Release Notes for Build 57.19 of NetScaler 12.0 Release

Additional Changes/Fixes Available in Versions

What's New?

• Support for Non-Blocking of TACACS Accounting and Authorization Requests

  The Terminal Access Controller Access-Control System (TACACS) is now not blocking the NetScaler AAA daemon while sending the TACACS accounting request. With this enhancement, the NetScaler AAA daemon allows LDAP, and RADIUS authentication to proceed with the request. The TACACS authentication request resumes once TACACS server acknowledges the TACACS request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk.html.
  [# 638597, 685002, 633598, 590652, 604515, 684539, 697289, 700605]

CloudBridge Connector

• AES 256-bit Support

  The NetScaler appliance now supports AES 256-bit encryption algorithm for IPSec tunnel (CloudBridge Connector) configurations.

  For more information about CloudBridge Connector, see https://docs.citrix.com/en-us/netscaler/12/system/cloudbridge-connector-introduction.html.
  [# 696803]

GSLB

• Service Groups Support for GSLB

  The NetScaler appliance now supports service groups for GSLB. The following types of GSLB service groups are supported:

  - IP address-based service groups

  - Domain name-based service groups

  - Domain name-based autoscale service groups

  You can configure the GSLB service groups to use domain names instead of IP addresses when referring to the load balancing endpoints.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/global-server-load-balancing/configure/configuring-a-gslb-service-group.html.
  [# 693071]

Load Balancing

• Support for Gx Interface in a Cluster Topology

  The NetScaler appliance now supports Gx interface in a cluster topology.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-telco-subscriber-management.html.
  [# 697737]

NetScaler Gateway

• OPSWAT v4 Support for EPA plug-in

  You can now configure the following End-point analysis (EPA) scans for the NetScaler Gateway appliance. The client computers use the NetScaler Gateway plug-in to access the software environment of their enterprise network.

  The following OPSWAT scans are configured on a NetScaler Gateway appliance.

  -Product specific scan

  -Vendor specific scan

  -Generic scan

  The following system scans are configured on a NetScaler Gateway appliance.

  -MAC Address

  -Domain Check

  -Numeric Registry

  -Non-numeric Registry

  -Windows Update

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/vpn-user-config/advanced-epa-policies.html
  [# 693089]

NetScaler SDX Appliance

• An Interactive GUI for Restoring a NetScaler Appliance

  For a successful NetScaler SDX appliance restore, you need the following resources:

  - A valid license

  - An XVA images

  - A NetScaler image

  - A Single Bundle Image

  If any of these resources are missing in the backup file, the GUI now prompts to upload the resource before proceeding further – enabling you to restore the appliance efficiently in a single go.

  Previously, if any resource was found missing, the process terminated with an error message. The user needed to start the process again after uploading the required resources.

  For more information, see https://docs.citrix.com/en-us/sdx/12/configuring-management-service/backup-restore.html
  [# 689549, 666240, 603135]

• Jumbo MTU Support for CLAG

  In a cluster setup that involves one or more NetScaler SDX appliances, you get confirm messages when you perform the following actions:

  - When you click Create to configure a CLAG in one of NetScaler SDX appliances in the cluster setup, a message prompts you to refresh the CLAG settings in the other SDX appliances. At the prompt, select Yes to continue. If you select No, the CLAG is not configured. Note that you must manually refresh the CLAG settings in the other SDX appliances.

  - If you change the MTU setting in one of the SDX appliances, a message prompts you to change the setting in the other SDX appliances. At the prompt, select Yes to continue. If you select No, the MTU is not set. Note that you must manually change the MTU setting in the other SDX appliances.

  For more information about how to configure CLAG on SDX appliances, see https://docs.citrix.com/en-us/sdx/12/configuring-management-service/configure_cluster_link_aggregation.html
  [# 689767]

• Support for Automatic LOM Firmware Upgrade

  With this release, the Lights Out Management (LOM) firmware is automatically upgraded after the NetScaler SDX single bundle image is upgraded. When the appliance restarts after upgrading the single bundle image, it checks if LOM firmware upgrade is required and upgrades the firmware accordingly. The LOM upgrade might take a few minutes.

  However, the following exceptions and usage guidelines apply:

  - Do not upgrade NetScaler SDX 8010/8015/8400/8600 appliances to release 12.0 57.19, because LOM upgrade hangs during single bundle image upgrade. For more information, see 706269 in the Known Issues section in this release notes.

  - For SDX 115XX/175XX series appliances with LOM firmware version lower than 3.03, manual upgrade is required. For more information about manual upgrade, see the following documentations:

  https://support.citrix.com/article/CTX137970

  https://support.citrix.com/article/CTX140270

  - SDX 14000-40S platform is not enabled for automatic LOM firmware upgrade. Support will be provided in future releases.

  - Before upgrading the single bundle image, verify that LOM is running successfully by checking health monitoring events in the NetScaler SDX GUI dashboard. If LOM is in hung state, power cycle the appliance by pulling all the AC power cables on the power supplies. Wait for a minute and then replug the AC cables to power up the unit. Next, upgrade the single bundle image and complete the LOM upgrade.

  For more information, see:

  Lights Out Management Port of the NetScaler SDX Appliance documentation

  https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/lights-out-management-port.html

  Citrix LOM Firmware Upgrade page

  https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade.html?_ga=2.171892064.1772880763.1519622542-31978247.1493873654
  [# 695122, 690194]

• ACL Rules for Accessing an SDX Appliance

  Now you can create ACL rules to control and restrict access to your NetScaler SDX appliances, by using the SDX GUI.

  For more information, see https://docs.citrix.com/en-us/sdx/12/configuring-management-service/access-control-lists.html
  [# 696715]

NetScaler VPX Appliance

• Support for High Availability for VPX Instances with SR-IOV Interfaces Running on AWS

  High availability is now supported for VPX instances with SR-IOV interfaces running on AWS.

  For more information, see the following topics:

  https://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/vpx-aws-ha.html

  https://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/configure-vpx-to-use-sr-iov-aws.html
  [# 694260]

• Support for Extra Management CPU for NetScaler VPX Instances

  To achieve better performance for configuring and monitoring of your appliance, you can now allocate an extra management CPU from packet engine pool in all NetScaler VPX models except VPX instances that run on an SDX appliance. Previously the feature was supported only in NetScaler MPX models 25xxx, 22xxx, 14xxx, 115xx, 15xxx, and 26xxx.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/system/basic-operations/allocate-extra-management-CPU.html
  [# 700311]

Networking

• Detecting a NetScaler Appliance in a UDP Load Balancing Setup through TTL Updates

  Some enterprises/scenarios running a monitoring application requires the NetScaler appliance of a load balancing setup to be detected as one of the hop in a traceroute. A NetScaler appliance of a load balancing setup is not detected in a traceroute because the appliance, by default, sets the TTL value to 255 instead of decrementing it when forwarding the request to a backend server.

  To meet this requirement, Decrement TTL parameter of a VIP address can be used. This parameter applies to all UDP virtual servers using this VIP.

  When you enable the Decrement TTL parameter of a VIP, the NetScaler appliance decrements the TTL value by 1 instead of setting it to 255 when forwarding requests, which are received on the UDP virtual servers that use this VIP. Monitoring applications using traceroute data can now detect the presence of a NetScaler appliance of a UDP load balancing setup.

  For more information, see https://docs.citrix.com/en-us/netscaler/11/networking/ip-addressing/configuring-netscaler-owned-ip-addresses/configuring-and-managing-virtual-ip-addresses-vips.html.
  [# 695718]

Optimization

• Support for Facebook Video Optimization

  The NetScaler Video Optimization feature now enables you to detect and optimize Facebook video traffic.
  [# 690410]

Platform

• Support for Hardware Platforms

  This release now supports the NetScaler MPX 5900 and NetScaler MPX 8900 platforms. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-mpx-5900-8900-platforms.html.
  [# 493998, 681106]

• Support for New Hardware Platforms

  This release now supports the NetScaler MPX 26000-100G and NetScaler MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.
  [# 648922, 653372]

• Support for SDX 8900 Appliance

  This release supports the NetScaler SDX 8900 appliance.

  For more information see the following documentation:

  NetScaler SDX Hardware-Software Compatibility Matrix

  https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/supported-versions.html

  Citrix NetScaler SDX 8900

  https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/hardware-platforms/8900.html

  Citrix Downloads page

  https://www.citrix.com/downloads/netscaler-adc/components/netscaler-firmware-59xx-89xx.html
  [# 653122, 636909]

• Support for NetScaler Pooled Capacity

  The following new NetScaler MPX platforms now support NetScaler Pooled Capacity:

  * MPX-22000

  * MPX-24000
  [# 680354]

SSL

• Support for ECDSA ciphers on the front end and back end of NetScaler VPX Appliances

  The NetScaler VPX appliances now support the elliptical curve digital signature algorithm (ECDSA) cipher group end to end. ECDSA cipher suites use elliptical curve cryptography (ECC). Because of its smaller size, it is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.

  Note: ECDSA certificates with only the following curves are supported:

  -prime256v1

  -secp384r1

  -secp521r1

  -secp224r1

  The following ciphers are supported with ECDSA:

  -ECDHE-ECDSA-AES256-GCM-SHA384

  -ECDHE-ECDSA-AES256-SHA384

  -ECDHE-ECDSA-AES256-SHA

  -ECDHE-ECDSA-AES128-GCM-SHA256

  -ECDHE-ECDSA-AES128-SHA256

  -ECDHE-ECDSA-AES128-SHA

  -ECDHE-ECDSA-RC4-SHA

  -ECDHE-ECDSA-DES-CBC3-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/ecdsa_cipher_suite_support_on_mpx_appliances_with_n3_chips.html
  [# 603602]

• Support for Subject Alternative Name in a Certificate Signing Request

  The subject alternative name (SAN) field in a certificate allows you to associate multiple values, such as domain names and IP addresses, with a single certificate. By using SAN, you can secure multiple domains, such as www.example.com, www.example.net, www.example.org, with a single certificate. The NetScaler appliance now supports adding SAN entries when creating a certificate signing request (CSR). You can send a CSR to a Certificate Authority to obtain a signed certificate.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/manage-certs/obtain-cert-frm-cert-auth.html.
  [# 686067]

Secure Web Gateway

• Support for ICAP for Remote Content Inspection

  The NetScaler Secure Web Gateway (SWG) appliance can now act as an ICAP client and use policies for interacting with third-party security vendors that specialize in antimalware and data leak prevention (DLP). The encrypted files, which were earlier bypassed, can now be scanned by security vendors using ICAP on a NetScaler SWG appliance.

  The appliance intercepts client traffic (HTTP and HTTPS), decrypts it, and sends the decrypted traffic to the ICAP server(s). The appliance supports content inspection in both request mode (REQMOD) and response mode (RESPMOD). While REQMOD is ideal for DLP integration, RESPMOD is used in checking for antimalware. You must configure policies to select the traffic to send to the ICAP servers.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12/security-configuration/using-icap-for-remote-content-inspection.html.

  For the use case, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12/use-case-icap-for-remote-malware-inspection.html.
  [# 638345]

System

• Support for TCP Fast Open (TFO) in Multipath TCP (MPTCP)

  A NetScaler appliance now supports TCP Fast Open (TFO) mechanism for establishing Multipath TCP (MPTCP) connections and speeding up data transfers. The mechanism allows subflow data to be carried during the initial MPTCP connection handshake in SYN and SYN-ACK packets. Also, while establishing the MTCP connections, the mechanism enables the receiving node to consume data.
  [# 696961]

• Support for Variable TCP Fast Open (TFO) Cookie Size

  A NetScaler appliance now enables you to configure a variable length TCP Fast Open (TFO) cookie of a minimum size of 4 bytes and a maximum size of 16 bytes in a TCP profile. By doing this, the appliance can respond to the client with the configured TFO cookie size in the SYN-ACK packet.
  [# 699083]

Telco

• License Change for Telco Platform Consolidation

  As part of Telco platform consolidation, the following set of features are now added to the CNS Platinum edition.

  * Telco URL Filtering

  * ABR Video Optimization

  * Adaptive TCP

  * Connection Quality Analytics (CQA)

  To support the effort, the features work on Telco platforms with the purchase of a basic CBM license and CBM Premium license and for other NetScaler platforms, the features work with the purchase of a CNS Platinum license.

  Note: For Telco URL Filtering feature to work on all platforms, it requires an additional URL Threat Intelligence license. You can purchase the license with a subscription service for one year or for three years.

  License support for Telco platforms:

  * CBM_TXXX_SERVER_Retail.lic

  * CBM_TPRE_SERVER_Retail.lic

  * CNS_WEBF_SSERVER_Retail.lic

  Where XXX is the throughput, for example, NetScaler T1000.

  License support for other NetScaler platforms:

  * CNS_XXX_SERVER_PLT_Retail.lic

  Where XXX is the throughput.
  [# 697194]

Fixed Issues

• In some cases, authentication on a NetScaler appliance fails, when a certificate on an RDP listener is not properly bound even if the certificate is bound on the VPN virtual server.
  [# 683992]

• A NetScaler appliance configured for NetScaler AAA might become unresponsive when it accesses a NULL pointer.
  [# 698595]

• If single sign-on credentials are enabled in authentication loginschema, a NetScaler appliance might miss executing NetScaler AAA session policy bind to a particular user after nFactor authentication.
  [# 698752]

• If a NetScaler appliance configured for SAML has a password that is not authenticated by Active Directory (such as RADIUS password), you cannot access Citrix StoreFront by using single sign-on.
  [# 698830]

• If a SAML LogoutResponse parameter does not contain destination attribute in a SAML Identity Provider (IdP), the logout request might fail on a SAML Service Provider (SP).
  [# 699475]

• A NetScaler appliance configured for NetScaler AAA by using advanced authentication policies over a VPN session might become unresponsive if both of the following conditions are met:

  • The connection is initiated from LAN to a client by using assigned Intranet IP (IIP).

  • The default authorization action is denied.
  [# 699513]

• In case of multiple cascades, if the user is applied with only first authentication policy, the NetScaler appliance sends an incorrect authentication feedback.
  [# 701290]

Analytics

• The NetScaler Gateway login page fails to load if you have enabled client side measurements in the AppFlow action.
  [# 694892]

Application Firewall

• A NetScaler Application Firewall appliance running release 10.5 build 66.6, 11.0, or 11.1 fails because of a packet-engine crash while applying an AppFirewall policy to the load balancing virtual server.
  [# 691211, 692817, 695869, 701193, 691219, 700413]

• A NetScaler AppFirewall appliance running release 10.5 build 66.6, 11.0, or 11.1 fails because of a packet-engine crash while applying an AppFirewall policy to the load balancing virtual server.
  [# 691219]

• The Application Firewall auto-update feature does not work and the ‘https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml" file fails to download.
  [# 692155]

• Application firewall truncates html error page response, if the configured html error page is more than 8 KB in size.
  [# 695591]

• When the cookie proxy feature is enabled, the NetScaler application firewall appliance might crash while updating cookies.
  [# 698829]

DNS

• The NetScaler appliance returns incorrect SERVFAIL responses for records that are configured by using the NetScaler CLI and if DNS queries with EDNS Client Subnet Option are sent for such records over a content switching virtual server.
  [# 700049]

• The NetScaler appliance crashes when the following conditions are met:

  - The NetScaler appliance is configured as a Forwarder.

  - For a particular domain name and CNAME record type, the appliance returns a NODATA response and the response is cached.

  - Subsequent queries are sent to the same domain name and any other record type.
  [# 701051]

DataStream

• The NetScaler appliance might fail and dump core memory if a load balancing virtual server of type ORACLE is configured with SOURCEIP persistence.
  [# 700294]

Integrated Caching

• A NetScaler appliance might become unresponsive when the Integrated Cache (IC) module processes a byte range request for a large content.
  [# 695002]

• The NetScaler appliance might fail to respond if the buffer size of a TCP profile is set to a high value with Integrated Caching (IC) being configured.
  [# 695083]

• The NetScaler appliance might fail to respond when serving content from the Integrated Cache (IC) module.
  [# 698208]

Logstream

• Upgrading NetScaler MAS high availability pair might cause the system to fail.
  [# 700450, 699829]

NetScaler Gateway

• Citrix Virtual Adapter icon is not displayed in the network connections list if you logon to VPN virtual server using intranet IP.
  [# 695986, 703246]

• In some cases, the NetScaler Gateway appliance is unable to block access to the Internet and the intranet. This happens if you enable the AlwaysOn feature with NetworkAccessOnVPNFailure parameter set to onlyToGateway and if the FQDN of the virtual server is not accessible by client over the intranet.
  [# 696805]

• False SNMP alarms for SYN flood are reported when the NetScaler Gateway appliance is deployed in an ICA Proxy mode and session reliability functionality is enabled.
  [# 697457]

• In some cases, XenApp and XenDesktop applications fail to reconnect when a NetScaler Gateway appliance is configured for high availability and a failover happens. The reconnection failure is caused because of the network delay between the NetScaler Gateway appliance and the StoreFront server, owing to the failover.
  [# 699575]

• Group information is lost when a native client is used for nFactor authentication and "password change" is enabled for the active directory of the second factor.
  [# 699873]

• A client machine cannot access the StoreFront applications if both of the following conditions are met:

  - A VPN virtual server and a load balancing (LB) virtual server are configured on the same NetScaler appliance.

  - The VPN virtual server is accessed from an IPv6 address.

  The client connection fails because use source IP (USIP) address is enabled internally on the loopback connection between the VPN virtual server and the LB virtual server.
  [# 700034, 699530]

• The title message on the logon page is missing if the VPN virtual server is configured for the n-Factor authentication.
  [# 701163]

• A NetScaler Gateway appliance crashes or becomes unresponsive if HTTP/0.9 or HTTP/1.0 requests are sent without a host header.
  [# 701273]

• The Enlightened Data Transport (EDT) application fails to launch if the application is accessed using a second hop VPN virtual server in a double-hop deployment.
  [# 701292]

• In some cases, the NetScaler Gateway appliance dumps core due to memory corruption caused by the CVPN module.
  [# 701624, 702311]

• If a client tries to access the NetScaler Gateway appliance using the VPN plug-in, the EPA scan prompt appears even if the trustAlways feature is enabled for the client connection. 
  [# 702212]

• In rare cases, the NetScaler Gateway packet engine dumps core when an allocated memory is released in the event of a double free error.
  [# 704346, 704228, 703747]

NetScaler Insight Center

• AppFlow logging is enabled by default in VPN virtual servers from NetScaler appliance 12.0 57.x version.
  [# 690220]

• When HDX Insight is enabled in NetScaler Appliance. In a rare scenario, due to a negative length saved in one of the structures used for logging mechanism, the NetScaler Appliance fails.
  [# 697800, 698444, 650103]

• If AppFlow is enabled globally or in any VPN virtual server, NetScaler Gateway might fail, if a user logs in to VPN and launches an application.
  [# 698664, 698699, 697366]

NetScaler SDX Appliance

• If an LACP channel is bound to nine or more interfaces and is a member of a tagged VLAN, deleting the channel from a service VM can cause the NetScaler appliance to fail intermittently.
  [# 524320, 630772]

• You can only assign 22 partition MAC addresses to the following SDX platforms and the virtual machine will not start, if you assign more than 22 partition MAC addresses:

  * 11500

  * 13500

  * 14500

  * 16500

  * 18500

  * 20500

  * 115xx series
  [# 647534]

• When you upgrade the NetScaler SDX Management Service from release 11.0 or lower to release 11.1 or higher, some anomalies might occur such as:

  - Management Service does not display the VPX instances running on the SDX appliance.

  - The NetScaler VPX instances fail to come up.

  - Management Service becomes unreachable.

  - XenServer upgrade is incomplete.

  These issues occur if the NetScaler database contains large sets of NetScaler events-related historical data. With this fix, reports of historical data is lost; however, reports collected after upgrade is retained.
  [# 693526, 694388]

• The "Version-Bit" field displays no information when you perform any of the following actions:

  - Click a backup file and fetch its details.

  - Add instances for instance restore.
  [# 696131]

• On a NetScaler SDX appliance, access to GUI using HTTPS might fail if a FIPS card virtual-function (VF) is assigned to that instance. The appliance might also intermittently fail to process HTTPS traffic received on the management interface.
  [# 701070]

• The NetScaler SDX GUI freezes and stops responding after you save a configuration under Configuration > NetScaler > NetScaler Configuration > Save Configuration.
  [# 702792]

NetScaler Secure Web Gateway

• If you run the auto_update_urlset script during an URL Set import or update process, the script generates temporary folders in the file system. As a result, the folders inadvertently fill the file system causing multiple job failures.
  [# 698694]

• A NetScaler SWG appliance crashes or becomes unresponsive if the vendor configuration file gets corrupted during an URL categorization database update.
  [# 698948]

Networking

• In FTP passive proxy mode, the NetScaler appliance allocates the same port to more than one client.
  [# 642271]

• Adding an extended ACL/extended ACL6/PBR/PBR6 rule fails if the rule has the same set of conditions as that of a removed extended ACL/extended ACL6/PBR/PBR6 rule.
  [# 699886]

Optimization

• In certain cases, a NetScaler appliance might crash or become unresponsive, if the appliance fails to serve a range request from the cached content.
  [# 699392, 692176, 701481]

• A NetScaler appliance crashes if you execute an unsupported operation using Selectors in contentgroup for observing cache objects.
  [# 700581, 692600]

SSL

• If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
  [# 660257]

• On the MPX 5900/8900 and SDX 8900 platforms memory allocation fails in some partitions when the memory allocated from one partition is freed in another partition. This results in incorrect memory accounting across partitions causing memory allocation failures.
  [# 697089]

• The NetScaler appliance becomes unresponsive if after an SNI handshake is complete, an HTTP/1.1 request is received and the SNI certificate is unbound from the virtual server simultaneously.
  [# 697789, 697902, 698125, 699526]

• An SSL handshake fails if all of the following conditions are met:

  - Both OCSP stapling and session ticket are enabled on the SSL virtual server.

