Release Notes for Build 51.16 of Citrix ADC 12.1 Release

Additional Changes/Fixes Available in Versions

What's New?

• Hardware token support for Native OTP

  A Citrix ADC appliance with Native OTP now supports hardware token along with third-party solutions that conform to the RFC 6238 time-based one-time password (TOTP) standards. The Citrix ADC uses a time slice of 30 seconds and HMAC-SHA1 algorithm.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/native-otp-authentication.html
  [# NSAUTH-4]

• Encrypted tokens support on OpenID Connect

  Citrix ADC appliance with OpenID Connect mechanism now supports sending of encrypted tokens along with signed tokens. The Citrix ADC appliance uses JSON web encryption specifications to compute the encrypted tokens and supports only compact serialization of encrypted tokens. To encrypt OpenID token, Citrix ADC appliance needs the public key of the relying party (RP). The public key is obtained dynamically by polling the relying party’s well-known configuration endpoint.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/configuring-openid-connect-protocol.html#encrypted-tokens-support-on-openid-connect
  [# NSAUTH-4167, NSAUTH-620, NSAUTH-1820, 708857]

Citrix Gateway

• AlwaysON service establishes a VPN tunnel before user login

  Citrix Gateway can now establish a VPN tunnel even before users log in to a Windows system. This enhanced capability enables the following:

  - Windows machine becomes a part of corporate intranet even before users log in, allowing IT administrators to access the client machine from the corporate network for debugging purposes.

  - Windows machine can verify user's login credential using corporate Active Directory (AD). Hence the caching of Windows credentials on the machine is avoided, allowing new corporate AD users to login to the same machine.

  - Windows machine remains connected with corporate network even when different users log in.

  For more information, see https://docs.citrix.com/en-us/citrix-gateway/12-1/vpn-user-config/alwayson-service-for-windows.html.
  [# CGOP-5585, 714655]

• New virtual adapter for Windows VPN plugin

  Microsoft recommends using type "Other" for a virtual network adapter. Based on this recommendation, Citrix virtual adapter type is changed from "Ethernet" to "other".
  [# CGOP-9519]

DNS

• Service discovery using DNS SRV records

  You can use the DNS SRV records to discover the service endpoints. Citrix ADC is configured to periodically query the DNS servers with the SRV record associated with a service. On receiving the SRV record, each of the target host published in the SRV record is bound to a service group associated with the service. Each of the bindings inherits the port, priority, and weight from the SRV record. For each service deployment the user has to configure the Citrix ADC once during bring up, making it a single touch deployment for applications.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/dns/service-discovery-using-dns-srv-records.html.
  [# NSHELP-18130, 706558]

Load Balancing

• Detect transport failures over established Gx connections

  A Citrix ADC appliance can now be configured to detect transport failures over established Gx connections by using device watchdog request (DWR) and device watchdog answer (DWA) messages.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/citrix-adc-support-for-telecom-service-providers/lsn-telco-subscriber-management.html.
  [# NSBASE-6545, 715971]

• Clear subscriber database when Gx interface fails

  The purgeSDBonGxFailure parameter can now be used to clear all subscriber sessions if the Gx interface fails. Gx interface failure includes both DWR monitoring (if enabled) and network healthCheck (if enabled).

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/citrix-adc-support-for-telecom-service-providers/lsn-telco-subscriber-management.html.
  [# NSBASE-6546, 715978]

Networking

• Clear traps for HA-LICENSE-MISMATCH and HA-STICKY-PRIMARY SNMP alarms

  The Citrix ADC now sends SNMP clear traps to the configured trap destinations for HA-LICENSE-MISMATCH and HA-STICKY-PRIMARY SNMP alarms.
  [# NSHELP-286, 715410]

• Dynamic routing support on shared VLANs

  In a partitioned Citrix ADC appliance, dynamic routing now supports both dedicated and shared VLAN configuration. The dynamic routing is supported on both IPv4 and IPv6 addresses.
  [# NSHELP-300, NSNET-5662, 688589]

• Display reason for high availability sync failure

  In a high availability setup, the Citrix ADC GUI and CLI now display the reason for HA sync failure.
  [# NSNET-2859, 703141]

Policies

• API support to fetch client or server IP address in the extension

  Citrix ADC appliance now supports API-based protocol extension for fetching client or server IP address in the extension.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/citrix-adc-extensions/api-reference.html.
  [# NSEXT-287]

• String literals for expressions

  The 255 byte limit for string literals in Advanced policy expressions has been removed and can now be as long as the policy expression. The expression is allowed to be 1499 or 8191 bytes long. Previously, the string literal was limited to 255 bytes within quotes.

  For more information, see https://docs.citrix.com/en-us/netscaler/11-1/appexpert/policies-and-expressions/ns-pi-config-adv-expr-start-wrapper/ns-pi-charsets-con.html
  [# NSHELP-16014, 707731]

• Adding milliseconds to system time format

  Advanced policy expressions can now provide granular level system time format in microseconds or milliseconds. Previously, the time format was an unsigned long number in Nano format.

  Example: "Fri, 26 Aug 2016 12:22:01:<milliseconds>"
  [# NSHELP-16081, 659582]

• NSPEPI tool enhancement

  The NSPEPI conversion tool has been enhanced to perform the following:

  1. Convert Classic policy expressions to Advanced policy expressions.

  2. Convert certain Classic policies and their entity bindings to Advanced policies and bindings.

  3. Convert a few additional deprecated features to their corresponding non-deprecated features.

  4. Log information in an improved manner.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/appexpert/policies-and-expressions/ns-pi-intro-pol-exp-wrapper-con/ns-pi-pe-to-pi-conversion-tool-wrapper-con.html
  [# NSPOLICY-507]

SSL

• Support for HSTS preload

  The Citrix ADC appliance supports adding an HSTS preload in the HTTP response header. To include the preload, you must set the "preload" parameter to YES in the SSL virtual server or the SSL profile. The appliance then includes the preload in the HTTP response header to the client.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/how-to-articles/ssl-support-for-hsts.html#support-for-hsts-preload.
  [# NSHELP-13355, 716929]

• Support for Enlightened Data Transport (EDT) on DTLSv1.0 protocol

  DTLSv1.0 protocol is now supported with EDT on the following Citrix ADC appliances:

  - MPX 5900

  - MPX/SDX 8900

  - MPX/SDX 26000-100G

  - MPX/SDX 15000-50G
  [# NSSSL-1949, 492162]

System

• Two factor authentication for Citrix ADC management access

  Citrix ADC appliance now supports two-factor authentication for enhanced security. There is an additional layer of security added to the authentication process. As a result, the user identity is verified at two authentication levels. Only if passwords at both authentication levels are correct, the user is allowed to access the Citrix ADC appliance.

  Previously, in single-factor authentication process, the appliance authenticated the system user only at one level of authentication.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/system/ns-ag-aa-intro-wrapper-con/two-factor-authentication.html
  [# NSAUTH-12]

URL Filtering

• Display URL Categorisation result from CLI on demand (CLI implementation)

  URL Filtering Command Interface enables you to enter an URL and get the categorization result (category, group, and reputation score) as returned by the NetSTAR SDK database.

  For more information, see https://docs.citrix.com/en-us/citrix-secure-web-gateway/12-1/url-filtering/url-categorization.html
  [# NSSWG-887, 709193]

Web Citrix Web App Firewall

• Bypass or block non-RFC compliance HTTP requests

  A new parameter, “malformedReqAction” is now added to the application firewall global setting. You can configure this parameter to bypass or block non-RFC compliant requests. Previously, there was no option to block or bypass invalid HTTP requests and they were dropped.

  For example, if there is an incoming request that has a host header missing, the appliance can block or bypass such invalid requests by using the “malformedReqAction” parameter.

  Warning: If you disable the "block" option in the "malformedReqAction" parameter, the appliance bypasses the app firewall processing for all non-RFC compliance requests and forwards the requests to the next module.

  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/application-firewall/profiles/enforce-http-rfc-compliance.html
  [# NSWAF-605, 717499]

Fixed Issues

Authentication, authorization, and auditing

• The self-service password reset knowledge-based question and answer validation might fail if the size of the certificate bound to VPN global is greater than 1024 bytes.
  [# NSAUTH-5342]

• XML parsing fails if Citrix ADC appliance adds an extra character to the SAML assertion.
  [# NSHELP-18158, 717976]

• A Citrix ADC appliance might crash if clear config command is invoked when authentication, authorization, and auditing actions are handled.
  [# NSHELP-18165, 712982]

• The AAAD daemon might crash because of a memory corruption if the following conditions are met:

  - The nested group extraction is enabled on an active directory.

  - The extracted group length is between 52-56 bytes.
  [# NSHELP-18239, NSHELP-18258, NSHELP-18306]

• A Citrix ADC appliance might become unresponsive if there is a high CPU usage.
  [# NSHELP-8356, 711351]

• In a SAML de-serialize function, the Citrix ADC appliance might crash due to invalid memory access.
  [# NSHELP-8464, 718180]

• A Citrix ADC appliance might crash if the following conditions are met:

  - Changes in metadata URL.

  - The existing user session is disconnected.
  [# NSHELP-8504, 717465]

Base

• ABR video connections are throttled in nature and thus can negatively impact the correctness of Connection Quality Analytics (CQA).

  So, CQA metrics produced for ABR video transactions should be discarded.
  [# NSBASE-1116, 711964]

Citrix ADC GUI

• After an upgrade from Citrix ADC 11.1 build 56.x to Citrix ADC 12.1 build 49.x, the login to Citrix ADC GUI fails. The issue occurs if the password contains an escape sequence, such as "

  " or " ".
  [# NSHELP-18178, 716920]

• File download option does not work on the Citrix ADC GUI.
  [# NSUI-11341]

Citrix ADC SDX Appliance

• After upgrading an SDX appliance to 12.1 or 12.0 (any build) from any previous version, Management Service becomes unreachable if the CPU assigned to Management Service is used by another instance on the SDX appliance. The issue occurs in platforms SDX 15XXX, 26XXX, 14XXX 40S, 14XXX FIPS, and 89XX.
  [# NSSVM-311]

• In an SDX appliance, after a clean installation from any older version to 12.1 50.x, you might be unable to recover the network configuration and fail to access to SDX appliance (Dom0 and Management Service).
  [# NSSVM-452, 714118]

Citrix ADC VPX Appliance

• Support for Citrix ADC VPX instance on Google Cloud Platform

  You can deploy a Citrix ADC VPX instance on Google Cloud Platform (GCP). A VPX instance in GCP enables you to leverage cloud computing capabilities of GCP and use Citrix load balancing and traffic management features for your business needs. You can deploy VPX instances in GCP as standalone instances. Both single NIC and multi NIC configurations are supported.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-google-cloud.html.
  [# NSPLAT-2006, 709691]

• When a Citrix ADC VPX instance running on KVM hypervisor is provisioned with one or more ntel XL710 40G NICs, the 40G interface does not initialize correctly inside the VPX instance. Also, the interface name or MAC address appears incorrectly.
  [# NSPLAT-8533]

Citrix Gateway

• Admin UI calls from all IP addresses are now allowed.

  Earlier, some of these calls were blocked because of a deny rule in the httpd.conf file.
  [# NSHELP-1478, 689278]

• Files and folders hosted under the following SharePoint default folder cannot be accessed.

  - SitesPages

  - Shared Documents
  [# NSHELP-18114, 717798]

• Files and folders hosted under the SharePoint default folder "PublishingImages" cannot be accessed.
  [# NSHELP-18116, 716394]

• A Citrix ADC appliance might become unresponsive if the following conditions are met.

  - The appliance is configured for EDT proxy.

  - Audit log for TCP is enabled.
  [# NSHELP-18120, 718663]

• A Citrix ADC appliance might crash if the following conditions are met:

  - The appliance is configured for Citrix Gateway with EDT proxy functionality enabled.

  - The appliance is running low on memory.
  [# NSHELP-18121, 718754]

• In a Citrix Gateway appliance configured for nFactor authentication, the secondary factor of authentication is ignored if the following conditions are met:

  - Primary factor of authentication is certificate policy.

  - Secondary factor of authentication is group extraction.
  [# NSHELP-18139, 717520]

• If you click an RDP bookmark, a .rdp file is downloaded.

