maximum Value for VRRP Dead Interval

  In an active-active setup of NetScaler appliances using Virtual Router Redundancy Protocol (VRRP), VRRP dead interval is the time interval after which the master VIP address is marked down if the VRRP advertisements are not received from the node of the master VIP address.

  The maximum value that can be set for VRRP dead interval has been increased from 3 to 60 seconds.
  [# 679999]

System

• Call Home Support for NetScaler Services in Citrix Service Provider (CSP) Deployments

  In a Citrix Service Provider (CSP) environment where NetScaler services are deployed on VPX instances, the call home feature can now monitor and track the license specific information and securely send it to Citrix Insight Services (CIS). The CIS in turn sends the information to the License Usage Insights (LUI) portal for accounting purposes and for CSP customers to review their license usage. Currently, CSP environments support NetScaler services on VPX instances only, not on MPX or SDX appliances. The VPX instances can be deployed in either standalone or high availability mode.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/system/configuring-call-home.html.
  [# 637763]

Fixed Issues

• The NetScaler appliance might fail if you use Kerberos authentication and the cached ticket incorrectly points to NULL, because the Kerberos ticket has expired and removed from the Distributed Hash Table (DHT).
  [# 678865]

• The NetScaler appliance crashes because of a failure to access the NetScaler AAA logon credentials. The failure occurs while attempting to match the rewrite policy against an AAA group.
  [# 680099]

• NetScaler fails to perform SAML Single Logout, if NetScaler is configured for SAML Authentication with an Identity Provider (IdP) that sends session index of 64 bytes. If the session index is less than 64 bytes, Single Logout is performed as expected.
  [# 683429]

• Client logons are delayed by 15 seconds if Kerberos Constrained Delegation (KCD) is used on a NetScaler appliance. The delay occurs during the process of issuing a Kerberos ticket to the client.
  [# 683869]

• In rare scenarios, NetScaler dumps core if dialogue mode operation like password change operation happens during RBA authentication.
  [# 684648]

• In some authentication modes, a NetScaler appliance configured for NetScaler AAA becomes unresponsive if a “Max Login Attempt” value is configured on an authentication virtual server.
  [# 688463]

Admin Partitions

• When you access a partitioned appliance through the NetScaler GUI, the Dashboard does not display the "CPU vs. Memory Usage and HTTP Requests Rate" graph in the left pane.
  [# 676700]

• When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
  [# 677765]

• On a partitioned NetScaler appliance, the system memory counters are not updated properly unless they are cleared during partition deletion.
  [# 681422, 682240]

AppExpert

• When a NetScaler appliance receives a client request for evaluating a responder policy, it might not log the responder data. Before evaluation, the appliance sets the ns_auditlog_module_id global variable and uses the data for log processing. If during the evaluation you block the log action and wait for more data, and while you are waiting the appliance receives another client request to evaluate a different policy, the responder log data is not recorded for the responder module.
  [# 687140]

AppFlow

• The NetScaler appliance crashes, dumps core, and restarts if a certificate is unbound from an SSL virtual server while an SSL transaction is in progress.
  [# 679995]

• When ClientSide Measurements is enabled, and you access the NetScaler Gateway, then the Microsoft Internet Explorer browser displays an error.
  [# 680567, 688758]

• A NetScaler appliance crashes and dumps core if an ECDSA certificate is bound to the SSL virtual server that processes an SSL transaction.
  [# 683567, 686195]

• When both Logstream and IPFIX (AppFlow) collectors are configured on a NetScaler instance, NSBs leak while trying to send an IPFIX msg on a Logstream collector.
  [# 687908, 686407]

Application Firewall

• On a NetScaler appliance running release 11.1 build 64, SQL and cross-site scripting relaxations might not work for application or json content types. The AppFW logs display the following message, even when the relaxation rules are applied for User-Agent:

  SQL Keyword check failed for header User-Agent.
  [# 651054]

• A large number of DHT operations causes high CPU usage when StartURLClosure is enabled. Packet per engine (PPE) operations consume over 95% of the CPU cycles after an upgrade to NetScaler 11.1.
  [# 672807, 672753]

• Form based NetScaler AppFirewall checks can be bypassed by a multipart POST request in which the Content-type header has been tampered with.
  [# 674658]

• The NetScaler AppFirewall appliance crashes while copying form data if the form field consistency check is enabled.
  [# 678297, 689073]

• A NetScaler appliance running release 11.1 and build 52 might fail because of a mismatch during memory allocation and display the following error message:

  userspace_panic as_free().
  [# 681746, 683564, 684632]

• Since release 11.1 build 41, the ImportSizeLimit parameter in the AppFW settings can be set to limit the size of the objects that are imported to the NetScaler appliance. This limit is now extended from 128 MB to 256 MB. Execute the following set command from the CLI to change the value to meet your requirement:

  set appfw setting -importsizelimit

  Maximum value: 268435456

  Minimum value: 1

  Default: 134217728

  Example

  > set appfw setting -importsizelimit 268435457
  [# 682219]

• The application firewall signature-update warning messages are not delivered in standard syslog message format. Therefore, NetScaler MAS does not process them. The warning messages do not include the module name or a time stamp, both of which are part of the syslog standard. Signature update messages are also not in standard syslog format.
  [# 682416]

• Applying cross-site scripting checks to complete URLs causes applications to stop after an upgrade. With this fix, cross-site scripting checks run only on the URL's base path if the CrossSiteScriptingCheckCompleteURLs option is enabled in the AppFw profile.
  [# 682770]

• Application firewall log messages generated when data is dropped because of Unknown Content-Type do not include the Content-Type Header value, which would facilitate tracking and monitoring.

  This issue has been fixed now. The application firewall logs allows requests which have multiple charsets with same value in the content-type header.
  [# 682778]

• On a NetScaler AppFirewall appliance, URL global pages cause memory buildup on the secondary node when the URL closure protection feature is enabled.
  [# 683366]

• When you attempt to export learned data for an application firewall profile, the appliance fails because of improper initialization of a stack variable. The Aslearn process restarts continuously because of connection failure.
  [# 684988]

• Traffic to a back-end application is blocked by the HTML cross-site scripting check when the profile type is XML. The cross-site scripting check fails for field with following tags; &lt;?xml version="Bad tag: ?xml" <blocked>.

  When you have cross-site scripting enabled, the application firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:

  Left angle bracket (<) to HTML character entity equivalent (&lt;) Right angle bracket (>) to HTML character entity equivalent (&gt;) This prevents browsers from interpreting unsafe html tags, such as <script>, and thereby executing malicious code. If you enable both request-header checking and XSS transformation, any special characters found in request headers are also modified as described above. If scripts on your protected web site contain cross-site scripting features, but your web site does not rely upon those scripts to operate correctly, you can safely disable blocking and enable transformation. This configuration allows legitimate web traffic while stopping any potential cross-site scripting attacks.
  [# 685775]

• The NetScaler packet processing engine fails to start when URL transform regression scripts are executed during a low-memory condition.
  [# 687625]

Clustering

• When secure connection is enabled on CCO, config sync doesn't work.
  [# 525671]

DNS

• In a cluster setup, the default DNS policy is not made available to packet engines. With this fix, the default DNS policy is loaded into the packet engine.
  [# 669829]

• If a NetScaler appliance receives a CNAME chain that includes some entries that are currently cached, the appliance returns a valid address record instead of reporting that the bailiwick check failed.
  [# 675553]

• When a NetScaler appliance in resolver mode receives a DNS response from a name server and forwards it to an alternative name server, the NetScaler appliance goes DOWN.
  [# 682730, 683138, 680141]

Front End Optimization

• The NetScaler appliance dumps core when the front end optimization (FEO) feature is enabled for one virtual server and an AppFlow action with client-side measurement is enabled for another virtual server.
  [# 686146]

GSLB

• In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
  [# 682766, 683601, 685391]

Integrated Cache

• The integrated cache does not have enough memory to accommodate the policy updates required when all policies bound to a content group have to be updated because of a change in the cache configuration. This fix increases the cache memory allocation from 4 Kb to 80 KB.
  [# 675025, 675504]

• The NetScaler Integrated Cache might delay processing of client requests if you enable the flash cache.
  [# 681664]

Load Balancing

• The NetScaler appliance crashes, because an issue in the internal timer logic in stream analytics causes the system to spend more time than expected for ageing tasks.
  [# 672899]

• A spillover trap might be sent even though a backup virtual server is not configured.

  With this fix, a spillover trap is sent only if one of the following conditions applies:

  - A spillover method or policy is configured.

  - No spillover method or policy is configured, but a backup virtual server is configured to accept the traffic when the primary virtual server is DOWN.
  [# 679991]

• NetScaler: AAA

  A cached ticket is expired before server receives it. This happens when a NetScaler is used as a kerberos SSO to backend servers. This usually happens just around the time ticket expires, which is typically 10 hours.
  [# 681026]

• When you rename an HTTPS virtual server that is associated with an internal HTTP virtual server, the internal virtual server's name is not changed correctly.
  [# 681559, 674427]

• The maximum string size of Target Vserver Expression is 1500. If the configuration includes an expression greater than 1500, the NetScaler appliance crashes. With this fix, the maximum string size of Target Vserver Expression is limited to 1499.
  [# 684131]

• The RADIUS shared secret key is now an optional configuration for all RADIUS load balancing and RADIUS Listener deployments. All existing configurations continue to function as they did before.