  - Server certificate is linked to its issuer certificate.

  - Client sends a status_request extension in the ClientHello message.
  [# 698066]

• The message “FIPS Card is not configured” appears if a NetScaler appliance performs a warm restart after the packet engine crashes.
  [# 699865, 700588]

System

• The NetScaler appliance does not initiate subflows (MP_JOIN's). The appliance expects the client to initiate subflows.
  [# 694416]

• A NetScaler appliance might crash if it receives original and retransmitted MP_JOIN SYN packets in succession.
  [# 697267]

• A NetScaler appliance might crash if it selects a MP_JOIN subflow that is not fully established to send a FASTCLOSE packet.
  [# 698360]

User Interface

• In a cluster setup, the “bind vlan” command and the management connection to the NetScaler appliance might fail if the length of both IP address and subnet mask is 15 characters each (including the decimal.)

  For example, bind vlan 100 192.168.250.196 255.255.255.204
  [# 699032, 702822]

• In a cluster setup, the nodes become unresponsive if you run any configuration command on the CLIP while sync is in progress on a non-CCO node.
  [# 700626]

• In a cluster deployment, you cannot set or reset the rsskey on each node.
  [# 701078]

Known Issues

• The TACACS attribute or group extraction is supported only if the backend is Cisco ACS TACACS+ Server. For TACACS server other than Cisco, the attribute or group extraction is not supported. For more information, see https://support.citrix.com/article/CTX220024.
  [# 651719]

• The group extraction for authorization policies cannot extract the groups from external access control lists (ACS) if the Identity Group parameter is configured as “All Groups.”

  Workaround: While creating the Device Administration Authorization Policy, specify the identity group that is required to bind to the shell profile.
  [# 652502]

• A NetScaler appliance configured for NetScaler AAA with LDAP over SSL can become unresponsive when the LDAP server is very slow to respond to requests. At this point, the packet engine is unable to process anymore authentication requests.
  [# 660065, 674005]

• In rare scenarios, response cookie from OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, length check for cookie value in success-rule configured in Forms SSO action on the NetScaler appliance needs to be updated with an appropriate value.
  [# 676450]

• When SAML authentication is employed as the log on method for Gateway users on FIPS hardware, and an encrypted assertion is sent from IdP, then the NetScaler appliance dumps core memory.

  This is applicable only for FIPS hardware platforms.
  [# 677458]

• If the primary and secondary passwords in a logon request are the same, and the first-factor authentication server prompts the user to change the password, the second-factor server uses the password that was sent in the logon request.

  Workaround: Configure the second-factor authentication server to use the http.req.user.passwd expression if the first-factor server requests a password change.
  [# 678553]

• In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for required users. Otherwise, EPA flow starts even for users that do not require EPA.

  Workaround: Configure EPA factor only for users requiring it. This could be achieved by configuring passthrough factors to make logic decisions.
  [# 680519]

• If forms based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected, because the server sends 64 byte cookie upon successful SSO.
  [# 681730]

• In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for required users. Otherwise, EPA flow starts even for users that do not require EPA.

  Workaround: Configure EPA factor only for users requiring it. This could be achieved by configuring passthrough factors to make logic decisions.
  [# 683224]

• The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials.

  Workaround:

  Create a traffic policy based on back-end URL and create a trafficAction with SSO OFF and No Proxy. The backend should be accessible.
  [# 689153]

• If you have to set a domain wide cookie for an authentication domain, you must enable authentication profile on a load balancing virtual server.
  [# 697727]

• The NetScaler appliance is unable to handle the authentication request if the client sends the request again after the authentication server has already generated the response.
  [# 701201]

• The NetScaler appliance configured for NetScaler AAA rejects the authentication if both of the following conditions are met:

  • The client certificate authentication is used for logon.

  • The certificate revocation list (CRL) check fails even though the checks are configured as optional.
  [# 701206]

• A NetScaler appliance configured for NetScaler AAA might become unresponsive while validating many incoming Kerberos authentication requests.
  [# 702907]

• A NetScaler appliance does not attempt SSO when you configure client certificate authentication but client always sends basic authorization header.
  [# 703466]

• The loginSchema policy in NetScaler AAA does not allow SSL expressions.
  [# 704497]

Admin Partitions

• Admin partitions are not supported on FIPS appliances, but you can nonetheless create them. You are advised against creating admin partitions on a FIPS appliance, because they will not function properly.
  [# 517145]

• In a partitioned NetScaler appliance with Shared VLAN configuration, the incoming packets received on a shared VLAN and destined to a partition get dropped if the partition's partitioned MAC (PMAC) address is learnt from the NetScaler Bridge table.
  [# 703325, 694214, 704386]

• In a rare scenario, the secondary appliance of a high availability setup fails during an HA force sync operation. The appliance fails because of a memory allocation failure in an admin partition.
  [# 703522, 690223]

AppFlow

• If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.
  [# 603177, 647386]

• In a NetScaler appliance, the Appflow data does not include values for TCP parameters such as SACK enabled, WS Factor, and RST Ended. As a result, AppFlow consumers do not receive data to make use of these parameters.

  - SACK enabled

  - WS Factor sent by NS

  - RST Ended
  [# 703437]

• The NetScaler appliance crashes while exporting data to SSL insight if both of the following conditions are met:

  -AppFlow is enabled.

  -You update or unbind an SNI certificate during the SSL transaction.
  [# 704352]

Application Firewall

• In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.

  Workaround: Use the Google Chrome browser.
  [# 648272]

• The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
  [# 650789, 650317, 658472]

• The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
  [# 660546]

• An alert is generated when you set the NetScaler AppFirewall session limit to a value of 0 or lower, because such a setting affects advanced protection check functionality that requires a properly functioning application firewall session.
  [# 668892]

• If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.

  Workaround: Turn off the Learning feature when skipping learned rules.
  [# 671807]

• In an HA environment, a NetScaler appliance running release 11.0 does not learn new rules when the application firewall feature is enabled.
  [# 672864]

• When a third-party version-0 signature object is merged with a user-defined signature that is not version 0 and has both native and user-defined rules, the resulting signatures are all version 0 and do not include the native rules.

  To include the native rules, you must update both signature objects (third-party and user-defined) before the merge. The update changes the version from 0. If you then perform the merge operation, the Native rules are included.
  [# 672970]

• Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
  [# 674864]

• If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.
  [# 682935]

• The IP address of a content switching virtual server cannot be accessed after an upgrade from a previous release to the current release. The POST request results in a 302 redirect error.
  [# 687314]

• In a HA environment, after an upgrade to release version 11.1 56.x, the NetScaler application firewall primary node fails to restart after a failover.
  [# 693905]

• On a NetScaler Application Firewall appliance, Analytics security insight support for content switching target LB vserver is missing.
  [# 694743]

• In a HA mode, the NetScaler appliance crashes due to corrupted memory issue when the AppFW profile policy custom settings are not properly configured, after an upgrade to the latest release version.
  [# 698678]

• The NetScaler appliance crashes when the Application Firewall feature is enabled.
  [# 699165, 700528]

• NetScaler appliance resets the HTTP connection and does not upload large files when application firewall is configured.
  [# 701164]

• The application firewall referer header check fails even after you manually add the referer URL to the relaxation rule.
  [# 701604]

Clustering

• For validating a Citrix NetScaler cluster setup against IPv6 ready logo suite, Citrix recommends to use cluster link aggregation (CLAG) consisting of only one interface per cluster node.
  [# 679468]

• In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.

  Workaround: Reduce the maximum segment size (MSS) to 1,360 bytes, in the cluster deployment.
  [# 692350]

DNS

• If the response to a proactive update contains an invalid query ID from the back-end service, the NetScaler appliance handles this response erroneously. A subsequent response with a valid query ID results in the appliance crash.
  [# 699318]

GSLB

• In a GSLB setup, uneven load balancing is observed when both of the following conditions are met:

  - The primary GSLB method is configured as Static Proximity with the backup method as Round Robin.

  - Multiple service location matches exist for multiple incoming requests.
  [# 700134]

• In a GSLB setup, the GSLB configuration sync operation is aborted when all of the following conditions are met:

  - NetScaler appliance is configured for GSLB in an admin partition.

  - The slave site is a high availability setup.
  [# 703753]

Licensing

• When NetScaler licenses hosted on NetScaler MAS expires, the NetScaler appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the NetScaler appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
  [# 697665]

Load Balancing

• If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.
  [# 671729]

• In a cluster setup, you cannot disable a service group if there are no services bound to it.
  [# 690943]

• In rare cases, if IPv6-IPv4 mapping is missing and persistence is enabled on the load balancing virtual servers, the secondary appliance might crash In a high availability setup.
  [# 700152, 700343]

• The NetScaler packet processing engine crashes when both of the following conditions are met:

  - Delete a server bound to a node group without unbinding the associated service.

  - Access the service associated with the deleted server.
  [# 704052]

NITRO

• The .NET NITRO SDK get call for snmpmib resource (snmpmib.get()) fails with JSON derserialization errors.
  [# 702648]

• The Java NITRO SDK of the NetScaler release 12 build 56.20 does not include some feature modules, for example, Networking and SSL.
  [# 702797]

NetScaler CPX

• Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
  [# 658734, 658736]

• Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
  [# 680693]

NetScaler GUI

• In older versions of Internet Explorer version 7, the browser incompatibility message does not appear for NetScaler release 11.1. The logon page directly appears, and you can log on successfully.
  [# 649052]

• If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.
  [# 657924]

• If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
  [# 658132]

NetScaler Gateway

• An error message appears when a user logs off of a Storefront session, if Gateway logon uses SAML based authentication for ICA Proxy mode.

  Workaround: Log off by closing the browser.
  [# 646706]

• The Internet Explorer 8 browser does not display the Gateway portal if the portal theme is set to Default, Greenbubble, or X1. The portal does appear if the portal theme is set to RfWebUI.
  [# 669942]

• If custom theme is applied for NetScaler 11.1 build 50.10, text for password field is not displayed.
  [# 671802]

• After a NetScaler HA failover, Citrix Receiver takes a few seconds to reconnect.
  [# 672067, 689973]

• RfWebUI based theme is not supported for an Authentication virtual server configured with Classic Authentication policies
  [# 672333]

• In an outbound ICA proxy deployment, the NetScaler appliance closes the client connection if the following conditions are met:

  - A TCP service has the same IP address as the destination server.

  - The TCP service also has the same IP port as the destination server.

  The appliance closes the connection because it fails to establish a connection with the destination server.
  [# 674632]

• When nFactor authentication is configured with multiple factors having custom password expressions, default password for all secondary factors is passwd1.

  Users need to configure passwordExpression in loginSchema to pick the right password for the given factor if the logon flow is nontrivial.
  [# 675401]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), hyperlinks listed under "Sites" are nonfunctional.

  Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
  [# 679117]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture.

  Workaround: Use Chrome or Firefox.
  [# 679176]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot drag and drop files.

  Workaround: Upload the document instead of using drag and drop.
  [# 679193]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a word (.doc) document.

  Workaround: Use Firefox to open the document.
  [# 679713]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), "Stop Following a Site" functionality is not available.
  [# 679744]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar.

  Workaround: Use Chrome or Firefox.
  [# 679747]

• If nFactor authentication is configured on a NetScaler Gateway appliance running release 11.1 build 11.1 51.x or later, native clients use authentication policies configured on the authentication virtual server. See https://support.citrix.com/article/CTX223386 for details.
  [# 680378]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), a link is broken on the Setting > Master Pages screen. The link to Folders on Site is nonfunctional.

  Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
  [# 680403]

• If you log on to a VPN in a cluster Deployment, the value of Total Connected Users is shown incorrectly for the NSIP addresses of all the nodes. The correct value is shown for the CLIP address.
  [# 681247]

• Responder policies are not supported for a Gateway virtual server configured with a portal theme based on RfWebUI.
  [# 684658]

• After upgrading to 11.1 build 55.13, the n-Factor authentication does not work if the first factor has NO-Authentication policy with "true" rule.

  Workaround: Avoid configuring "true" as rule for policy. Add the following expression for this policy:

  "http.req.url.contains("/nf/auth/doAuthentication.do")"
  [# 695650]

• After upgrading the NetScaler Gateway appliance to release 11.x or later, users might see a blank page upon log on. The blank page appears because the browser serves some of the files from its own cache, instead of requesting all the files from the upgraded appliance.

  Workaround: Clear the browser cache.
  [# 698839]

• In rare cases, a NetScaler Gateway appliance does not assign Intranet IP (IIP), when the transfer login is started and the previous session is dropped.
  [# 699996]

• The SSL-VPN audit log messages are not sent to the SYSLOG servers.
  [# 700823, 698853]

• In certain cases, if a NetScaler Gateway appliance tries to connect to a VMware Horizon View Connection Server, the connection server responds with an invalid session ID.
  [# 702689]

• In a High Availability (HA) setup, the secondary node does not respond because it receives an incorrect virtual server IP address from the primary node.
  [# 703007]

• In some cases, if a NetScaler Gateway appliance is configured for n-Factor authentication, the authentication fails if you log on to the appliance through Citrix Receiver. This happens because the NetScaler Gateway appliance is unable to set the "pwcount" cookie.
  [# 703341]

NetScaler ICA

• The session reliability on HA Failover feature is not supported between 64-bit and 32-bit kernels in an HA pair.
  [# 681628]

NetScaler Insight Center

• If you log on to a NetScaler Gateway appliance that is deployed in a full tunnel mode and access numerous URLs and IP addresses, Gateway Insight reports these URLs and IP addresses as Applications on the Application tab.
  [# 626944]

NetScaler SDX Appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.

  Workaround: Delete the 10G LACP/static channel that has this issue and create it again.
  [# 600152, 697276]

• The Rx/Tx Flow Control configuration is lost if you manually set the Rx/Tx Flow Control for a 1000BASE-T copper interface to OFF, and the interface is reset.

  Workaround: Enable Flow Control Auto Negotiation (ON).
  [# 643853]

• The current software driver for 1G ports does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.

  Workaround: After replacing the 1G SFP transceiver, reset the interface from Management Service. If the issue still persists, restart the appliance.
  [# 668696]

• In some cases, a client is unable to connect to the TCP-related VIP address of a NetScaler VPX instance on a NetScaler SDX appliance.
  [# 684106]

• When you upgrade a NetScaler SDX appliance from an older release to release 11.1 51.x and later, some of the VPX instances running on the SDX appliance fail to start if the following conditions are met:

  - The SDX appliance is configured with Intel X710 10G and XL710 40G NICs

  - More than 20 VPX instances run on the SDX appliance

  This happens because in older NetScaler releases (prior to 11.1 51.x) one NIC can support up to 40 VPX instances. However, from release 11.1 51.x onwards one NIC can support only up to 20 VPX instances.

  So, after you upgrade to release 11.1 51.x and later ensure that one NIC is configured for maximum 20 VPX instances. For additional VPX instances, configure a different NIC.
  [# 699567]

• When you log on to the SDX appliance as an external user by using an RADIUS, LDAP, or TACACS server, the NetScaler VPX instances that have not been configured in the group for external authentication don’t appear under NetScaler > Instances in the SDX GUI. This happens after you’ve upgraded the NetScaler SDX appliance from the following releases, any build:

  - From release 10.5 to release 11.1 or 12.0

  - From release 11.0 to release 11.1 or 12.0

  Workaround: Log on to the SDX appliance by using your nsroot credentials. From the SDX GUI, go to System > User Administration > Group. Select the group and click Edit. Under Instances, move the Available instances to Configured instances. Click OK to save changes. Log out from the SDX appliance and log on back as an external user.
  [# 703323]

• IPv6 traffic to the NetScaler SDX Management Service is blocked if you enable the ACL feature.
  [# 704847]

• In NetScaler SDX 8010/8015/8400/8600 appliances LOM upgrade hangs during single bundle image upgrade to 12.0 57.19.
  [# 706269]

NetScaler Secure Web Gateway

• The default certificate bundle is not listed when you run the show certbundle command.
  [# 685789]

• An authentication virtual server that is created by using the Secure Web Gateway wizard appears DOWN, because an SSL certificate is not bound to it. This does not affect the functionality.
  [# 686077]

• If you create a negotiate action by using a keytab file, the SWG wizard displays the domain name and user name instead of the service principal name (SPN).
  [# 686741]

• User authentication does not fail in transparent proxy mode even though an application firewall policy to block specific traffic is configured.
  [# 687328]

• You cannot send or receive multimedia messages by using WhatsApp in a NetScaler Secure Web Gateway deployment.
  [# 687748]

• An incorrect warning "No usable ciphers configured" appears if you change the SSL settings in a profile by using the Secure Web Gateway wizard.
  [# 689581]

NetScaler VPX Appliance

• Due to a limitation of the XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.
  [# 652640]

• The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.
  [# 657492]

• Due to a limitation in Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.
  [# 660000]

• The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset), because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.
  [# 660159]

• If you use the IP link set command to change the VLAN ID to zero, or any valid value, on the virtual function (VF) on the host, the physical function (PF) processes the tagged packets with the original tag and does not reflect the new VLAN ID.

  Workaround: Run a reset command on the NetScaler VF, after changing the VLAN ID or removing it from the host. For example:

  reset interface 10/1
  [# 672441]

• If you configure an MTU value on a NetScaler VPX appliance running on Citrix XenServer and save the value, and force a shutdown, the saved MTU value is lost, and the appliance displays the old value.
  [# 676417]

• A NetScaler VPX instance running on a NetScaler SDX appliance does not receive any traffic under the following set of conditions:

  - The Intel 710 series NICs of the NetScaler SDX appliance are connected to a switch with an LLDP-enabled port.

  - That port has been disabled and then enabled.
  [# 684860, 703400]

• If a NetScaler VPX instance deployed on KVM hypervisor is configured with SRIOV NICs and PCI Passthrough, when you add or remove SR-IOV or PCI Passthrough interfaces, the order in which the interfaces are presented to the NetScaler VPX instance changes. As a result, the configurations bound to the interfaces might not work.

  Workaround: Redo the configurations manually.
  [# 690896]

• If a KVM hypervisor runs on an AMD processor-based server, the NetScaler VPX instance running on the KVM hypervisor restarts cyclically and then stabilizes after a few iterations.

  Workaround:

  Add the following entry in /flash/boot/loader.conf

  vm.pmap.pg_ps_enabled="0"
  [# 692177]

• Error messages appear when an SR-IOV-enabled NetScaler VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
  [# 692334]

• A VPX instance running on VMware ESX server might lose network connection intermittently when the following conditions are met:

  - The VPX instance is upgraded to release 12.0, any build

  - Adapter type on the ESX server is E1000

  - The interface link on the adapter is down
  [# 705093]

Networking

• While responding to a VXLAN broadcast (for example, ARP and ND6), the NetScaler appliance does not look up the bridge table to populate the VNI field in the VXLAN header. The VNI field in the VXLAN header of the response is same as that of the incoming broadcast. This results in the peer VTEP dropping the response packets.
  [# 675626]

• The NetScaler appliance becomes unresponsive when it accesses memory that was not properly freed and therefore contains stale information about a session.
  [# 685233]

• The NetScaler appliance drops non-SYN TCP packets, which match an INAT rule, and a RESET is sent.
  [# 688642]

• After cluster synchronization, if some of the load-balancing monitors are not synchronized to the node, the NetScaler appliance fails to add the dependent static Monitor Static Route (MSR) routes.
  [# 700070]

• When the state of a VLAN becomes DOWN (due to all bound interfaces in DOWN state), the NetScaler appliance might remove some ECMP routes learnt through other UP VLANs.
  [# 703541]

• If ECMP routes are present in a NetScaler appliance and a new route is added for the same prefix with a lower metric or a distance, not all existing connections are updated with the new route. Only connections pointing to the first route of the ECMP set are updated with the new route.
  [# 703782]

Optimization

• For the NetScaler video optimization feature to work properly, you must not delete the built-in policies that have an "ns_videoopt" prefix (for example, ns_videoopt_http_abr_netflix).
  [# 670449]

• The new video optimization feature is not supported on a partitioned NetScaler appliance.
  [# 677320]

• The video insight option cannot be enabled for a specific virtual server. You can only enable it as a global setting (set appflow param -videoInsight ENABLED).
  [# 678625]

Policies

• If you use classic expressions to filter the output of the show connectiontable command, only a warning message appears.

  Workaround: Use advanced expressions instead.
  [# 680916]

• A NetScaler appliance becomes unresponsive and its memory gets exhausted when an authentication, authorization, and auditing (AAA) policy using an advanced policy expression bound to VPN servers leaks 256 bytes of data on execution.
  [# 701044]

• The nspepi tool for converting classic policy expressions to advanced policy expressions fails when the following set of conditions are met:

  - Advanced policy expressions are parsed in command line configurations.

  - Add policy expression conversion is incorrectly handled if the command line configurations contain comments.
  [# 704541, 706084]

SSL

• Secure renegotiation using SSLv3 protocol fails on MPX-FIPS appliances running firmware version 2.2.
  [# 550788]

• If you have configured two SafeNet HSMs in a high availability setup on a standalone NetScaler appliance, and the primary HSM goes down, the secondary HSM does not serve traffic after a failover.
  [# 628075]

• In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
  [# 667389]

• The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile <Default-Profile> command on a cluster IP (CLIP) address.

  Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.
  [# 673458, 689516]

• In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
  [# 678175, 678522, 678526]

• Configuration loss might occur if you upgrade from release 11.1 build 54.x to release 12.0 build 41.x or 51.x, in any one of the following scenarios:

  Scenario 1:

  1. Your deployment uses an SSL profile.

  2. In the SSL profile, sessionTicket is enabled and one or more of the following new secure session ticket parameters have non-default values:

  - sessionTicketKeyRefresh

  - sessionTicketKeyData

  - sessionKeyLifeTime

  - prevSessionKeyLifeTime

  Scenario 2:

  1. Your deployment uses a custom SSL profile.

  2. In the SSL profile, sessionTicket is disabled.
  [# 678176, 687205, 687098]

• You cannot add a CRL with X.509 version 1 on a NetScaler appliance if the explicit version field in that CRL is set to 0.
  [# 681878]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# 682859]

• You cannot set the previous session-key life time to its minimum value (0 seconds).
  [# 687135]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# 687208]

• On a NetScaler Secure Web Gateway appliance, running the clear config command does not reset the certificate bundle to the default certificate bundle.
  [# 689898]

• SSL classic policy expressions are not honored.

  Workaround: Use SSL default policy expressions.
  [# 692137]

• If your deployment uses ECDHE ciphers, ECC curves are not bound by default to a NetScaler CPX instance.

  Workaround: Manually bind ECC curves to the NetScaler CPX instance.
  [# 700363]

• A NetScaler MPX 5900, MPX 8900, or SDX 8900 appliance might crash if you enable policy based renegotiation.
  [# 702328]

Secure Web Gateway

• You cannot add an SSL interception or a URL categorization policy by using the NetScaler GUI because the list of categories is missing.

  Workaround: Use the NetScaler CLI to add the policies.
  [# 705340]

System

• If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
  [# 331889]

• On a partitioned NetScaler appliance, you can no longer use the same command to bind a system user and a command policy to a system group. Instead, you must use two different commands. For example:

  "bind system group grpX -userName userX"

  "bind system group grpX -policyName superuser 1"

  If you try to bind both arguments with a single command, the appliance displays an error message: Arguments cannot both be specified [policyName, userName.]
  [# 652345]

• The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
  [# 654087]

• A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.
  [# 657565, 686496]

• If you enable Web Logging feature before configuring the log buffer size, the NetScaler appliance does not apply the buffer size after a restart.

  Workaround: Configure the log buffer size before you enable the Web Logging feature.
  [# 667392]

• When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.
  [# 674165]

• A NetScaler appliance in a clustered setup displays a "Cannot allocate memory" error message if you use the set command to set the server domain name in a SYSLOG action.

  Workaround: Delete the SYSLOG action in which you set the domain name, and add a new SYSLOG action that specifies the server domain name instead of the server IP address.

  rm syslogaction

  add syslogaction -loglevel [-options ...]
  [# 687067]

• Random packets on loopback interface are found missing if you capture nstrace on a NetScaler appliance.
  [# 689837]

• A TCP transaction delay is observed if a NetScaler appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.
  [# 690965]

• When a NetScaler appliance completely closes an active TCP connection, if the back-end server has its connection in TIME_WAIT state, the server silently drops the connection. When dropping the connection, the server uses the same 4tuple unless the initial sequence number of the connection is greater than the current running sequence number of an existing connection. As a result, the appliance keeps retrying to establish the connection but the transaction fails.
  [# 692473]

• A NetScaler appliance silently truncates and drops HTTP request body packets greater than the maximum HTTP header size configured in the HTTP profile. The request body is truncated only if the appliance receives an HTTP request after an incomplete header assembly (request header spanning more than one packet) and the request body is received when the appliance awaits a TCP acknowledgment for the request header sent to the server. The truncation results in TCP retransmission and latency issues.
  [# 695668]

• If you have a VPX appliance on an SDX platform or NetScaler devices managed by MAS, after an upgrade, the appliance does not display a notification message, “Call home is enabled by default” on the first user log on for 24 hours.
  [# 698292]

• A NetScaler appliance aborts a websocket connection that tracks failed websocket upgrade attempts. This leads to a connection closure with App Flow feature or "Drop invalid requests" option enabled on the HTTP profile.
  [# 699831]

• A NetScaler appliance might crash if it sends messages from one processor to another processor, for deleting a steering session in some error cases.
  [# 700423]

• A NetScaler appliance might crash if the following set of conditions are met:

  * Either the Compression policy or its actions are changed.

  * AddVaryHeader is enabled when configuring the compression parameters.
  [# 702081]

• After an upgrade, instead of initiating a new TCP connection to the back-end server for CONNECT Requests, the NetScaler appliance reuses a client connection from the reuse pool. The client connection reuse might not be accepted by some back-end servers.
  [# 704304]

• A NetScaler appliance might crash if the SPDY feature is enabled in an HTTP profile for accessing freed internal connection structures.
  [# 704835]

Telco

• The NetScaler appliance displays an error message if you have configured a negative value for the Random Sampling Percentage parameter.

  Workaround: Configure a positive integer ranging from 0 to 100 for the parameter.
  [# 693421]

Telco URL Filtering

• When you filter an incoming URL using the URL Categorization feature, the appliance does not include the domain name in the TCP analytics (Appflow) data. As a result, an external server receiving the data is unable to detect the domain name of the URL set.
  [# 693818]

• If you import a private URL set into your NetScaler appliance, the appliance by default discloses the domain name of the URL set in the analytics (Appflow) data. Instead, the appliance must display the domain name as “Illegal".
  [# 702303]

Upgrade and Downgrade

• When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has been completed.

  Workaround: Log off and log back on to the NetScaler appliance to check the firmware version.
  [# 646046]

• The auto cleanup option (/installns -c) is not supported in NetScaler release 12.0.

  Clean up flash manually if space is insufficient when upgrading or downgrading a NetScaler appliance.
  [# 683380]

User Interface

• When a non-nsroot system user logs on to the NetScaler GUI, the set system parameter command is executed internally. This command fails because the user is not authorized to run this command. The appliance creates entries in the ns.log files for this command failure for this user. These log entries introduce an ambiguity regarding whether the user requires specific permission for this command.

  With this fix, this internally run command is no longer logged in the ns.log file.
  [# 665454]

• A timezone setting ("set timezone” command) in a NetScaler appliance running release 11.1 might get lost after you upgrade it to a later release.

  Workaround: Set the required timezone (by using the "set timezone" command in the NetScaler CLI or the NetScaler GUI) again on the upgraded appliance.
  [# 692565, 683168]

Video Optimization

• A NetScaler appliance is unable to optimize QUIC-based video traffic if pacing policies are bound to QUIC load balancing virtual server at response time.

  Workaround: Bind the policies to the QUIC load balancing virtual server only at request time.
  [# 697461]

What's New in Previous NetScaler 12.0 Releases

• SAMLIDP Single Logout Support for Redirect and Post Bindings

  SAMLIDP single logout support for Redirect and Post bindings is now available.
  [From Build 35.6] [# 642105]

• Support for SHA2 Message Digest on a NetScaler MPX FIPS Appliance

  A NetScaler MPX FIPS appliance functioning as a SAML service provider or a SAML identity provider can now be configured to use the SHA2 algorithms on FIPS hardware.
  [From Build 53.22] [# 673799]

• Group Attribute Parsing Support from a SAML Assertion

  You can now configure a NetScaler appliance to parse attributes in SAML assertions as group attributes. Parsing them as group attributes enables the appliance to bind policies to the groups. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
  [From Build 53.22] [# 681375]

• HMAC SHA256 Authentication Support for NetScaler AAA

  The NetScaler appliance configured for NetScaler AAA now accepts incoming tokens that are signed using keyed-hash message authentication code (HMAC) HS256 algorithm. In addition, the public keys of the SAML Identity Provider (IdP) are read from a file, instead of learning from a URL endpoint.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/aaa-tm/oauth-authentication.html.
  [From Build 56.20] [# 681415]

• Audience Restriction Check Support for NetScaler configured as SAML SP

  A NetScaler appliance configured as a SAML service provider can now enforce an audience restriction check. The audience restriction condition evaluates to “Valid” only if the SAML replying party is a member of at least one of the specified audiences. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
  [From Build 53.22] [# 687628]

• Support for RSA Private Key Decryption for SAML Operations on a NetScaler MPX FIPS Appliance

  A NetScaler MPX FIPS appliance used as a SAML service provider now supports encrypted assertions.
  [From Build 53.22] [# 688140, 635174]

• OpenID connect support for NetScaler AAA

  A NetScaler appliance can now be configured as an identity provider by using OpenID Connect protocol. OpenID Connect protocol is an add-on to OAuth mechanism to get user information from an authorization server.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/aaa-tm/configuring-openid-connect-protocol.html.
  [From Build 56.20] [# 691235, 691739, 617838]

Admin Partitions

• VXLAN Support for Admin Partitions

  A partitioned NetScaler appliance now supports Virtual eXtensible Local Area Networks (VXLANs) protocol. A VXLAN can be created in the default partition and bound to any administrative partition. When you extend a VXLAN to a VLAN, binding a VLAN to a partition will also bind the VXLAN to the same partition. However, the appliance does not support shared VXLAN and does not allow you to extend a VXLAN to a shared VLAN.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651332]

• Configurable Partition Resource Limit

  When you create an administrative partition, you can now set a partition resource (such as memory, bandwidth, or connections) limit to zero, which specifies that use of the resource is unlimited. The partition can consume up to the system limit. For a previously created partition, you can increase or decrease the limit or set the limit to zero.
  [From Build 35.6] [# 652187]

• Memory Management in Admin Partitions

  In a partitioned NetScaler appliance, the partition connections are now accounted from the partition quota memory. Previously, the connections were accounted from the default partition quota memory.
  [From Build 35.6] [# 652198]

• Blocking VRRP on Shared VLANs in Admin Partitions

  On a partitioned NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) protocol is now supported only on non-shared VLANs. It is blocked on shared VLANs (tagged or untagged type) bound to a default or an administrative partition.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 655514]

• SNMP Traps for Admin Partition Rate Limiting

  On a partitioned NetScaler appliance, a SNMP-RATE-LIMIT alarm can generate six new SNMP traps for notification that a partition resource (such as connection or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.

  Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance can send the trap messages.

  The threshold and limit values for partition rate limiting are:

  Highest threshold = 80% (applicable for all partition rate limit traps)

  Lowest threshold = 60 % (applicable for all partition rate limit traps)

  Memory limit = 95% (applicable only for partition memory traps)

  The six new SNMP traps are:

  partitionCONNThresholdReached. Number of active connections for a partition exceeds its high threshold.

  partitionCONNThresholdNormal. Number of active connections are less than or equal to the configured normal threshold percentage.

  partitionBWThresholdReached. Partition's bandwidth usage reaches configured high threshold percentage.

  partitionMEMThresholdReached. Current memory usage of the partition exceeds its high threshold percentage.

  partitionMEMThresholdNormal. Current memory usage of the partition is less than or equal to the configured normal threshold percentage.

  partitionMEMLimitExceeded. Current memory usage of the partition exceeds its memory limit percentage
  [From Build 35.6] [# 655560]

• SNMP Monitoring for Partition Resource Utilization

  The SNMP Get and Walk functionalities are now supported on a partitioned NetScaler appliance for monitoring resource utilization details such as of bandwidth, memory, or connection resources.
  [From Build 56.20] [# 676597]

AppExpert

• Blacklisting Up to One Million URLs by Using URL Sets

  To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can include up to one million (1,000,000) blacklisted URLs. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF). After downloading and importing the URL set, the appliance encrypts it (as required by these agencies) and keeps it confidential so that the entries are not tampered with.

  The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you can use an expression that evaluates the URL on the basis of an exact string match. For URLs that have metadata, you can use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
  [From Build 35.6] [# 628124]

Application Firewall

• Generate SNMP alarm and log message when application firewall Session limit is reached

  When NetScaler reaches appfw_session_limit and CSRF checks are enabled, the web application freezes.

  To prevent web application freeze, decrease the session timeout and increase the session limit by using the following commands:

  From CLI: > set appfw settings -sessiontimeout 300

  From shell: root@ns# nsapimgr_wr.sh -s appfw_session_limit=200000

  Logging and generating SNMP alarm when appfw_session_limit is reached assists users in troubleshooting and debugging issues.
  [From Build 35.6] [# 589567]

• Application Firewall GUI - Signature Editor

  When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules.

  The signature editor displays the following four new rows:

  1. New Rules

  2. Updated Rules

  3. Duplicate Rules

  4. Invalid Rules

  The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in signature editor.
  [From Build 35.6] [# 656279]

• Configure Application Firewall Session Limit Through the CLI

  You can now use the CLI to configure the Application Firewall session limit. Enter the following command:

  set appfw settings -sessionLimit <value>

  Where <value> is the maximum number of sessions allowed for each packet engine. Minimum value: 0. Maximum value: 500000. Default: 100000.
  [From Build 35.6] [# 662582]

Clustering

• SNMP MIB Support for Cluster Nodes

  In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node.

  To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command.
  [From Build 35.6] [# 628136, 623888]

• Disabling Steering for Forwarding Sessions in a Cluster Setup

  The default behavior of a NetScaler cluster is to direct the traffic that it receives (flow receiver) to another node (flow processor) that must then process the traffic. This process of directing the traffic from flow receiver to flow processor occurs over the cluster backplane and is called steering. This steering can be an overhead for real time processing or when high latency links are present in the setup.

  Steering for forwarding sessions can now be disabled so that the processing becomes local to the flow receiver and therefore makes the flow receiver the flow processor.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 636825]

• Monitor Static Route (MSR) Support for Inactive Nodes in a Spotted Cluster Configuration

  In a spotted cluster configuration, you can now configure an inactive or spare node to monitor a static route for which the MSR option is enabled. From a SNIP address owned exclusively by an inactive node, the node can send PING and ARP probes to an IPv4 route or ping5 and nd6 probes to an IPv6 route. Previously, only active nodes could monitor a static route.
  [From Build 35.6] [# 648194]

• VRID/VRID6 support for cluster

  When you migrate a high availability (HA) setup to a cluster setup, all configurations must be compatible and must be supportable in the cluster. To achieve this, you can now configure virtual router IDs (VRIDs and VRID6s) on a single-node cluster interface.
  [From Build 35.6] [# 655726]

• Managing Cluster Heartbeat Messages

  In a cluster configuration, you can now disable the heartbeat option on node interfaces. However, the heartbeat option on the backplane interface cannot be disabled, because it is required for maintaining connectivity among the cluster nodes.
  [From Build 35.6] [# 655842]

• TFTP Support in a Cluster Setup

  Trivial File Transfer Protocol (TFTP) is now supported in a NetScaler cluster setup. TFTP is a simple form of file transfer protocol and is based on the UDP protocol. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on a NetScaler cluster setup is compliant with RFC 1350. A server listens on port 69 for any TFTP request.

  The following features are supported:

  * INAT processing compliant with TFTP. If a NetScaler cluster receives a request packet whose destination is port 69 and that matches an INAT rule with the TFTP option enabled, the cluster's processing of the request and the corresponding response is compliant with the TFTP protocol. For an INAT configuration for a TFTP server, only spotted SNIP addresses are supported for the server-side communication.

  * RNAT processing compliant with TFTP. When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on a NetScaler cluster, the cluster's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol. In an RNAT configuration of TFTP servers, only spotted NAT IP addresses are supported for the TFTP server-side communication.
  [From Build 35.6] [# 658631]

• Audit-Log Support in Cluster

  A cluster setup of NetScaler appliances now supports the audit-log feature.
  [From Build 35.6] [# 669938]

• Support for Heterogeneous Cluster

  The NetScaler appliance now supports heterogeneous cluster in a cluster deployment. A heterogeneous cluster spans nodes of different NetScaler hardware and you can have a combination of different platforms in the same cluster. For more information, see https://docs.citrix.com/en-us/netscaler/12/clustering/support-for-heterogeneous-cluster.html.
  [From Build 56.20] [# 691119, 682150]

DNS

• Support for Wildcard DNS Domains

  You can now use wildcard DNS domains to handle requests for a nonexistent domains and subdomains. In a zone, if you want to redirect queries for all nonexistent domains or subdomains to a particular server, you can use wildcards rather than creating a separate Resource Record (RR) for each such domain. The wildcard RRs synthesize the responses to queries for a nonexistent domain or a subdomain name.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 558993]

• Caching of EDNS0 Client Subnet (ECS) Data when the NetScaler Appliance is in Proxy Mode

  In NetScaler Proxy mode, if a back-end server that supports ECS sends a response containing the ECS option, the NetScaler appliance forwards the response as-is to the client and stores it in the cache, along with the client subnet information. Further DNS requests that are from the same subnet of the same domain, and for which the server would send the same response, are then served from the cache instead of being directed to the server.
  [From Build 35.6] [# 626837]

• Securing DNS Keys with Passwords on a Partitioned NetScaler Appliance

  You can now secure the DNS keys with passwords on a partitioned NetScaler appliance.

  Specify the password in the create dns key command, and then specify the same password in the add dns key command when adding the DNS key to the NetScaler appliance.
  [From Build 35.6] [# 655295]

GSLB

• Configuring GSLB by Using a Wizard in the NetScaler GUI

  You can now use a wizard to configure the GSLB deployment types (active-active and active-passive) and parent-child topologies. In the NetScaler GUI, navigate to Configuration > Traffic Management > GSLB, and click Get Started.

  You can also start the GSLB configuration wizard from the dashboard. The dashboard provides the overall status of the GSLB sites participating in GSLB. You can also synchronize the sites and test the GSLB setup from the dashboard. To access the GSLB dashboard, navigate to Configuration > Traffic Management > GSLB > Dashboard.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 664467]

Licensing

• Support for Higher Number of vCPUs

  With NetScaler Pooled Capacity, the NetScaler VPX instances can be configured for bandwidth licensing up to 100G and 20 vCPUs.

  With NetScaler Check-in/Check-out licensing, the NetScaler VPX instances can be configured with bandwidth licenses up to 100G
  [From Build 53.22] [# 687192]

Load Balancing

• SNMP OID for Tracking Persistence Sessions on a Per-Vserver Basis

  The vsvrCurPersistenceSessions (1.3.6.1.4.1.5951.4.1.3.1.1.76) SNMP OID provides the number of current persistence sessions on each virtual server.
  [From Build 35.6] [# 346825]

• Setting alertRetries to a Value Higher than the Retries Value

  The alertRetries parameter, which specifies the maximum number of consecutive monitoring-probe failures after which the NetScaler appliance generates an SNMP trap called monProbeFailed, can now be set to a value higher than the Retries value (which specifies the maximum number of probes to send to establish the state of a service for which a monitoring probe failed). If the alertRetries value is higher than the Retries value, the SNMP trap is not sent until after the service is DOWN.

  For example, if you set Retries to 3, alertRetries to 12, and the time interval to 5 seconds, the service is marked DOWN after 15 seconds (3*5), but no alert is generated. If the monitor probes are still failing after 60 seconds (12*5), the NetScaler appliance generates a monProbeFailed trap. If a probe succeeds at some time between 15 and 60 seconds, the service is marked UP and no alert is generated.
  [From Build 35.6] [# 422816]

• Connection Failover Support for IPv6 Load Balancing Configurations

  Connection failover support has been extended for IPv6 load balancing configurations. Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. If the L2Conn parameter is set, Layer 2 connection parameters are also synchronized with the secondary.

  You can set up connection failover in either stateless or stateful mode. In the stateless connection failover mode, the HA nodes do not exchange any information about the connections that fail over. This method has no runtime overhead. In the stateful connection failover mode, the primary appliance synchronizes the data of the failed-over connections with the new secondary appliance. Connection failover is helpful if your deployment has long lasting connections.

  For example, if you are downloading a large file over HTTP and a failover occurs during the download, the connection breaks and the download is aborted. However, if you configure connection failover in stateful mode, the download continues even after the failover.
  [From Build 35.6] [# 472611]

• Configuring Backup Persistence

  You can now configure a virtual server to use source IP persistence as the backup persistence type when the primary persistence type is rule-based. If the primary persistence lookup fails, the appliance uses source-IP based persistence when the parameter specified in the rule is missing in the incoming request.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 519440]

• Support for RADIUS Shared Secret

  A shared secret must now be configured in RADIUS load balancing deployments. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and the server. Transactions between the client and RADIUS server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.

  You can configure a default RADIUS shared secret, or you can configure a shared secret on a per-node basis. The appliance uses the client IP address or the server IP address in the RADIUS packet to decide which shared secret to use.

  In telco deployments, you must now configure a RADIUS client when you configure a RADIUS listener service. If a shared secret is not configured, the RADIUS message is silently dropped.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 564185]

• RADIUS Interim Message Support for RADIUS-Only Mode

  RADIUS interim message support has been added for RADIUS-only mode, to treat interim messages as start messages.
  [From Build 51.24] [# 675763]

• Support for Autofill of username from SAML Service Provider (SP)

  A NetScaler appliance used as a SAML Service Provider (SP) with Multi-Factor (nFactor) authentication now prepopulates the user-name field on the login page. The appliance sends a NameID attribute as part of an SAML authorization request, retrieves the NameID attribute value from the NetScaler SAML Identity Provider (IdP), and prepopulates the user-name field.
  [From Build 51.24] [# 677540]

• Backup Persistence Support for SSL Session ID

  Source IP persistence is now supported as a backup persistence type for SSL session ID persistence. If the client and load-balanced server renegotiate the session, and source IP persistence is configured as the backup persistence, client requests are forwarded to the same server.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/session-id-persistence.html
  [From Build 56.20] [# 681813]

NITRO

• Prevent XSS and CSRF Attacks by Disabling Basic Authentication

  As an administrator or a root user, you can now prevent users from making API calls after using basic authentication (such as one-time credentials) to log on. You can use this feature to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other types of attacks.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 611690, 570838]

• View Individual Counter Information

  To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format.