  Earlier, when the RDP bookmark was clicked, it opened in a new tab.
  [# NSHELP-18140, 718864]

• Citrix Gateway appliance dumps core when STA server closes the connection abruptly.
  [# NSHELP-18141, 716179]

• In some cases, logging out from Citrix Gateway is not supported.
  [# NSHELP-18144, 713765]

• After a successful logoff from a Citrix Gateway appliance, the client browser window must be closed and a new browser window must be opened for a new login.This is required, if the following authentication methods are selected:

  - SAML with IdP enabled

  - Smartcard
  [# NSHELP-18519, NSHELP-18422]

• jQuery version 1.12.4 used for the RfWebUI portal has security concerns.
  [# NSHELP-6662, 716381]

• Citrix Gateway server invariably downloads the plug-in configuration files from the Citrix downloads page, ignoring the settings pushed from the Citrix StoreFront server.
  [# NSHELP-6724, 716927]

• In Citrix ADC GUI, the options under file upload browse button incorrectly displays "object" and not the option name.
  [# NSHELP-7191, 714998]

• In a multicore environment, the Citrix Gateway appliance dumps core during login transfer when intranet IP address is enabled in VPN.
  [# NSHELP-8164, NSHELP-7078, NSHELP-7082, NSHELP-17438, NSHELP-18156, NSHELP-18368, 714043]

• Upon attempting to bind a previously bound VPN virtual server to a CS virtual server, the following error message is displayed, "ERROR: Only one VPN vserver can be bound to a CS vserver."
  [# NSHELP-8672, 718302]

Load Balancing

• After an upgrade to 12.1 build 51.x from any 12.1 previous build and after the appliance is rebooted, the argument -vlan is not applicable in the static subscriber profile commands.

  As a result, you must execute the add, remove, show subscriber profile commands without the argument "-vlan."

  Example commands:

  - Adding subscriber with IP address 1.1.1.1 and VLAN 22: add subscriber profile 1.1.1.1 22

  - Adding subscriber with IP address 1.1.1.1 and no defined VLAN: add subscriber profile 1.1.1.1

  - Removing subscriber with IP address 1.1.1.1 and no defined VLAN: rm subscriber profile 1.1.1.1

  If your running configuration includes subscriber profile commands with the "-vlan," argument, after the upgrade, you must define these subscriber profiles according to the new format.
  [# NSBASE-6561]

• If the command for configuring load balancing virtual server with listen policy fails, the Citrix ADC appliance might stop responding while freeing the allocated memory.
  [# NSHELP-10186, 718627]

• For a monitor bound to an SSL profile and certificate, the number of characters allowed in the monitor name is limited to 31.
  [# NSHELP-18148, 718469]

Citrix Gateway

• When a user enters an incorrect password for logon, "Bad Pass" error message is displayed. This happens when "enhancedAuthenticationFeedback" feature is enabled.
  [# NSHELP-6508, 716404]

• Chrome does not trigger EPA plug-in when multiple EPA factors configured.
  [# NSHELP-6840, 712659]

NetScaler Insight Center

• In a certain scenario, the Citrix ADC appliance might become unresponsive if ICA AppFlow or SmartControl feature is enabled.
  [# NSHELP-15475, 718403]

• A Citrix ADC appliance might become unresponsive in certain traffic patterns if AppFlow feature is enabled for ICA traffic.
  [# NSHELP-15858, 718196]

Networking

• In a Citrix Gateway appliance, responder and rewrite policies bound to VPN virtual servers might not process the packets that matched the policy rules.
  [# NSHELP-18311]

• Enabling secure access (secureonly) to Citrix ADC GUI on the NSIP or SNIP addresses fails to disable HTTP (insecure) GUI access.
  [# NSHELP-18353]

Platform

• You cannot configure two MPX 26xxx appliances in a high availability setup if you do not have the correct licenses for the two models.
  [# NSHELP-14880, 718615]

SSL

• If the appliance receives the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" cipher more than once in a client hello message, the message is no longer blocked. Earlier, such client hello messages were blocked.
  [# NSHELP-18190, NSUAT-212, 718827]

• An application using the DTLS protocol might become unresponsive if one of the following conditions are met:

  - You bind an unsupported DTLS cipher to a virtual server.

  - You bind a cipher group that does not contain even one DTLS supported cipher to a virtual server.
  [# NSHELP-8634, 718228]

• You cannot remove an SSL log profile if it is attached to the SSL default profile and client authentication is enabled on the SSL default profile.
  [# NSSSL-885, 664622]

• Key file installation fails if you are using the GUI to install the bundle containing the certificates and the key file.
  [# NSUI-11392, 717443]

• The SSL parameters do no appear correctly in the service view.
  [# NSUI-11414]

System

• Market specific violation is caused, if you have CallHome enabled by default on a Citrix ADC 12.1 appliance. The feature should be configured as an user's opt-in feature.
  [# NSCALLHOME-82, 716240]

• A Citrix ADC appliance might crash if several memory dumps are generated on the appliance. This occurs when you upgrade the appliance from version 12.0 build 58.15 to version 12.0 build 57.11.
  [# NSHELP-11554, 715337]

• A Citrix ADC appliance might crash if you observe the following conditions:

  - Fail to respond to the client with reset stream.

  - Drop request body when more packets arrive from the client.
  [# NSHELP-11614, 715665]

• The timezone is inconsistent in Citrix ADC GUI and CLI.
  [# NSHELP-11971, 718229]

• In a Citrix ADC appliance, an issue occurs when both classic auditlog policy and advanced authentication policy are globally bound to the system. As a result, the "bind system global" command is not applied successfully and if either of the following conditions is observed:

  - If you upgrade the appliance.

  - If a secondary node is added to a high availability setup.
  [# NSHELP-18119, 718688]

• In a clustered setup, a latency issue is observed, if:

  - Client reuses the TCP port number to send requests

  - Citrix ADC appliance takes a longer time to respond.
  [# NSHELP-9497, 718669]

URL Categorization

• When a cloud categorization lookup failure is observed, a Citrix ADC appliance displays a generic error for level 4 logs.
  [# NSSWG-397, 705070]

URL Filtering

• During long policy evaluation, a Citrix ADC appliance might crash when obfuscating an Internet Watch Foundation (IWF) domain. The issue occurs when a TCP connection is closed.
  [# NSHELP-18365, NSSWG-538]

Video Optimization

• The Citrix ADC TCP/IP processing module (also known as, Packet Processing Engine (PPE)) crashes when a TCP connection attached to a non-master TCP processing module stays open for more than 3,276 seconds.
  [# NSHELP-8799, 710123]

• In a corner case, a Citrix ADC appliance reboots when an internal function performs Server Name Indication (SNI) extraction from server certificate. This happens because server side certificate is invalid with a zero-length DNS name.
  [# NSHELP-8803, 718515]

• The Video Optimization burst period implementation is not working properly in a Citrix ADC appliance.
  [# NSVIDEOOPT-215, 715011]

• The ABR video detection algorithm is unable to detect videos from xvideos.com domain (vid-egc.xvideos-cdn.com)
  [# NSVIDEOOPT-424, 715921]

• When handling QUIC ABR video traffic, a Citrix ADC appliance might crash during a video optimization policy evaluation.
  [# NSVIDEOOPT-649, NSHELP-5781, 709940]

• During video optimization, buffering occurs because of a conflict between the Nile congestion handler and the pacing scheduler.
  [# NSVIDEOOPT-758, 705099]

• The Application Flags field in AppFlow records are not correctly populated for video-paced connections. As a result, the ADM TCP Insight reports for Download Speed might display lower values. Also, external AppFlow consumers always report connections as unoptimized.
  [# NSVIDEOOPT-771, 718659]

Web App Firewall

• A user cannot send an HTTP request from a website if the Web App Firewall profile has the following options enabled:

  - Streaming

  - signature bound with post body rules.
  [# NSHELP-18238]

Web Citrix Web App Firewall

• A Citrix ADC appliance might crash if there is a Cross-Site Request Forgery (CSRF) tag failure.
  [# NSHELP-17940, 715105]

• Memory leak is observed in a Citrix ADC appliance, if the Integrated Cache and the Web Citrix Web App Firewall features are enabled.
  [# NSHELP-17969, NSHELP-17158, 717405]

Known Issues

• A Citrix ADC appliance configured for Citrix ADC AAA might become unresponsive if the following conditions are met:

  • The samlAction parameter is configured.

  • The back-end server is unreachable.
  [# NSHELP-8220, TSK0702827]

Citrix Web App Firewall

• A Citrix ADC application firewall appliance intermittently blocks requests for some URLs under heavy traffic loads when advance application firewall start url check is enabled.
  [# NSHELP-16678, TSK0694123]

• In a HA environment, after an upgrade to release version 11.1 56.x, the Citrix Web App Firewall primary node fails to restart after a failover.
  [# NSHELP-17644, TSK0693905]

• The Citrix Web App Firewall auto-update feature does not work and the ‘https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml" file fails to download.
  [# NSHELP-17705, TSK0692155]

• Citrix Web App Firewall AppFw Field Format learned Data is different from the Export Learned Data. When aslearn configured learned data is deployed and the field types reaches aslearn supported limit, the get learnt data will not able to display total learnt data.
  [# NSHELP-18077, TSK0695412]

Citrix ADC SDX Appliance

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [# NSHELP-12377, TSK0714041]

Citrix Gateway

• In some cases, a Citrix ADC appliance dumps core if the Citrix Gateway is configured for EDT Proxy and the EDT Insight functionality is enabled.

  Workaround: Disable EDT Insight functionality.
  [# NSINSIGHT-1948]

Clustering

• In a cluster deployment, the ‘show cluster node’ command displays the interfaces on which the heartbeat is turned off in a ‘Interfaces on which heartbeat are not seen’ parameter.
  [# NSHELP-16123, BUG0715129]

• The node-to-node messaging (NNM) stalls on a cluster-enabled Citrix ADC appliance.
  [# NSHELP-16150, TSK0717052]

Licensing

• When Citrix ADC licenses hosted on NetScaler MAS expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
  [# NSPLAT-6417, BUG0697665]

Load Balancing

• A Citrix ADC appliance might crash in the following case:

  A new HTTP request is received when changing the persistence type from COOKIEINSERT to other type.
  [# NSHELP-10921, TSK0714710]

• A Citrix ADC appliance might crash if a stream selector with rate limiting objects gets deleted and added again with overlapping selectlets.
  [# NSHELP-11131, 713444]

• In a high availability setup, the running config displays unwanted port information for service group monitor bindings when you execute the show ns runningConfig command. This results in loss of service group monitor binding after a reboot or a failover. The service group member bindings are unaffected.
  [# NSLB-4418]

NITRO

• Application delivery Management fails to log on to a Citrix ADC appliance if the system password contains forward slash (/).
  [# NSHELP-9116, BUG0718535]

Citrix ADC GUI

• After successfully logging into the Citrix ADC appliance, the GUI home page takes longer time to appear.
  [# NSHELP-18249]

Citrix Gateway

• In a multi-core Citrix ADC appliance, Enlightened Data Transport (EDT) application fails to launch on a Citrix ADC instance deployed on VMware ESX, and configured to use VMXNET3 NIC.
  [# NSHELP-1639, BUG0697771]

• The global settings for the graphical user interface are not shown correctly.
  [# NSHELP-7740, TSK0603701]

• SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).

  Workaround: Use an IP address for VDA.
  [# NSHELP-8549, TSK0704511]

NetScaler Insight Center

• NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
  [# NSINSIGHT-943, BUG0609604]

Citrix ADC VPX Appliance

• Support for VMware vMotion

  From this release, you can migrate a Citrix ADC VPX instance by using VMware vMotion. The vMotion feature does not support Citrix ADC VPX instances configured to use SR-IOV and PCI passthrough interfaces. Supported interfaces are E1000 and VMXNET3.

  For more information, see Install a Citrix ADC VPX instance on VMware ESX topic: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/install-vpx-on-esx.html
  [# NSHELP-15343, TSK0690477]

• Error messages appear when an SR-IOV-enabled Citrix ADC VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
  [# NSPLAT-3883, BUG0692334]

• In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
  [# NSPLAT-4451, BUG0705793]

• When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
  [# NSPLAT-4520, BUG0706104]

Networking

• The Citrix ADC appliance might not properly process the packets received from Check Point firewall.
  [# NSHELP-201, NSHELP-116, TSK0689372]

• The Citrix ADC appliance might not completely remove the RNAT global configuration during a clear config operation.
  [# NSHELP-86, TSK0712215]

• In some cases, when a net profile is bound to VPN virtual server, the Citrix Gateway logon page does not load and the Citrix ADC admin user interface becomes inaccessible.
  [# NSHELP-92, TSK0715048]

• The appliance might fail in unbinding NAT rules, with 32-bit netmask, from a netprofile.
  [# NSHELP-93, TSK0715128]

• In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
  [# NSNET-5233, BUG0485678]

• For an RNAT connection, the Citrix ADC appliance drops the first ICMP packet that the server sends to the client.
  [# NSNET-5708, NSNET-5463, BUG0543171]

Policies

• The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.
  [# NSHELP-16091, BUG0663414]

SSL

• You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.