  The validation of the RADIUS shared secret key happens in the following scenarios:

  - RADIUS shared secret key is configured for both the radius client and the radius server: The NetScaler appliance uses the RADIUS secret key for both the client side and the server side. If the verification succeeds, the appliance allows the RADIUS message to go through. Otherwise, it drops the RADIUS message.

  - RADIUS shared secret key is not configured for either the radius client or the radius server: The NetScaler appliance drops the RADIUS message, because shared-secret-key validation cannot be performed on a node that has no radkey configured.

  - RADIUS shared secret key is not configured for both the RADIUS client and the RADIUS server: The NetScaler appliance bypasses the RADIUS secret key validation and allows the RADIUS messages to go through.
  [# 687326, 688713, 690164]

NITRO

• In a partitioned NetScaler appliance, you can add authentication loginschemas with inbuilt schemas through the NetScaler command line interface only.

  To add authentication login schemas through the NetScaler CLI, use the switch partition command. For example:

  > switch partition p1

  Done

  p1> add loginSchema ls1 -authenticationSchema LoginSchema/DualAuth.xml

  Done
  [# 687133]

NetScaler 1000V Appliance

• TCP services that go through tagged VLAN interfaces might go down.
  [# 683196]

NetScaler GUI

• Certificate bundles are not supported in cluster setups.
  [# 644199]

NetScaler Gateway

• When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.
  [# 607555, 616311]

• When HTTP Strict Transport Security (HSTS) is enabled on a virtual server and on a NetScaler appliance, the appliance adds an STS header to the response. An HSTS-enabled response advertises that the appliance accepts only HTTPS requests. It does not accept plain-text HTTP. This option prevents privacy leaks and downgrade attacks and uses trusted certificates to establish a secure connection to the server.

  When HSTS is enabled on a NetScaler appliance, a browser that supports HSTS does the following:

  - Automatically redirects the HTTP requests to HTTPS for the target domain. For example, http://example.com/some/page/ is changed to https://example.com/some/page/ before the appliance accesses the server.

  - Does not allow access to the server unless the connection is secure. For example, the server's TLS certificate must be valid, trusted, and not expired.
  [# 654092]

• The NetScaler appliance becomes unresponsive if you change the NTLM path from HTTP to HTTPS.
  [# 657633]

• The Certificate Revocation Lists (CRL) checks and Online Certificate Status Protocol (OCSP) validation are not done on a NetScaler appliance through an SSL renegotiation as part of certificate based authentication.
  [# 658120, 684909]

• In rare cases, a NetScaler appliance dumps core if the server-side connection closes while NTLM Authentication is in progress..
  [# 670062, 657633, 684467, 686139, 672074, 681078]

• When you run the "sh icaconnection summary" command, the columns in the output are misaligned.
  [# 670277]

• Memory leak in SSLVPN pool is encountered when connection to AAAD daemon is closed at the time of authentication.
  [# 670586, 683809, 671944]

• If you configure TACACS authentication in “password*OTP” format, and a user types an invalid credential, the following incorrect error message appears:

  Error in retrieving Versions. Cannot read property ‘replace’ of undefined.

  You can ignore the message.
  [# 672001]

• With this enhancement, Storefront server can be used to validate user credentials instead of Active Directory server. This simplifies Gateway configuration in XA/XD deployments where StoreFront server is mandatory.

  This is applicable only for end user login with password. This feature cannot be used for group extraction without user password. Please check documentation for details.
  [# 672398]

• User session exists on NetScaler appliance after client machine logs out of VPN because of SmartCard removal.
  [# 675596]

• In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
  [# 676545]

• NetScaler Gateway dumps core in case SingleSignOn (SS0) is disabled and the connection to server is removed or gatetimeout happens during TCP handshake with the back-end server.
  [# 678251]

• The NetScaler appliance dumps core when a user connected, through Unified Gateway, to a VPN virtual server bound to an AppFlow policy does the following:

  1. Changes the content switching (CS) action to connect to another VPN virtual server, which is not bound to an Appflow policy.

  2. Then removes the first VPN virtual server.

  3. Continues to access resources over the initial VPN session.
  [# 678847]

• DTLS feature must not be enabled on a virtual server configured with "listen" policy. Using command "add vpn vser" on a virtual server with the DTLS feature enabled and "listen" policy configured returns success but the DTLS feature does not get enabled on the virtual server.
  [# 679025]

• In rare scenarios, NetScaler dumps core while accessing virtual server information when the RDP traffic is handled by separate RDP listener on NetScaler and the virtual server information is not present.
  [# 679360]

• In rare situations, the Windows plug-in fails during VPN session logout.
  [# 679570]

• Upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), back-end sites take too long to open.
  [# 679582]

• In rare cases, a NetScaler Gateway appliance in a Unified Gateway (UG) deployment dumps core if the traffic management (TM) virtual server behind the UG is configured for SAML with advanced policies and the content switching (CS) policies are not properly configured to route SAML responses to TM.
  [# 679768]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and the Gantt chart option under Tasks is selected, some of the options in the Tasks section (for example, Completed, and Late Task) are not accessible.
  [# 681689]

• If Gateway is configured for certificate authentication in primary cascade with ldap group extraction in secondary, Gateway is disregarding errors from aaad when group extraction is attempted.
  [# 681913]

• In rare scenarios, blue screen appears (BSOD) when NetScaler VPN plug-in is installed along with Pulse Secure plug-in.
  [# 683009]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), you can't access the "OneDrive" and "Sites" options on the home page if Clientless Mode URL Encoding is set to ENCRYPT.
  [# 683390]

• In rare cases, the NetScaler appliance dumps core when a client sends a FIN event without an HTTP body.
  [# 683452]

• HTML5 Receiver app launch fails while accessing a NetScaler Gateway bound with RfWebUI theme portal.
  [# 683987]

• In rare scenarios, after rebooting the system, AlwaysON enabled VPN plugin fails to connect to Gateway.
  [# 684709]

• When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.
  [# 684774]

• Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).

  As written in the XenMobile Server known issue doc: http://docs.citrix.com/en-us/xenmobile/server/known-issues.html

  With NetScaler 12.0.41.16, when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is fixed in NetScaler 10.0 build 41.22. For details and updates, see this Support Knowledge Center article. [#685075]
  [# 685075]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and upload a form that has a post body exceeding 8 KB, NetScaler rewrite policies do not decode the form content beyond 8 KB.
  [# 685215]

• In rare cases, a NetScaler Gateway appliance dumps core when the single-sign-on feature tries to access an authentication resource that has been removed.
  [# 685389]

• A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.
  [# 685421]

• The client detection logic for Citrix Receiver does not work in Firefox, because the browser no longer supports NPAPI plug-ins.
  [# 686337]

• The NetScaler appliance fails to access the gateway home page after an upgrade to software release 11.1 build 51.21. The cause of the failure is the presence of an unexpected parameter (/ilearn).
  [# 686715, 687092]

• In rare cases, while accessing Gateway via proxy, NetScaler dumps core if KCD based Single Sign-On is attempted to back-end servers.
  [# 686858]

• In rare situations, VPN plug-in installation fails and a "Citrix Access Gateway is not supported on this platform" error message appears on a machine running a 64-bit operating system.
  [# 687139]

• The NetScaler appliance dumps core during Core2Core communication as resetting the TCP connection closes the connection without cleaning the connection structure.
  [# 687211]

• The NetScaler appliance fails when it tries to authenticate an invalid incoming HTTP packet.
  [# 688215]

NetScaler SDX Appliance

• When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.
  [# 672042, 686510]

• A NetScaler SDX appliance does not propagate a global MAC address to the VPX instances if you do both of the following:

  - Assign a global base MAC address in generated mode to a manual channel or an LACP channel.

  - Reset the global base MAC address.
  [# 682573]

• If system logs are not rotated properly, over time they consume too much disk space. This causes the XenServer server to run out of disk space and creates unexpected system behavior.
  [# 683171, 684959, 685535]

• A NetScaler VPX instance's configuration is deleted if you use the Management Service to force a reboot of the instance.
  [# 683743]

NetScaler VPX Appliance

• In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order.

  For example, if the primary node has NICS 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), upon failover the new primary would have 1/2 (1A:2B:3C:4D:5E:6F), 1/3(AA:BB:CC:DD:EE:FF), 1/4(12:34:56:78:90:12). Here, the interface MAC order has changed. However, this behavior does not apply to the NIC that's configured with the NetScaler management IP address.
  [# 675746]

• In a NetScaler cluster, the configuration coordinator (CCO) node does not support the set ns vpxparam -cpuyield command for controlling CPU-usage behavior.
  [# 678401]

Networking

• A NetScaler appliance might become unresponsive or a high CPU is observed during the following scenario:

  * The appliance resolves a domain into two IP addresses, one of the IP addresses is a NetScaler owned IP address and the other is an external IP address.

  * The appliance sends a packet destined to the external IP address from LO/1.