  URL: http://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:<counter1>;<counter2>

  Previously, these counter values could be viewed only through the "nsconmsg" Shell command.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 622976]

NetScaler CPX

• Ability to Assign Multiple Interfaces to NetScaler CPX

  You can now assign dedicated network interfaces to the NetScaler CPX container by using a NetScaler CPX-specific environment variable. The network interfaces that you define are held by the NetScaler CPX container until you uninstall the NetScaler CPX container. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
  [From Build 53.22] [# 656533]

• Support for Licensing the NetScaler CPX with Multiple Cores

  You can use NetScaler MAS to pool your NetScaler CPX licenses, and use NetScaler MAS as a licensing server. You can use the NetScaler GUI to install licenses in MAS by uploading the license files or using the License Access Codes (LACs) that you purchased from Citrix. If you are provisioning a NetScaler CPX deployment with multiple vCPU cores, each core is allocated a CPX license from the license pool. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/cpx-licensing.html.
  [From Build 51.24] [# 673368]

• Ability to Control the Throughput Performance of NetScaler CPX

  When a NetScaler CPX container does not receive any incoming traffic to process, it yields CPU cycles, which causes low throughput performance. When provisioning the NetScaler CPX container, you can now use the CPX_CONFIG environment variable to control the throughput performance of the NetScaler CPX container in such cases. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
  [From Build 51.24] [# 687896]

NetScaler GUI

• PHP Version Upgraded from Version 5.3.17 to 7.0.13

  PHP has been upgraded from version 5.3.17 to version 7.0.13 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
  [From Build 35.6] [# 572765]

• NetScaler GUI Masks Full Path

  To enhance security, the NetScaler GUI no longer displays the full path to an admin partition when a file browser is opened for an activity such as SSL certificate installation. Everything except the last part of the path is masked.
  [From Build 35.6] [# 661475]

• Changes in Create Monitor Page and Persistence Type Selection

  In Create Monitor Page, the Standard Parameters and Special Parameters are renamed to Basic Parameters and Advanced Parameters respectively. The Basic Parameters section contains the parameters that must be set for each monitor. The Advanced Parameters section contains the parameters that can be used in advanced use cases.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-configure-monitors/create-monitor.html

  In Persistence Type Selection page, when selecting the persistence types, the most suitable persistence types for a virtual server is available as option buttons. Other persistence types that are applicable to the specific virtual server type can be selected from the Others list.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/rule-persistence.html
  [From Build 56.20] [# 669787, 655064, 687327]

• Support for Atomocity in Wizards

  The new atomicity feature removes the residual configuration left by an unsuccessful configuration attempt, so that you can successfully reconfigure the entity by using a wizard in Citrix XenMobile, XenApp, NetScaler Gateway, NetScaler Unified Gateway, or GSLB. Previously, co-entities and other unwanted configurations left by the unsuccessful configuration attempt caused error messages to appear.
  [From Build 35.6] [# 669990]

NetScaler Gateway

• Configuring Separate Ports of a RADIUS Server for Accounting and Authentication Functionalities

  You can now configure separate ports of a RADIUS server (other than the default ports) for accounting and authentication functionalities.
  [From Build 35.6] [# 355523, 634307]

• Proxy Auto Configuration for Outbound Proxy

  You can now configure the NetScaler Gateway appliance to support Proxy Auto Configuration (PAC). Upon configuration, a PAC file URL is pushed to the client browser, the traffic initiated from browser is then redirected to the respective proxies based on the conditions defined in the PAC file.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 378411]

• Support for validating the server certificate provided by the back-end server during an SSL handshake.

  The NetScaler Gateway appliance can now be configured to validate the server certificate provided by the back-end server during an SSL handshake.

  You can use the NetScaler CLI or the NetScaler GUI to configure the NetScaler appliance to validate the server certificate.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/validating-server--certificate-during-ssl-handshake.html.
  [From Build 56.20] [# 481784, 402833, 508834, 682862]

• Support for One Time Password (OTP)

  NetScaler Gateway now supports one-time passwords (OTPs) without having to use a third-party server. In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the NetScaler appliance.

  Note that, since third-party servers are no longer needed, the gateway administrator has to configure an interface to manage and validate user devices.

  To use the OTP feature, a user must be registered with a NetScaler Gateway virtual server. Registration is required only once per unique device, and typically is restricted to certain environments. Configuring validation of a registered user is similar to configuring an additional authentication policy. For more information about this feature, see http://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html
  [From Build 51.24] [# 603663]

• Support for EPA in GSLB Active-Active deployment

  EPA now functions reliably on GSLB Active-Active deployment.
  [From Build 35.6] [# 619596]

• Authorization policy support for UDP, DNS, and ICMP Traffic

  The NetScaler Gateway appliance now supports authorization policy configuration for UDP, DNS, and ICMP traffic. The policy can be configured by using only default syntax policies.
  [From Build 56.20] [# 621062]

• SNI Support for NetScaler Gateway

  A NetScaler Gateway appliance can now be configured to include a server name indication (SNI) extension in the SSL “client hello” packet sent to the backend server. The SNI extension helps the backend server identify the FQDN being requested during the SSL handshake and respond with the respective certificates.

  Note: Enable SNI support when multiple SSL domains are hosted on same server.

  For more information, see http://docs.citrix.com/en-us/netscaler-gateway/12/configuring-server-name-indication-extension.html.
  [From Build 53.22] [# 624091]

• PCoIP Proxy Support for VMware View

  NetScaler Gateway now supports the PCoIP protocol which is the core building block for several VDI solutions, including VMware Horizon View solution. This enables the solution to deliver desktops and applications and secure data on a variety of endpoint devices more efficiently.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 632624]

• Support for Logon Lockdown Control

  Logon lockdown control is now supported on a NetScaler cluster. Unsuccessful logon attempts are recorded in a distributed hash table (DHT). The advantage of using the DHT is that both n2n (node to node) and c2c (cluster to cluster) messaging are supported.
  [From Build 35.6] [# 635415]

• Support for Logon Lockdown Control

  The User Lockdown Control feature is now available for system role-based access control users on a cluster.
  [From Build 35.6] [# 650547, 490670]

• Support for logging out from a VPN session upon removal of smart-card from the logged on device.

  You can now optionally log out from a VPN session if you remove smart-card from the logged on device.
  [From Build 35.6] [# 654943]

• EDT as a Data Transmission Path Support for NetScaler Gateway

  The NetScaler Gateway appliance now supports the HDX Enlightened Data Transport (EDT) as a data transmission path. EDT provides a high definition in-session user experience of virtual desktops for users running a Citrix Receiver.
  [From Build 35.6] [# 659795, 666135]

• Logging "Destination IP address" and "ICA Proxy policy name" for Outbound ICA Proxy

  Now "Destination IP address" and "ICA Proxy policy name" are logged additionally along with other information logged earlier for Outbound ICA Proxy.
  [From Build 35.6] [# 661832]

• Support for SAML ForceAuthn Parameter and Artifact Binding (when NetScaler is SP) using GET HTTP Method

  NetScaler SAML SP (Service Provider) module now sends additional attribute called 'ForceAuth' in the authentication request to external IDP (Identity Provider). By default, the ForceAuthn carries a value of 'false'. It can be set to 'true' to provide a hint to IDP to force authentication despite existing authentication context.

  Additionally, NetScaler SP does authentication request in query parameter when configured with artifact binding.
  [From Build 35.6] [# 665828]

• Inter-operability with OAuth

  NetScaler Gateway is now able to process JWT (Json Web Tokens) during logon. Gateway is required to be configured with an OAuth action that contains a URL to fetch the certificates to verify incoming JWT. This enables Gateway to inter-operate with OAuth providers.
  [From Build 35.6] [# 671380]

• Multi-Stream ICA Functionality Support for EDT

  NetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.
  [From Build 35.6] [# 671878]

• Support for End-point analysis and VPN plugins for Firefox

  End-point analysis and VPN plug-ins get launched from Firefox browser, build 52.0 or later, even though the browser no longer supports NPAPI plug-ins.
  [From Build 51.24] [# 679998, 682798]

• Network Access Control and Conditional Access for Windows by using Microsoft Enterprise Mobility + Security (EMS).

  The NetScaler Gateway client running on Windows machine can now be configured to provide Network Access Control and Conditional Access using Microsoft Enterprise Mobility + Security (EMS).
  [From Build 56.20] [# 689493]

• Support for End-to End Encryption with DTLS 1.0 for Enhanced Data Transport (EDT) Termination between Receiver and VDA.

  With this enhancement, the NetScaler Gateway appliance supports end-to end encryption with DTLS 1.0 for EDT termination between Receiver and VDA.

  Also, the appliance can now be configured for the Double-hop functionality for EDT traffic between Receiver and VDA.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/hdx-enlightened-data-transport-support.html.
  [From Build 56.20] [# 690030]

• Proxy Auto Configuration (PAC) Support for Client Running on Mac Operating System

  The NetScaler Gateway appliance can now be configured to support Proxy Auto Configuration (PAC) for a client running on Mac operating system.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/proxy-auto-configuration-for-outbound-proxy-support-for-netScaler-gateway.htmlhttps://docs.citrix.com/en-us/netscaler-gateway/12/proxy-auto-configuration-for-outbound-proxy-support-for-netScaler-gateway.html.
  [From Build 56.20] [# 690852]

• Using Advance Policy

  - The following VPN policies can now be configured by using default syntax policies.

  - Session Policy

  - Authorization Policy

  - Traffic Policy

  - Tunnel Policy

  - Audit Policy

  - End Point Analysis (EPA) scan functionality can be now configured as an nFactor for authentication. Previously the EPA scan was configured as part of session policy. Now it can be linked to nFactor providing more flexibility, as to when it can be performed.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/using-advance-policy-to-create-vpn-policies.html.
  [From Build 56.20] [# 695727]

NetScaler SDX Appliance

• Support for FQDN as External Server Name

  For LDAP and RADIUS servers, you can now use Fully Qualified Domain Names (FQDNs) to specify external servers. Previously you had to specify IP addresses for all external servers.

  For more information, see http://docs.citrix.com/en-us/sdx/12/configuring-management-service/configuring-external-authentication-server.html.
  [From Build 51.24] [# 684417]

• Support for SWG Instances on a NetScaler SDX Appliance

  This release supports Secure Web Gateway (SWG) instances on all NetScaler SDX platforms. You must purchase an "SDX 2-Instance Add-On Pack for Secure Web Gateway" license to provision an SWG instance on the SDX appliance. For more information, see https://docs.citrix.com/en-us/sdx/12/deploying-sdx-swg-instances.html.
  [From Build 56.20] [# 693950]

NetScaler Secure Web Gateway

• Support for a new product called NetScaler Secure Web Gateway

  The NetScaler Secure Web Gateway (SWG) implementation supports the following features:

  * SSL Interception - Intercept HTTPS traffic and apply policies to enforce compliance rules and security checks. The traffic is intercepted, blocked, or bypassed on the basis of the configured policies.

  * Forward Proxy - Support for transparent and explicit proxy modes. In explicit proxy mode, an IP address must be specified in the client's browser, unless the organization pushes the setting onto the client's device. This address is the IP address and port of a proxy server that is configured on the SWG appliance. All client requests are sent to this IP address. In transparent proxy mode, a proxy is not configured on the client's device. The SWG appliance is configured in an inline deployment, and the appliance transparently accepts all HTTP and HTTPs traffic.

  * Identity Management - Tag traffic to the users so that administrators can take user based actions. Authentication is explicitly enabled, or user information from the active directory is extracted and tagged to the traffic.

  * URL Threat Intelligence - Enable the appliance to categorize internet sites to more effectively enforce compliance policies around internet usage. URL threat intelligence also provides the reputation score of the URLs that are being accessed, to protect the users from exposure to harmful (malware/phishing) internet sites. You can also deploy custom URL lists that are managed by independent internet organizations, such as the Internet Watch Foundation (IWF), or create blacklists and whitelists of URLs by using pattern sets.

  * Analytics - The transaction-level records are exported from Secure Web Gateway to NetScaler MAS by using the Logstream transport mechanism. In NetScaler MAS, the User Behaviour Analytics dashboard displays user internet-usage information. It also shows the transaction-level details per user. From the Outbound Traffic Dashboard, you can view the overall network details, and the top websites in terms of maximum bandwidth consumption.

  Using the above features, an administrator can protect the enterprise network from external threats coming from the web in the form of malware, by defining policies to do the following:

  - Block access to URLs identified as serving harmful content.

  - Identify end users in the enterprise (employees) who are accessing malicious websites, and categorize them as high-risk users.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler-secure-web-gateway/12.html.

  Important! Secure Web Gateway requires its own platform license. Contact your local Citrix sales representative to purchase your license.
  [From Build 51.24] [# 653661]

• New nodes in the GUI

  The Load Balancing and Content Switching nodes now appear, after the Secure Web Gateway node, in the NetScaler Secure Web Gateway GUI. You can configure deployments with both secure web gateway, and load balancing or content switching features from the NetScaler Secure Web Gateway GUI.

  Also, the SSL Interception node is renamed to SSL Interception Policies.
  [From Build 56.20] [# 695039]

NetScaler VPX Appliance

• Support for AWS Auto Scaling Service

  AWS Auto Scaling in now supported on VPX instances.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/configuring-aws-auto-scaling-service.html.
  [From Build 51.24] [# 432348, 432345, 487534]

• Support for Key-Pair Based Authentication

  For VPX deployment on KVM OpenStack, you can now use key-pair based authentication to log on and access a VPX instance in a more secure way. You can also execute custom scripts with a userdata file.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 617478]

• Two New Commands to Control CPU Usage Behavior

  Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMWare ESX and Citrix XEN environments:

  1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

  Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

  Set ns vpxparam parameters:

  -cpuyield: Release or do not release of allocated but unused CPU resources.

  YES: Allow allocated but unused CPU resources to be used by another VM.

  NO: Reserve all CPU resources for the VM to which they have been allocated. This option shows higher percentage in hypervisor for VPX CPU usage.

  DEFAULT: NO

  Note: On all NetScaler VPX platforms, the vCPU usage on the host system will be 100 percent. Type the set ns vpxparam –cpuyield YES command to override this usage.

  2. show ns vpxparam

  Display the current vpxparam settings.
  [From Build 51.24] [# 625698]

• Two New Commands to Control CPU Usage Behavior

  Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMWare ESX and Citrix XEN environments:

  1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

  Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

  Set ns vpxparam parameters:

  -cpuyield: Release or do not release of allocated but unused CPU resources.

  YES: Allow allocated but unused CPU resources to be used by another VM.

  NO: Reserve all CPU resources for the VM to which they have been allocated.

  DEFAULT: Reset -cpuyield to its factory default value based on license.

  - If license <= 8G, release CPU resources.

  - If license > 8G, use up all the CPU resources allocated to it.

  2. show ns vpxparam

  Display the current vpxparam settings.
  [From Build 35.6] [# 625698]

• Support for VMware ESXi 6.5 server

  NetScaler VPX appliances now support VMware ESXi 6.5 server.
  [From Build 35.6] [# 643974]

• Support for High-Performance VPX on OpenStack

  You can now deploy high-performance NetScaler VPX instances that use single-root I/O virtualization (SR-IOV) technology, on OpenStack. Also, on the OpenStack host, you can configure VLAN tagging on the SR-IOV virtual functions.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 660055]

• Support for SR-IOV Interfaces for NetScaler VPX Instances on AWS

  After you have created a NetScaler virtual instance on AWS, you can use the AWS CLI to configure the virtual appliance to use SR-IOV network interfaces. For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/Config-NS-VPX-SRIOV-AWS.html
  [From Build 53.22] [# 673928]

• Active/Passive Multi-NIC Multi-IP HA-INC Deployment on Azure

  You can deploy a NetScaler VPX pair with multiple IP addresses and network interfaces in active/passive high availability (HA) Independent Network Configuration (INC) mode. Use the new Citrix NetScaler HA template on Azure for deployment, or use Windows PowerShell commands.

  For more information, see the following topics:

  http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-multiple-azure-nics-ip-for-vpx-in-ha-mode.html

  http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-gslb-active-standby-ha-deployment-azure.html
  [From Build 53.22] [# 675920]

• SR-IOV Support with Intel X710 10G and XL710 40G NICs

  You can now configure a NetScaler VPX appliance to use single-root I/O virtualization (SR-IOV) technology with Intel X710 10G and XL710 40G NICs.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-SR-IOV-KVM.html
  [From Build 53.22] [# 679513]

• OVS DPDK for NetScaler VPX Instances Running on KVM

  You can configure a NetScaler VPX instance running on KVM to use Open vSwitch (OVS) with the Data Plane Development Kit (DPDK). This configuration provides better network performance. Also, certain NetScaler VPX deployments require the VPX host on KVM to operate on the vhost user ports exposed by OVS rather than the standard MacVTap-based vhost interfaces.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-ovs-dpdk-kvm.html.
  [From Build 53.22] [# 682999]

• Support for Subscription-Based Licensing Model

  A subscription based licensing model is now supported for NetScaler VPX in the Azure Marketplace. When creating a NetScaler VPX instance on Azure, you can choose either subscription (pay by hour) or Bring Your Own License (BYOL).

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure.html.
  [From Build 51.24] [# 683144, 644004]

• Support for NetScaler Pooled Capacity Licensing Framework

  The NetScaler pooled-capacity licensing framework is now supported on Microsoft Azure and Hyper-V, and Amazon Web Services. A pooled-capacity enabled NetScaler VPX instance can check out licenses from a bandwidth pool of any NetScaler software edition (Platinum/Enterprise/Standard) hosted on and served by NetScaler MAS server. The bandwidth pool is the total bandwidth that can be shared by NetScaler instances. You can dynamically modify the bandwidth of a VPX instance as appropriate for the available pool.

  For more information, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
  [From Build 51.24] [# 684408]

• Auto-Provision a NetScaler VPX Instance by Using Virtual Machine Manager

  You now have the option to auto-provision a NetScaler VPX instance by using the Virtual Machine Manager. If auto-provisioning is enabled, the IP address, gateway, and netmask are automatically assigned to the instance during initial setup. If auto-provisioning is not enabled, you must provide the networking configuration manually.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/provision-on-kvm-using-vmm.html
  [From Build 53.22] [# 690684]

• NetScaler VPX Check-In/Check-Out Licensing Support for New Licenses

  You can now purchase and use the new 10Gbps+ NetScaler VPX Check-In/Check-Out Licenses for NetScaler VPX instances deployed on any supported hypervisors, and for instances used in cloud deployments. The newly supported licenses include 10Gbps, 15Gbps, 25Gbps, 40Gbps and 100Gbps versions of the Standard, Enterprise, and Platinum editions.
  [From Build 53.22] [# 691005]

• Support for VPX Express License

  VPX Express license is a new license offering for NetScaler VPX on-prem and cloud deployments. If the VPX instance does not have any license, it comes up with the VPX Express license by default.

  The Express license includes:

  - 20 Mbps bandwidth

  - All NetScaler standard license features, except NetScaler Gateway

  - Maximum 250 SSL sessions

  - 20 Mbps SSL throughput

  You can upgrade the VPX Express License to the following two options:

  1. A standalone NetScaler VPX license

  2. NetScaler Pooled Capacity license for VPX instances. For more information, see https://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html

  For more information about NetScaler licenses, see https://docs.citrix.com/en-us/netscaler/12/licensing/netscaler-licensing-overview.html.
  [From Build 56.20] [# 693061]

Networking

• Support for Bidirectional Forwarding Detection Protocol

  Bidirectional Forwarding Detection (BFD) protocol is a mechanism for fast detection of failures of forwarding paths. BFD detects path failures in the order of milliseconds. BFD is used in conjunction with dynamic routing protocols.

  In BFD operation, routing peers exchange BFD packets at a negotiated interval. If a packet is not received from a peer within the negotiated interval plus grace interval, the peer is considered to be dead and a notification will be sent to the set of registered routing protocols. In turn, the routing protocols recalculate the best path and reprogram the routing table. BFD supports smaller time interval, when compared to the timers provided by the routing protocols, thus resulting in faster detection of failures.

  The NetScaler appliance supports BFD for the following routing protocols: BGP (IPv4 and IPv6), OSPFv2 (IPv4), and OSPFv3 (IPv6). BFD support in the NetScaler appliance is compliant with RFCs 5880, 5881, and 5883.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-routing/configuring-dynamic-routes/configuring-bidirectional-forwarding-detection.html.
  [From Build 51.24] [# 647447]

• IPv6 Virtual Router Redundancy Protocol Support for a Cluster Setup

  IPv6 Virtual Router Redundancy Protocol (VRRP6) protocol is now supported on a cluster setup.

  The following are the two VRRP6 features supported on a cluster setup:

  * Interface based VRRP6: This feature is only applicable to a two-node cluster where one of node is in active state and the other in Spare. In this feature, same VMAC address is configured on both the nodes of a cluster setup. This VMAC address is used in GARP advertisements and ARP responses for the IPv6 addresses configured on a node. This feature is useful in an active-spare two-node cluster setup that has external devices/routers that do not accept GARP advertisements. By configuring a same VMAC address on both cluster nodes, when the active node goes down and the spare node takes over as active, the MAC address for the IP addresses in the new active node remain unchanged and the ARP tables on the external devices/ routers do not need to be updated.

  * IP based VRRP6: In this feature, striped VIP6 addresses bound to the same VRID6 are configured on all nodes of a cluster setup. These VIP6 addresses are active on all the nodes One of the cluster nodes acts as the VRID6 owner and sends out the VRRP6 advertisement to other nodes. In case of failure of the VRID6 owner node, another node in the cluster assumes the ownership of the VRID6 and starts sending VRRP6 advertisements.
  [From Build 35.6] [# 657315]

• Removing RNAT Sessions

  You can remove any unwanted or inefficient RNAT sessions from the NetScaler appliance. The appliance immediately releases resources (such as a port of the NAT IP address, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected RNAT sessions from the NetScaler appliance.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.
  [From Build 51.24] [# 672953]

• Using the Client IP address in the Outer Header of Tunnel Packets in DSR IP tunneling mode

  The NetScaler supports using the client IP address as the source IP address in the outer header of tunnel packets related to direct server return mode using IP tunneling. This feature is supported for DSR with IPv4 and DSR with IPv6 tunneling modes. For enabling this feature, enable the use client source IP address parameter for IPv4 or IPv6. This setting is applied globally to all the DSR configurations that use IP tunneling.