  Workaround: Use the CLI.
  [# NSHELP-13018, BUG0716709]

• You might see heartbeat failures eventually leading to a high availability failover. The issue is seen when secure monitors are enabled on a Citrix ADC VPX appliance and the appliance performs DH-key exchange with the backend servers. The failures happen because some CPU intensive DH operations are performed inline.
  [# NSHELP-13321, TSK0715231]

• You cannot add a CRL with X.509 version 1 on a Citrix ADC appliance if the explicit version field in that CRL is set to 0.
  [# NSHELP-14919, TSK0681878]

• In a cluster setup, when you enable the session reuse parameter for any internal service, the parameter is enabled on the cluster IP (CLIP) address. However, this setting is not allowed on the nodes. Therefore, the running configuration on the CLIP shows session reuse enabled, while on the nodes it shows session reuse disabled.
  [# NSHELP-18186, TSK0718409]

• In a cluster setup, if you bind a custom certificate to the internal services, and then run the "clear config basic" command, the default certificate (ns-server-certificate) is no longer bound to the internal services on the cluster IP (CLIP) node.

  On the other nodes, the default certificate is bound to the internal services.
  [# NSHELP-18187, TSK0718408]

• In a cluster setup, the running configuration on the CLIP address and the nodes differs if the following conditions are met:

  - You add a certificate-key pair with a password.

  - Update this certificate-key pair with another certificate and a key without a password.

  The running configuration on the CLIP address shows a password for the updated certificate even though there is no password. However, it does not show a password for the updated certificate on the nodes.
  [# NSHELP-18189, TSK0718410]

• In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
  [# NSSSL-3161, NSSSL-1258, NSSSL-1264, BUG0678175]

• An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
  [# NSSSL-3184, NSSSL-1379, NSSSL-1394, BUG0678176]

• In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
  [# NSSSL-3402, BUG0708057]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# NSSSL-4001, BUG0682859]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# NSSSL-4427, BUG0687208]

• The TLS 1.3 server sends an "internal_error" alert and breaks the connection if all of the following conditions are met:

  - TLS 1.3 is negotiated for a connection.

  - An ssl policy action is configured that causes the server to request a certificate from the client.

  - The client's response is received for the post-handshake certificate request.
  [# NSSSL-793, BUG0713257]

• If you create an ECDSA key by using the GUI, the type of curve is not displayed.
  [# NSUI-6838, BUG0705612]

SWG URL Filtering

• A Citrix ADC appliance sends categorization requests asynchronously to the NetSTAR cloud service through an SSL connection. When the SSL connection closes because of momentary connection issue, the appliance crashes.
  [# NSHELP-17285, 717377]

• When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.

  As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
  [# NSSWG-849]

System

• In a cluster deployment, if you run "force cluster sync" command on a non-cco node, the ns.log file contains duplicate log entries.
  [# CGOP-6794, NSGI-1293, BUG0702608]

• The ipFreePorts counter value is always zero.

  Workaround: Correct the counter to read proper values.
  [# NSHELP-16587, TSK0715208]

• In high memory condition, a Citrix ADC appliance crashes and dumps core memory because of a memory allocation issue.
  [# NSHELP-4853, TSK0701323]

• A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.
  [# NSHELP-9118, TSK0690965]

• The Citrix ADC appliance may display messages that are a result of file system compatibility checks that are performed when booting up. These messages are informational only, and do not have any adverse impact on the functioning of the Citrix ADC.
  [# NSPLAT-4384, NSPLAT-3243, NSPLAT-3417, BUG0452382]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
  [# NSPOLICY-1267, BUG0707209]

URL Filtering

• If a consecutive import of URLset times out because of connectivity issues with the download server, the Comman Line tool will freeze, create a core dump, and will restart. The appliance's traffic will run as expected.

  Workaround: Download the URL set from the same server and disperse their download frequency.
  [# NSSWG-656, NSHELP-4492, BUG0712904]

Video Optimization

• In a rare scenario, a Citrix ADC appliance might crash, if Video Optimization releases the allocated memory in the event of a double free error.
  [# NSVIDEOOPT-770, 717965]

Web App Firewall

• In a content switching deployment, the load balancing virtual server details are not captured in the AppFlow records. As a result, the Security Insight reports are generated at the content switching virtual server level and not at the load balancing virtual server level.
  [# NSHELP-17152, NSHELP-2786, TSK0709737]

• A Citrix ADC appliance might crash if the WSDL schema includes an "anyAttribute" element.
  [# NSHELP-17943, TSK0718315]

Web Citrix Web App Firewall

• A Citrix ADC appliance might crash during forceful browser protection if the following conditions are observed:

  - Limited memory.

  - URL closure is enabled on the Web Citrix Web App Firewall profile.
  [# NSHELP-18004, TSK0718751]

What's New in Previous Citrix ADC 12.1 Releases

• Securing web traffic with HTTP RFC compliance

  You can now secure your web traffic with HTTP RFC compliance by setting the RFC profile in “Block” or “Bypass” mode. By doing this, any invalid traffic (request or response) that matches the Citrix Web App Firewall profile is implicitly blocked or bypassed accordingly.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/application-firewall/profiles/enforce-http-rfc-compliance.html
  [From Build 49.37]
  [# 638547]

Authentication, authorization, and auditing

• Setting NSC_TMAS cookie for HTTPS

  Citrix ADC appliance sets only secure cookie (NSC_TMAS) for secure or HTTPS traffic management servers.
  [From Build 50.31]
  [# 700291]

• Support for validating end-to-end RADIUS authentication

  Citrix ADC appliance can now validate end-to-end RADIUS authentication through Citrix ADC GUI. A new “test” button is introduced in Citrix ADC GUI to validate this feature. A Citrix ADC administrator can use this feature to achieve the following benefits:

  - Consolidates the complete flow (packet engine – AAA daemon – external server) to provide better analysis.

  - Reduces time on validating and troubleshooting issues related to individual scenarios.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-auth-radius-tsk.html#support-for-validating-end-to-end-radius-authentication
  [From Build 50.31]
  [# NSAUTH-1097, ENH0713160]

• Metadata reading and generation support for SAML SP and IdP configuration

  Citrix ADC appliance now supports metadata files as means of configuration entities for both SAML Service Provider (SP) and Identity Provider (IdP). The metadata file is a structured XML file that describes the configuration of an entity. The metadata files for SP and IdP are separate. Based on deployment, and at times, one SP or IdP entity can have multiple metadata files.

  As an administrator, you can export and import (SAML SP and IdP) metadata files on Citrix ADC.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/saml-authentication.html#metadata-reading-and-generation-support-for-saml-sp-and-idp-configuration
  [From Build 50.31]
  [# NSAUTH-4008, NSHELP-595, ENH0689985]

• Support for self-service password reset

  Citrix ADC appliance now supports self-service password reset. Self-service password reset is a web-based password management solution that eliminates the user dependency for administrator(s) assistance to change or reset the password. It is available on both in Citrix ADC as an authentication, authorization, and auditing feature and in Citrix Gateway.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/sspr-support.html.
  [From Build 50.31]
  [# NSAUTH-4204, ENH0703743]

• Support for noAuth authentication

  Citrix ADC appliance now supports noAuth authentication capability that enables the customer to configure a defaultAuthenticationGroup parameter in noAuthAction command, when a user handles this policy. The administrator can verify for the presence of this group in a users group to determine user’s navigation through noAuth policy.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/authentication-virtual-server/ns-aaa-setup-auth-vserver-tsk.html.
  [From Build 50.31]
  [# NSAUTH-540, BUG0711009]

• Setting NSC_TMAS cookie for HTTPS

  Citrix ADC appliance sets only secure cookie (NSC_TMAS) for secure or HTTPS traffic management servers.
  [From Build 50.31]
  [# NSHELP-8493, 700291]

Browser-EPA

Citrix ADC SDX Appliance

• Support for Citrix SD-WAN VPX instance

  You can deploy a Citrix SD-WAN VPX instance on Citrix ADC SDX 14XXX and SDX 115XX appliances.

  For more information, see https://docs.citrix.com/en-us/sdx/12-1/deploy-sd-wan-vpx.
  [From Build 49.37]
  [# 710971]

• Support for new SNMP traps

  The following new SNMP traps are now supported:

  deviceBooted

  deviceRebooted

  inventoryPassed

  logicalDrivePassed

  For more information about how to configure SNMP traps, see https://docs.citrix.com/en-us/sdx/12-1/manage-monitor-appliance-network-configuration/configuring-snmp-trap-destination.html.
  [From Build 50.31]
  [# 714140]

• Severity column for SNMP alarms

  You can now view severity level for SNMP alarms. To view, log on to the Citrix ADC user interface and navigate to System Alarms. Check the levels under the Severity column.
  [From Build 50.31]
  [# 714827]

Citrix ADC SDX appliance

• Severity column for SNMP alarms

  You can now view severity level for SNMP alarms. To view, log on to the Citrix ADC user interface and navigate to System Alarms. Check the levels under the Severity column.
  [From Build 50.31]
  [# NSHELP-12401, 714827]

• Support for new SNMP traps

  The following new SNMP traps are now supported:

  deviceBooted

  deviceRebooted

  inventoryPassed

  logicalDrivePassed

  For more information about how to configure SNMP traps, see https://docs.citrix.com/en-us/sdx/12-1/manage-monitor-appliance-network-configuration/configuring-snmp-trap-destination.html.
  [From Build 50.31]
  [# NSHELP-13543, 714140]

Citrix ADC VPX Appliance

• Support for vCPU-based perpetual licensing

  Virtual CPU (vCPU)-based perpetual licensing is now supported for Citrix ADC VPX instances. This licensing provides the computing power requirement of VPX on-prem and cloud customers. For each VPX model, existing Citrix ADC licensing editions apply: Citrix ADC Standard Edition, Enterprise Edition, Platinum Edition.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html.
  [From Build 49.37]
  [# 701340]

• Support for Azure Availability Zones in a high availability deployment

  You can deploy a pair of Citrix ADC VPX appliances with multiple NICs in an active-passive high availability setup across Azure Availability Zones. For more information about Azure Availability Zones and what they offer, see Azure documentation: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html.
  [From Build 49.37]
  [# 710226, 712503]

• Support for VMware ESXi 6.7 server

  Citrix ADC VPX instances now support VMware ESXi 6.7 server.

  For more information, see table 2 in this page: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.
  [From Build 49.37]
  [# 710366]

• Support for Citrix ADC VPX instance on Google Cloud Platform

  You can deploy a Citrix ADC VPX instance on Google Cloud Platform (GCP). A VPX instance in GCP enables you to leverage cloud computing capabilities of GCP and use Citrix load balancing and traffic management features for your business needs. You can deploy VPX instances in GCP as standalone instances. Both single NIC and multi NIC configurations are supported.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-google-cloud.html.
  [From Build 50.31]
  [# NSPLAT-2006, ENH0709691]

• Citrix ADC VPX support for AWS China region

  Now Citrix ADC VPX deployment (both standalone and high availability) is supported in AWS China region.
  [From Build 50.31]
  [# NSPLAT-2237, ENH0518744]

• Support for RHEL 7.5

  Now RHEL version 7.5 is supported for Citrix ADC VPX instance deployment on Linux KVM. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.
  [From Build 50.31]
  [# NSPLAT-3755, ENH0714623]

Citrix Gateway

• nFactor authentication support using Windows VPN plug-in.

  nFactor authentication is now supported using a Windows VPN plug-in.
  [From Build 49.37]
  [# 647169]

• Support for USB redirection in Citrix Gateway Enabled PCoIP proxy

  USB devices connected to the client machine can be accessed from the virtual desktops and apps.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/netscaler-gateway-enabled-pcoip-proxy-support-for-vmware-horizon-view/configuring-netscaler-gateway-enabled-pcoip-proxy-for-vmware-horizon-view.html
  [From Build 49.37]
  [# 670578]

• GUI enhancements aiding STA server troubleshoot and seamless app launch

  The following GUI enhancements are made:

  - In the XA-XD wizard under StoreFront setting Test STA Connectivity button is added to test STA servers connectivity.

  - In the XA-XD dashboard page, Gateway entry list shows STA server and StoreFront server status.