  * The response packet keeps looping after the appliance receives it.
  [# 669754, 669977, 687943]

• In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
  [# 677815, 679068, 680001]

• In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
  [# 679068]

• Memory allocated for a TCP session might not get free after a failure in reassembling fragments of a size of more than 1500 bytes. This accumulation over a period of time depletes available memory.
  [# 680185, 680186]

• Interfaces in MUTED state might drop the LLDP packets instead of processing them.
  [# 682769]

• The NetScaler appliance drops ND6 solicitation packets received on interfaces that are in muted state.
  [# 684119]

• The NetScaler appliance updates the ND entry of a next hop router with its MAC address after learning it from the router advertisement packets received from the router. The appliance might not update the state of the ND entry from INCOMPLETE to STALE. This update failure results in looping the outgoing packets ( destined through the next hop router) in the NetScaler queue. As a result, the NetScaler appliance becomes unresponsive.
  [# 684126]

• The NetScaler appliance does not process the BGP remote-as configuration for an IPv6 peer after a reboot resulting in the loss of BGP configuration for this peer.
  [# 685123]

• In a NetScaler telco deployment, the NetScaler appliance reuses the outgoing probe connection information for two different incoming connections with the same 4-tuple that are destined to the same server. This reuse of probe connection might cause the NetScaler appliance to become unresponsive.
  [# 685344]

Optimization

• With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
  [# 681308]

• When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."

  For example:

  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE

  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST

  ERROR: CVPN Policies cannot be bound to multiple entities
  [# 682864]

• A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
  [# 682947]

Policies

• In some cases, the system encounters a fault if, when adding an entry to a pattern set, you experience errors such as too long patset strings, bad UTF-8 characters, or bad regular expressions.
  [# 675677]

• When an Advanced expression function in an ALT expression blocks the current evaluation of the expression, then upon resumption it may cause the NetScaler appliance to crash.
  [# 687345]

SSL

• Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols appear as enabled by default on an SSL virtual server.
  [# 576274]

• A configuration loss, such as the ECC curve and ciphers unbinding from an SSL virtual server or service, might occur after you upgrade to this build.
  [# 613912, 643135, 647100]

• If you add a partition and later remove it, the state of all the SSL virtual servers configured on the appliance changes to DOWN.
  [# 660319, 667130, 671887]

• A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.
  [# 673348, 682192, 682160, 684547, 684992, 687515]

• In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.
  [# 674278, 678890]

• The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.
  [# 675158]

• If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
  [# 675887]

• If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
  [# 678474]

• If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
  [# 678743, 678740]

• You cannot modify the internal OCSP responder parameters in this build.
  [# 679708]

• The value for days to expiration of a certificate appears incorrectly on a cluster IP (CLIP) address.
  [# 682493]

• In a cluster setup, if you remove a service group, the corresponding entries on the CCO node are not deleted.
  [# 682767]

• The NetScaler appliance dumps core and restarts if a wildcard SSL virtual server has the -m mac option enabled.
  [# 682775]

• In a cluster setup, if you rename a service group, the corresponding entries on the CCO node are not updated.
  [# 682784]

• On a NetScaler MPX or SDX 14000 FIPS appliance, requests are not forwarded to the back-end server if virtual-server based transparent access with a wildcard IP address (*:443) is configured in a transparent SSL acceleration setup.
  [# 684413]

• Memory usage might continuously increase on a partitioned NetScaler VPX appliance processing SSL traffic. As a result, the appliance might become unresponsive after some time.
  [# 685669]

• The NetScaler appliance dumps core and restarts if it receives a request while both session-ticket and SSL-session persistence are enabled.
  [# 687575]

• The NetScaler appliance dumps core and restarts if both client authentication and session ticket are enabled and a session ticket reuse request is continuously received on the appliance.
  [# 687777]

System

• Enabling both the AppFlow option and the AppQoE option might cause a memory leak, which can degrade performance and eventually cause the appliance to fail.
  [# 640545, 685334, 686832, 687603]

• If the integrated cache (IC) memory limit is set to a value greater than 4 GB and front end optimization (FEO) is enabled, the NetScaler appliance crashes.
  [# 666208]

• A NetScaler appliance adds an SNMP trap for TCP-level synflood if the Varbindings are incorrect for the synflood trap.
  [# 671128]

• Snmpd communicates with nsaggregatord to process the requests it receives. The SNMP Code also maintains a cache of the responses from aggregator in the form of a CacheTable. If the CacheTable is corrupted, a crash might result.
  [# 675631]

• If you enable Front End Optimization (FEO) and configure Integrated Cache (IC) with cache selectors, the NetScaler appliance might crash.
  [# 677943]

• In a high availability setup, the following command-propagation warning message appears when a backup is created for a large configuration file on the primary node: "Warning: There is no response from secondary. Propagation Timed out” However, propagation of the backup file succeeds after some time.
  [# 679376]

• A NetScaler appliance crashes if the content-type header is missing from an HTTP responder.
  [# 681284]

• If a client sends an HTTP/2 header continuation frame, the NetScaler appliance dumps core.
  [# 681361, 683274]

• If a load balancing virtual server configured with a backup server is down, the si_cur_Client counter underflows, causing client connections for the virtual server to display abnormal values in the NetScaler GUI.
  [# 682762]

• If multiple trap destinations have the same IP address but different SNMP versions, one of which is SNMPv3, modifying an SNMPv3 trap message leads to an appliance failure.
  [# 683622, 683806]

• If the MSS value in a client TCP handshake with a NetScaler appliance is from 1322 to 1329, the appliance sends 1330-byte segments, which cause packet drops, and the TCP connection fails.
  [# 684148, 687638]

• A NetScaler appliance in a high availability configuration crashes when using TCP transport to send log messages.
  [# 685898]

• The NetScaler appliance does not send buffered log messages when the SYSLOG server is ready to accept them.
  [# 686751]

Known Issues

• SHA256 digest algorithm is not supported on a NetScaler FIPS appliance configured for SAML authentication or as a SAML IDP. However, an appropriate error message does not appear in the browser.
  [# 639349]

• The TACACS attribute or group extraction is supported only if the back end is Cisco ACS TACACS+ Server. For TACACS server other than Cisco, the attribute or group extraction is not supported. For more information, see https://support.citrix.com/article/CTX220024.
  [# 651719]

• A NetScaler appliance configured for NetScaler AAA with LDAP over SSL becomes unresponsive when the connection to the NetScaler AAA daemon is used to its full capacity. At that point, the packet engine is unable to process any more authentication requests.
  [# 660065, 674005]

• If the back-end server's domain name does not include a dot, DNS resolution fails during Kerberos Single Sign-ON (SSO).
  [# 667953]

• In rare scenarios, response cookie from OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, length check for cookie value in success-rule configured in Forms SSO action on the NetScaler appliance needs to be updated with an appropriate value.
  [# 676450]

• When SAML authentication is employed as the log on method for Gateway users on FIPS hardware, and an encrypted assertion is sent from IdP, then the NetScaler appliance dumps core memory.

  This is applicable only for FIPS hardware platforms.
  [# 677458]

• If the primary and secondary passwords in a logon request are the same, and the first-factor authentication server prompts the user to change the password, the second-factor server uses the password that was sent in the logon request.

  Workaround: Configure the second-factor authentication server to use the http.req.user.passwd expression if the first-factor server requests a password change.
  [# 678553]

• In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for required users. Otherwise, EPA flow starts even for users that do not require EPA.

  Workaround: Configure EPA factor only for users requiring it. This could be achieved by configuring passthrough factors to make logic decisions.
  [# 680519]

• If forms based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected, because the server sends 64 byte cookie upon successful SSO.
  [# 681730]

• In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for required users. Otherwise, EPA flow starts even for users that do not require EPA.

  Workaround: Configure EPA factor only for users requiring it. This could be achieved by configuring passthrough factors to make logic decisions.
  [# 683224]

• The back-end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials.

  Workaround: Create a traffic policy based on back-end URL and create a trafficAction with SSO OFF and No Proxy. The back-end should be accessible.
  [# 689153]

• A NetScaler appliance can add multiple NetScaler AAA groups, but the “save config” operation saves only the first group.
  [# 689212, 689457]

• In release 12.0, nFactor authentication supports end point analysis (EPA) as one of the factors for VPN Gateway, but not for AAA traffic management (AAA-TM). Therefore, an EPA enabled authentication virtual server is not supported for AAA-TM.

  Workaround: For AAA-TM, create an authentication virtual server that does not include EPA as one of the factors.
  [# 691242]

AppFlow

• If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.
  [# 603177, 647386]

• If there are more than 300 embedded objects in a web page, and if client-side-measurements is enabled, the NetScaler instance might become unresponsive.
  [# 686027]

Application Firewall

• A NetScaler AppFirewall appliance with the compression feature enabled sometimes puts blank lines in HTTP response headers, resulting in garbled page rendering by the browser.
  [# 629128]

• In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.

  Workaround: Use the Google Chrome browser.
  [# 648272]

• The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
  [# 650789, 650317, 658472]

• The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
  [# 660546]

• An alert is generated when you set the NetScaler AppFirewall session limit to a value of 0 or lower, because such a setting affects advanced protection check functionality that requires a properly functioning application firewall session.
  [# 668892]

• If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.