  For more information about this feature, see the section "Using the Client IP address in the Outer Header of Tunnel Packets" at http://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-dsrmode-tos-ipoverip.html.
  [From Build 51.24] [# 677829]

• Increase in Maximum Value for VRRP Dead Interval

  In an active-active setup of NetScaler appliances using Virtual Router Redundancy Protocol (VRRP), VRRP dead interval is the time interval after which the master VIP address is marked down if the VRRP advertisements are not received from the node of the master VIP address.

  The maximum value that can be set for VRRP dead interval has been increased from 3 to 60 seconds.
  [From Build 51.24] [# 679999]

Platform

• Support for Pooled Licensing

  NetScaler MPX 115xx models are now supported with pooled licensing. For more information about pooled licensing, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
  [From Build 53.22] [# 599575]

SSL

• Support for ECDHE Ciphers on the Back End of NetScaler VPX Instances

  Citrix NetScaler VPX instances now support the ECDHE cipher group on the back end. This group contains the following ciphers:

  - TLS1-ECDHE-RSA-AES256-SHA 0xc014

  - TLS1-ECDHE-RSA-AES128-SHA 0xc013

  - TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012

  - TLS1-ECDHE-RSA-RC4-SHA 0xc011

  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

  The following ECC curves are supported: P_256, P_384, P_224, and P_521.

  By default, all four curves are bound to an SSL virtual server.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html.
  [From Build 56.20] [# 543535, 603626]

• Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances

  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end.

  The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:

  - TLS1.2-AES256-GCM-SHA384

  - TLS1.2-AES128-GCM-SHA256

  - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  - TLS1.2-AES-256-SHA256

  - TLS1.2-AES-128-SHA256
  [From Build 35.6] [# 579751]

• Support for New FIPS Platform

  This release supports the MPX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:

  Model number System Throughput

  MPX 14030 FIPS 30 Gbps

  MPX 14060 FIPS 60 Gbps

  MPX 14080 FIPS 80 Gbps

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 592833, 498222, 590397]

• Support for New SDX FIPS Platform

  This release supports the SDX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:

  Model number System Throughput

  SDX 14030 FIPS 30 Gbps

  SDX 14060 FIPS 60 Gbps

  SDX 14080 FIPS 80 Gbps

  For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
  [From Build 35.6] [# 597890]

• Support for 4096-bit Server Certificates and 4096-bit DH Keys on a NetScaler VPX Instance

  A NetScaler VPX instance now supports 4096-bit server certificates on the back end and 4096-bit DH keys on the front end and back end.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-server-cert-support-matrix.html.
  [From Build 56.20] [# 603623, 690665, 676131, 695579]

• Support for AES-GCM and SHA2 Ciphers at the Back End of MPX/SDX 14000 FIPS Appliances

  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the back end.

  The following AES-GCM and SHA2 ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:

  - TLS1.2-AES256-GCM-SHA384

  - TLS1.2-AES128-GCM-SHA256

  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  - TLS1.2-AES-256-SHA256

  - TLS1.2-AES-128-SHA256
  [From Build 35.6] [# 611983]

• Support for DTLS 1.0 on the Back End of a NetScaler Appliance

  The NetScaler appliance now supports DTLS 1.0 on the back end. With this enhancement, a NetScaler or a NetScaler Gateway appliance can talk to a virtual desktop agent over DTLS.

  You can use the NetScaler CLI or the NetScaler GUI to configure a DTLS back-end service on the NetScaler appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/config-ssloffloading/configuring-a-dtls-service.html.
  [From Build 56.20] [# 632600]

• Support for Skipping Policy Extension Check in a Certificate Chain

  The NetScaler appliance now supports skipping the policy extension check, if present inside a X509 certificate chain. If client authentication is enabled and client certificate is set to mandatory, you can set the "Skip Client Certificate Policy Check" in the front-end SSL profile.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/config-client-auth.html.
  [From Build 56.20] [# 636019, 629981]

• Support for ChaCha20-Poly1305 Ciphers on a NetScaler VPX Instance

  ChaCha20-Poly1305 ciphers are now supported on the front-end and back-end of NetScaler VPX instances. These ciphers are secure stream ciphers that provide better performance and security, and faster encryption. The following cipher suites are supported in this release:

  - TLS1.2-DHE-RSA-CHACHA20-POLY1305 (Hex: 0xCCAA)

  - TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 (Hex: 0xCCA8)

  The cipher alias name is CHACHA20.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html.
  [From Build 56.20] [# 636381]

• Support for HTTP strict transport security (HSTS)

  NetScaler appliances now support HTTP strict transport security (HSTS) as an inbuilt option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

  You can enable HSTS in an SSL front-end profile or on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 636384, 651353]

• Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX//SDX 14000 FIPS Appliances

  Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group.

  The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1.2-ECDHE-RSA-AES-256-SHA384

  - TLS1.2-ECDHE-RSA-AES-128-SHA256

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  This following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1.2-ECDHE-RSA-AES-128-SHA256

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

  The following ECC curves are supported: P_256, P_384, P_224, and P_521.

  By default, all four curves are bound to an SSL virtual server.
  [From Build 35.6] [# 651524]

• Support for a Hybrid FIPS Mode on the MPX 14000 FIPS Platform

  The new MPX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable the hybrid FIPS mode, the pre-master secret decryption commands are run on the primary card because the private key is stored on this card, but the bulk encryption and decryption is offloaded to a secondary card. This significantly increases the bulk encryption throughput on a MPX 14000 FIPS platform as compared to non-hybrid FIPS mode and the existing MPX 9700/10500/12500/15000 FIPS platform. Enabling the hybrid FIPS mode also increases the SSL transactions per second on this platform.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651814]

• Recording the time taken for an SSL handshake in the syslog

  The time taken for an SSL handshake to complete can now be recorded in the system log (syslog). To do this, set the log level in the syslog parameters to All.
  [From Build 53.22] [# 669508]

• Secure Implementation of Session Tickets

  You can now secure session tickets by using a symmetric key to encrypt them. Additionally, to achieve forward secrecy, you can specify a time interval at which the session-ticket key is refreshed. Session-ticket keys can be generated by the appliance, or you can manually enter session-ticket key data. Entering this data manually is helpful in HA or cluster deployments so that the appliances can decrypt each other's session tickets.

  For more information about this enhancement, see http://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/secure-implementation-of-session-tickets.html.
  [From Build 53.22] [# 669514]

• A new category of SSL certificates

  A new category of SSL certificates called Unknown Certificates is added to the NetScaler GUI. This category is for certificates that do not meet the conditions for end-user certificates (both server and client), CA certificate, and intermediate CA certificate. To view these certificates, navigate to Traffic Management > SSL > Certificates>Unknown Certificates.
  [From Build 56.20] [# 673219]

• Optimizing ECDHE Computation on NetScaler MPX 5900/8900 and NetScaler SDX 8900 Platforms

  ECDHE-RSA computation has been optimized by using a combination of software and hardware offload capabilities.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/ssl-hybrid-ecdhe-optimization.html.
  [From Build 56.20] [# 677459]

• Support for FIPS 140-2 Level-3 on MPX/SDX 14000 FIPS Platforms

  This release adds support for FIPS 140-2 Level 3 on the MPX 14000 FIPS and SDX 14000 FIPS platforms. The "set fips" command allows only "Level-2" option but internally level-2 is converted to level-3.

  For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/configuring-mpx-14000-fips-appliance.html and https://docs.citrix.com/en-us/netscaler/12/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
  [From Build 56.20] [# 694386]

System

• Option to Allocate an Extra Management CPU

  According to your requirement, now you can allocate an extra management CPU from packet engine pool in the NetScaler MPX appliance, and achieve better performance for configuring and monitoring of your appliance. This feature is supported in NetScaler MPX models 250xxx, 220xxx, 14xxx, 115xx.
  [From Build 35.6] [# 352233, 235321, 559207, 604165, 615657]

• Configuring HMAC Keys for PI Function

  A new parameter of the ns hmackey command specifies the HMAC key value. A NetScaler default syntax policy expression uses the HMAC () function to compute a Hash-based Message Authentication Code on selected text. This function is derived from the RFC 2104 technique to authenticate the sender of a message and verify that the contents of the message have not been altered. To set this value, type:

  HMAC (<keyValue>)

  The HMAC key value specifies the digest method and the shared secret key to be used for the HMAC computation.
  [From Build 35.6] [# 415808]

• SNMP Alarm for Saved NetScaler Configuration Failure

  You can now enable the CONFIG-SAVE alarm for saving a configuration failure on a NetScaler appliance. On enabling the alarm, the appliance sends a proactive notification (SNMP Trap) to the trap destination. This helps administrators to timely correct system failures and respond to a configuration loss.
  [From Build 56.20] [# 550606]

• Call Home Support for NetScaler Services in Citrix Service Provider (CSP) Deployments

  In a Citrix Service Provider (CSP) environment where NetScaler services are deployed on VPX instances, the call home feature can now monitor and track the license specific information and securely send it to Citrix Insight Services (CIS). The CIS in turn sends the information to the License Usage Insights (LUI) portal for accounting purposes and for CSP customers to review their license usage. Currently, CSP environments support NetScaler services on VPX instances only, not on MPX or SDX appliances. The VPX instances can be deployed in either standalone or high availability mode.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/system/configuring-call-home.html.
  [From Build 51.24] [# 637763]

• Policy Support for RSA Encryption

  A NetScaler appliance now supports policy-based RSA encryption. The algorithm uses the PKEY_ENCRYPT_PEM() function to encrypt HTTP predefined and user-defined header or body content. The function accepts only RSA public keys (not private keys) and the encrypted data cannot be longer than the length of the public key. If the data being encrypted is shorter than the key length, it will be padded using the PKCS1 padding method.

  For example, the function can be used with the B64ENCODE() function in a rewrite action to replace an HTTP header value with the value encrypted by an RSA public key, which can then be decrypted by the recipient with its corresponding RSA private key.
  [From Build 56.20] [# 641912]

• Displaying MPTCP Statistics

  The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 646498, 350115]

• Configuring SYN-Cookie Timeout Interval

  In addition to the SYN Cookie setting in the TCP profile, a NetScaler appliance now maintains a second SYN Cookie setting for each virtual server. This enhancement is especially important for cluster deployments. To protect the appliance against SYN attacks, the SYN Cookie parameter in the TCP profile is enabled by default. Previously, if you disabled it, its value would toggle to ENABLED if a SYN attack was detected. If the appliance was deployed in a cluster, the cluster configuration would become inconsistent until the parameter was toggled back to the DISABLED state after the attack. Now, the SYN Cookie parameter is enabled and disabled only for the virtual server that detects the SYN attack.

  Note: A SYN attack does not enable the SYN Cookie parameter for a virtual server unless the SYN Cookie parameter in the TCP profile is set to DISABLED.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651196]

• HTTP Version 2 Support for Server Side

  The NetScaler appliance now supports HTTP version 2 (HTTP/2) for the server side of an HTTPS or HTTP load balancing setup. If the backend server supports HTTP/2 protocol, the appliance and the server use one of the following methods to start communicating in HTTP/2.

  - TLS ALPN (for HTTPS load balancing setup)

  - HTTP/2 Upgrade ( for HTTP load balancing setup)

  - Direct HTTP/2 (for HTTP load balancing setup)

  - Direct HTTP/2 using Alternative Service (for HTTP load balancing setup)

  For more information, see https://docs.citrix.com/en-us/netscaler/12/system/http-configurations/configuring-http2.html.
  [From Build 56.20] [# 652119]

• Protection Against Wrapped Sequence (PAWS) Algorithm

  On a NetScaler appliance, you can now enable the TCP timestamp option in the default TCP profile to use the Protection Against Wrapped Sequence (PAWS) algorithm. The algorithm can identify and discard old packets whose sequence numbers are within the current TCP connection's receive window because the sequence has "wrapped" (reached its maximum value and restarted from 0).

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 652210]

• HTTP version 2 Protocol Support for Plaintext

  A NetScaler appliance now supports HTTP version 2 (HTTP/2) protocol for plaintext messaging. The appliance advertises the service availability to its clients by including an Alt-Svc field in its response so that the client can directly send a subsequent HTTP/2 request instead of an HTTP 1.1 or HTTP/2 upgrade request. Previously, the appliance supported plaintext messaging only as an upgrade request in HTTP version 1.1.
  [From Build 35.6] [# 653154]

• Configuring Heartbeat Time Interval for Call Home

  The Call Home feature periodically reports the latest status of the NetScaler appliance to Citrix Technical Support servers. The report has the same content as the registration message. Previously, CallHome sent the report once every 30 days, but you can now specify a time interval of from 1 to 30 days. However, a value of less than 5 days is not recommended, because the frequent uploads are usually not very useful.
  [From Build 35.6] [# 655515]

• Monitoring Rate Limit Errors in Call Home

  The NetScaler Call Home feature can now monitor rate-limiting packet drops caused by exceeding either the throughput (Mbps or Gbps) limit or the packets-per-second (pps) limit.
  [From Build 35.6] [# 656569]

• Encrypting user passwords by using SHA-512

  For enhanced security, the NetScaler appliance now uses the SHA-512 hashing algorithm to encrypt user passwords.

  Note: A user to which the following set of conditions applies cannot log on:

  1. The user is added, or the user's credentials are modified.

  2. The NetScaler software is then downgraded to an earlier build, but the modified configuration file (ns.conf) is used.
  [From Build 35.6] [# 658393, 204279, 658859]

• Audit-log Support for Admin Partitions

  A partitioned NetScaler appliance now supports audit logging for non-default partitions by using advanced (PI) policies. Previously, you could configure the audit-log feature only in a default partition, not in administrative partitions.
  [From Build 35.6] [# 659649]

• Configuring TCP Burst Control Parameters by using NetScaler GUI

  The following TCP Burst Control parameters are now configurable through either the NetScaler GUI or the command line interface. Previously, you could configure the following parameters through only the command line interface:

  - BurstRateCntrl

  - CreditBytePrms

  - RateBytePerms

  - RateSchedulerQ
  [From Build 35.6] [# 660828]

• Silently Dropping Idle TCP Connections

  In a Telco network, almost 50 percent of a NetScaler appliance's TCP connections become idle, and the appliance sends RST packets to close them. The packets sent over radio channels activate those channels unnecessarily, causing a flood of messages that in turn cause the appliance to generate a flood of service reject messages. The default TCP profile now includes DropHalfClosedConnOnTimeout and DropEstConnOnTimeout parameters, which by default are disabled. If you enable both of them, neither a half-closed connection nor an established connection causes an RST packet to be sent to the client when the connection times out. The appliance just drops the connection.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 664057]

• NetScaler Adaptive TCP Optimization

  The new NetScaler Adaptive TCP feature can optimize TCP and HTTP traffic over a mobile network. On receiving a connection request, the appliance uses an advanced optimization technique that independently adapts a TCP profile based on the subscriber’s network conditions. By enabling the feature on the appliance, the network operators can have deep insights of a TCP connection and adapt different TCP profiles to get maximum benefits of TCP optimization for any network condition.
  [From Build 56.20] [# 671824]

• NetScaler Connection Quality Analytics (CQA)

  The NetScaler Connection Quality Analytics (CQA) feature derives CQA parameters such as network type (2G, 3G or 4G), congestion level (None, Low, Medium, or High), and signal quality (Excellent, Good, Fair, or Poor) from raw metrics extracted during an active connection. The NetScaler appliance stores the derived data in its memory and also exports it to the AppFlow collectors for TCP statistics and reporting.
  [From Build 56.20] [# 677352]

• Advanced TCP Statistics Reporting

  The Advanced TCP Statistics feature can now generate a rich insight of a TCP connection by collecting raw metrics such as maximum RTT, Maximum bytes-in-flight (BIF), Average bandwidth-delay product, and total packets transmitted or retransmitted. The statistics is calculated based on the burst detection mechanism of TCP Speed Reporting feature.
  [From Build 56.20] [# 684446]

• Call Home Enabled by Default on All NetScaler Platforms

  The NetScaler Call Home is now enabled by default on NetScaler platforms such as MPX, VPX, and SDX. By enabling this feature on the appliance, you allow Citrix to collect NetScaler deployment and usage details for better product design, implementation, and support service.
  [From Build 56.20] [# 691276, 690506, 693505]

• Direct HTTP/2 Version 2 Support for Server Side

  A NetScaler appliance supports direct HTTP/2 for the server side of an HTTP load balancing setup. When direct HTTP/2 is enabled for an HTTP load balancing service, the NetScaler appliance directly starts communicating to a server in HTTP/2 instead of using the HTTP/2 upgrade method. If the server does not support HTTP/2 or is not configured to directly accept HTTP/2 requests, it drops the HTTP/2 requests from the appliance.

  The NetScaler appliance also supports direct HTTP/2 using alternative service (ALT-SVC) for the server side of an HTTP load balancing setup. When alternative service is enabled for an HTTP load balancing service, the NetScaler appliance sends a direct HTTP/2 request to the server after the server advertised that it supports HTTP/2 in the ALT-SVC field in its HTTP/1.1 responses to the appliance. The appliance and the server start communicating directly in HTTP/2.



  For more information, see https://docs.citrix.com/en-us/netscaler/12/system/http-configurations/configuring-http2.html.
  [From Build 56.20] [# 694164]

Telco

• IPFIX Logging Support for Large Scale NAT

  The NetScaler appliance supports sending information about LSN events in Internet Protocol Flow Information Export (IPFIX) format to the configured set of IPFIX collector(s).

  The appliance uses the existing AppFlow feature to send LSN events in IPFIX format to the IPFIX collectors.

  IPFIX based logging of LSN events is available for the following events in the context of NAT44, NAT64, and Dual-Stack Lite.

  * Creation or deletion of an LSN session.

  * Creation or deletion of an LSN mapping entry.

  * Allocation or de-allocation of port blocks in the context of deterministic NAT.

  * Allocation or de-allocation of port blocks in the context of dynamic NAT.

  * Whenever subscriber session quota is exceeded.

  For more information about IPFIX logging for large scale NAT44, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html.

  For more information about IPFIX logging for dual-stack lite, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/dual-stack-lite/logging-monitoring-DS-Lite.html.

  For more information about IPFIX logging for large scale NAT64, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-nat-64/log-monitor-largescale-nat64.html.
  [From Build 53.22] [# 496832, 677632]

• URL Filtering for Telco Mobile Networks

  The new NetScaler URL Filtering feature for telco mobile network provides policy based control of websites by using information contained in a URL. The feature helps administrators monitor and comply with government mandated safe internet usage policies on mobile networks. As an administrator, you can filter websites by using either the URL Categorization feature or the URL List feature.

  URL Categorization. Controls access to websites and web pages by filtering traffic on the basis of a predefined list of categories.

  URL List. Controls access to blacklisted websites and web pages by denying access to URLs contained in a URL set imported into the appliance.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/url-filtering.html
  [From Build 53.22] [# 628121]

• Large Scale NAT64 SIP and RTSP ALGs Support for 464XLAT Connections

  NetScaler appliances now support Large Scale NAT64 RTSP and SIP ALGs for 464XLAT connections that use large Scale NAT64.

  For a 464XLAT SIP connection using NAT64 and SIP ALG, the show lsn sipalgcall command now displays the IPv4 address (XLAT IP) of the subscriber. For a 464XLAT RTSP connection using NAT64 and RTSP ALG, the show lsn rtspalgsession command now displays the IPv4 address (XLAT IP) of the subscriber.

  464XLAT is an architecture that provides IPv4 connectivity across an IPv6-only ISP core network by combining the existing and well-known stateful translation at the core (Stateful NAT64; RFC 6146) and stateless protocol translation at the edge (IP/ICMP Translation algorithm; RFC 6145). In other words, 464XLAT provides connectivity between IPv4-only applications on IPv6 subscriber hosts and IPv4 Servers on the internet through an IPv6-only ISP core network.

  For more information about configuring SIP and RTSP ALGs for Large NAT64, see https://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/configuring-agl-large-scale-NAT64.html.
  [From Build 35.6] [# 635880]

• NetScaler Video Optimization: Support for QUIC over UDP Protocol for Encrypted ABR Traffic

  The NetScaler video optimization feature is now enhanced to optimize video delivery over TCP (as HTTP and HTTPS traffic) and UDP (as QUIC traffic). The appliance can detect incoming video traffic as Adaptive Bit Rate (ABR) and optimize both the unencrypted and the encrypted video. The new capabilities are especially useful for reducing the overall network bandwidth consumption in mobile networks.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/NetScaler-Video-Optimization.html
  [From Build 53.22] [# 674151]

• Configuring IPSec Application Layer Gateway for Large Scale NAT44

  If communication between two network devices (for example, client and server) uses the IPSec protocol, IKE traffic (which is over UDP) uses port fields, but Encapsulating Security Payload (ESP) traffic does not. If a NAT device on the path assigns the same NAT IP address (but different ports) to two or more clients at the same destination, the NAT device is unable to distinguish and properly route the return ESP traffic. Therefore, IPSec ESP traffic fails at the NAT device.

  NAT-Traversal (NAT-T) capable IPSec endpoints detect the presence of an intermediate NAT device during IKE phase 1 and switch to UDP port 4500 for all subsequent IKE and ESP traffic (encapsulating ESP in UDP). Without NAT-T support on the peer IPSec endpoints, IPSec protected ESP traffic is transmitted without any UDP encapsulation. Therefore, IPSec ESP traffic fails at the NAT device.