  - In the Citrix Gateway Virtual Server page, you can view STA server status bound to a VPN virtual server.
  [From Build 49.37]
  [# 705538]

• Device Certificate in nFactor as an EPA component

  You can configure Device Certificate in nFactor as an EPA component.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/device-certificate-in-nfactor-as-an-epa-component.html
  [From Build 50.31]
  [# CGOP-5758, ENH0701170]

• Advanced Clientless VPN access

  Outlook Web Access 2016 and SharePoint 2016 are supported for Clientless access. SharePoint no longer needs to use the default folder for rewriting URLs.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/vpn-user-config/cvpn-overview/ng-connect-cvpn-policies-how-work-con/advanced-clientless-access.html.
  [From Build 50.31]
  [# CGOP-6174, ENH0671584]

Citrix Secure Web Gateway

• Support for new SWG platforms

  Citrix Secure Web Gateway (SWG) is supported on Citrix SWG MPX 5900/8900 and Citrix SWG SDX 8900 platforms.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/supported-hardware-software-platforms.html.
  [From Build 49.37]
  [# 704727]

• Integration with IPS or NGFW as inline devices

  A Citrix Secure Web Gateway (SWG) appliance can now integrate with inline security devices, such as Intrusion Prevention System (IPS) and Next Generation Firewall (NGFW). This integration helps in protecting servers and users from web bound threats hidden in encrypted packets.

  The Citrix SWG appliance offloads TLS/SSL processing from inline devices. If there are multiple inline devices, the appliance also load balances the traffic to these devices.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/security-configuration/integration-with-ips-or-ngfw-as-inline-devices.html.
  [From Build 50.31]
  [# NSBASE-2703, ENH0659611]

• Performing an explicit subdomain match

  You can now perform an explicit subdomain match for an imported URL set. To do this, a new parameter, "subdomainExactMatch" is added to the “import policy URLset” command. When you enable the parameter, the URL Filtering algorithm performs an explicit subdomain match. For example, if the incoming URL is "news.example.com" and if the entry in the URL set is "example.com", the algorithm does not match the URLs.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-list.html
  [From Build 50.31]
  [# NSSWG-686, ENH0711662]

• Displaying imported URL sets

  You can now display imported URL sets in addition to added URL sets. To do this, a new parameter “imported” is added to the “show urlset” command. If you enable this option, the appliance displays all imported URL sets and distinguishes the imported URL sets from the added URL sets.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-list.html
  [From Build 50.31]
  [# NSUI-1191, ENH0714076]

• Configuring seed database path and cloud server name

  You can now configure the seed database path and cloud lookup server name for manually setting of the cloud lookup server name and the seed database path. To do this, two new parameters, “CloudHost” and “SeedDBPath”, are added to the URL filtering parameter command.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-categorization.html
  [From Build 50.31]
  [# NSUI-1210, ENH0715434]

Citrix Web App Firewall

• Rebranding Citrix ADC App Firewall to Citrix Web App Firewall

  According to Citrix rebranding guidelines, the Citrix ADC App Firewall feature is now renamed as Citrix Web App Firewall in Citrix ADC GUI.
  [From Build 50.31]
  [# NSUI-1219, ENH0715820]

Clustering

• Cluster support for ANY type of virtual server

  The Citrix ADC appliance can now support "ANY" type of virtual server while gracefully handling of nodes in a cluster deployment.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-managing/graceful-shutdown-of-nodes.html.
  [From Build 49.37]
  [# 683859]

• GRE tunnel based steering support for L2 cluster deployments

  The Citrix ADC appliance now supports GRE tunnel based packet steering in an L2 cluster deployment.
  [From Build 49.37]
  [# 701890]

DFD

DNS

• Jumbo frame support for DNS to handle UDP responses of large sizes

  DNS now supports jumbo frames for handling UDP responses greater than 1,280 bytes. You can set the maximum UDP packet size that the appliance can handle in proxy, ADNS, and forwarder modes by configuring the Maximum UDP Packet Size parameter value.

  The maximum UDP packet size is 16,384 bytes.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/dns/jumbo-frames-support-for-dns-to-handle-responses-of-large-sizes.html.
  [From Build 49.37]
  [# 695871]

GSLB

• Support for generation of SNMP traps for GSLB configuration synchronization

  A Citrix ADC appliance now generates SNMP traps for both local and remote sites when you synchronize the GSLB configuration. SNMP traps are generated for both manual synchronization and real-time synchronization.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/snmp-traps-for-gslb-configuration-synchronization.html.
  [From Build 49.37]
  [# 694414]

• Support for GSLB parent-child topology in Citrix ADC clusters

  The GSLB parent-child topology is now supported in Citrix ADC clusters.

  For parent and child sites to exchange aggregated statistics in metric-based load balancing methods, you must add local GSLB services on the child site.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-usage-scenarios/cluster-gslb-deploy.html.
  [From Build 49.37]
  [# 706504]

• GSLB supports multi-IP virtual servers

  GSLB now supports multi-IP virtual servers. In cloud deployments, for autoscaling of Citrix ADC instances, you can use IPset if Citrix ADC is used for GSLB as well as autoscaling load balancing end points.

  The statistics and the state of the virtual server are collected irrespective of the IP address provided to the GSLB service.

  Parent child topology is supported with IPset. Communication between the parent and the child sites is always using public IP address and the public port of the GSLB service. Also, site persistence works irrespective of the IP addresses associated with the GSLB service.

  Only one IP address is associated with a GSLB service. You cannot associate an IPset with a GSLB service.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-customizing/multi-ip-virtual-servers.html.
  [From Build 50.31]
  [# NSLB-424, ENH0710454]

• Gracefully aborting the GSLB configuration synchronization when the master and slave nodes are on different Citrix ADC versions

  The Citrix ADC appliance now checks for the firmware version on master and slave nodes before initiating synchronization. If the master and the slave nodes run different versions, the synchronization is aborted for that remote site to avoid pushing any incompatible changes across the versions. Also, an error message displaying the site details on which the synchronization aborted appears.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/synchronizing-configuration-in-gslb-setup.html.
  [From Build 50.31]
  [# NSLB-780, BUG0711371]

Gateway

Gateway Insight

• View HDX Insight reports for EDT traffic.

  HDX Insight reports can be viewed for the EDT traffic. By default, HDX Insight and EDT feature are disabled.
  [From Build 49.37]
  [# 690033]

Load Balancing

• Support for graceful shutdown of services in Citrix ADC clusters

  The Citrix ADC clusters now support graceful shutdown of services.

  To gracefully shutdown the services, you can perform one of the following tasks.

  - Explicitly disable the service, and set a delay (in seconds) or enable graceful shutdown.

  - Add a TROFS code or string to the monitor.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-managing/graceful-shutdown-of-services.html.
  [From Build 49.37]
  [# 691848]

• Increase in Citrix ADC system limit for unique load balancing monitors

  The Citrix ADC system limit for unique load balancing monitors is now increased to 16360.
  [From Build 50.31]
  [# 693776]

• Getting location details from user IP address using geo database

  Citrix ADC appliance performs geo location (policy-based) user authorization. When there is a user request from a particular location, the appliance uses the IP address to retrieve the user’s location details from a geo database. The appliance evaluates the location details using geo location (responder and rewrite) policies. The appliance also logs the location details (optional) using the audit logging mechanism.

  After policy evaluation, based on Citrix ADC configuration, the appliance or the back-end server sends a suitable response.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-advanced-settings/retrieve-location-details-using-ip-address-from-geolocation-database.html.
  [From Build 50.31]
  [# NSLB-325, NSHELP-3740, ENH0688198]

• Creating negative session when PCRF is down

  If the PCRF server is down, the Citrix ADC appliance creates negative sessions for the pending or incoming Gx subscriber requests.

  When the PCRF server is back up again, the Citrix ADC appliance prevents a storm of requests by waiting for the negative sessions to expire before performing the specific subscriber requests.
  [From Build 50.31]
  [# NSLB-519, BUG0713709]

Load balancing

• Increase in Citrix ADC system limit for unique load balancing monitors

  The Citrix ADC system limit for unique load balancing monitors is now increased to 16360.
  [From Build 50.31]
  [# NSHELP-18135, 693776]

MPX-Platform

NITRO

• Retrieving LOM Port firmware version

  The nshardware NITRO API resource now supports retrieving the LOM port’s firmware version of a Citrix ADC appliance.

  For more information, see https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/latest/configuration/ns/nshardware/nshardware/
  [From Build 50.31]
  [# NSHELP-4797, ENH0695712]

Networking

• USIP support on a v4-to-v6 load balancing configuration

  Earlier, in a v4-to-v6 load balancing configuration, the Citrix ADC used to include one of the configured IPv6 SNIP address as the source IP address in the translated IPv6 requests packet to the servers. The Citrix ADC used to include an IPv6 SNIP address even when the USIP option is enabled for the related load balancing services.

  Now, USIP NAT prefix parameter has been introduced for making the servers aware of the client’s IP address of the request packets. USIP NAT prefix is a global IPv6 prefix of length 96 bits (128-32=96) configured on Citrix ADC.

  For a load balancing service that has USIP enabled, the ADC translates the IPv4 request packet to an IPv6 packet and sets the source IP address of the translated IPv6 packet to a concatenation of the USIP NAT prefix [32/40/48/56/64/96 bits] and the IPv4 source address [32 bits] that was received in the request packet.

  On receiving an IPv6 response packet from the server, the ADC translates the IPv6 packet to an IPv4 packet and sets the destination IP address of the translated IPv4 packet to the last 32 bits of the destination IP address of the IPv6 packet.

  Note: This feature is not supported for gateway configuration and, content switching and cache redirection load balancing configurations.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-advanced-settings/usip-lb-v4v6.html.
  [From Build 49.37]
  [# 699605]

• BGP ECMP support for route paths in multiple autonomous systems

  The BGP protocol in a Citrix ADC appliance now supports load balancing route traffic across equal-cost BGP neighbors in different autonomous systems.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-routing/configuring-dynamic-routes/configuring-bgp.html.
  [From Build 50.31]
  [# NSHELP-329, ENH0710330]

• Support to configure HTTP and HTTPS management ports

  In a single-IP mode deployment of a Citrix ADC appliance, a single IP address is used as NSIP, SNIP, and VIP addresses. This single IP address uses different port numbers to function as NSIP, SNIP, and VIP addresses.

  Port numbers 80 and 443 are well-known ports for HTTP and HTTPS services. Earlier, port 80 and 443 of Citrix ADC IP address (NSIP) were dedicated ports for internal HTTP and HTTPS management services. Because these ports were reserved for internal services, you cannot use these well-known ports for providing HTTP and HTTPS data services from a VIP address, which has the same address as the NSIP address in a single-IP mode deployment.

  To address this requirement, you can now configure ports for internal HTTP and HTTPS management services (of the NSIP address) other than port 80 and 443.

  The following lists the default port numbers for internal HTTP and HTTPS management services in Citrix ADC MPX, VPX, and CPX appliances:

  - Citrix ADC MPX and VPX appliances: 80 (HTTP) and 443 (HTTPS)

  - Citrix ADC CPX appliances: 9080 (HTTP) and 9443 (HTTPS)

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/basic-operations/configure-http-https-management-ports.html.
  [From Build 50.31]
  [# NSNET-1630, BUG0708735]

• Support for IPv4 VIP route health injection and BGP dynamic routing protocol in a Citrix ADC CPX appliance

  The Citrix ADC CPX appliance now supports route health injection of IPv4 VIP addresses to its routing table and advertisement of these VIP routes to neighbor routers/networking devices using BGP dynamic routing protocol.
  [From Build 50.31]
  [# NSNET-2897, ENH0709944]

Platform

• Support for Citrix ADC MPX 15000-50G platform

  This release supports the Citrix ADC MPX 15000-50G platform. It includes MPX 15020-50G, MPX15030-50G, MPX 15040-50G, MPX 15060-50G, MPX 15080-50G, and MPX 15100-50G models.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-15000-50g.html.
  [From Build 50.31]
  [# NSPLAT-4724, 637170]

• Support for Citrix ADC MPX 26000 platform

  This release supports the Citrix ADC MPX 26000 platform. It includes MPX 26100, MPX 26160, and MPX 26200 models.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000.html.
  [From Build 50.31]
  [# NSPLAT-4909, NSPLAT-3127, NSPLAT-4087, TSK0637172]

• Support for Citrix ADC MPX 26000-100G platform

  This release now supports the Citrix ADC MPX 26000-100G and Citrix ADC MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.
  [From Build 50.31]
  [# NSPLAT-6288, NSPLAT-3076, ENH0648922]