  Workaround: Turn off the Learning feature when skipping learned rules.
  [# 671807]

• In an HA environment, a NetScaler appliance running release 11.0 does not learn new rules when the application firewall feature is enabled.
  [# 672864]

• When a third-party version-0 signature object is merged with a user-defined signature that is not version 0 and has both native and user-defined rules, the resulting signatures are all version 0 and do not include the native rules.

  To include the native rules, you must update both signature objects (third-party and user-defined) before the merge. The update changes the version from 0. If you then perform the merge operation, the Native rules are included.
  [# 672970]

• Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
  [# 674864]

• If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.
  [# 682935]

• The IP address of a content switching virtual server cannot be accessed after an upgrade from a previous release to the current release. The POST request results in a 302 redirect error.
  [# 687314]

• After an upgrade from release 11.0 build 63.13 to release 11.1 build 52.13, processing of the query parameter in an HTTP GET request enters a loop. For example:

  GET /webcenter/portal?_afrLoop=877791362281928 HTTP/1.1\r\n
  [# 687973]

• The NetScaler appliance restarts if it attempts to process an invalid incoming HTTP packet.

  Workaround: Run the following command from the shell, and add it to the /nsconfig/rc.netscaler file: nsapimgr_wr.sh -ys invalidwaitqdbg=0
  [# 688479]

• Turning on the logging feature on a NetScaler Application Firewall appliance stops NStrace from generating reports for the logs.
  [# 689215]

Clustering

• For validating a Citrix NetScaler cluster setup against IPv6 ready logo suite, Citrix recommends to use cluster link aggregation (CLAG) consisting of only one interface per cluster node.
  [# 679468]

• The NetScaler appliance might fail to reestablish a connection if both of the following conditions are met:

  • The policy engine (PE) receiving the traffic is in the DOWN state.

  • The NetScaler buffer (NSB) is kept on hold by a recovery mechanism.
  [# 685979, 687732]

GSLB

• When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
  [# 658108, 679822]

Load Balancing

• In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.
  [# 673446, 684550, 688305]

• In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.
  [# 685179, 684834]

• If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance's ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.
  [# 685856, 687784]

NITRO

• Restarting a NetScaler appliance after upgrading it to release 12.0 might cause the appliance to fail to respond to NITRO requests.
  [# 686434, 672544, 689415, 690265]

NetScaler CPX

• Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
  [# 658734, 658736]

• Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
  [# 680693]

NetScaler GUI

• In older versions of Internet Explorer version 7, the browser incompatibility message does not appear for NetScaler build 11.1. The logon page directly appears, and you can log on successfully.
  [# 649052]

• When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.

  Workaround: Click the option again.
  [# 655159]

• If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.
  [# 657924]

• If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
  [# 658132]

NetScaler Gateway

• An error message appears when a user logs off of a Storefront session, if Gateway logon uses SAML based authentication for ICA Proxy mode.

  Workaround: Log off by closing the browser.
  [# 646706]

• The Internet Explorer 8 browser does not display the Gateway portal if the portal theme is set to Default, Greenbubble, or X1. The portal does appear if the portal theme is set to RfWebUI.
  [# 669942]

• If custom theme is applied for NetScaler 11.1 build 50.10, text for password field is not displayed.
  [# 671802]

• After a NetScaler HA failover, Citrix Receiver takes a few seconds to reconnect.
  [# 672067, 689973]

• RfWebUI based theme is not supported for an Authentication virtual server configured with Classic Authentication policies
  [# 672333]

• When nFactor authentication is configured with multiple factors having custom password expressions, default password for all secondary factors is passwd1.

  Users need to configure passwordExpression in loginSchema to pick the right password for the given factor if the logon flow is non-trivial.
  [# 675401]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), hyperlinks listed under "Sites" are nonfunctional.

  Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
  [# 679117]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture.

  Workaround: Use Chrome or Firefox.
  [# 679176]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you can't drag and drop files.

  Workaround: Upload the document instead of using drag and drop.
  [# 679193]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a word (.doc) document.

  Workaround: Use Firefox to open the document.
  [# 679713]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), "Stop Following a Site" functionality is not available.
  [# 679744]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar.

  Workaround: Use Chrome or Firefox.
  [# 679747]

• If nFactor authentication is configured on a NetScaler Gateway appliance running release 11.1 build 11.1 51.x or later, native clients use authentication policies configured on the authentication virtual server. See https://support.citrix.com/article/CTX223386 for details.
  [# 680378]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), a link is broken on the Setting > Master Pages screen. The link to Folders on Site is nonfunctional.

  Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
  [# 680403]

• If you log on to a VPN in a cluster Deployment, the value of Total Connected Users is shown incorrectly for the NSIP addresses of all the nodes. The correct value is shown for the CLIP address.
  [# 681247]

• When a VPN virtual server is configured with RfWebUI as a portal theme, the NetScaler Gateway Windows plug-in does not automatically reconnect after the upgrade.
  [# 682689]

• You cannot edit an uploaded document on SharePoint 2013 if you log on to SharePoint 2013 through NetScaler Gateway which has Single Sign-On (SSO) enabled.
  [# 683017]

• In rare scenarios, NetScaler Gateway dumps core if you have an SSL-Proxy configured at NetScaler Gateway and you access the intranet web application through a Clientless Virtual Private Network (CVPN) via Gateway that has proxy-authentication configured at proxy.
  [# 684488]

• Responder policies are not supported for a Gateway virtual server configured with a portal theme based on RfWebUI.
  [# 684658]

• In rare scenarios, NetScaler dumps core while binding Classic session polices to an existing binding entity, when you have multiple VPN policies configured to the NetScaler.
  [# 685463]

• Citrix Receiver fails to launch ICA sessions using Client Certificate based authentication at Gateway.

  Workaround: Use browser for login.
  [# 685862]

• If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.
  [# 685971]

• In a double-hop deployment, a NetScaler Gateway appliance intermittently dumps core when the first-hop server receives a TCP RST event from the second-hop server.
  [# 686508]

• When a user configures a NetScaler appliance for SAML Authentication, duplicate apps appear on the home page if the RfWeb UI portal theme is bound to the appliance.
  [# 686516]

• Some traffic patterns cause application launch through NetScaler Gateway to fail if EDT is enabled on virtual desktop applications.
  [# 686774, 686960, 687587]

• An end-point analysis scan request fails if a redirect from the SAML Service Provider (SP) to the SAML Identity Provider (IdP) is in progress.
  [# 687684]

• The NetScaler appliance deletes the JSESSIONID cookie from the HTTP request before sending the request to the origin server.
  [# 689472]

NetScaler ICA

• If AppFlow for ICA is enabled on a NetScaler appliance, applications might disconnect intermittently under certain network traffic conditions.
  [# 650607]

• The session reliability on HA Failover feature is not supported between 64-bit and 32-bit kernels in an HA pair.
  [# 681628]

NetScaler SDX Appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.

  Workaround: Delete the 10G LACP/static channel that has this issue and create it again.
  [# 600152]

• The Rx/Tx Flow Control configuration is lost if you manually set the Rx/Tx Flow Control for a 1000BASE-T copper interface to OFF, and the interface is reset.

  Workaround: Enable Flow Control Auto Negotiation (ON).
  [# 643853]

• You can only assign 22 partition MAC addresses to the following SDX platforms and the virtual machine will not start, if you assign more than 22 partition MAC addresses:

  * 11500

  * 13500

  * 14500

  * 16500

  * 18500

  * 20500

  * 115xx series
  [# 647534]

• The current software driver for 1Gbe ports does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.

  Workaround: After replacing the 1G SFP transceiver, reset the interface from Management Service. If the issue still persists, restart the appliance.
  [# 668696]

• In some cases, a client is unable to connect to the TCP-related VIP address of a NetScaler VPX instance on a NetScaler SDX appliance.
  [# 684106]

NetScaler Secure Web Gateway

• In a transparent proxy setup, classic policies cannot be used for authentication.
  [# 670198]

• The default certificate bundle is not listed when you run the show certbundle command.
  [# 685789]

• An authentication virtual server that is created by using the Secure Web Gateway wizard appears DOWN, because an SSL certificate is not bound to it. This does not affect the functionality.
  [# 686077]

• Connections using TCP protocols other than HTTP/HTTPS are dropped if SSL interception is enabled.

  Workaround: Add a policy with the following expression and bind it to a content switching virtual server of type PROXY.

  (CLIENT.TCP.DSTPORT.EQ(80)||CLIENT.TCP.DSTPORT.EQ(443))

  Example:

  add policy expression exp1 "(CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443))"

  add cs vserver starcs PROXY * * -cltTimeout 180 -Listenpolicy exp1 -Listenpriority 1 -authn401 ON -authnVsName swg-auth-vs-trans
  [# 686346]

• If you create a negotiate action by using a keytab file, the SWG wizard displays the domain name and user name instead of the service principal name (SPN).
  [# 686741]

• User authentication does not fail in transparent proxy mode even though an application firewall policy to block specific traffic is configured.
  [# 687328]

• You cannot send or receive multimedia messages by using WhatsApp in a NetScaler Secure Web Gateway deployment.
  [# 687748]

• An incorrect warning "No usable ciphers configured" appears if you change the SSL settings in a profile by using the Secure Web Gateway wizard.
  [# 689581]

NetScaler VPX Appliance

• Due to a limitation of the XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.
  [# 652640]

• The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.
  [# 657492]

• Due to a limitation in Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.
  [# 660000]

• Compatibility issues between Linux-KVM and the Intel XL710 interface might cause a NetScaler virtual appliance configured with a PCI passthrough to become unresponsive during startup.