  The NetScaler appliance supports IPSec application layer gateway (ALG) functionality for large scale NAT configurations. The IPSec ALG processes IPSec ESP traffic and maintains session information so that the traffic does not fail when the IPSec endpoints do not support NAT-T (UDP encapsulation of ESP traffic).

  For more information, see For https://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-configuring-alg/configure-ipsec-application-layer-gateway-for-large-scale-nat.html.
  [From Build 53.22] [# 675938, 496583]

Video Optimization

• Policy Support for QUIC Based Video Optimization

  NetScaler now supports policy-based video optimization for QUIC traffic over UDP.
  [From Build 56.20] [# 681754]

Fixed Issues in Previous NetScaler 12.0 Releases

• An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).
  [From Build 53.22] [# 672846, 691269]

• NTLM authentication fails when the NetScaler tries to negotiate with an LB virtual server in front of the NTLM server.
  [From Build 51.24] [# 677747]

• The NetScaler appliance might fail if you use Kerberos authentication and the cached ticket incorrectly points to NULL, because the Kerberos ticket has expired and removed from the Distributed Hash Table (DHT).
  [From Build 51.24] [# 678865]

• The NetScaler appliance crashes because of a failure to access the NetScaler AAA logon credentials. The failure occurs while attempting to match the rewrite policy against an AAA group.
  [From Build 51.24] [# 680099]

• If you set the ‘Validate LDAP Server Certificate’ parameter in an LDAP server configuration, you can log on even if the hostname does not match. With this fix, the hostname is checked when the option is enabled.
  [From Build 53.22] [# 681888, 644099]

• NetScaler fails to perform SAML Single Logout, if NetScaler is configured for SAML Authentication with an Identity Provider (IdP) that sends session index of 64 bytes. If the session index is less than 64 bytes, Single Logout is performed as expected.
  [From Build 51.24] [# 683429]

• If external LDAP authentication uses a case-insensitive user name, NetScaler AAA is unable to lock the user name after the number of attempts specified by the Max Login Attempts parameter.
  [From Build 53.22] [# 683645]

• Client logons are delayed by 15 seconds if Kerberos Constrained Delegation (KCD) is used on a NetScaler appliance. The delay occurs during the process of issuing a Kerberos ticket to the client.
  [From Build 51.24] [# 683869]

• In rare scenarios, NetScaler dumps core if dialogue mode operation like password change operation happens during RBA authentication.
  [From Build 51.24] [# 684648]

• If an assertion is sent twice from the same browser, a NetScaler authentication virtual server configured by using SAML authentication returns a 404-error message.
  [From Build 56.20] [# 686810]

• In some authentication modes, a NetScaler appliance configured for NetScaler AAA becomes unresponsive if a “Max Login Attempt” value is configured on an authentication virtual server.
  [From Build 51.24] [# 688463]

• A NetScaler appliance can add multiple NetScaler AAA groups, but the “save config” operation saves only the first group.
  [From Build 53.22] [# 689212, 689457]

• A NetScaler appliance configured for NetScaler AAA becomes unresponsive during a VPN session if both of the following conditions are met:

  • The primary session is in the timed out state.

  • The secondary session is in sync but the actual state of the session is reset to zero.
  [From Build 53.22] [# 690468]

• In some cases, a NetScaler appliance becomes unresponsive if either or both of the following conditions are met:

  • The SSO and Proxy are configured

  • The authentication request is a POST method
  [From Build 56.20] [# 691795]

• A NetScaler Gateway might occasionally become unresponsive if the following set of conditions are met:

  • The static text string is configured in the webAuthAction parameter.

  • The webAuthAction action is updated or removed after using at least once.
  [From Build 56.20] [# 693241]

• A NetScaler appliance configured for forms single sign-on (SSO) to back end adds whitespaces at the end of URL and before HTTP version.
  [From Build 56.20] [# 694433, 686735]

• In the SAML LogoutRequest parameter, the attributes SPNameQualifier and NameQualifier are missing from the NameID element when a SAML Service Provider (SP) receives an assertion from SAML Identity Provider (IdP).
  [From Build 56.20] [# 695087]

• If the HTTPOnly flag is not set on the NSC_TASS cookie of NetScaler AAA, the script allows you to access an application. With this fix, the script is unable to read NSC_TASS cookie.
  [From Build 56.20] [# 695118]

• If the initial request to the traffic management virtual server is an unauthenticated POST request, the NetScaler appliance configured for NetScaler AAA, disregards the post body.
  [From Build 56.20] [# 695703]

• A NetScaler appliance configured for NetScaler AAA might become unresponsive when trying to single sign-on (SSO) with a backend server, because the front-end loses the connection.
  [From Build 56.20] [# 695764]

• If a SAML Identity Provider (IdP) sends a namespace for a digital signature and if the namespace is not within the signedInfo or signature parameters, the NetScaler appliance configured for SAML Service Provider (SP) rejects the namespace assertion and the signature validation fails.
  [From Build 56.20] [# 697392]

Admin Partitions

• When you access a partitioned appliance through the NetScaler GUI, the Dashboard does not display the "CPU vs. Memory Usage and HTTP Requests Rate" graph in the left pane.
  [From Build 51.24] [# 676700]

• WWhen you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
  [From Build 41.24] [# 677765]

• When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
  [From Build 51.24] [# 677765]

• On a partitioned NetScaler appliance, the system memory counters are not updated properly unless they are cleared during partition deletion.
  [From Build 51.24] [# 681422, 682240]

• In rare cases, one of the partitions on a partitioned appliance does not get enough slots to send Gratuitous Address Resolution Protocol (GARP) messages for all its IP addresses on the network.
  [From Build 56.20] [# 692922]

AppExpert

• When a NetScaler appliance receives a client request for evaluating a responder policy, it might not log the responder data. Before evaluation, the appliance sets the ns_auditlog_module_id global variable and uses the data for log processing. If during the evaluation you block the log action and wait for more data, and while you are waiting the appliance receives another client request to evaluate a different policy, the responder log data is not recorded for the responder module.
  [From Build 51.24] [# 687140]

AppFlow

• The NetScaler appliance crashes, dumps core, and restarts if a certificate is unbound from an SSL virtual server while an SSL transaction is in progress.
  [From Build 51.24] [# 679995]

• When ClientSide Measurements is enabled, and you access the NetScaler Gateway, then the Microsoft Internet Explorer browser displays an error.
  [From Build 51.24] [# 680567, 688758]

• A NetScaler appliance crashes and dumps core if an ECDSA certificate is bound to the SSL virtual server that processes an SSL transaction.
  [From Build 51.24] [# 683567, 686195]

• A NetScaler appliance does not generate AppFlow records if an action is set to RESET in an SSL or responder policy.
  [From Build 53.22] [# 685920]

• When both Logstream and IPFIX (AppFlow) collectors are configured on a NetScaler instance, NSBs leak while trying to send an IPFIX msg on a Logstream collector.
  [From Build 51.24] [# 687908, 686407]

• A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives a corrupted request.
  [From Build 56.20] [# 691229]

• A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives an HTTP server response before the full client request.
  [From Build 56.20] [# 692649]

Application Firewall

• On a NetScaler appliance running release 11.1 build 64, SQL and cross-site scripting relaxations might not work for application or json content types. The AppFW logs display the following message, even when the relaxation rules are applied for User-Agent:

  SQL Keyword check failed for header User-Agent.
  [From Build 51.24] [# 651054]

• A large number of DHT operations causes high CPU usage when StartURLClosure is enabled. Packet per engine (PPE) operations consume over 95% of the CPU cycles after an upgrade to NetScaler 11.1.
  [From Build 51.24] [# 672807, 672753]

• Form based NetScaler AppFirewall checks can be bypassed by a multipart POST request in which the Content-type header has been tampered with.
  [From Build 51.24] [# 674658]

• The NetScaler AppFirewall appliance crashes while copying form data if the form field consistency check is enabled.
  [From Build 51.24] [# 678297, 689073]

• A NetScaler appliance running release 11.1 and build 52 might fail because of a mismatch during memory allocation and display the following error message:

  userspace_panic as_free().
  [From Build 51.24] [# 681746, 683564, 684632]

• Since release 11.1 build 41, the ImportSizeLimit parameter in the AppFW settings can be set to limit the size of the objects that are imported to the NetScaler appliance. This limit is now extended from 128 MB to 256 MB. Execute the following set command from the CLI to change the value to meet your requirement:

  set appfw setting -importsizelimit

  Maximum value: 268435456

  Minimum value: 1

  Default: 134217728

  Example

  > set appfw setting -importsizelimit 268435457
  [From Build 51.24] [# 682219]

• The application firewall signature-update warning messages are not delivered in standard syslog message format. Therefore, NetScaler MAS does not process them. The warning messages do not include the module name or a time stamp, both of which are part of the syslog standard. Signature update messages are also not in standard syslog format.
  [From Build 51.24] [# 682416]

• Applying cross-site scripting checks to complete URLs causes applications to stop after an upgrade. With this fix, cross-site scripting checks run only on the URL's base path if the CrossSiteScriptingCheckCompleteURLs option is enabled in the AppFw profile.
  [From Build 51.24] [# 682770]

• Application firewall log messages generated when data is dropped because of Unknown Content-Type do not include the Content-Type Header value, which would facilitate tracking and monitoring.

  This issue has been fixed now. The application firewall logs allows requests which have multiple charsets with same value in the content-type header.
  [From Build 51.24] [# 682778]

• On a NetScaler AppFirewall appliance, URL global pages cause memory buildup on the secondary node when the URL closure protection feature is enabled.
  [From Build 51.24] [# 683366]

• When you attempt to export learned data for an application firewall profile, the appliance fails because of improper initialization of a stack variable. The Aslearn process restarts continuously because of connection failure.
  [From Build 51.24] [# 684988]

• Traffic to a back-end application is blocked by the HTML cross-site scripting check when the profile type is XML. The cross-site scripting check fails for field with following tags; &lt;?xml version="Bad tag: ?xml" <blocked>.

  When you have cross-site scripting enabled, the application firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:

  Left angle bracket (<) to HTML character entity equivalent (&lt;) Right angle bracket (>) to HTML character entity equivalent (&gt;) This prevents browsers from interpreting unsafe html tags, such as <script>, and thereby executing malicious code. If you enable both request-header checking and XSS transformation, any special characters found in request headers are also modified as described above. If scripts on your protected web site contain cross-site scripting features, but your web site does not rely upon those scripts to operate correctly, you can safely disable blocking and enable transformation. This configuration allows legitimate web traffic while stopping any potential cross-site scripting attacks.
  [From Build 51.24] [# 685775]

• If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.
  [From Build 53.22] [# 686540]

• If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.
  [From Build 56.20] [# 686540]

• The NetScaler packet processing engine fails to start when URL transform regression scripts are executed during a low-memory condition.
  [From Build 51.24] [# 687625]

• The NetScaler appliance crashes when security insight is enabled and the application firewall detects a violation of the maximum limit for fld_name length.

  Set the fld_name length limit to the same value as MAX_AS_NAME_LEN.
  [From Build 53.22] [# 690028, 690556, 690467]

• After an upgrade from an earlier release 11.0 build to release 11.1 build 55.4, the 'APPFW_RESET' and 'APPFW_DROP' AppFw profiles do not appear when you run the sh appfw profile command with the "more" option.

  For example:

  sh appfw profile | more

  1) Name: APPFW_BYPASS LogEveryPolicyHit: OFF

  2) Name: APPFW_RESET LogEveryPolicyHit: ON

  3) Name: APPFW_DROP LogEveryPolicyHit: ON

  4) Name: APPFW_BLOCK UseHTMLErrorObject: OFF

  This issue does not occur after upgrading a NetScaler AppFirewall appliance to release 11.1 build 55.8.
  [From Build 53.22] [# 690261, 689327]

• A NetScaler AppFirewall custom signature request for field name value parsing does not clear the field name pattern match buffer.
  [From Build 56.20] [# 691268]

• In some cases, when a credit card number is split across multiple packets, the learned data rules of a NetScaler application firewall report incorrect credit card information.
  [From Build 56.20] [# 692814]

• On a NetScaler application firewall appliance in a high-availability mode, the DUT might crash when performing application security check because of memory resource constraints for the NetScaler appliance.
  [From Build 56.20] [# 694195]

• If a signature rule is configured on POST body with the content-type “application/xml”, the NetScaler application firewall appliance might not apply the associated rule actions to a traffic even after the rule matches the traffic.
  [From Build 56.20] [# 694727]

• On a NetScaler AppFW profile, when the charset is set to Japanese(SJIS), enabling SQL transform on AppFW profile transforms Japanese data containing Yen symbols
  [From Build 56.20] [# 694764]

• The error message “Cannot deploy CSS relaxation with empty value” appears when you attempt to deploy CSS learned rules with value type as "$" on a NetScaler application firewall appliance.
  [From Build 56.20] [# 695903]

Cache Redirection

• Counters for classic cache redirection policies are not incremented for HTTPS traffic.
  [From Build 56.20] [# 657190]

Clustering

• When secure connection is enabled on CCO, config sync doesn't work.
  [From Build 51.24] [# 525671]

• The NetScaler appliance might fail to reestablish a connection if both of the following conditions are met:

  • The policy engine (PE) receiving the traffic is in the DOWN state.

  • The NetScaler buffer (NSB) is kept on hold by a recovery mechanism.
  [From Build 53.22] [# 685979, 687732]

Content Switching

• In some cases, the NetScaler appliance might fail after a set command is run on a content switching virtual server.
  [From Build 53.22] [# 687467, 688523, 688071, 692366, 693777]

DNS

• In a cluster setup, the default DNS policy is not made available to packet engines. With this fix, the default DNS policy is loaded into the packet engine.
  [From Build 51.24] [# 669829]

• If a NetScaler appliance receives a CNAME chain that includes some entries that are currently cached, the appliance returns a valid address record instead of reporting that the bailiwick check failed.
  [From Build 51.24] [# 675553]

• When a NetScaler appliance in resolver mode receives a DNS response from a name server and forwards it to an alternative name server, the NetScaler appliance goes DOWN.
  [From Build 51.24] [# 682730, 683138, 680141]

• The NetScaler appliance returns incorrect NODATA responses for records that are configured by using the NetScaler CLI and if DNS queries with EDNS Client Subnet Option are sent for such records.
  [From Build 56.20] [# 693310]

• When a NetScaler appliance receives a DNS query, the NetScaler appliance does not forward the query to the back-end server. Instead, the appliance responds with a SERVFAIL error.
  [From Build 56.20] [# 693315]

Front End Optimization

• The NetScaler appliance dumps core when the front end optimization (FEO) feature is enabled for one virtual server and an AppFlow action with client-side measurement is enabled for another virtual server.
  [From Build 51.24] [# 686146]

GSLB

• When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
  [From Build 56.20] [# 658108, 679822, 692324, 692737, 695765]

• In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
  [From Build 41.24] [# 682766, 683601, 685391]

• In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
  [From Build 51.24] [# 682766, 683601, 685391]

• GSLB auto synchronization might fail if the GSLB virtual server's status appears different on the sites participating in GSLB.
  [From Build 56.20] [# 692943]

• When a responder policy with a rate limiting expression is bound to a DNS bindpoint, and DNS views are configured, the NetScaler appliance might fail to return an expected response to a GSLB domain query.
  [From Build 56.20] [# 696496]

Integrated Cache

• The integrated cache does not have enough memory to accommodate the policy updates required when all policies bound to a content group have to be updated because of a change in the cache configuration. This fix increases the cache memory allocation from 4 Kb to 80 KB.
  [From Build 51.24] [# 675025, 675504]

• The NetScaler Integrated Cache might delay processing of client requests if you enable the flash cache.
  [From Build 51.24] [# 681664]

Integrated Caching

• When a request is sent and if the back-end server responds with a 301 status code, the cache stores the response meaning the URL is permanently moved and Cache is trying to serve range request. This causes the NetScaler appliance to crash.
  [From Build 41.24] [# 673506, 684404]

• If the response from the Integrated Caching (IC) module has trailing spaces in the content-length header, the HTTP/2 connection times out.
  [From Build 56.20] [# 688274]

• A NetScaler appliance might crash when stored static objects cause the buffer to overflow and overwrite the pointer to the adjacent buffer.
  [From Build 56.20] [# 696001, 697526, 696597, 697716, 697718, 697268, 697535, 698707, 700083, 700414]

Load Balancing

• The NetScaler appliance resets a client-side TCP connection if a virtual server with spillover (SO) persistence enabled is bound to the load balancing group. With this fix, the client-side TCP connection is not reset.
  [From Build 53.22] [# 589363]

• The NetScaler appliance crashes, because an issue in the internal timer logic in stream analytics causes the system to spend more time than expected for ageing tasks.
  [From Build 51.24] [# 672899]

• In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.
  [From Build 53.22] [# 673446, 684550, 688305]

• A spillover trap might be sent even though a backup virtual server is not configured.

  With this fix, a spillover trap is sent only if one of the following conditions applies:

  - A spillover method or policy is configured.

  - No spillover method or policy is configured, but a backup virtual server is configured to accept the traffic when the primary virtual server is DOWN.
  [From Build 51.24] [# 679991]

• NetScaler: AAA

  A cached ticket is expired before server receives it. This happens when a NetScaler is used as a kerberos SSO to backend servers. This usually happens just around the time ticket expires, which is typically 10 hours.
  [From Build 51.24] [# 681026]

• When you rename an HTTPS virtual server that is associated with an internal HTTP virtual server, the internal virtual server's name is not changed correctly.
  [From Build 51.24] [# 681559, 674427]

• The maximum string size of Target Vserver Expression is 1500. If the configuration includes an expression greater than 1500, the NetScaler appliance crashes. With this fix, the maximum string size of Target Vserver Expression is limited to 1499.
  [From Build 51.24] [# 684131]

• In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.
  [From Build 53.22] [# 685179, 684834]

• Resetting a server connection resets the connections to all services configured with the same IP address and port number. As a result, connections to the service group members are also reset. With this fix, deleting a service that has the same IP address and port number as that of other service group members does not affect the service group connections.
  [From Build 53.22] [# 685707]

• If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance's ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.
  [From Build 53.22] [# 685856, 687784]

• The RADIUS shared secret key is now an optional configuration for all RADIUS load balancing and RADIUS Listener deployments. All existing configurations continue to function as they did before.

  The validation of the RADIUS shared secret key happens in the following scenarios:

  - RADIUS shared secret key is configured for both the radius client and the radius server: The NetScaler appliance uses the RADIUS secret key for both the client side and the server side. If the verification succeeds, the appliance allows the RADIUS message to go through. Otherwise, it drops the RADIUS message.

  - RADIUS shared secret key is not configured for either the radius client or the radius server: The NetScaler appliance drops the RADIUS message, because shared-secret-key validation cannot be performed on a node that has no radkey configured.

  - RADIUS shared secret key is not configured for both the RADIUS client and the RADIUS server: The NetScaler appliance bypasses the RADIUS secret key validation and allows the RADIUS messages to go through.
  [From Build 51.24] [# 687326, 688713, 690164]

• The NetScaler appliance might crash if deletion of a service item and display of the service item are executed in parallel.
  [From Build 56.20] [# 691507]

• A packet engine crashes because of an invalid memory reference when memory allocation for Call ID persistence session fails. With this fix, the packet engine checks for memory allocation failure before accessing the persistence session.
  [From Build 56.20] [# 694655]

• The NetScaler appliance crashes if a delinked TCP connection is logged incorrectly.
  [From Build 56.20] [# 695326]

NITRO

• The .NET SDK GET call fails with the following exception if it is made with a parameter that accepts boolean values:

  Invalid argument value [<attribute>].

  Example:

  When the “internal” attribute of service_args is set to “true”, a get on service_args yields the following exception:

  Invalid argument value [internal]
  [From Build 53.22] [# 595938]

• If you make multiple NITRO API calls in parallel, the responses might return incorrect results.
  [From Build 53.22] [# 684543]

• Restarting a NetScaler appliance after upgrading it to release 12.0 might cause the appliance to fail to respond to NITRO requests.
  [From Build 53.22] [# 686434, 672544, 689415, 690265]

• In a partitioned NetScaler appliance, you can add authentication loginschemas with inbuilt schemas through the NetScaler command line interface only.

  To add authentication login schemas through the NetScaler CLI, use the switch partition command. For example:

  > switch partition p1

  Done

  p1> add loginSchema ls1 -authenticationSchema LoginSchema/DualAuth.xml

  Done
  [From Build 51.24] [# 687133]

NS-Gateway

• NetScaler: AAA-TM

  After an upgrade from an earlier release 10.5 build 60.7 to release 11.1 build 52.32, if the client sends an invalid basic authorization header as "Authorization: Basic (null)", then NetScaler appliance does not perform single sign-on (SSO) to access the backend.
  [From Build 53.22] [# 689265]

NetScaler 1000V Appliance

• TCP services that go through tagged VLAN interfaces might go down.
  [From Build 51.24] [# 683196]

NetScaler GUI

• Certificate bundles are not supported in cluster setups.
  [From Build 51.24] [# 644199]

• When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.
  [From Build 53.22] [# 655159]

• A NetScaler appliance might crash or become unresponsive if you restart the appliance when it is under memory stress.
  [From Build 56.20] [# 684653]

• The NetScaler GUI displays an integer value instead of a security rating (critical, important, moderate, or low) if you configure an End Point Analysis (EPA) scan for the windows update.
  [From Build 56.20] [# 694638]

NetScaler Gateway

• When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.
  [From Build 51.24] [# 607555, 616311]

• Under the following set of conditions, the wrong error message appears:

  A VPN traffic action is configured with SSO OFF.

  A samlSSOProfile is configured.

  The user tries to set this samlSSOProfile to the VPN traffic action.
  [From Build 56.20] [# 643029]

• When HTTP Strict Transport Security (HSTS) is enabled on a virtual server and on a NetScaler appliance, the appliance adds an STS header to the response. An HSTS-enabled response advertises that the appliance accepts only HTTPS requests. It does not accept plain-text HTTP. This option prevents privacy leaks and downgrade attacks and uses trusted certificates to establish a secure connection to the server.