• Support for Citrix ADC MPX 15000 platform

  This release supports the Citrix ADC MPX 15000 platform. It includes MPX 15020, MPX 15030, MPX 15040, MPX 15060, MPX 15080, and MPX 15100 models.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-15000.html.
  [From Build 50.31]
  [# NSPLAT-7566, ENH0688399]

• Support for Citrix ADC MPX 26000-50S Platform

  This release supports the MPX 26000-50S platform.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [From Build 50.31]
  [# NSPLAT-7606, NSPLAT-4122, NSPLAT-3133, NSPLAT-4047, 662685]

• Support for Citrix ADC MPX 26000-50S platform

  This release supports the Citrix ADC MPX 26000-50S platform. It includes MPX 26100-50S, MPX 26160-50S, MPX 26200-50S models. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [From Build 50.31]
  [# NSSSL-1855, NSSSL-2056, ENH0682991]

Policies

• New API support for reusing a server connection for other client connections in the server context

  A Citrix ADC API support is now added for reusing a server connection for other client connections in the server context. This API can be used only if an EOM event is used (in ns.send() API) to send for sending the data in the client context.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/api-reference.html and https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions.html.
  [From Build 49.37]
  [# 699069]

• RSA encryption with no padding policy function

  Policy-based RSA encryption now supports EY_ENCRYPT_PEM_NO_PADDING() policy function for no padding operation. The policy function works similar to the PKEY_ENCRYPT_PEM() function, except it uses the RSA_NO_PADDING method instead of RSA_PKCS1_PADDING. The pkey parameter is a text string with a PEM-encoded RSA public key. Similar to PKEY_ENCRYPT_PEM(), you can use a policy expression for the key.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/rewrite/rewrite-action-policy-examples/example-11-policy-based-rsa-encryption-no-padding-operation.html
  [From Build 49.37]
  [# 708991]

• API support to fetch TCP or SSL related info in the extension

  Citrix ADC appliance now supports API-based protocol extension for fetching TCP or SSL-related data in the extension.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/api-reference.html#ssl-context.
  [From Build 50.31]
  [# NSEXT-280, ENH0715744]

• API support for modifying traffic

  Citrix ADC appliance now supports API-based protocol extensions for modifying TCP stream data.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions/use-cases.html#modify-traffic.
  [From Build 50.31]
  [# NSEXT-281, ENH0715180]

• API support in protocol extension to send data to the client and server

  Citrix ADC appliance now supports a ns.send() API to send data from extension code to client and origin server. To send or receive data directly with the client, from client context, you must use ctxt.client as the target. To send or receive data directly with the server from server context, you must use ctxt.server as the target. The data in the payload can be a TCP stream or a Lua string.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions/use-cases.html#originate-traffic-to-client-or-server.
  [From Build 50.31]
  [# NSEXT-283, ENH0715743]

SSL

• Support for AES-based PEM encoding

  You can now use AES256 algorithm with PEM key format to encrypt a private key on the Citrix ADC appliance. AES with 256-bit key is mathematically efficient and secure compared to the 56-bit key of DES. Select ‘aes256’ in the following CLI command.

  create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (

  DER | PEM )] [-des | -des3 | -aes256] {-password }

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#create-a-private-key.
  [From Build 49.37]
  [# 275417, 710620]

• Support for DTLS protocol on the Citrix ADC MPX FIPS platform

  The MPX 14000 FIPS platform now supports the DTLS protocol end-to-end. That is, the protocol is supported on the client side and the server side. The following cipher suites are supported.

  - TLS1-AES-256-CBC-SHA

  - TLS1-AES-128-CBC-SHA

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  Note: Enlightened Data Support (EDT) is supported on the FIPS platform if all of the following conditions are met:

  - UDT MSS value set on StoreFront is 900.

  - Windows client version is 4.12 or later.

  - DTLS enabled VDA version is 7.17 or later.

  - Non-DTLS VDA version is 7.15 LTSR CU3 or later.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 498187]

• Support for TLSv1.3 protocol on the front end of Citrix ADC VPX and select MPX appliances

  The Citrix ADC VPX and N3 chip based MPX appliances now support the TLSv1.3 protocol as specified in RFC 8446. For N3 chip based MPX appliances, the support is currently only in software. That is the processing is not offloaded to the hardware (SSL acceleration chip.) To use TLS1.3, you must use a client that conforms to the RFC 8446 specification. The following ciphers are supported on the frontend:

  - TLS1.3-AES256-GCM-SHA384 (0x1302)

  - TLS1.3_CHACHA20_POLY1305_SHA256 (0x1303)

  - TLS1.3-AES128_GCM-SHA256 (0x1301)

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/tls13-protocol-support.html.
  [From Build 49.37]
  [# 544128, 664161]

• Support for KEK encryption in private key

  The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.
  [From Build 50.31]
  [# 671714]

• Support for wildcard in the subject alternative name in a certificate signing request

  You can now use wildcards in the subject alternative name (SAN) entry in the certificate signing request. For example, *.example.com.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#support-for-subject-alternative-name-in-a-certificate-signing-request.
  [From Build 49.37]
  [# 686067]

• Support for client-hello based expressions and a new bind point

  A new bind point ‘CLIENTHELLO_REQ’ is now available to evaluate SSL policies when a client hello message is received. That is, the policy is evaluated after parsing the client hello message. A ‘FORWARD’ action is added to forward the client traffic to a target load balancing virtual server. The target load balancing virtual server can be of type SSL, SSL_BRIDGE or TCP.

  In this release, only the forward and reset actions are supported for CLIENTHELLO_REQ bind point. The following expression prefixes are available:

  - CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE

  - CLIENT.SSL.CLIENT_HELLO.CLIENT_VERSION

  - CLIENT.SSL.CLIENT_HELLO.IS_RENEGOTIATE

  - CLIENT.SSL.CLIENT_HELLO.IS_REUSE

  - CLIENT.SSL.CLIENT_HELLO.IS_SCSV

  - CLIENT.SSL.CLIENT_HELLO.IS_SESSION_TICKET

  - CLIENT.SSL.CLIENT_HELLO.LENGTH

  - CLIENT.SSL.CLIENT_HELLO.SNI

  For more information about the new bind point, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/bind-ssl-policies-vserver.html.

  For more information about the new expression prefixes, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/policies-and-expressions/ns-pi-ae-parse-ssl-certs-wrapper-con.html#parse-ssl-client-hello.
  [From Build 49.37]
  [# 692432]

• Increase in the OCSP cache timeout limit

  The cache timeout limit is now increased to a maximum of 43,200 minutes (30 days). Earlier the limit was 1,440 minutes (one day). The increased limit helps reduce the lookups on the OCSP server and avoids any SSL/TLS connection failures in case the OCSP server is not reachable due to network or other problems.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/monitor-cert-status-with-ocsp.html#ocsp-response-caching.
  [From Build 49.37]
  [# 696815]

• Support for non-secure renegotiation on a DTLS service

  Non-secure renegotiation is now supported on a DTLS service (backend) on Citrix ADC MPX and VPX appliances.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 696904]

• Support for a new SSL action to forward traffic to another virtual server

  You can now forward the traffic received on an SSL virtual server to a load balancing virtual server to avoid SSL offloading or terminating the connection on the ADC appliance. For example, if the appliance does not have a certificate or it does not support a specific cipher, instead of terminating the connection, admins can choose to forward the request to a load balancing virtual server for further action. This virtual server can be of type: SSL, TCP, or SSL_BRIDGE.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#configure-an-ssl-action-to-forward-client-traffic-to-another-virtual-server.
  [From Build 49.37]
  [# 704106]

• Support for PFS on a DTLS virtual server

  The following cipher suites are now supported on a DTLS virtual server (frontend). These ciphers help achieve PFS (Perfect Forward Secrecy).

  - SSL3-EDH-RSA-DES-CBC3-SHA

  - SSL3-EDH-RSA-DES-CBC-SHA

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  - TLS1-DHE-RSA-AES-128-CBC-SHA

  - TLS1-DHE-RSA-AES-256-CBC-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 705164, 711810]

• Support for PFS on a DTLS service

  The following cipher suites are now supported on a DTLS service (backend). These ciphers help achieve PFS (Perfect Forward Secrecy).

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-DHE-RSA-AES-128-CBC-SHA

  - TLS1-DHE-RSA-AES-256-CBC-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 705165]

• Clear the OCSP stapling cached response of server certificate

  You can now clear the cached response of the server certificate from the OCSP responder even before the timeout expires. Earlier, you had to wait until the configured timeout was over to clear the cached response.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-11-1-ocsp-stapling-solution.html#ocsp-response-caching-of-server-certificates.
  [From Build 49.37]
  [# 709027]

• Support for SNI on a DTLS virtual server

  SNI (Server Name Indication) is now supported on a DTLS virtual server (frontend) on Citrix ADC MPX and VPX appliances. You can bind multiple SNI certificates to a DTLS virtual server.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37]
  [# 709345, 363547]

• Support for KEK encryption in private key

  The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.
  [From Build 50.31]
  [# NSHELP-14911, 671714]

• Support for PKCS#8 format in RSA, DSA, and ECDSA keys

  You can now create an RSA, DSA, or ECDSA key in PKCS#8 format. Earlier, the Citrix ADC appliance did not support this format, and you had to convert the key to a supported format, such as PKCS#12, before using it on the appliance. Also, you can now create certificate signing requests and add certificate-key pairs with PKCS#8 keys.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html and https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdsa-cipher-suite-support-on-mpx-appliances.html.
  [From Build 50.31]
  [# NSHELP-4891, ENH0673657]

• Support for DTLSv1.0 protocol on additional Citrix ADC MPX appliances

  DTLSv1.0 protocol is now supported on the following additional MPX appliances.

  - MPX 5900

  - MPX/SDX 8900

  - MPX/SDX 26000-100G

  - MPX/SDX 15000-50G

  Note: Enlightened Data Transport (EDT) is not supported on these platforms.
  [From Build 50.31]
  [# NSSSL-1943, ENH0705163]

• Software-only support for TLSv1.3 protocol on additional Citrix ADC MPX appliances

  TLSv1.3 protocol (RFC 8446) is now supported on SSL virtual servers configured on the following additional Citrix ADC MPX appliances:

  - MPX 5900

  - MPX/SDX 8900

  - MPX/SDX 26000-100G

  - MPX/SDX 15000-50G

  This release includes software-only implementation of TLSv1.3 and does not support hardware acceleration for cryptographic operations.
  [From Build 50.31]
  [# NSSSL-1966, ENH0715273]

• SSL action to select the list of CAs based on SNI for client authentication

  Typically, multiple CA certificates are bound to SSL virtual servers. These CA certificates are used to verify the client certificate during client authentication. Earlier, the list of all the CAs bound to an SSL virtual server were sent in the client certificate request from the Citrix ADC appliance to the client. With this enhancement, only the list of CA certificates is sent based on SNI (domain) in the client certificate request.

  Note: This feature is not supported on TLSv1.3 and DTLS connections.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#ssl-action-to-selectively-pick-cas-based-on-sni-for-client-authentication.
  [From Build 50.31]
  [# NSSSL-504, ENH0709142]

Security

• ICAP support for Citrix ADC

  A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send back responses to the appliance as modified messages. The adapted messages are either an HTTP or HTTPS response or request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [From Build 50.31]
  [# NSBASE-825, 702971]

System

• Telemetry Support in CallHome

  CallHome is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, CallHome sends the metrics once in every 7 days.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/configuring-call-home.html
  [From Build 49.37]
  [# 705785]

• Maximum limit for name attribute is set to 64 characters

  In rate limiting, the maximum limit for name attribute is now increased to 64 characters.
  [From Build 50.31]
  [# 710289]

• Inline device integration with Citrix ADC

  You can now integrate a Citrix ADC appliance with inline security devices such as Intrusion Prevention System (IPS) and Next Generation Firewall (NGFW). This integration prevents security threats and provides advanced security protection.

  The Citrix ADC appliance performs TLS/SSL processing and offloads the data to the inline device for high volume content inspection. If there are multiple inline devices, the appliance load balances the devices for traffic distribution.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/inline-device-integration-with-citrix-adc.html
  [From Build 50.31]
  [# NSBASE-4049, BUG0713041]

• Enabling TCP timestamp option

  In certain scenarios, transactions might be slow or incomplete, if you enable the TCP timestamp option on a Citrix ADC appliance.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/TCP_Congestion_Control_and_Optimization_General.html
  [From Build 50.31]
  [# NSBASE-843, BUG0710224]

• Maximum limit for name attribute is set to 64 characters

  In rate limiting, the maximum limit for name attribute is now increased to 64 characters.
  [From Build 50.31]
  [# NSHELP-11115, 710289]

TCP

Telco

• Support for triggering negative TTL for partial success response code 2002

  You can use the following command for triggering negative TTL for partial success response code 2002.

  set subscriber gxinterface -negativeTTLLimitedSuccess YES
  [From Build 49.37]
  [# 680136, 699466]

• IP prefix NAT support for TCP and HTTP load balancing configurations

  IP Prefix NAT feature is now supported for TCP and HTTP load balancing configurations. IP prefix NAT translates a part of the source IP address instead of the complete address of packets received on the Citrix ADC. IP prefix NAT includes changing one or more octets or bits of the source IP address.