  Workaround: Restart the Linux-KVM host.
  [# 660139]

• The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset), because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.
  [# 660159]

• If you use the IP link set command to change the VLAN ID to zero, or any valid value, on the virtual function (VF) on the host, the physical function (PF) processes the tagged packets with the original tag and does not reflect the new VLAN ID.

  Workaround: Run a reset command on the NetScaler VF, after changing the VLAN ID or removing it from the host. For example:

  reset interface 10/1
  [# 672441]

• If you configure an MTU value on a NetScaler VPX appliance running on Citrix XenServer and save the value, and force a shutdown, the saved MTU value is lost, and the appliance displays the old value.
  [# 676417]

Networking

• While responding to a VXLAN broadcast (for example, ARP and ND6), the NetScaler appliance does not look up the bridge table to populate the VNI field in the VXLAN header. The VNI field in the VXLAN header of the response is same as that of the incoming broadcast. This results in the peer VTEP dropping the response packets.
  [# 675626]

• The NetScaler appliance becomes unresponsive when it accesses memory that was not properly freed and therefore contains stale information about a session.
  [# 685233]

• When you remove a static route, the NetScaler appliance does not advertise the connected route that has the same prefix as that of the removed static route and for which the DRADV mode is enabled.
  [# 686058]

• The NetScaler appliance drops non-SYN TCP packets, which match an INAT rule, and a RESET is sent.
  [# 688642]

Optimization

• For the NetScaler video optimization feature to work properly, you must not delete the built-in policies that have an "ns_videoopt" prefix (for example, ns_videoopt_http_abr_netflix).
  [# 670449]

• The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
  [# 676593, 677838, 679578, 681853]

• The new video optimization feature is not supported on a partitioned NetScaler appliance.
  [# 677320]

• The NetScaler video optimization feature does not display the optimization statistics on the Dashboard or in the Reporting section of the NetScaler GUI.
  [# 678095]

• The video insight option cannot be enabled for a specific virtual server. You can only enable it as a global setting (set appflow param -videoInsight ENABLED).
  [# 678625]

• If a response from the StoreFront server does not have a Content Type field in the header, but the appliance expects a value in the Content Type field, the appliance crashes.
  [# 688412]

Platform

• Interfaces on NetScaler VPX instances are not hot-pluggable, except on NetScaler VPX appliances running on Amazon AWS.

  Workaround: Shut down the NetScaler VPX instances before adding or deleting the interfaces.
  [# 578198, 682586, 680889]

Policies

• The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.
  [# 663414, 675873]

• If you use classic expressions to filter the output of the show connectiontable command, only a warning message appears.

  Workaround: Use advanced expressions instead.
  [# 680916]

• When the appliance receives a client request, it blocks it for log action in the Responder module and upon receiving another request, if the appliance processes policies for other modules, the log messages do not get logged for the Responder module
  [# 685375]

Rewrite

• The NetScaler appliance can sometimes time out while restoring context for the rewrite feature.

  Workaround: Modify the rewrite action to use regular (regex) expressions.
  [# 675347]

SSL

• In a cluster setup, a certificate update fails, with the following error, if the certificate is in DER format.

  Error :: No such resource
  [# 583715]

• If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
  [# 660257]

• In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
  [# 667389]

• The service group members do not appear in the output of the "show lb vserver <name>" command if it is run on a cluster IP address.
  [# 668935, 642802, 463835, 684073, 684892]

• The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile <Default-Profile> command on a cluster IP (CLIP) address.

  Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.
  [# 673458]

• Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
  [# 675882, 677473]

• Secure implementation of session tickets is supported only in release 11.1 build 54.x. Configuration loss occurs, if you upgrade from release 11.1 build 54.x to release 12.0 build 41.x or 51.x, in any one of the following scenarios:

  Scenario 1:

  1. Your deployment uses an SSL profile.

  2. In the SSL profile, sessionTicket is enabled and one or more of the following new secure session ticket parameters have non-default values:

  - sessionTicketKeyRefresh

  - sessionTicketKeyData

  - sessionKeyLifeTime

  - prevSessionKeyLifeTime

  Do not upgrade because there is no workaround.

  Scenario 2:

  1. Your deployment uses a custom SSL profile.

  2. In the SSL profile, sessionTicket is disabled.

  Use the following workaround to avoid configuration loss during upgrade.

  Workaround:

  1. Before upgrading, first enable and then disable sessionTicket. At the command prompt, type:

  set ssl profile <profile name> -sessionTicket ENABLED

  set ssl profile <profile name> -sessionTicket DISABLED

  2. Upgrade to release 12.0 build 41.x or 51.x.
  [# 678514, 677813]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# 682859]

• Information about internal service parameters is lost when you restart the appliance.
  [# 684152]

• A NetScaler appliance might run out of memory and crash if it receives a non-handshake record, such as an alert message, before a DTLS handshake is complete.
  [# 685145]

• The connection with the back-end server is terminated if OCSP validation for the server certificate fails, even though OCSP validation is optional.
  [# 686998]

• You cannot set the previous session-key life time to its minimum value (0 seconds).
  [# 687135]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# 687208]

• If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:

  ERROR: Invalid OID for SAN entry in certificate
  [# 688416]

System

• If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
  [# 331889]

• If a NetScaler appliance sends a large number of packets on a TCP connection, and the network randomly drops a few of the packets, multiple sets of continuous packet loss ("holes") are created. When the appliance retransmits the packets, the network interface card (NIC) drops packets.
  [# 643929]

• On a partitioned NetScaler appliance, you can no longer use the same command to bind a system user and a command policy to a system group. Instead, you must use two different commands. For example:

  "bind system group grpX -userName userX"

  "bind system group grpX -policyName superuser 1"

  If you try to bind both arguments with a single command, the appliance displays an error message: Arguments cannot both be specified [policyName, userName.]
  [# 652345]

• The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
  [# 654087]

• A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.
  [# 657565, 686496]

• When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.
  [# 674165]

• If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
  [# 676599]

• The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
  [# 678015]

• Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.
  [# 684370]

• The NetScaler appliance does not send the HTTP response body for some POST requests.
  [# 685510]

• When a client times out and sends a message longer than one packet, TCP sends a FIN packet to the application handler (for example, SSL). When TCP receives the second packet, it directly sends the packet to the application handler. As a result, the application handler generates a close notify alert for the first packet and an RST alert for the second packet.
  [# 686390]

• In a SYSLOG action, setting the netProfile parameter during a log transfer causes multiple SYSLOGTCP connections to be established but only one connection serves the log traffic.

  Workaround: Set the netProfile parameter while adding the SYSLOG action, not during the log transfer.

  Example:

  add audit syslogAction -netprofile -loglevel all [-options ...]
  [# 687042]

• In a cluster setup, if you use the SET operation to specify the server domain name in a SYSLOG action command, the appliance displays a "Cannot allocate memory" error message.

  Workaround:

  Delete the existing command and add a new SYSLOG action command that specifies the server domain name specified instead of the server IP address.

  Example

  rm syslogaction

  add syslogaction -loglevel [-options ...]
  [# 687067]

• A NetScaler appliance might crash if it receives a FIN packet with multiple invalid SACK blocks from the origin server and tries to forward the packet to an MPTCP client.
  [# 687118, 687352, 687351]

Telco

• In a high availability setup, forcing synchronization does not synchronize Port Control Protocol (PCP) mappings to the secondary node.
  [# 647630]

Upgrade and Downgrade

• When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has been completed.

  Workaround: Log off and log back on to the NetScaler appliance to check the firmware version.
  [# 646046]

• The auto cleanup option (/installns -c) is not supported in NetScaler release 12.0.

  Clean up flash manually if space is insufficient when upgrading or downgrading a NetScaler appliance.
  [# 683380]

What's New in Previous NetScaler 12.0 Releases

• SAMLIDP Single Logout Support for Redirect and Post Bindings

  SAMLIDP single logout support for Redirect and Post bindings is now available.
  [From Build 35.6] [# 642105]

Admin Partitions

• VXLAN Support for Admin Partitions

  A partitioned NetScaler appliance now supports Virtual eXtensible Local Area Networks (VXLANs) protocol. A VXLAN can be created in the default partition and bound to any administrative partition. When you extend a VXLAN to a VLAN, binding a VLAN to a partition will also bind the VXLAN to the same partition. However, the appliance does not support shared VXLAN and does not allow you to extend a VXLAN to a shared VLAN.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651332]

• Configurable Partition Resource Limit

  When you create an administrative partition, you can now set a partition resource (such as memory, bandwidth, or connections) limit to zero, which specifies that use of the resource is unlimited. The partition can consume up to the system limit. For a previously created partition, you can increase or decrease the limit or set the limit to zero.
  [From Build 35.6] [# 652187]

• Memory Management in Admin Partitions

  In a partitioned NetScaler appliance, the partition connections are now accounted from the partition quota memory. Previously, the connections were accounted from the default partition quota memory.
  [From Build 35.6] [# 652198]

• Blocking VRRP on Shared VLANs in Admin Partitions

  On a partitioned NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) protocol is now supported only on non-shared VLANs. It is blocked on shared VLANs (tagged or untagged type) bound to a default or an administrative partition.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 655514]

• SNMP Traps for Admin Partition Rate Limiting

  On a partitioned NetScaler appliance, a SNMP-RATE-LIMIT alarm can generate six new SNMP traps for notification that a partition resource (such as connection or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.

  Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance can send the trap messages.

  The threshold and limit values for partition rate limiting are:

  Highest threshold = 80% (applicable for all partition rate limit traps)

  Lowest threshold = 60 % (applicable for all partition rate limit traps)

  Memory limit = 95% (applicable only for partition memory traps)

  The six new SNMP traps are:

  partitionCONNThresholdReached. Number of active connections for a partition exceeds its high threshold.

  partitionCONNThresholdNormal. Number of active connections are less than or equal to the configured normal threshold percentage.

  partitionBWThresholdReached. Partition's bandwidth usage reaches configured high threshold percentage.

  partitionMEMThresholdReached. Current memory usage of the partition exceeds its high threshold percentage.

  partitionMEMThresholdNormal. Current memory usage of the partition is less than or equal to the configured normal threshold percentage.

  partitionMEMLimitExceeded. Current memory usage of the partition exceeds its memory limit percentage
  [From Build 35.6] [# 655560]

AppExpert

• Blacklisting Up to One Million URLs by Using URL Sets

  To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can include up to one million (1,000,000) blacklisted URLs. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF). After downloading and importing the URL set, the appliance encrypts it (as required by these agencies) and keeps it confidential so that the entries are not tampered with.

  The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you can use an expression that evaluates the URL on the basis of an exact string match. For URLs that have metadata, you can use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
  [From Build 35.6] [# 628124]

Application Firewall

• Generate SNMP alarm and log message when application firewall Session limit is reached

  When NetScaler reaches appfw_session_limit and CSRF checks are enabled, the web application freezes.

  To prevent web application freeze, decrease the session timeout and increase the session limit by using the following commands:

  From CLI: > set appfw settings -sessiontimeout 300

  From shell: root@ns# nsapimgr_wr.sh -s appfw_session_limit=200000

  Logging and generating SNMP alarm when appfw_session_limit is reached assists users in troubleshooting and debugging issues.
  [From Build 35.6] [# 589567]

• Application Firewall GUI - Signature Editor

  When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules.

  The signature editor displays the following four new rows:

  1. New Rules

  2. Updated Rules

  3. Duplicate Rules

  4. Invalid Rules

  The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in signature editor.
  [From Build 35.6] [# 656279]

• Configure Application Firewall Session Limit Through the CLI

  You can now use the CLI to configure the Application Firewall session limit. Enter the following command:

  set appfw settings -sessionLimit <value>

  Where <value> is the maximum number of sessions allowed for each packet engine. Minimum value: 0. Maximum value: 500000. Default: 100000.
  [From Build 35.6] [# 662582]

Clustering

• SNMP MIB Support for Cluster Nodes

  In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node.

  To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command.
  [From Build 35.6] [# 628136, 623888]

• Disabling Steering for Forwarding Sessions in a Cluster Setup

  The default behavior of a NetScaler cluster is to direct the traffic that it receives (flow receiver) to another node (flow processor) that must then process the traffic. This process of directing the traffic from flow receiver to flow processor occurs over the cluster backplane and is called steering. This steering can be an overhead for real time processing or when high latency links are present in the setup.

  Steering for forwarding sessions can now be disabled so that the processing becomes local to the flow receiver and therefore makes the flow receiver the flow processor.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 636825]

• Monitor Static Route (MSR) Support for Inactive Nodes in a Spotted Cluster Configuration

  In a spotted cluster configuration, you can now configure an inactive or spare node to monitor a static route for which the MSR option is enabled. From a SNIP address owned exclusively by an inactive node, the node can send PING and ARP probes to an IPv4 route or ping5 and nd6 probes to an IPv6 route. Previously, only active nodes could monitor a static route.
  [From Build 35.6] [# 648194]

• VRID/VRID6 support for cluster

  When you migrate a high availability (HA) setup to a cluster setup, all configurations must be compatible and must be supportable in the cluster. To achieve this, you can now configure virtual router IDs (VRIDs and VRID6s) on a single-node cluster interface.
  [From Build 35.6] [# 655726]

• Managing Cluster Heartbeat Messages

  In a cluster configuration, you can now disable the heartbeat option on node interfaces. However, the heartbeat option on the backplane interface cannot be disabled, because it is required for maintaining connectivity among the cluster nodes.
  [From Build 35.6] [# 655842]

• TFTP Support in a Cluster Setup

  Trivial File Transfer Protocol (TFTP) is now supported in a NetScaler cluster setup. TFTP is a simple form of file transfer protocol and is based on the UDP protocol. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on a NetScaler cluster setup is compliant with RFC 1350. A server listens on port 69 for any TFTP request.

  The following features are supported:

  * INAT processing compliant with TFTP. If a NetScaler cluster receives a request packet whose destination is port 69 and that matches an INAT rule with the TFTP option enabled, the cluster's processing of the request and the corresponding response is compliant with the TFTP protocol. For an INAT configuration for a TFTP server, only spotted SNIP addresses are supported for the server-side communication.

  * RNAT processing compliant with TFTP. When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on a NetScaler cluster, the cluster's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol. In an RNAT configuration of TFTP servers, only spotted NAT IP addresses are supported for the TFTP server-side communication.
  [From Build 35.6] [# 658631]

• Audit-Log Support in Cluster

  A cluster setup of NetScaler appliances now supports the audit-log feature.
  [From Build 35.6] [# 669938]

DNS

• Support for Wildcard DNS Domains

  You can now use wildcard DNS domains to handle requests for a nonexistent domains and subdomains. In a zone, if you want to redirect queries for all nonexistent domains or subdomains to a particular server, you can use wildcards rather than creating a separate Resource Record (RR) for each such domain. The wildcard RRs synthesize the responses to queries for a nonexistent domain or a subdomain name.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 558993]

• Caching of EDNS0 Client Subnet (ECS) Data when the NetScaler Appliance is in Proxy Mode

  In NetScaler Proxy mode, if a back-end server that supports ECS sends a response containing the ECS option, the NetScaler appliance forwards the response as-is to the client and stores it in the cache, along with the client subnet information. Further DNS requests that are from the same subnet of the same domain, and for which the server would send the same response, are then served from the cache instead of being directed to the server.
  [From Build 35.6] [# 626837]

• Securing DNS Keys with Passwords on a Partitioned NetScaler Appliance

  You can now secure the DNS keys with passwords on a partitioned NetScaler appliance.

  Specify the password in the create dns key command, and then specify the same password in the add dns key command when adding the DNS key to the NetScaler appliance.
  [From Build 35.6] [# 655295]

GSLB

• Configuring GSLB by Using a Wizard in the NetScaler GUI

  You can now use a wizard to configure the GSLB deployment types (active-active and active-passive) and parent-child topologies. In the NetScaler GUI, navigate to Configuration > Traffic Management > GSLB, and click Get Started.

  You can also start the GSLB configuration wizard from the dashboard. The dashboard provides the overall status of the GSLB sites participating in GSLB. You can also synchronize the sites and test the GSLB setup from the dashboard. To access the GSLB dashboard, navigate to Configuration > Traffic Management > GSLB > Dashboard.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 664467]

Load Balancing

• SNMP OID for Tracking Persistence Sessions on a Per-Vserver Basis

  The vsvrCurPersistenceSessions (1.3.6.1.4.1.5951.4.1.3.1.1.76) SNMP OID provides the number of current persistence sessions on each virtual server.
  [From Build 35.6] [# 346825]

• Setting alertRetries to a Value Higher than the Retries Value

  The alertRetries parameter, which specifies the maximum number of consecutive monitoring-probe failures after which the NetScaler appliance generates an SNMP trap called monProbeFailed, can now be set to a value higher than the Retries value (which specifies the maximum number of probes to send to establish the state of a service for which a monitoring probe failed). If the alertRetries value is higher than the Retries value, the SNMP trap is not sent until after the service is DOWN.

  For example, if you set Retries to 3, alertRetries to 12, and the time interval to 5 seconds, the service is marked DOWN after 15 seconds (3*5), but no alert is generated. If the monitor probes are still failing after 60 seconds (12*5), the NetScaler appliance generates a monProbeFailed trap. If a probe succeeds at some time between 15 and 60 seconds, the service is marked UP and no alert is generated.
  [From Build 35.6] [# 422816]

• Connection Failover Support for IPv6 Load Balancing Configurations

  Connection failover support has been extended for IPv6 load balancing configurations. Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. If the L2Conn parameter is set, Layer 2 connection parameters are also synchronized with the secondary.

  You can set up connection failover in either stateless or stateful mode. In the stateless connection failover mode, the HA nodes do not exchange any information about the connections that fail over. This method has no runtime overhead. In the stateful connection failover mode, the primary appliance synchronizes the data of the failed-over connections with the new secondary appliance. Connection failover is helpful if your deployment has long lasting connections.