  When HSTS is enabled on a NetScaler appliance, a browser that supports HSTS does the following:

  - Automatically redirects the HTTP requests to HTTPS for the target domain. For example, http://example.com/some/page/ is changed to https://example.com/some/page/ before the appliance accesses the server.

  - Does not allow access to the server unless the connection is secure. For example, the server's TLS certificate must be valid, trusted, and not expired.
  [From Build 51.24] [# 654092]

• The NetScaler appliance becomes unresponsive if you change the NTLM path from HTTP to HTTPS.
  [From Build 51.24] [# 657633]

• The Certificate Revocation Lists (CRL) checks and Online Certificate Status Protocol (OCSP) validation are not done on a NetScaler appliance through an SSL renegotiation as part of certificate based authentication.
  [From Build 51.24] [# 658120, 684909]

• In rare cases, a NetScaler appliance dumps core if the server-side connection closes while NTLM Authentication is in progress..
  [From Build 51.24] [# 670062, 657633, 684467, 686139, 672074, 681078]

• When you run the "sh icaconnection summary" command, the columns in the output are misaligned.
  [From Build 51.24] [# 670277]

• Memory leak in SSLVPN pool is encountered when connection to AAAD daemon is closed at the time of authentication.
  [From Build 51.24] [# 670586, 683809, 671944]

• If you configure TACACS authentication in “password*OTP” format, and a user types an invalid credential, the following incorrect error message appears:

  Error in retrieving Versions. Cannot read property ‘replace’ of undefined.

  You can ignore the message.
  [From Build 51.24] [# 672001]

• With this enhancement, Storefront server can be used to validate user credentials instead of Active Directory server. This simplifies Gateway configuration in XA/XD deployments where StoreFront server is mandatory.

  This is applicable only for end user login with password. This feature cannot be used for group extraction without user password. Please check documentation for details.
  [From Build 51.24] [# 672398]

• User session exists on NetScaler appliance after client machine logs out of VPN because of SmartCard removal.
  [From Build 51.24] [# 675596]

• In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
  [From Build 53.22] [# 676545]

• In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
  [From Build 51.24] [# 676545]

• NetScaler Gateway dumps core in case SingleSignOn (SS0) is disabled and the connection to server is removed or gatetimeout happens during TCP handshake with the back-end server.
  [From Build 41.24] [# 678251]

• NetScaler Gateway dumps core in case SingleSignOn (SS0) is disabled and the connection to server is removed or gatetimeout happens during TCP handshake with the back-end server.
  [From Build 51.24] [# 678251]

• ShoreTel Sky Softphones do not work on Windows clients accessing enterprise VPN through NetScaler Gateway.
  [From Build 56.20] [# 678701]

• The NetScaler appliance dumps core when a user connected, through Unified Gateway, to a VPN virtual server bound to an AppFlow policy does the following:

  1. Changes the content switching (CS) action to connect to another VPN virtual server, which is not bound to an Appflow policy.

  2. Then removes the first VPN virtual server.

  3. Continues to access resources over the initial VPN session.
  [From Build 51.24] [# 678847]

• Intermittently, a NetScaler Gateway appliance dumps core if a connection is reset during data transfer between a client and a VPN server.
  [From Build 56.20] [# 678885, 674356, 676859, 676857, 684178, 692683]

• DTLS feature must not be enabled on a virtual server configured with "listen" policy. Using command "add vpn vser" on a virtual server with the DTLS feature enabled and "listen" policy configured returns success but the DTLS feature does not get enabled on the virtual server.
  [From Build 51.24] [# 679025]

• In rare scenarios, NetScaler dumps core while accessing virtual server information when the RDP traffic is handled by separate RDP listener on NetScaler and the virtual server information is not present.
  [From Build 51.24] [# 679360]

• In rare situations, the Windows plug-in fails during VPN session logout.
  [From Build 51.24] [# 679570]

• Upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), back-end sites take too long to open.
  [From Build 51.24] [# 679582]

• In rare cases, a NetScaler Gateway appliance in a Unified Gateway (UG) deployment dumps core if the traffic management (TM) virtual server behind the UG is configured for SAML with advanced policies and the content switching (CS) policies are not properly configured to route SAML responses to TM.
  [From Build 51.24] [# 679768]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and the Gantt chart option under Tasks is selected, some of the options in the Tasks section (for example, Completed, and Late Task) are not accessible.
  [From Build 51.24] [# 681689]

• If Gateway is configured for certificate authentication in primary cascade with ldap group extraction in secondary, Gateway is disregarding errors from aaad when group extraction is attempted.
  [From Build 51.24] [# 681913]

• In rare scenarios, blue screen appears (BSOD) when NetScaler VPN plug-in is installed along with Pulse Secure plug-in.
  [From Build 51.24] [# 683009]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), you can't access the "OneDrive" and "Sites" options on the home page if Clientless Mode URL Encoding is set to ENCRYPT.
  [From Build 51.24] [# 683390]

• In rare cases, the NetScaler appliance dumps core when a client sends a FIN event without an HTTP body.
  [From Build 51.24] [# 683452]

• HTML5 Receiver app launch fails while accessing a NetScaler Gateway bound with RfWebUI theme portal.
  [From Build 51.24] [# 683987]

• In rare scenarios, NetScaler Gateway dumps core if you have an SSL-Proxy configured at NetScaler Gateway and you access the intranet web application through a Clientless Virtual Private Network (CVPN) via Gateway that has proxy-authentication configured at proxy.
  [From Build 53.22] [# 684488]

• In rare scenarios, after rebooting the system, AlwaysON enabled VPN plugin fails to connect to Gateway.
  [From Build 51.24] [# 684709]

• When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.
  [From Build 51.24] [# 684774]

• Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).
  [From Build 41.24] [# 685075]

• Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).

  As written in the XenMobile Server known issue doc: http://docs.citrix.com/en-us/xenmobile/server/known-issues.html

  With NetScaler 12.0.41.16, when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is fixed in NetScaler 10.0 build 41.22. For details and updates, see this Support Knowledge Center article. [#685075]
  [From Build 51.24] [# 685075]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and upload a form that has a post body exceeding 8 KB, NetScaler rewrite policies do not decode the form content beyond 8 KB.
  [From Build 51.24] [# 685215]

• In rare cases, a NetScaler Gateway appliance dumps core when the single-sign-on feature tries to access an authentication resource that has been removed.
  [From Build 51.24] [# 685389]

• A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.
  [From Build 56.20] [# 685421]

• A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.
  [From Build 51.24] [# 685421]

• In rare scenarios, NetScaler dumps core while binding Classic session polices to an existing binding entity, when you have multiple VPN policies configured to the NetScaler.
  [From Build 53.22] [# 685463, 670544, 691767]

• If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.
  [From Build 53.22] [# 685971]

• In rare situations, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.
  [From Build 53.22] [# 686160, 689726, 690771]

• The client detection logic for Citrix Receiver does not work in Firefox, because the browser no longer supports NPAPI plug-ins.
  [From Build 51.24] [# 686337]

• In a double-hop deployment, a NetScaler Gateway appliance intermittently dumps core when the first-hop server receives a TCP RST event from the second-hop server.
  [From Build 53.22] [# 686508]

• When a user configures a NetScaler appliance for SAML Authentication, duplicate apps appear on the home page if the RfWeb UI portal theme is bound to the appliance.
  [From Build 56.20] [# 686516, 660563]

• NetScaler Gateway does not comply with RFC7230 for POSTLOGINFLAGS headers.
  [From Build 53.22] [# 686632]

• The NetScaler Gateway VPN plug-in fails to launch when you enter the logon credentials by using Google Chrome browser if the post-auth End-point Analysis(EPA) functionality is enabled and the "Client Choices" option is disabled.
  [From Build 56.20] [# 686642]

• The NetScaler appliance fails to access the gateway home page after an upgrade to software release 11.1 build 51.21. The cause of the failure is the presence of an unexpected parameter (/ilearn).
  [From Build 51.24] [# 686715, 687092]

• Some traffic patterns cause application launch through NetScaler Gateway to fail if EDT is enabled on virtual desktop applications.
  [From Build 53.22] [# 686774, 686960, 687587]

• In rare cases, while accessing Gateway via proxy, NetScaler dumps core if KCD based Single Sign-On is attempted to back-end servers.
  [From Build 51.24] [# 686858]

• In rare situations, VPN plug-in installation fails and a "Citrix Access Gateway is not supported on this platform" error message appears on a machine running a 64-bit operating system.
  [From Build 51.24] [# 687139]

• The NetScaler appliance dumps core during Core2Core communication as resetting the TCP connection closes the connection without cleaning the connection structure.
  [From Build 51.24] [# 687211]

• The NetScaler Gateway plug-in incorrectly displays a “green bullet” icon suggesting a connected VPN virtual server session status even after the session is disconnected. The plug-in UI display is not in sync with the plug-in tray icon status.
  [From Build 56.20] [# 688111]

• The NetScaler appliance fails when it tries to authenticate an invalid incoming HTTP packet.
  [From Build 51.24] [# 688215]

• In rare situations, a NetScaler Gateway appliance dumps core when processing forms based SSO to URLs larger than 4 KB.
  [From Build 53.22] [# 688842]

• The NetScaler appliance deletes the JSESSIONID cookie from the HTTP request before sending the request to the origin server.
  [From Build 53.22] [# 689472]

• NTLM Single sign-on (SSO) fails because of invalid signature of type-3 NTLM message.
  [From Build 56.20] [# 689538]

• Both of the following issues are fixed:

  - A NetScaler Gateway appliance becomes unresponsive because the Gateway plug-in continuously tries to connect to the Gateway server.

  - The VPN plug-in displays the Connect button instead of automatically logging on, even when the client certificate is cached and the AlwaysON feature is enabled.
  [From Build 53.22] [# 689570, 689622, 653527, 674320, 688142]

• A single sign-on (SSO) attempt might use the wrong domain in a configuration that has parent and child domains. If SSO expressions are used to compute the correct domain, the NetScaler appliance uses the domain obtained at the time of logon instead of the one computed with the expression.
  [From Build 53.22] [# 689684, 689721]

• If a NetScaler Gateway appliance that has partitions is configured with an intranet IP address, traffic from one of the partitions to the default partition loops back to the sender instead of treating the partitioned appliance as two independent appliances.
  [From Build 56.20] [# 689907]

• A user of Internet Explorer version 8 or 9 can't establish a VPN connection through a NetScaler Gateway appliance that uses the RfWebUI portal theme. The VPN virtual server doesn't respond.
  [From Build 53.22] [# 691752]

• End-point Analysis (EPA) scan fails on the client computer, even though the logs indicate otherwise, if the connection between the computer running on Mac OS and the NetScaler appliance is relatively slow (for example, if there's a client-side proxy).
  [From Build 56.20] [# 692771, 687892]

• End-point analysis (EPA) scan becomes unresponsive if the EPA plug-in is installed for the first time on the user machine that accesses the NetScaler appliance bound to the RfWeb UI portal theme.
  [From Build 56.20] [# 692821, 696260]

• In some cases, the NetScaler appliance becomes unresponsive while back-end authentication cookies are cached when a proxy server is configured between the NetScaler appliance and a back-end server.
  [From Build 56.20] [# 693284]

• When you configure the Gateway server in ICA Proxy mode, the server occasionally becomes unresponsive if the Secure Ticket Authority (STA) servers do not respond in time or the client connection is closed.
  [From Build 56.20] [# 693522, 697088]

• "Authentication" submenu under "System" cannot be expanded.
  [From Build 56.20] [# 693573]

• A NetScaler Gateway appliance stops responding after authentication, if it is configured for post-auth End-point Analysis (EPA) and is bound to an RfWebUI persona.
  [From Build 56.20] [# 694290]

• In case the Split tunnel ON, the Automatic detect settings checkbox (under LAN Settings) in the Internet Explorer settings was being modified after connecting to VPN, because of which external traffic wasn't reachable.
  [From Build 56.20] [# 694328]

• Upon dual refresh of the logon page, the following error message is displayed "Error 404, object not found". The error appears because "NS_TMAC" cookie is missing in the request.
  [From Build 56.20] [# 694417]

• The NetScaler appliance sends a huge quantity of "auditlog" messages to the Syslog server when a duplicate server connection is found.
  [From Build 56.20] [# 694606]

• The NetScaler Gateway plug-in fails to list a device certificate under the Certificate drop-down menu if the Subject field inside the certificate has no value.
  [From Build 56.20] [# 695035]

• When you have Windows AutoLog-ON feature enabled on your NetScaler Gateway appliance, during logon the client is unable to find the "nsauto.exe" file because the path to the file is incorrectly truncated.

  The issue is noticed when you modify the following registry entry:

  NtfsDisable8dot3NameCreation

  This registry entry truncates the applications file path in Windows.
  [From Build 56.20] [# 695209]

• When you have Windows AutoLog-ON feature enabled on your NetScaler Gateway appliance, during logon the client is unable to find the "nsauto.exe" file because the path to the file is incorrectly truncated.

  The issue is noticed when you modify the following registry entry:

  NtfsDisable8dot3NameCreation

  This registry entry truncates the applications file path in Windows.
  [From Build 53.22] [# 695209]

• In some cases, the NetScaler appliance cannot load the background image when the VPN virtual server has custom theme and DFA policy bound to it.
  [From Build 56.20] [# 695413]

• Client and server IP addresses are not displayed if a VPN session is disconnected before a successful logon.
  [From Build 56.20] [# 695444, 697635]

• In some cases, the connection from a client computer to the NetScaler appliance is aborted.
  [From Build 56.20] [# 695560, 696270, 697255]

• Endpoint analysis (EPA) scan fails on the client machine, because the EPA package does not get installed on the machine properly.
  [From Build 56.20] [# 695795]

• In some cases, users using Outlook Web Application (OWA) 10 are not able to access the ECP folder.
  [From Build 56.20] [# 697356]

• In rare cases, the NetScaler appliance configured for Session Reliability (SR) and High Availability (HA) becomes unresponsive as it misses initialization of some of the ICA context fields.
  [From Build 56.20] [# 697700]

• In a multi-core NetScaler appliance, Enlightened Data Transport (EDT) application fails to launch on a NetScaler instance deployed on VMware ESX, and configured to use VMXNET3 NIC.
  [From Build 56.20] [# 697771]

• In case of an End-point Analysis (EPA) failure, debugging fails because of different values of the same case ID in client-side VPN logs and in the NetScaler appliance logs. The case ID always reflects “a4a42” in the client-side logs which is not in sync with the NetScaler Case ID value.
  [From Build 56.20] [# 698336]

NetScaler ICA

• When session reliability is enabled for the high availability feature, memory usage by the NetScaler appliance spikes and causes a failover.
  [From Build 56.20] [# 671918, 673784, 656996, 672949, 676413]

• When session Reliability on HA Failover is enabled on a NetScaler high availability pair, the primary NetScaler has a buffer to maintain CGP sequence updates, which will be sent to secondary. After a reconnect, buffer updates wrong offset, resulting in corruption. Once the buffer corruption happens, wrong addresses will be accessed which can lead the NetScaler instance to become unresponsive.
  [From Build 41.24] [# 679494, 684204]

NetScaler Insight Center

• Under certain network traffic conditions, if you have enabled AppFlow for ICA, the NetScaler appliance does not respond.
  [From Build 56.20] [# 687084, 689052, 696701]

• When you launch the ICA application that is enabled with advanced encryption in XenApp or XenDesktop, in some cases, NetScaler does not respond while handling the advanced encryption handshake.
  [From Build 56.20] [# 689491, 696819]

• The NetScaler appliance does not respond if AppFlow for ICA is enabled under certain network traffic conditions.
  [From Build 56.20] [# 692326, 692554, 698557]

• You cannot see analytics data in the day, week, or month report on Insight Center.
  [From Build 56.20] [# 693359]

• HDX Insight does not display ICA channel data when Logstream transport is enabled for the AppFlow feature in the NetScaler appliance and if “smartctl” is enabled for ICA HDX Insight.
  [From Build 56.20] [# 693672]

• When HDX Insight is enabled, the communication between NetScaler and NetScaler MAS is achieved through a set of ICA status codes. These status code values are maintained both in NetScaler and NetScaler MAS and are always in sync. Due to a new ICA status code introduced in NetScaler 12.0 release, there is a mismatch between some of the code values.

  When you enable SmartAccess in NetScaler and export it to NetScaler MAS, NetScaler MAS interprets it as code. An ICA session is logged as skip parse due to which records are not seen.
  [From Build 56.20] [# 694703]

• If AppFlow for ICA is enabled, in an error scenario for ICA parser with a particular network traffic condition, the NetScaler appliance can go down.
  [From Build 56.20] [# 696552]

NetScaler NITRO

• NetScaler logon credentials are locked and the error message “connection limit CFE exceeded” appears if the following conditions are met:

  - The “show ns runningconfig” command takes a long time to execute

  - The same command is re-run multiple times while the first command is still running at the background.

  The NetScaler appliance remains locked until the command completes.
  [From Build 53.22] [# 689426]

• The HTTP daemon on a NetScaler appliance might fail if the “probe server” NITRO call to the appliance fails.
  [From Build 56.20] [# 693286]

NetScaler SDX Appliance

• When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.
  [From Build 51.24] [# 672042, 686510]

• A NetScaler SDX appliance does not propagate a global MAC address to the VPX instances if you do both of the following:

  - Assign a global base MAC address in generated mode to a manual channel or an LACP channel.

  - Reset the global base MAC address.
  [From Build 51.24] [# 682573]

• If system logs are not rotated properly, over time they consume too much disk space. This causes the XenServer server to run out of disk space and creates unexpected system behavior.
  [From Build 51.24] [# 683171, 684959, 685535]

• A NetScaler VPX instance's configuration is deleted if you use the Management Service to force a reboot of the instance.
  [From Build 51.24] [# 683743]

• If a channel configuration that is created by using the Management Service is pushed to an existing VPX instance, the channel name on the VPX instance might differ from the channel name on the Management Service.

  Because of this behavior the channel name might differ on two VPX instances of an HA pair, running on two different SDX appliances. This causes a NetScaler VPX HA pair to break after a failover.

  With this fix, Management Service creates channels on VPX instances with the same names provided the LA IDs are available on the VPX instances.

  For example, if channel LA/3 is created on Management Service, the same is created on the VPX instance, provided LA/3 ID is available on the VPX instance.

  However, for example, if LA/9 is created on Management Service, the channel is created with the first available LA ID on the VPX instance, because a VPX instance can support channels only up to LA/8.

  Note: Upon upgrade to this version, the existing LA configurations on the SDX Management Service or on the VPX instance do not change.
  [From Build 56.20] [# 684428]

• In a VPX instance (standalone or part of an HA setup) running on a SDX-21550/SDX-20500 platform, TX stalls are observed and the state of the configured load balancing services in the VPX instance flaps.
  [From Build 56.20] [# 690647, 697369, 694571]

• In a VPX instance (standalone or part of an HA setup) running on a SDX-21550/SDX-20500 platform, TX stalls are observed and the state of the configured load balancing services in the VPX instance flaps.
  [From Build 56.20] [# 694571]

• The “Date” field in the Events detail page displays no information. To see the Events details, navigate to Configuration > System > Events on the NetScaler SDX GUI.
  [From Build 56.20] [# 696706]

• Upon restart of a NetScaler SDX appliance that has a cluster setup configured with a cluster link aggregation group (CLAG) with jumbo MTU, the cluster nodes whose interfaces are part of the CLAG might not restart properly.
  [From Build 56.20] [# 699274]

• An attempt to log on to the NetScaler SDX appliance running software release 12.0 by using the GUI or CLI might fail under one of the following conditions

  - Single Bundle upgrade is attempted.

  - The appliance is restarted.

  - The SDX Management Service is restarted through XenServer.

  In all the above situations, the SDX Management Service database gets corrupted, which causes the logon failure.
  [From Build 56.20] [# 699426, 696477]

NetScaler Secure Web Gateway

• If you try to add multiple URL sets that contain one million or more entries, memory is exhausted and the appliance fails.
  [From Build 56.20] [# 685181]

• A NetScaler Secure Web Gateway appliance does not support the URL List feature in a high availability setup.
  [From Build 53.22] [# 690428]

NetScaler VPX Appliance

• In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order.

  For example, if the primary node has NICS 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), upon failover the new primary would have 1/2 (1A:2B:3C:4D:5E:6F), 1/3(AA:BB:CC:DD:EE:FF), 1/4(12:34:56:78:90:12). Here, the interface MAC order has changed. However, this behavior does not apply to the NIC that's configured with the NetScaler management IP address.
  [From Build 51.24] [# 675746]

• In a NetScaler cluster, the configuration coordinator (CCO) node does not support the set ns vpxparam -cpuyield command for controlling CPU-usage behavior.
  [From Build 51.24] [# 678401]

• After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters.

  With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.
  [From Build 56.20] [# 689356]

• After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters.

  With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.
  [From Build 53.22] [# 689356]

• DNS resolution for existing DNS configurations fails after you upgrade a NetScaler VPX instance running on AWS to release 12.0 build 53.20.
  [From Build 53.22] [# 693877]

• DNS resolution for existing DNS configurations fails after you upgrade a NetScaler VPX instance running on AWS to release 12.0 build 53.20.
  [From Build 56.20] [# 693877]

• A NetScaler VPX instance running on a VMWare ESX hypervisor becomes unreachable if you select "Register with NetScaler MAS for manageability" while configuring pooled licensing in the instance GUI.
  [From Build 56.20] [# 695516]

Networking

• A NetScaler appliance might become unresponsive or a high CPU is observed during the following scenario:

  * The appliance resolves a domain into two IP addresses, one of the IP addresses is a NetScaler owned IP address and the other is an external IP address.