  For more information about IP prefix NAT, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-addressing/configuring-network-address-translation/partial-nat.html.
  [From Build 49.37]
  [# 699465]

• AppFlow support for Gx messages

  The Citrix ADC appliance now supports Gx message reporting capability that enables the customer to maintain a log of subscriber session status. All received Credit-Control and Re-Auth Request diameter messages are logged through Appflow/Logstream infrastructure.

  The reported records include:

  - diameter message information, for example, type and response code.

  - essential pre-selected Attribute-Value Pairs (AVPs), for example, session-id and MSISDN

  - information up to five customers defined AVPs
  [From Build 50.31]
  [# NSBASE-1752, ENH0699467]

• Support of Gx session information in subscriber awareness AppFlow records

  The Citrix ADC subscriber awareness functionality for L4 and L7 Appflow records have been extended to include subscriber session id along with the last Gx/diameter message time stamp information. This allows easier correlation of data-plane logs with the newly introduced Gx reporting records.
  [From Build 50.31]
  [# NSBASE-2154, ENH0697881]

URLFiltering

• Configuring seed database path and cloud server name

  Feature: Citrix Secure Web Gateway

  You can now manually configure the seed database path and cloud lookup server name details. To do this, two new parameters, “CloudHost” and “SeedDBPath”, are added to the URL filtering parameter command.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-categorization.html
  [From Build 50.31]
  [# NSSWG-399, NSSWG-475, ENH0713975]

User Interface

Fixed Issues in Previous Citrix ADC 12.1 Releases

• In some cases, the Citrix Gateway appliance dumps core during the authentication if the following conditions are met:

  - The Citrix ADC appliance is configured for nFactor authentication.

  - The Gateway Insight feature is enabled for the appliance.
  [From Build 50.31]
  [# NSHELP-5271, TSK0713011]

AppExpert

• If you bind a rewrite policy to a load balancing or content switching virtual server and save the configuration, the policy binding does not apply on the appliance after a reboot. This issue occurs if the policy bindings do not contain the request or response type saved in the nsconfig file.
  [From Build 50.31]
  [# 715617]

AppFW

AppFlow

Citrix Web App Firewall

• When you deploy CSRF learned rules from the application firewall GUI, the rules do not get deleted and the following error "The CrossSiteRequestForgery check is already in use" is displayed if you try to redeploy the rules.
  [From Build 49.37]
  [# 704487]

• A high availability setup that has an application firewall profile with starurl closure enabled, experiences high CPU usage and system failover. The issue occurs if response pages contain many URLs.
  [From Build 50.31]
  [# 706088, 706156, 713509]

• The functionality for importing Citrix Web App Firewall profile configuration fails, if the profile contains user-defined field types and if the field types are used in multiple relaxation rules.
  [From Build 50.31]
  [# 706747]

• The cluster upgrade to a 12.1 build with Citrix Web App Firewall enabled on a Citrix ADC appliance is not supported.
  [From Build 49.37]
  [# 708269]

• The leading TCP window size is rounded off when the post body limit is set to 4294967295(2^32-1). The fix ensures that the limit max TCP window set by Citrix Web App Firewall is 100 MB in non-streaming data and 20 MB for streaming data.

  As a workaround, please add the post body limit on profile to values <=512MB, preferably to value 100MB. Also when requests are of larger sizes, please ensure that the profile has streaming enabled. Enable streaming only if backend server is able to accept chunked requests.
  [From Build 49.37]
  [# 708394, 708678, 707955, 708851, 711014]

• When you use special characters in AppFW SessionCookieName, the AppFirewall policy resets website URLs. The issue is resolved, if you remove special characters and use alphabets in the cookie name.
  [From Build 49.37]
  [# 708601]

• After an upgrade to Citrix ADC 11.1 build 57.13, the URL transformation policy for cookie domains is not applied to application secure cookies.
  [From Build 49.37]
  [# 708975]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 50.31]
  [# 709465, 710841, 713841, 716249]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 49.37]
  [# 709465, 710841]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [From Build 49.37]
  [# 710139]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [From Build 50.31]
  [# 710139]

• After a software upgrade, the Citrix ADC appliance crashes with AppFW violation data record when the AppFlow feature is disabled.
  [From Build 49.37]
  [# 710491]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 49.37]
  [# 710596]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 50.31]
  [# 710596]

• In a rare case, when Citrix Web App Firewall Learning option is enabled, the resulting aslearn.log file can consume a high amount of hard disk space, starving other disk users.
  [From Build 50.31]
  [# 712139]

• After an upgrade, if Applicable Firewall is enabled on a Citrix ADC appliance, it causes memory leak leading to a high memory usage.
  [From Build 49.37]
  [# 712290, 711993]

• A high availability setup that has an application firewall profile with starurl closure enabled, experiences high CPU usage and system failover. The issue occurs if response pages contain many URLs.
  [From Build 50.31]
  [# NSHELP-16694, 706088]

• The functionality for importing Citrix Web App Firewall profile configuration fails, if the profile contains user-defined field types and if the field types are used in multiple relaxation rules.
  [From Build 50.31]
  [# NSHELP-17851, 706747]

• In a rare case, when Citrix Web App Firewall Learning option is enabled, the resulting aslearn.log file can consume a high amount of hard disk space, starving other disk users.
  [From Build 50.31]
  [# NSHELP-18083, 712139]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 50.31]
  [# NSHELP-2820, BUG0710596]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [From Build 50.31]
  [# NSHELP-2851, NSHELP-2760, NSHELP-2770, NSWAF-446, TSK0709465]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [From Build 50.31]
  [# NSWAF-628, BUG0710139]

Authentication, authorization, and auditing

• A Citrix ADC appliance is unable to evaluate an advanced policy expression if you either bind the policy to a virtual server or to an authentication, authorization, and auditing group.
  [From Build 49.37]
  [# 705898]

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [From Build 50.31]
  [# 705972, 712490, 711718, 698974, 714419, 712489, 715399]

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [From Build 49.37]
  [# 705972, 712490, 711718, 698974, 714419, 712489]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [From Build 49.37]
  [# 707018]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [From Build 50.31]
  [# 707018]

• In case of nFactor authentication, the extracted authentication, authorization, and auditing group name from certificate-factor are concatenated with the first extracted group from LDAP-factor without any delimiter.
  [From Build 49.37]
  [# 709794]

• The authentication, authorization, and auditing feature does not evaluate the advanced authorization policies that are bound to authentication, authorization, and auditing user and group entities.
  [From Build 49.37]
  [# 710288]

• A Citrix ADC appliance might crash if there is a memory corruption due to a buffer overflow.
  [From Build 50.31]
  [# 710433]

• The Citrix ADC appliance might become unresponsive if both of the following conditions are met:

  • Login schema policy with reset action provokes the reset function to send reset packet, and then free it later.

  • The same packet is freed again, resulting in a duplicate packet free condition.
  [From Build 49.37]
  [# 710993]

• The request to the back-end server fails if the following conditions are met:

  • Request URL to the back-end server is encoded prior to establishing authentication, authorization, and auditing session.

  • Citrix ADC appliance decodes the URL after log on.
  [From Build 49.37]
  [# 711287, 711806, 713423]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [From Build 50.31]
  [# 712411, 713603, 713300, 710862]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [From Build 49.37]
  [# 712411, 713603, 713300]

• A Citrix ADC authentication, authorization, and auditing session observe an accounting error on the logout method.
  [From Build 50.31]
  [# 712813]

• A Citrix ADC appliance crashes if a replay packet is received once authentication is already generated a response.
  [From Build 50.31]
  [# 714057, 715858]

• In a rare case, a Citrix ADC appliance restarts if it tries to access a memory that was previously freed.
  [From Build 50.31]
  [# 714441, 715848, 715865, 715201]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [From Build 49.37]
  [# 714523, 714736]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [From Build 50.31]
  [# 714523, 714736]

• CPU utilization increases and the DNS data packet keeps looping if Citrix ADC authentication, authorization, and auditing uses port 3000 to send a DNS query to an LDAP or a RADIUS server. With this fix, Citrix ADC authentication, authorization, and auditing use source port 10000 and above to send DNS queries to LDAP or RADIUS servers.
  [From Build 50.31]
  [# 714739]

• A Citrix ADC appliance configured for SAML IdP might not perform Cross-site scripting (XSS) checks on the incoming RelayState parameter.
  [From Build 50.31]
  [# 714801]

• A Citrix ADC appliance configured as SAML Service Provider (SP) with artifact bindings occasionally return assertion replay when there is no replay.
  [From Build 50.31]
  [# 714920]

• A Syslog message reports the client IP and server IP in a reverse hexadecimal format.
  [From Build 50.31]
  [# 715098]

• A Citrix ADC appliance might become unresponsive if the function specifies a wrong async handler.
  [From Build 50.31]
  [# 715443]

• A Citrix ADC traffic management virtual server enabled for authentication might result in access failures, if the following conditions are met:

  - An unauthenticated URL contains special characters.

  - Back-end server receives a decoded URL request.
  [From Build 50.31]
  [# 716958]

• A gradual memory leak is observed on a Citrix ADC appliance for the following occurrences:

  - nFactor authentication is used.

  - There are no default or true authentication policies used.
  [From Build 50.31]
  [# 717322]

• An SSO to Office 365 fails if objectGUID of a user contains a NULL character.
  [From Build 50.31]
  [# 717549]

• A gradual memory leak is observed on a Citrix ADC appliance for the following occurrences:

  - nFactor authentication is used.

  - There are no default or true authentication policies used.
  [From Build 50.31]
  [# NSHELP-1642, TSK0717322]

• The AAAD daemon might crash because of a memory corruption if the following conditions are met:

  - The nested group extraction is enabled on an active directory.

  - The extracted group length is between 52-56 bytes.
  [From Build 50.31]
  [# NSHELP-18239, NSHELP-18258, NSHELP-18306]

• A Citrix ADC appliance configured as SAML Service Provider (SP) with artifact bindings occasionally return assertion replay when there is no replay.
  [From Build 50.31]
  [# NSHELP-2132, TSK0714920]

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [From Build 50.31]
  [# NSHELP-445, NSHELP-515, NSHELP-579, TSK0705972]

• In a rare case, a Citrix ADC appliance restarts if it tries to access a memory that was previously freed.
  [From Build 50.31]
  [# NSHELP-449, NSHELP-432, NSHELP-587, NSHELP-589, TSK0714441]

• A Citrix ADC appliance configured for SAML IdP might not perform Cross-site scripting (XSS) checks on an incoming RelayState parameter.
  [From Build 50.31]
  [# NSHELP-453, BUG0714801]

• An SSO to Office 365 fails if objectGUID of a user contains a NULL character.
  [From Build 50.31]
  [# NSHELP-455, TSK0717549]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [From Build 50.31]
  [# NSHELP-618, NSAUTH-1854, NSHELP-2276, NSHELP-2306, TSK0712411]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [From Build 50.31]
  [# NSHELP-644, NSHELP-575, TSK0714523]

• A Syslog message reports the client IP and server IP in a reverse hexadecimal format.
  [From Build 50.31]
  [# NSHELP-663, TSK0715098]

• CPU utilization increases and the DNS data packet keeps looping if Citrix ADC AAA uses port 3000 to send a DNS query to an LDAP or a RADIUS server. With this fix, Citrix ADC AAA uses source port 10000 and above to send DNS queries to LDAP or RADIUS servers.
  [From Build 50.31]
  [# NSHELP-8416, 714739]

• A Citrix ADC appliance might become unresponsive if the function specifies a wrong async handler.
  [From Build 50.31]
  [# NSHELP-8440, 715443]

• A Citrix ADC appliance might crash if the following conditions are met:

  - Changes in metadata URL.