  For example, if you are downloading a large file over HTTP and a failover occurs during the download, the connection breaks and the download is aborted. However, if you configure connection failover in stateful mode, the download continues even after the failover.
  [From Build 35.6] [# 472611]

• Configuring Backup Persistence

  You can now configure a virtual server to use source IP persistence as the backup persistence type when the primary persistence type is rule-based. If the primary persistence lookup fails, the appliance uses source-IP based persistence when the parameter specified in the rule is missing in the incoming request.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 519440]

• Support for RADIUS Shared Secret

  A shared secret must now be configured in RADIUS load balancing deployments. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and the server. Transactions between the client and RADIUS server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.

  You can configure a default RADIUS shared secret, or you can configure a shared secret on a per-node basis. The appliance uses the client IP address or the server IP address in the RADIUS packet to decide which shared secret to use.

  In telco deployments, you must now configure a RADIUS client when you configure a RADIUS listener service. If a shared secret is not configured, the RADIUS message is silently dropped.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 564185]

NITRO

• Prevent XSS and CSRF Attacks by Disabling Basic Authentication

  As an administrator or a root user, you can now prevent users from making API calls after using basic authentication (such as one-time credentials) to log on. You can use this feature to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other types of attacks.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 611690, 570838]

• View Individual Counter Information

  To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format.

  URL: http://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:<counter1>;<counter2>

  Previously, these counter values could be viewed only through the "nsconmsg" Shell command.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 622976]

NetScaler GUI

• PHP Version Upgraded from Version 5.3.17 to 7.0.13

  PHP has been upgraded from version 5.3.17 to version 7.0.13 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
  [From Build 35.6] [# 572765]

• NetScaler GUI Masks Full Path

  To enhance security, the NetScaler GUI no longer displays the full path to an admin partition when a file browser is opened for an activity such as SSL certificate installation. Everything except the last part of the path is masked.
  [From Build 35.6] [# 661475]

• Support for Atomocity in Wizards

  The new atomicity feature removes the residual configuration left by an unsuccessful configuration attempt, so that you can successfully reconfigure the entity by using a wizard in Citrix XenMobile, XenApp, NetScaler Gateway, NetScaler Unified Gateway, or GSLB. Previously, co-entities and other unwanted configurations left by the unsuccessful configuration attempt caused error messages to appear.
  [From Build 35.6] [# 669990]

NetScaler Gateway

• Configuring Separate Ports of a RADIUS Server for Accounting and Authentication Functionalities

  You can now configure separate ports of a RADIUS server (other than the default ports) for accounting and authentication functionalities.
  [From Build 35.6] [# 355523, 634307]

• Proxy Auto Configuration for Outbound Proxy

  You can now configure the NetScaler Gateway appliance to support Proxy Auto Configuration (PAC). Upon configuration, a PAC file URL is pushed to the client browser, the traffic initiated from browser is then redirected to the respective proxies based on the conditions defined in the PAC file.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 378411]

• Support for EPA in GSLB Active-Active deployment

  EPA now functions reliably on GSLB Active-Active deployment.
  [From Build 35.6] [# 619596]

• PCoIP Proxy Support for VMware View

  NetScaler Gateway now supports the PCoIP protocol which is the core building block for several VDI solutions, including VMware Horizon View solution. This enables the solution to deliver desktops and applications and secure data on a variety of endpoint devices more efficiently.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 632624]

• Support for Logon Lockdown Control

  Logon lockdown control is now supported on a NetScaler cluster. Unsuccessful logon attempts are recorded in a distributed hash table (DHT). The advantage of using the DHT is that both n2n (node to node) and c2c (cluster to cluster) messaging are supported.
  [From Build 35.6] [# 635415]

• Support for Logon Lockdown Control

  The User Lockdown Control feature is now available for system role-based access control users on a cluster.
  [From Build 35.6] [# 650547, 490670]

• Support for logging out from a VPN session upon removal of smart-card from the logged on device.

  You can now optionally log out from a VPN session if you remove smart-card from the logged on device.
  [From Build 35.6] [# 654943]

• EDT as a Data Transmission Path Support for NetScaler Gateway

  The NetScaler Gateway appliance now supports the HDX Enlightened Data Transport (EDT) as a data transmission path. EDT provides a high definition in-session user experience of virtual desktops for users running a Citrix Receiver.
  [From Build 35.6] [# 659795, 666135]

• Logging "Destination IP address" and "ICA Proxy policy name" for Outbound ICA Proxy

  Now "Destination IP address" and "ICA Proxy policy name" are logged additionally along with other information logged earlier for Outbound ICA Proxy.
  [From Build 35.6] [# 661832]

• Support for SAML ForceAuthn Parameter and Artifact Binding (when NetScaler is SP) using GET HTTP Method

  NetScaler SAML SP (Service Provider) module now sends additional attribute called 'ForceAuth' in the authentication request to external IDP (Identity Provider). By default, the ForceAuthn carries a value of 'false'. It can be set to 'true' to provide a hint to IDP to force authentication despite existing authentication context.

  Additionally, NetScaler SP does authentication request in query parameter when configured with artifact binding.
  [From Build 35.6] [# 665828]

• Inter-operability with OAuth

  NetScaler Gateway is now able to process JWT (Json Web Tokens) during logon. Gateway is required to be configured with an OAuth action that contains a URL to fetch the certificates to verify incoming JWT. This enables Gateway to inter-operate with OAuth providers.
  [From Build 35.6] [# 671380]

• Multi-Stream ICA Functionality Support for EDT

  NetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.
  [From Build 35.6] [# 671878]

NetScaler VPX Appliance

• Support for Key-Pair Based Authentication

  For VPX deployment on KVM OpenStack, you can now use key-pair based authentication to log on and access a VPX instance in a more secure way. You can also execute custom scripts with a userdata file.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 617478]

• Two New Commands to Control CPU Usage Behavior

  Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMWare ESX and Citrix XEN environments:

  1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

  Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

  Set ns vpxparam parameters:

  -cpuyield: Release or do not release of allocated but unused CPU resources.

  YES: Allow allocated but unused CPU resources to be used by another VM.

  NO: Reserve all CPU resources for the VM to which they have been allocated.

  DEFAULT: Reset -cpuyield to its factory default value based on license.

  - If license <= 8G, release CPU resources.

  - If license > 8G, use up all the CPU resources allocated to it.

  2. show ns vpxparam

  Display the current vpxparam settings.
  [From Build 35.6] [# 625698]

• Support for VMware ESXi 6.5 server

  NetScaler VPX appliances now support VMware ESXi 6.5 server.
  [From Build 35.6] [# 643974]

• Support for High-Performance VPX on OpenStack

  You can now deploy high-performance NetScaler VPX instances that use single-root I/O virtualization (SR-IOV) technology, on OpenStack. Also, on the OpenStack host, you can configure VLAN tagging on the SR-IOV virtual functions.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 660055]

Networking

• IPv6 Virtual Router Redundancy Protocol Support for a Cluster Setup

  IPv6 Virtual Router Redundancy Protocol (VRRP6) protocol is now supported on a cluster setup.

  The following are the two VRRP6 features supported on a cluster setup:

  * Interface based VRRP6: This feature is only applicable to a two-node cluster where one of node is in active state and the other in Spare. In this feature, same VMAC address is configured on both the nodes of a cluster setup. This VMAC address is used in GARP advertisements and ARP responses for the IPv6 addresses configured on a node. This feature is useful in an active-spare two-node cluster setup that has external devices/routers that do not accept GARP advertisements. By configuring a same VMAC address on both cluster nodes, when the active node goes down and the spare node takes over as active, the MAC address for the IP addresses in the new active node remain unchanged and the ARP tables on the external devices/ routers do not need to be updated.

  * IP based VRRP6: In this feature, striped VIP6 addresses bound to the same VRID6 are configured on all nodes of a cluster setup. These VIP6 addresses are active on all the nodes One of the cluster nodes acts as the VRID6 owner and sends out the VRRP6 advertisement to other nodes. In case of failure of the VRID6 owner node, another node in the cluster assumes the ownership of the VRID6 and starts sending VRRP6 advertisements.
  [From Build 35.6] [# 657315]

SSL

• Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances

  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end.

  The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:

  - TLS1.2-AES256-GCM-SHA384

  - TLS1.2-AES128-GCM-SHA256

  - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  - TLS1.2-AES-256-SHA256

  - TLS1.2-AES-128-SHA256
  [From Build 35.6] [# 579751]

• Support for New FIPS Platform

  This release supports the MPX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:

  Model number System Throughput

  MPX 14030 FIPS 30 Gbps

  MPX 14060 FIPS 60 Gbps

  MPX 14080 FIPS 80 Gbps

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 592833, 498222, 590397]

• Support for New SDX FIPS Platform

  This release supports the SDX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:

  Model number System Throughput

  SDX 14030 FIPS 30 Gbps

  SDX 14060 FIPS 60 Gbps

  SDX 14080 FIPS 80 Gbps

  For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
  [From Build 35.6] [# 597890]

• Support for AES-GCM and SHA2 Ciphers at the Back End of MPX/SDX 14000 FIPS Appliances

  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the back end.