  * The appliance sends a packet destined to the external IP address from LO/1.

  * The response packet keeps looping after the appliance receives it.
  [From Build 51.24] [# 669754, 669977, 687943]

• In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
  [From Build 51.24] [# 677815, 679068, 680001]

• In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
  [From Build 51.24] [# 679068]

• A NetScaler appliance logs an IP conflict error when it receives any unsolicited ARP message from a network device such as Check Point Firewall for a NetScaler appliance-owned IP address. The appliance logs an IP address conflict error even if the IP address to MAC address mapping is correct in the ARP message.
  [From Build 56.20] [# 679490, 689372]

• Memory allocated for a TCP session might not get free after a failure in reassembling fragments of a size of more than 1500 bytes. This accumulation over a period of time depletes available memory.
  [From Build 51.24] [# 680185, 680186]

• Interfaces in MUTED state might drop the LLDP packets instead of processing them.
  [From Build 51.24] [# 682769]

• The NetScaler appliance drops ND6 solicitation packets received on interfaces that are in muted state.
  [From Build 51.24] [# 684119]

• The NetScaler appliance updates the ND entry of a next hop router with its MAC address after learning it from the router advertisement packets received from the router. The appliance might not update the state of the ND entry from INCOMPLETE to STALE. This update failure results in looping the outgoing packets ( destined through the next hop router) in the NetScaler queue. As a result, the NetScaler appliance becomes unresponsive.
  [From Build 51.24] [# 684126]

• The NetScaler appliance does not process the BGP remote-as configuration for an IPv6 peer after a reboot resulting in the loss of BGP configuration for this peer.
  [From Build 51.24] [# 685123]

• In a NetScaler telco deployment, the NetScaler appliance reuses the outgoing probe connection information for two different incoming connections with the same 4-tuple that are destined to the same server. This reuse of probe connection might cause the NetScaler appliance to become unresponsive.
  [From Build 51.24] [# 685344]

• When you remove a static route, the NetScaler appliance does not advertise the connected route that has the same prefix as that of the removed static route and for which the DRADV mode is enabled.
  [From Build 53.22] [# 686058]

• The NetScaler appliance does not accept routes that have 0.0.0.0 prefix and non-zero prefix length.

  With this fix, the NetScaler appliance accepts routes with 0.0.0.0 prefix and prefix length less than eight. But routes belonging to 0.0.0.0/8 block are not accepted as they belong to the reserved IPv4 address range.
  [From Build 56.20] [# 689441]

• If the IP address (type VIP) of a virtual server is bound to a net profile, deleting the virtual server also removes the IP address from the net profile.
  [From Build 53.22] [# 690082]

• The NetScaler appliance might not properly processes the ND6 unsolicited neighbor advertisement messages and update its routing table.
  [From Build 56.20] [# 693472]

• In a high availability configuration, synchronization of session information to the secondary node happens only when the state of the secondary node is UP. When the state of the secondary node is other than UP state for a long time, session information that are to be synchronized are build up on the primary node. This results in memory crunch or session hitting maximum limits in the primary node.
  [From Build 56.20] [# 693995]

• A NetScaler appliance might become unresponsive after applying the ACLs if the appliance has more than 1,100 ACL rules and some of these rules have overlapped conditions.
  [From Build 56.20] [# 694203]

Optimization

• The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
  [From Build 53.22] [# 676593, 677838, 679578, 681853]

• With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
  [From Build 41.24] [# 681308]

• With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
  [From Build 51.24] [# 681308]

• When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."

  For example:

  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE

  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST

  ERROR: CVPN Policies cannot be bound to multiple entities
  [From Build 51.24] [# 682864]

• When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."

  For example:

  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE

  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST

  ERROR: CVPN Policies cannot be bound to multiple entities
  [From Build 41.24] [# 682864]

• A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
  [From Build 41.24] [# 682947]

• A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
  [From Build 51.24] [# 682947]

• If a response from the StoreFront server does not have a Content Type field in the header, but the appliance expects a value in the Content Type field, the appliance crashes.
  [From Build 56.20] [# 688412]

• A NetScaler appliance fails when media classification mode is enabled and if there is a memory failure.
  [From Build 56.20] [# 690975, 695683]

Policies

• The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.
  [From Build 53.22] [# 663414, 675873]

• The NetScaler appliance can sometimes time out while processing data with rewrite actions.
  [From Build 56.20] [# 675347]

• In some cases, the system encounters a fault if, when adding an entry to a pattern set, you experience errors such as too long patset strings, bad UTF-8 characters, or bad regular expressions.
  [From Build 51.24] [# 675677]

• A log message is not logged for the Responder module when the NetScaler appliance receives a request and processes policies for a different module while a client request sent to the Responder module awaits log processing.
  [From Build 53.22] [# 685375]

• When an Advanced expression function in an ALT expression blocks the current evaluation of the expression, then upon resumption it may cause the NetScaler appliance to crash.
  [From Build 51.24] [# 687345]

• Clearing a NetScaler system configuration causes the appliance to fail if an HTTP profile references a patset configuration entity.
  [From Build 53.22] [# 691227]

• The audit log action in a responder policy resets when modifying a responder action bound to the same responder policy.
  [From Build 56.20] [# 693791]

SSL

• Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols appear as enabled by default on an SSL virtual server.
  [From Build 51.24] [# 576274]

• After you upgrade to this build, the priority of the cipher groups changes in the default profile.
  [From Build 41.24] [# 579059, 679085]

• In a cluster setup, a certificate update fails, with the following error, if the certificate is in DER format.

  Error :: No such resource
  [From Build 53.22] [# 583715]

• A configuration loss, such as the ECC curve and ciphers unbinding from an SSL virtual server or service, might occur after you upgrade to this build.
  [From Build 51.24] [# 613912, 643135, 647100]

• The cipher description for a back-end service differs for different nodes of a cluster.
  [From Build 56.20] [# 632280, 631258, 674672]

• While using dynamic services, some SSL counters were not cleared properly when you cleared the configuration. As a result, new connections to the same dynamic services were not accepted.

  With this fix, new connections to the dynamic services are accepted even if the configuration is cleared.
  [From Build 56.20] [# 654034, 678140, 666679]

• If you add a partition and later remove it, the state of all the SSL virtual servers configured on the appliance changes to DOWN.
  [From Build 51.24] [# 660319, 667130, 671887]

• The service group members do not appear in the output of the "show lb vserver <name>" command if it is run on a cluster IP address.
  [From Build 53.22] [# 668935, 642802, 463835, 684073, 684892, 691890]

• A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.
  [From Build 51.24] [# 673348, 682192, 682160, 684547, 684992, 687515]

• In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.
  [From Build 51.24] [# 674278, 678890]

• The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.
  [From Build 51.24] [# 675158]

• Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
  [From Build 53.22] [# 675882, 677473]

• If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
  [From Build 51.24] [# 675887]

• If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
  [From Build 41.24] [# 675887]

• For requests less than 255 bytes long, you can configure the HTTP GET method for queries to an OCSP server. If you specify the GET method but the length is greater than 255 bytes, the appliance uses the POST method by default.

  To set the method by using the NetScaler CLI

  At the command prompt, type;

  set ssl ocspResponder <name> -httpMethod GET
  [From Build 53.22] [# 676942]

• If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
  [From Build 51.24] [# 678474]

• If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
  [From Build 41.24] [# 678474]

• Session ticket parameters are saved in the configuration (ns.conf) file even though session tickets are not enabled in the SSL profile. As a result, if you upgrade to release 12.0 builds 41.x or build 51.x, you might observe a loss in configuration.
  [From Build 53.22] [# 678514, 677813]

• If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
  [From Build 41.24] [# 678743, 678740]

• If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
  [From Build 51.24] [# 678743, 678740]

• You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.
  [From Build 41.24] [# 679708]

• You cannot modify the internal OCSP responder parameters in this build.
  [From Build 51.24] [# 679708]

• The value for days to expiration of a certificate appears incorrectly on a cluster IP (CLIP) address.
  [From Build 51.24] [# 682493]

• In a cluster setup, if you remove a service group, the corresponding entries on the CCO node are not deleted.
  [From Build 51.24] [# 682767]

• The NetScaler appliance dumps core and restarts if a wildcard SSL virtual server has the -m mac option enabled.
  [From Build 51.24] [# 682775]

• In a cluster setup, if you rename a service group, the corresponding entries on the CCO node are not updated.
  [From Build 51.24] [# 682784]

• On a NetScaler MPX or SDX 14000 FIPS appliance, requests are not forwarded to the back-end server if virtual-server based transparent access with a wildcard IP address (*:443) is configured in a transparent SSL acceleration setup.
  [From Build 51.24] [# 684413]

• Memory usage might continuously increase on a partitioned NetScaler VPX appliance processing SSL traffic. As a result, the appliance might become unresponsive after some time.
  [From Build 51.24] [# 685669]

• An SSL handshake might take a long time (many retries) to complete after you restart a NetScaler appliance.
  [From Build 56.20] [# 686713]

• The connection with the back-end server is terminated if OCSP validation for the server certificate fails, even though OCSP validation is optional.
  [From Build 53.22] [# 686998]

• The NetScaler appliance dumps core and restarts if it receives a request while both session-ticket and SSL-session persistence are enabled.
  [From Build 51.24] [# 687575]

• The NetScaler appliance dumps core and restarts if both client authentication and session ticket are enabled and a session ticket reuse request is continuously received on the appliance.
  [From Build 51.24] [# 687777]

• In some cases, a pipeline HTTP request is not forwarded to the back-end server if the back-end server sends a response before receiving the full request from a client.
  [From Build 56.20] [# 688100]

• If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:

  ERROR: Invalid OID for SAN entry in certificate
  [From Build 53.22] [# 688416]

• A certificate without a common name field in the subject name fails to load.
  [From Build 53.22] [# 688811]

• "Duplicate certificate error" appears when you try to bind a certificate containing a specific domain name to an SSL virtual server, if a certificate with a matching wildcard SAN entry is bound to the same virtual server.
  [From Build 56.20] [# 691769]

• After you restart a NetScaler appliance, all the ECC curves might be bound a virtual server or service even though they were unbound from that virtual server or service before the appliance was restarted.
  [From Build 56.20] [# 691889]

• A NetScaler appliance crashes when session ticket is enabled and continuous session ticket reuse requests are received.
  [From Build 56.20] [# 692481, 692823, 694291, 696851]

• An OCSP responder URL is not added to an OCSP HTTP GET request. This causes OCSP failure if GET httpMethod is enabled.
  [From Build 56.20] [# 693312]

• If Qualys scan is run on NetScaler IP (NSIP) address, subsequent SSL transactions with Thales HSM will fail.
  [From Build 56.20] [# 693356]

• A NetScaler appliance might crash during a DHE based key exchange when an allocation failure occurs because of high memory consumption.
  [From Build 56.20] [# 694078]

• If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail.

  Example

  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.

  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.

  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.

  4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key for CA2 fails. If you reverse the order, adding a certificate-key for CA2 is successful but adding a certificate-key for S2 fails.
  [From Build 53.22] [# 694395]

• If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail.

  Example

  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.

  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.

  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.

  4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key for CA2 fails. If you reverse the order, adding a certificate-key for CA2 is successful but adding a certificate-key for S2 fails.
  [From Build 56.20] [# 694395]

• In a cluster setup, a custom cipher group bound to an SSL profile is lost after the "force cluster sync" command is run. As a result, there will be a configuration loss after the cluster node restarts.
  [From Build 56.20] [# 694545]

• In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
  [From Build 53.22] [# 694904]

• In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
  [From Build 56.20] [# 694904]

• An SSL handshake fails if both of the following conditions are met:

  - OCSP stapling is configured.

  - Multiple clients request the status of the server certificate in parallel.
  [From Build 56.20] [# 696422, 696993]

System

• A logon issue is observed if you try to insert and delete cookies at the same offset and if the AppFlow and client-side measurement features are enabled on a NetScaler appliance.
  [From Build 56.20] [# 633371, 682640, 672615, 639767, 387117, 232011]

• Enabling both the AppFlow option and the AppQoE option might cause a memory leak, which can degrade performance and eventually cause the appliance to fail.
  [From Build 51.24] [# 640545, 685334, 686832, 687603]

• If the integrated cache (IC) memory limit is set to a value greater than 4 GB and front end optimization (FEO) is enabled, the NetScaler appliance crashes.
  [From Build 51.24] [# 666208]

• A NetScaler appliance fails if multiple vulnerabilities are observed in the Network Time Protocol (NTP) daemon and if it is exploited by an external or local user authentication.
  [From Build 56.20] [# 669821, 670476, 688886, 685045]

• In an SSL connection with a client, the NetScaler appliance does not evaluate the SSL policies for HTTP/2 streams.
  [From Build 53.22] [# 670556, 660674, 672227, 689849]

• A NetScaler appliance adds an SNMP trap for TCP-level synflood if the Varbindings are incorrect for the synflood trap.
  [From Build 51.24] [# 671128]

• Snmpd communicates with nsaggregatord to process the requests it receives. The SNMP Code also maintains a cache of the responses from aggregator in the form of a CacheTable. If the CacheTable is corrupted, a crash might result.
  [From Build 51.24] [# 675631]

• In a non-end-point mode, for every out-of-order packet, NetScaler generates a duplicate acknowledgment (DUP_ACK). In a rare case of sack disabled packets, after generating a duplicate acknowledgment, the appliance does not reset the counter which results in unnecessary duplicate acknowledgments causing the connection to disconnect.
  [From Build 56.20] [# 676598, 690857]

• If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
  [From Build 53.22] [# 676599, 692553]

• If you enable Front End Optimization (FEO) and configure Integrated Cache (IC) with cache selectors, the NetScaler appliance might crash.
  [From Build 51.24] [# 677943]

• The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
  [From Build 53.22] [# 678015]

• In a high availability setup, the following command-propagation warning message appears when a backup is created for a large configuration file on the primary node: "Warning: There is no response from secondary. Propagation Timed out” However, propagation of the backup file succeeds after some time.
  [From Build 51.24] [# 679376]

• A NetScaler appliance crashes if the content-type header is missing from an HTTP responder.
  [From Build 51.24] [# 681284]

• If a client sends an HTTP/2 header continuation frame, the NetScaler appliance dumps core.
  [From Build 51.24] [# 681361, 683274]

• An attempt to configure a NetScaler appliance that uses Cloudstack can cause the appliance to fail. If the Cloudstack AutoScale feature or an AutoScale policy is configured with the IP address a server, an attempt to configure the appliance through the NetScaler CLI instead of through CloudPlatform or Cloudstack binds the IP-address based server to the AutoScale Policy service group. This causes the appliance to crash.
  [From Build 53.22] [# 681426]

• If a load balancing virtual server configured with a backup server is down, the si_cur_Client counter underflows, causing client connections for the virtual server to display abnormal values in the NetScaler GUI.
  [From Build 51.24] [# 682762]

• A NetScaler appliance might crash, if a particular sequence of white space and CR-LF characters is sent to an HTTP or SSL virtual server instead of a valid HTTP request.
  [From Build 53.22] [# 683512, 699684]

• If multiple trap destinations have the same IP address but different SNMP versions, one of which is SNMPv3, modifying an SNMPv3 trap message leads to an appliance failure.
  [From Build 51.24] [# 683622, 683806]

• If the MSS value in a client TCP handshake with a NetScaler appliance is from 1322 to 1329, the appliance sends 1330-byte segments, which cause packet drops, and the TCP connection fails.
  [From Build 51.24] [# 684148, 687638]

• Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.
  [From Build 53.22] [# 684370]

• A NetScaler device might fail if it sends FIN packets on a Multipath TCP (MPTCP) fallback connection and the global state variable has not been cleared.
  [From Build 56.20] [# 684574, 685357, 687357, 696622]

• The NetScaler appliance does not include the latest DATA_ACK packet in the retransmitted data segments. It reuses DATA_ACK packets that were sent in the original data segment.
  [From Build 53.22] [# 684908]

• Connections can become unresponsive because of data loss that occurs under the following set of conditions:

  * Different traffic domains are configured on the virtual server and the service.

  * Data insertion causes the NetScaler appliance to split packets.
  [From Build 56.20] [# 685510]

• A NetScaler appliance in a high availability configuration crashes when using TCP transport to send log messages.
  [From Build 51.24] [# 685898]

• When a client times out and sends a message longer than one packet, TCP sends a FIN packet to the application handler (for example, SSL). When TCP receives the second packet, it directly sends the packet to the application handler. As a result, the application handler generates a close notify alert for the first packet and an RST alert for the second packet.
  [From Build 53.22] [# 686390]

• The NetScaler appliance does not send buffered log messages when the SYSLOG server is ready to accept them.
  [From Build 51.24] [# 686751]

• In a SYSLOG action, setting the netProfile parameter during a log transfer causes multiple SYSLOGTCP connections to be established but only one connection serves the log traffic.
  [From Build 53.22] [# 687042]

• A NetScaler appliance might crash if it receives a FIN packet with multiple invalid SACK blocks from the origin server and tries to forward the packet to an MPTCP client.
  [From Build 53.22] [# 687118, 687352, 687351]

• The user is not able to log on to NetScaler Gateway as there is a high-utilization of memory.
  [From Build 56.20] [# 687462, 686135, 692657, 699960, 698852]

• The user is not able to log on to NetScaler Gateway as there is a high-utilization of memory.
  [From Build 53.22] [# 687462, 686135, 692657]

• If a NetScaler-inserted cookie is deleted from the end of a cookie header, the appliance does not remove the preceding semicolon. As a result, an extra semicolon is sent at the end of the cookie header when forwarding it to the back-end server.
  [From Build 53.22] [# 687612]

• A NetScaler appliance can become unresponsive if it hosts a wildcard load balancing virtual server that has the use source IP option enabled and the use proxy port option disabled. The failure occurs if the virtual server associates the outgoing probe connection information with different incoming connections destined to the same server.
  [From Build 53.22] [# 689915]

• HTTP headers can be corrupted by the following series of events:

  * The rewrite feature inserts an end-of-header mark, but the next packet contains more header bytes.

  * The compression (CMP) feature interprets the incorrectly marked HTTP header-end as the actual end of the header, and tries to insert a content-encoding header.
  [From Build 56.20] [# 691308]

• If a NetScaler appliance performs window management for Transparent connections with Dynamic Window Management option enabled in the TCP profile, it results in a window update acknowledgment. This causes a wrong mapping of sequence and acknowledgment numbers and connection to disconnect.
  [From Build 56.20] [# 692149]

• If a client using the NITRO API over HTTPS to connect to a NetScaler appliance reuses the same source IP address and port within two TCP maximum segment lifetime (MSL) timeout intervals, the connection might be dropped with a TCP reset. Similarly, client TCP connections might be dropped under the following set of conditions:

  * Source IP address is enabled and proxy port disabled in the client's connection request.

  * A previous server connection still exists on the appliance and has persisted for two TCP MSL timeout intervals.
  [From Build 56.20] [# 692613]

• A NetScaler appliance might become unresponsive if an incorrect nstrace logic is applied for collecting packets in TXB mode.
  [From Build 56.20] [# 694368]

• A memory leak occurs if Content Filtering feature is configured with either an add prebody or an add postbody action.
  [From Build 56.20] [# 696218, 699644]

• Strong ciphers are not enabled on a VPX appliance with Telco licenses. As a result, the VPX-T platform supports only export ciphers and denies HTTPS access. This fix addresses the issue by enabling strong ciphers for Telco platform licenses thereby enabling HTTPS access and SSL use cases for VPX-T platform.
  [From Build 56.20] [# 698725]

• A NetScaler appliance might crash with different backtraces if any one of the following conditions is met:

  • Memory is freed to wrong pool.

  • AppQoE or HTMLInjection feature is enabled.

  • AppFlow feature is enabled with clientSideMeasurements option enabled in the AppFlow action.
  [From Build 56.20] [# 700529]

Telco

• In NetScaler T-13xx platform, the NetScaler software incorrectly calculates the minimum memory required for large scale NAT (LSN) configurations. The NetScaler appliance might become unresponsive if the memory limit is set to a value lower than the incorrectly calculated minimum required memory displayed in “show extendedmemory” output.
  [From Build 53.22] [# 689375]

Telco URL Filtering

• The NetSTAR Software Development Kit (SDK) is now upgraded to version 1.6.2-18 to support URL Filtering feature.
  [From Build 56.20] [# 692666, 695092]

• After you upgrade the NetSTAR seed database, you must flush the cache database so that it synchronizes with the new seed database.
  [From Build 56.20] [# 694947]

• The NetScaler URL Filtering feature now enables you to download NetSTAR seed database, in different sizes. For instructions on how you can increase the seed database size, refer to https://support.citrix.com/article/CTX2293.
  [From Build 56.20] [# 695350]

• In a NetScaler appliance, for efficient logging, the URL Filtering log messages are now logged in the /var/log/ns.log file.
  [From Build 56.20] [# 695621]

Upgrade and Downgrade

• Repetitive messages appear in log files when you restart the NetScaler appliance after upgrading the firmware. The messages appear regardless of whether you use the GUI or the CLI to perform the upgrade. The repetitive logging stops when you log back on to the appliance.
  [From Build 56.20] [# 690534]

User Interface

• When secure connection is enabled on CCO, config sync doesn't work.
  [From Build 41.24] [# 525671]

Video Optimization

• The Dashboard and Reporting tabs in the NetScaler GUI do not display the video optimization statistics.
  [From Build 56.20] [# 692757, 678095]

• The NetScaler appliance does not display an error message if you have configured a negative integer for the QUIC Video Pacing Rate parameter.
  [From Build 56.20] [# 693423]

• A NetScaler appliance does not correctly regulate retransmitted TCP packets.
  [From Build 56.20] [# 698919]

Release history