  - The existing user session is disconnected.
  [From Build 50.31]
  [# NSHELP-8504, 717465]

• A Citrix ADC appliance might crash if there is a memory corruption due to a buffer overflow.
  [From Build 50.31]
  [# NSHELP-8537, 710433]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [From Build 50.31]
  [# NSHELP-939, TSK0707018]

• A Citrix ADC AAA session observes an accounting error on the logout method.
  [From Build 50.31]
  [# NSHELP-979, BUG0712813]

• A Citrix ADC appliance might crash if a replay packet is received after authentication has generated a response.
  [From Build 50.31]
  [# NSHELP-982, NSHELP-676, TSK0714057]

• When a Citrix ADC appliance configured for SAML SP sends a request to SAML IdP, the following issues are identified:

  - URL is decoded sent from the traffic management virtual server.

  - Incorrect URL is displayed when authentication is complete.
  [From Build 50.31]
  [# NSHELP-995, TSK0716958]

Browser-EPA

CLI

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [From Build 50.31]
  [# 701582]

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [From Build 49.37]
  [# 701582]

• <ID review in progress; this description will be updated soon>
  [From Build 50.31]
  [# NSHELP-11970, 710002]

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [From Build 50.31]
  [# NSHELP-4864, TSK0701582]

CMP

Cache

• A Citrix ADC appliance crashes if the following conditions are met:

  - The cache contentgroup's memory limit exceeds the threshold.

  - The PINNED option is enabled on the cache contentgroup.
  [From Build 50.31]
  [# NSHELP-3629, TSK0714583]

Citrix ADC SDX Appliance

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [From Build 50.31]
  [# 714041]

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [From Build 50.31]
  [# NSHELP-12377, 714041]

• In an SDX appliance, after a clean installation from any older version to 12.1 50.x, you might be unable to recover the network configuration and fail to access to SDX appliance (Dom0 and Management Service).
  [From Build 50.31]
  [# NSSVM-452, 714118]

Citrix ADC VPX Appliance

• If vCPUs are more than 12, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using ssh private key.
  [From Build 50.31]
  [# 712146, 714490]

• If vCPUs are more than 12, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using ssh private key.
  [From Build 49.37]
  [# 712146, 714490]

• In a hypervised environment, the management CPU usages could appear high if the hypervisor schedules the management CPUs incorrectly.
  [From Build 50.31]
  [# 714691]

• The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.
  [From Build 50.31]
  [# 715919]

• The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.
  [From Build 49.37]
  [# 715919]

• The VPX instance removes two servers instead of one when the following conditions are met:

  - The remove 1 server parameter is set in the scale down policy of the EC2 auto scaling group.

  - Back-end auto scale feature is configured on the VPX instance.
  [From Build 49.37]
  [# 716006]

• The VPX instance removes two servers instead of one when the following conditions are met:

  - The remove 1 server parameter is set in the scale down policy of the EC2 auto scaling group.

  - Back-end auto scale feature is configured on the VPX instance.
  [From Build 50.31]
  [# 716006]

• The Citrix ADC VPX instance, configured with AWS back- end auto scaling feature, removes the EC2 auto scale group alarm.
  [From Build 49.37]
  [# 716030]

• The Citrix ADC VPX instance, configured with AWS back- end auto scaling feature, removes the EC2 auto scale group alarm.
  [From Build 50.31]
  [# 716030]

• In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto-scaling fails to create multiple SNS topics.
  [From Build 50.31]
  [# 716031]

• In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto scaling fails to create multiple SNS topics.
  [From Build 49.37]
  [# 716031]

• The Citrix ADC VPX instance configured with AWS back-end auto scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears.

  "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"
  [From Build 49.37]
  [# 716101]

• The Citrix ADC VPX instance configured with AWS back-end auto-scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears.

  "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"
  [From Build 50.31]
  [# 716101]

• The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.
  [From Build 50.31]
  [# 716714]

• The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.
  [From Build 49.37]
  [# 716714]

• In a hypervised environment, the management CPU usages could appear high if the hypervisor schedules the management CPUs incorrectly.
  [From Build 50.31]
  [# NSHELP-18184, 714691]

• The VPX instance removes two servers instead of one when the following conditions are met:

  - The remove 1 server parameter is set in the scale down policy of the EC2 auto scaling group.

  - Back-end auto scale feature is configured on the VPX instance.
  [From Build 50.31]
  [# NSPLAT-1554, BUG0716006]

• The Citrix ADC VPX instance, configured with AWS back- end auto scaling feature, removes the EC2 auto scale group alarm.
  [From Build 50.31]
  [# NSPLAT-1587, BUG0716030]

• In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto-scaling fails to create multiple SNS topics.
  [From Build 50.31]
  [# NSPLAT-1622, BUG0716031]

• The Citrix ADC VPX instance configured with AWS back-end auto scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears.

  "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"
  [From Build 50.31]
  [# NSPLAT-1652, BUG0716101]

• The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.
  [From Build 50.31]
  [# NSPLAT-1710, BUG0716714]

• The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.
  [From Build 50.31]
  [# NSPLAT-1818, BUG0715919]

• If vCPUs are more than 12, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using ssh private key.
  [From Build 50.31]
  [# NSPLAT-4781, BUG0712146]

• Tagged VLAN traffic might fail after upgrading a VPX instance to release 12.1 50.28, running on the following Citrix ADC SDX platforms:

  11500,13500, 14500, 16500, 18500, 20500, 11515, 11520, 11530, 11540, 11542,

  17500, 19500, 21500, 17550, 19550, 20550, 21550, 8400, 8600, 8010, 8015, 22040, 22060, 22080, 22100, 22120, 22040, 22060, 22080, 22100, 22120, 24100, 24150, 14020, 14030, 14040, 14060, 14080, 14100, 14020 FIPS, 14030 FIPS, 14060 FIPS, 14080 FIPS
  [From Build 50.31]
  [# NSPLAT-7863]

Citrix Gateway

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [From Build 50.31]
  [# 708643, 710636, 709652, 710570]

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [From Build 49.37]
  [# 708643, 710636, 709652, 710570]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [From Build 50.31]
  [# 709903]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [From Build 49.37]
  [# 709903]

• The Citrix Gateway appliance does not display the right logon form when the user clicks the "Go Back" button in the following case:

  The session initialization fails because the user does not belong to any of the groups configured on the Citrix ADC appliance.
  [From Build 49.37]
  [# 710342]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [From Build 50.31]
  [# 710351]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [From Build 49.37]
  [# 710351]

• URLs are not rewritten if SharePoint is configured with IT folder. Also, URLs with Unicode encoding for the following special character “\” are broken and hence are not rewritten.
  [From Build 50.31]
  [# 710577]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [From Build 49.37]
  [# 710801]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [From Build 50.31]
  [# 710801]

• The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.
  [From Build 49.37]
  [# 711434, 710161, 716058]

• EPA fails when Citrix Gateway is configured for nFactor authentication.
  [From Build 49.37]
  [# 713291]

• EPA fails when Citrix Gateway is configured for nFactor authentication.
  [From Build 50.31]
  [# 713291]

• In some cases, when Citrix Gateway is configured for nFactor authentication, quarantine group is not evaluated during post authentication EPA.
  [From Build 50.31]
  [# 713466]

• User initiated password change request using the Citrix Gateway user interface fails .
  [From Build 50.31]
  [# 715566]

• User initiated password change request using the Citrix Gateway user interface fails.
  [From Build 49.37]
  [# 715566]

• A client machine that has Chrome or Firefox set as default browser does not fall back to ICA proxy mode after the post authentication EPA scan fails.
  [From Build 50.31]
  [# 715872]

• A Citrix Gateway appliance fails to process a SAML response on an existing connection.
  [From Build 50.31]
  [# 715920]

• In some cases, Citrix Gateway appliance dumps core during freeing up the VPN session.
  [From Build 50.31]
  [# 715925]

• User initiated password change request using the Citrix Gateway user interface fails .
  [From Build 50.31]
  [# NSAUTH-4502, 715566]

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [From Build 50.31]
  [# NSHELP-1054, NSHELP-1429, NSHELP-3235, NSHELP-559, TSK0708643]

• All admin UI calls are now allowed.

  Earlier, some of these calls were blocked because of a deny rule in the httpd.conf file.
  [From Build 50.31]
  [# NSHELP-1478, 689278]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [From Build 50.31]
  [# NSHELP-1606, TSK0709903]

• If you click an RDP bookmark, a .rdp file is downloaded.

  Earlier, when the RDP bookmark was clicked, it opened in a new tab.
  [From Build 50.31]
  [# NSHELP-18140, 718864]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [From Build 50.31]
  [# NSHELP-598, BUG0710801]

• A client machine that has Chrome or Firefox set as default browser does not fall back to ICA proxy mode after the post authentication EPA scan fails.
  [From Build 50.31]
  [# NSHELP-6692, 715872]

• A Citrix Gateway appliance fails to process a SAML response on an existing connection.
  [From Build 50.31]
  [# NSHELP-670, BUG0715920]

• URLs are not rewritten if SharePoint is configured with IT folder. Also, URLs with Unicode encoding for the following special character “\” are broken and hence are not rewritten.
  [From Build 50.31]
  [# NSHELP-6709, 710577]

• In some cases, when Citrix Gateway is configured for nFactor authentication, quarantine group is not evaluated during post authentication EPA.
  [From Build 50.31]
  [# NSHELP-6843, 713466]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [From Build 50.31]
  [# NSHELP-8597, 710351]

• EPA fails when Citrix Gateway is configured for nFactor authentication.
  [From Build 50.31]
  [# NSHELP-8642, 713291]

• In some cases, Citrix Gateway appliance dumps core during freeing up the VPN session.
  [From Build 50.31]
  [# NSHELP-8664, 715925]

Client AG-EE

Client-EPA

Clustering

• In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.
  [From Build 49.37]
  [# 692350]

• In a Citrix ADC cluster setup, you might find some inconsistencies in the server state in the database and in the packet engine, if you perform the following tasks in a sequence:

  1. Add a server in DISABLED state.

  2. Enable the server.

  If you use this server when executing the “bind servicegroup” command, the servicegroup members are added in OUT OF SERVICE state.
  [From Build 50.31]
  [# 715328, 716644]

• In a Citrix ADC cluster setup, you might find some inconsistencies in the server state in the database and in the packet engine, if you perform the following tasks in a sequence:

  1. Add a server in DISABLED state.

  2. Enable the server.

  If you use this server when executing the “bind servicegroup” command, the servicegroup members are added in OUT OF SERVICE state.
  [From Build 50.31]
  [# NSHELP-10943, 715328]

ConnectivityCheck

• <ID review in progress; this description will be updated soon>

  Special character '\' handling for Connectivity checks is missing
  [From Build 50.31]
  [# NSHELP-5754, BUG0709581]

DNS

• A Citrix ADC appliance crashes when negative responses for root domain are cached.
  [From Build 50.31]
  [# 710624]

• The Citrix ADC appliance might fail for proactive update DNS queries if there is an ICMP error.
  [From Build 50.31]
  [# 712811]

• A Citrix ADC appliance crashes when negative responses for root domain are cached.
  [From Build 50.31]
  [# NSHELP-12589, 710624]

• The Citrix ADC appliance might fail for proactive update DNS queries if there is an ICMP error.
  [From Build 50.31]
  [# NSHELP-18132, 712811]

Drivers-SR-IOV-PF

• <ID review in progress; this description will be updated soon>

  A crash occured in the RRS initialization portion of the 40G NIC driver when one or more ports were connected to a specific type of switch (Juniper EX4550) at boot time.

  The issue was causing by failure of an AdminQueue command sent to the NIC hardware (i40e_aqc_opc_configure_vsi_tc_bw=0x0407) when TrafficClasses 0-7 were all enabled. The failure of this command caused a knock on effect in a later part of the RSS initialization, leading to a divide-by-zero error.