  The following AES-GCM and SHA2 ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:

  - TLS1.2-AES256-GCM-SHA384

  - TLS1.2-AES128-GCM-SHA256

  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  - TLS1.2-AES-256-SHA256

  - TLS1.2-AES-128-SHA256
  [From Build 35.6] [# 611983]

• Support for HTTP strict transport security (HSTS)

  NetScaler appliances now support HTTP strict transport security (HSTS) as an inbuilt option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

  You can enable HSTS in an SSL front-end profile or on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 636384, 651353]

• Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX//SDX 14000 FIPS Appliances

  Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group.

  The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1.2-ECDHE-RSA-AES-256-SHA384

  - TLS1.2-ECDHE-RSA-AES-128-SHA256

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  This following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1.2-ECDHE-RSA-AES-128-SHA256

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

  The following ECC curves are supported: P_256, P_384, P_224, and P_521.

  By default, all four curves are bound to an SSL virtual server.
  [From Build 35.6] [# 651524]

• Support for a Hybrid FIPS Mode on the MPX 14000 FIPS Platform

  The new MPX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable the hybrid FIPS mode, the pre-master secret decryption commands are run on the primary card because the private key is stored on this card, but the bulk encryption and decryption is offloaded to a secondary card. This significantly increases the bulk encryption throughput on a MPX 14000 FIPS platform as compared to non-hybrid FIPS mode and the existing MPX 9700/10500/12500/15000 FIPS platform. Enabling the hybrid FIPS mode also increases the SSL transactions per second on this platform.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651814]

System

• Option to Allocate an Extra Management CPU

  According to your requirement, now you can allocate an extra management CPU from packet engine pool in the NetScaler MPX appliance, and achieve better performance for configuring and monitoring of your appliance. This feature is supported in NetScaler MPX models 250xxx, 220xxx, 14xxx, 115xx.
  [From Build 35.6] [# 352233, 235321, 559207, 604165, 615657]

• Configuring HMAC Keys for PI Function

  A new parameter of the ns hmackey command specifies the HMAC key value. A NetScaler default syntax policy expression uses the HMAC () function to compute a Hash-based Message Authentication Code on selected text. This function is derived from the RFC 2104 technique to authenticate the sender of a message and verify that the contents of the message have not been altered. To set this value, type:

  HMAC (<keyValue>)

  The HMAC key value specifies the digest method and the shared secret key to be used for the HMAC computation.
  [From Build 35.6] [# 415808]

• Displaying MPTCP Statistics

  The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 646498, 350115]

• Configuring SYN-Cookie Timeout Interval

  In addition to the SYN Cookie setting in the TCP profile, a NetScaler appliance now maintains a second SYN Cookie setting for each virtual server. This enhancement is especially important for cluster deployments. To protect the appliance against SYN attacks, the SYN Cookie parameter in the TCP profile is enabled by default. Previously, if you disabled it, its value would toggle to ENABLED if a SYN attack was detected. If the appliance was deployed in a cluster, the cluster configuration would become inconsistent until the parameter was toggled back to the DISABLED state after the attack. Now, the SYN Cookie parameter is enabled and disabled only for the virtual server that detects the SYN attack.

  Note: A SYN attack does not enable the SYN Cookie parameter for a virtual server unless the SYN Cookie parameter in the TCP profile is set to DISABLED.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651196]

• Protection Against Wrapped Sequence (PAWS) Algorithm

  On a NetScaler appliance, you can now enable the TCP timestamp option in the default TCP profile to use the Protection Against Wrapped Sequence (PAWS) algorithm. The algorithm can identify and discard old packets whose sequence numbers are within the current TCP connection's receive window because the sequence has "wrapped" (reached its maximum value and restarted from 0).

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 652210]

• HTTP version 2 Protocol Support for Plaintext

  A NetScaler appliance now supports HTTP version 2 (HTTP/2) protocol for plaintext messaging. The appliance advertises the service availability to its clients by including an Alt-Svc field in its response so that the client can directly send a subsequent HTTP/2 request instead of an HTTP 1.1 or HTTP/2 upgrade request. Previously, the appliance supported plaintext messaging only as an upgrade request in HTTP version 1.1.
  [From Build 35.6] [# 653154]

• Configuring Heartbeat Time Interval for Call Home

  The Call Home feature periodically reports the latest status of the NetScaler appliance to Citrix Technical Support servers. The report has the same content as the registration message. Previously, CallHome sent the report once every 30 days, but you can now specify a time interval of from 1 to 30 days. However, a value of less than 5 days is not recommended, because the frequent uploads are usually not very useful.
  [From Build 35.6] [# 655515]

• Monitoring Rate Limit Errors in Call Home

  The NetScaler Call Home feature can now monitor rate-limiting packet drops caused by exceeding either the throughput (Mbps or Gbps) limit or the packets-per-second (pps) limit.
  [From Build 35.6] [# 656569]

• Encrypting user passwords by using SHA-512

  For enhanced security, the NetScaler appliance now uses the SHA-512 hashing algorithm to encrypt user passwords.

  Note: A user to which the following set of conditions applies cannot log on:

  1. The user is added, or the user's credentials are modified.

  2. The NetScaler software is then downgraded to an earlier build, but the modified configuration file (ns.conf) is used.
  [From Build 35.6] [# 658393, 204279, 658859]

• Audit-log Support for Admin Partitions

  A partitioned NetScaler appliance now supports audit logging for non-default partitions by using advanced (PI) policies. Previously, you could configure the audit-log feature only in a default partition, not in administrative partitions.
  [From Build 35.6] [# 659649]

• Configuring TCP Burst Control Parameters by using NetScaler GUI

  The following TCP Burst Control parameters are now configurable through either the NetScaler GUI or the command line interface. Previously, you could configure the following parameters through only the command line interface:

  - BurstRateCntrl

  - CreditBytePrms

  - RateBytePerms

  - RateSchedulerQ
  [From Build 35.6] [# 660828]

• Silently Dropping Idle TCP Connections

  In a Telco network, almost 50 percent of a NetScaler appliance's TCP connections become idle, and the appliance sends RST packets to close them. The packets sent over radio channels activate those channels unnecessarily, causing a flood of messages that in turn cause the appliance to generate a flood of service reject messages. The default TCP profile now includes DropHalfClosedConnOnTimeout and DropEstConnOnTimeout parameters, which by default are disabled. If you enable both of them, neither a half-closed connection nor an established connection causes an RST packet to be sent to the client when the connection times out. The appliance just drops the connection.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 664057]

Telco

• Large Scale NAT64 SIP and RTSP ALGs Support for 464XLAT Connections

  NetScaler appliances now support Large Scale NAT64 RTSP and SIP ALGs for 464XLAT connections that use large Scale NAT64.

  For a 464XLAT SIP connection using NAT64 and SIP ALG, the show lsn sipalgcall command now displays the IPv4 address (XLAT IP) of the subscriber. For a 464XLAT RTSP connection using NAT64 and RTSP ALG, the show lsn rtspalgsession command now displays the IPv4 address (XLAT IP) of the subscriber.

  464XLAT is an architecture that provides IPv4 connectivity across an IPv6-only ISP core network by combining the existing and well-known stateful translation at the core (Stateful NAT64; RFC 6146) and stateless protocol translation at the edge (IP/ICMP Translation algorithm; RFC 6145). In other words, 464XLAT provides connectivity between IPv4-only applications on IPv6 subscriber hosts and IPv4 Servers on the internet through an IPv6-only ISP core network.

  For more information about configuring SIP and RTSP ALGs for Large NAT64, see https://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/configuring-agl-large-scale-NAT64.html.
  [From Build 35.6] [# 635880]

Fixed Issues in Previous NetScaler 12.0 Releases

GSLB

• In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
  [From Build 41.24] [# 682766, 683601, 685391]

Integrated Caching

• When a request is sent and if the back-end server responds with a 301 status code, the cache stores the response meaning the URL is permanently moved and Cache is trying to serve range request. This causes the NetScaler appliance to crash.
  [From Build 41.24] [# 673506, 684404]

NetScaler Gateway

• NetScaler Gateway dumps core in case SingleSignOn (SS0) is disabled and the connection to server is removed or gatetimeout happens during TCP handshake with the back-end server.
  [From Build 41.24] [# 678251]

• Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).
  [From Build 41.24] [# 685075]

NetScaler ICA

• When session Reliability on HA Failover is enabled on a NetScaler high availability pair, the primary NetScaler has a buffer to maintain CGP sequence updates, which will be sent to secondary. After a reconnect, buffer updates wrong offset, resulting in corruption. Once the buffer corruption happens, wrong addresses will be accessed which can lead the NetScaler instance to become unresponsive.
  [From Build 41.24] [# 679494, 684204]

Optimization

• With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
  [From Build 41.24] [# 681308]

• When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."

  For example:

  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE

  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST

  ERROR: CVPN Policies cannot be bound to multiple entities
  [From Build 41.24] [# 682864]

• A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
  [From Build 41.24] [# 682947]

SSL

• After you upgrade to this build, the priority of the cipher groups changes in the default profile.
  [From Build 41.24] [# 579059, 679085]

• If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
  [From Build 41.24] [# 675887]

• If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
  [From Build 41.24] [# 678474]

• If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
  [From Build 41.24] [# 678743, 678740]

• You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.
  [From Build 41.24] [# 679708]

User Interface

• When secure connection is enabled on CCO, config sync doesn't work.
  [From Build 41.24] [# 525671]

Release history