  The fix was to retry the AQ failure with only TC0 enabled.
  [From Build 50.31]
  [# NSHELP-14703, 714199]

EPA

• Customer will experience loop when using nfactor authn: SAML + epa
  [From Build 50.31]
  [# NSHELP-2137, TSK0715167]

Export

• <ID review in progress; this description will be updated soon>

  If there is no default LB configured for a CS vserver, the client-side-measurement of appflow action may not work properly.
  [From Build 49.37]
  [# NSHELP-3488, BUG0707170]

• <ID review in progress; this description will be updated soon>

  If there is no default LB configured for a CS vserver, the client-side-measurement of appflow action may not work properly.
  [From Build 50.31]
  [# NSHELP-3488, BUG0707170]

• <ID review in progress; this description will be updated soon>

  Citrix ADC crashes with Appflow Client Side Measurements or with Front End Optimization feature enabled if the html response served has a cdata larger than 32B.
  [From Build 50.31]
  [# NSHELP-3494, TSK0711515]

GSLB

• GSLB configuration synchronization failed because the "set ssl servicegroup"command was also synchronized. With this fix, the command is not synchronized. As a result, the GSLB configuration is synchronized successfully.
  [From Build 50.31]
  [# 709722, 718076]

• The Citrix ADC appliance might stop responding in the following case:

  - There are cached DNS records

  - The show gslb domain command is executed
  [From Build 50.31]
  [# 712678, 713411, 713844]

• You might find GSLB service state inconsistencies among the cores when the MEP connection goes DOWN and the connection is back UP within a short time.
  [From Build 50.31]
  [# 712842, 712454]

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [From Build 50.31]
  [# 713908]

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [From Build 49.37]
  [# 713908]

• You might find GSLB service state inconsistencies among the cores when the MEP connection goes DOWN and the connection is back UP within a short time.
  [From Build 50.31]
  [# NSHELP-11872, 712842]

• The Citrix ADC appliance might stop responding in the following case:

  - There are cached DNS records

  - The show gslb domain command is executed
  [From Build 50.31]
  [# NSHELP-18131, 712678]

• GSLB configuration synchronization failed because the "set ssl servicegroup"command was also synchronized. With this fix, the command is not synchronized. As a result, the GSLB configuration is synchronized successfully.
  [From Build 50.31]
  [# NSHELP-4058, NSHELP-3090, TSK0709722]

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [From Build 50.31]
  [# NSLB-880, BUG0713908]

GUI

• A time zone setting ("set timezone” command) in a Citrix ADC appliance running release 11.1 might get lost after you upgrade it to a later release.
  [From Build 50.31]
  [# 692565, 683168]

• A Citrix ADC appliance might crash if some entity names in the database have quotations and if a closing quotation is found missing. The issue is resolved if you upgrade your appliance to the latest version.
  [From Build 49.37]
  [# 707993]

• After you upgrade a Citric ADC appliance when a non-shell access user creates a certificate signing request (CSR), the appliance adds a "\" (backslash) appears before a " "(space) for organization name, locality name, etc.
  [From Build 50.31]
  [# 713382]

• A time zone setting ("set timezone” command) in a Citrix ADC appliance running release 11.1 might get lost after you upgrade it to a later release.
  [From Build 50.31]
  [# NSHELP-11550, 692565]

• After you upgrade a Citric ADC appliance when a non-shell access user creates a certificate signing request (CSR), the appliance adds a "\" (backslash) appears before a " "(space) for organization name, locality name, etc.
  [From Build 50.31]
  [# NSHELP-4521, BUG0713382]

• <ID review in progress; this description will be updated soon>

  RADIUS Key is not been saved using the GUI.. Works from CLI though.
  [From Build 50.31]
  [# NSHELP-4771, TSK0711531]

• <ID review in progress; this description will be updated soon>

  RADIUS Key is not been saved using the GUI.. Works from CLI though.
  [From Build 49.37]
  [# NSHELP-4771, TSK0711531]

• <ID review in progress; this description will be updated soon>

  It is a regression with PHP upgrade. PHP coding standard changed causing the PHP layer API to break.
  [From Build 50.31]
  [# NSUI-11341]

Gateway

Gateway Insight

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [From Build 49.37]
  [# 710678, 712929]

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [From Build 50.31]
  [# 710678, 712929]

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [From Build 50.31]
  [# NSHELP-5260, TSK0710678]

ICA

• <ID review in progress; this description will be updated soon>

  Some ICA connections (with advanced encryption) may get dropped during the upgrade, if HDX Insight is enabled before the upgrade. This behaviour depends on the Netscaler versions before and after the upgrade, and applicable when there is a mismatch in SR+HA structures between the Netscaler versions.
  [From Build 50.31]
  [# NSINSIGHT-831, BUG0713468]

Integrated Caching

• A Citrix ADC appliance crashes if the following conditions are met:

  - The cache contentgroup's memory limit exceeds the threshold.

  - The PINNED option is enabled on the cache contentgroup.
  [From Build 50.31]
  [# 714583]

LB

Licensing

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [From Build 50.31]
  [# 712434]

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [From Build 49.37]
  [# 712434]

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [From Build 50.31]
  [# NSHELP-4804, TSK0712434]

Load Balancing

• A Citrix ADC appliance crashes if you add a Rate-Limiting expression to a DNS responder policy.
  [From Build 49.37]
  [# 708722]

• Traffic disruptions might occur if the encoded redirect URL is greater than 2048 bytes.
  [From Build 49.37]
  [# 709311]

• If the REGISTER request processing for a specific service fails during the Session Initiation Protocol (SIP) call, the memory usage of the Citrix ADC appliance starts building up.
  [From Build 49.37]
  [# 710763]

• The “Operation not permitted” error appears when you try to execute the set operation on domain name based service group member.
  [From Build 49.37]
  [# 712840]

• If a wildcard TCP-based virtual server is moved to a wildcard HTTP-based virtual server or vice versa, there might be a possibility of linking TCP and HTTP sessions resulting in an unexpected behavior.
  [From Build 50.31]
  [# 714154]

• Memory can build up on a Citrix ADC appliance, if the following conditions are met:

  - You have added a UDP nameserver (but no TCP nameserver).

  - You have configured a DNS autoscale servicegroup.

  - The truncated bit is set in the DNS response.

  Because the truncated bit and there is no TCP nameserver configured, the DNS resolution is tried over UDP and some memory is allocated for each IP address sent as part of UDP responses. The cycle continues and results in memory buildup.
  [From Build 50.31]
  [# 714694]

• A Citrix ADC appliance might crash in the following case:

  A new HTTP request is received when changing the persistence type from COOKIEINSERT to other type.
  [From Build 50.31]
  [# 714710]

• In a Citrix ADC GSLB parent-site topology setup, the appliance might crash, if the following conditions are observed:

  1. A child site has requested some information from a parent site because of site persistence.

  2. A client connection is terminated at the child site before the parent sends the response.

  3. An MEP connection is terminated after step 2.
  [From Build 50.31]
  [# 716318]

• If a wildcard TCP-based virtual server is moved to a wildcard HTTP-based virtual server or vice versa, there might be a possibility of linking TCP and HTTP sessions resulting in an unexpected behavior.
  [From Build 50.31]
  [# NSHELP-10014, 714154]

• Memory can build up on a Citrix ADC appliance, if the following conditions are met:

  - You have added a UDP nameserver (but no TCP nameserver).

  - You have configured a DNS autoscale servicegroup.

  - The truncated bit is set in the DNS response.

  Because the truncated bit and there is no TCP nameserver configured, the DNS resolution is tried over UDP and some memory is allocated for each IP address sent as part of UDP responses. The cycle continues and results in memory buildup.
  [From Build 50.31]
  [# NSHELP-10053, 714694]

• A Citrix ADC appliance might crash in the following case:

  A new HTTP request is received when changing the persistence type from COOKIEINSERT to other type.
  [From Build 50.31]
  [# NSHELP-10921, 714710]

• In a Citrix ADC GSLB parent-site topology setup, the appliance might crash, if the following conditions are observed:

  1. A child site has requested some information from a parent site because of site persistence.

  2. A client connection is terminated at the child site before the parent sends the response.

  3. An MEP connection is terminated after step 2.
  [From Build 50.31]
  [# NSHELP-18129, 716318]

NITRO

• System login API fails with "Invalid username or password" error if the login account password has ‘=‘ character.
  [From Build 50.31]
  [# NSHELP-4801, TSK0714487]

• Firing curl command "curl -u nsroot:nsroot http://<IP_Address>/nitro/v1/config/" causing httpd to crash.
  [From Build 50.31]
  [# NSUI-7739, BUG0714963]

NS-GW-LinuxClient

NS-Gateway

Citrix ADC GUI

• In rare cases, a Citrix ADC appliance displays an ‘Error in retrieving Certificate-key pair. Unable to get property match of undefined or null reference’ error message if you update certkey from the Certificates tab.
  [From Build 50.31]
  [# 706444, 715207]

• In rare cases, a Citrix ADC appliance displays an ‘Error in retrieving Certificate-key pair. Unable to get property match of undefined or null reference’ error message if you update certkey from the Certificates tab.
  [From Build 50.31]
  [# NSUI-6885, NSHELP-5180, BUG0706444]

Citrix Gateway

• The users connected to the Citrix Gateway appliance are unable to ping each other using the Intranet IP (IIP).
  [From Build 50.31]
  [# 470679, 565941]

• Citrix Gateway appliance dumps core upon freeing the NSB memory twice.
  [From Build 50.31]
  [# 701843]

• Citrix Gateway appliance dumps core upon freeing the NSB memory twice.
  [From Build 49.37]
  [# 701843]

• After an upgrade to version 11.1, the Citrix Gateway logon page does not appear on the Citrix ADC GUI.
  [From Build 50.31]
  [# 702580]

• The Citrix Gateway appliance dumps core if the following conditions are met:

  • HTTP websites are accessed.

  • Memory allocation is low.

  • Memory allocation for code compression feature fails.
  [From Build 50.31]
  [# 706402]

• In rare cases, a Citrix Gateway appliance configured for EDT becomes unresponsive because of memory corruption.
  [From Build 49.37]
  [# 706704, 709305, 709349, 706229, 705896, 710041, 710117, 707924, 709493, 709911, 710415, 710907, 710891, 711509, 711523, 710808, 712343, 715140, 715145]

• A Citrix Gateway appliance does not fallback to the LDAP policy if the following conditions are met:

  - Certificate authentication and LDAP are configured as the first factor and LDAP checks data from login Schema.

  - The certificate authentication fails.
  [From Build 49.37]
  [# 708140]

• In some cases, the Citrix Gateway appliance dumps core if the following conditions are met:

  - The Citrix Gateway appliance hosts connections to Citrix XenDesktop 7.16 and above the supports UDT.

  - A DTLS service with the same IP:PORT as the VDA is added.
  [From Build 50.31]
  [# 708188]

• In rare cases, the Citrix Gateway appliance dumps core when DTLS is enabled on a VPN virtual server.
  [From Build 49.37]
  [# 708703, 709315, 711421, 710131]

• POST request has some non-required fields.
  [From Build 49.37]
  [# 709243]

• POST request has some non-required fields.
  [From Build 50.31]
  [# 709243]

• Connectionlist corruption occurs if VMware horizon client reuses the same SPI for UDP connections, resulting in eventual crashes when show or kill command is executed.
  [From Build 49.37]
  [# 709325]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [From Build 50.31]
  [# 709689]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [From Build 49.37]
  [# 709689]

• In rare cases, the VPN plug-in crashes.
  [From Build 49.37]
  [# 709695]

• A Citrix Gateway appliance dumps core if a Regex in a patset takes a long time to execute.
  [From Build 49.37]
  [# 709923, 710642]

• In rare cases, the Citrix Gateway appliance dumps core when a client machine tries to open more than one DTLS connection.
  [From Build 49.37]
  [# 710131]

• VPN tunneling is ceased because Windows firewall on Citrix virtual adapter drops the packets. The packet drop is caused because of cross firewall profile switch (profile switch from domain to public) for any inbound connection.
  [From Build 50.31]
  [# 710165, 707791, 704144, 716197]

• The session through a Citrix Gateway appliance using RfWebUI goes to unresponsive mode after you click cancel on the "Change Password" error window.
  [From Build 49.37]
  [# 710220]

• Accessing a Citrix Gateway appliance results in 404 error, if the Citrix Gateway and Authentication, Authorization, and Auditing are deployed on the same Citrix ADC appliance in the same domain but outside of Citrix Gateway domain.
  [From Build 49.37]
  [# 711330]

• The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.
  [From Build 50.31]
  [# 711434, 710161, 716058]

• Upon using the Citrix Gateway plug-in to logon to VPN, the RADIUS challenge message is displayed on Citrix Receiver instead of the Citrix Gateway plug-in.
  [From Build 49.37]
  [# 711570]

• In a multi-core environment, device certificate failed intermittently due to syncing issues.
  [From Build 50.31]
  [# 711654]

• Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.
  [From Build 50.31]
  [# 711678]

• Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.
  [From Build 49.37]
  [# 711678]

• Windows Gateway Plugin displays incorrect message on the user interface when the VPN virtual server with Citrix Gateway is in disabled or in out of order state.
  [From Build 49.37]
  [# 711715]

• In some cases, the Citrix Gateway appliance with multiple core crashes if the HDX Insight feature is enabled.
  [From Build 49.37]
  [# 711720, 712124, 712553, 714141, 714351, 714721]

• In some cases, the Citrix Gateway appliance with multiple cores crashes if the HDX Insight feature is enabled, during a session reconnect.
  [From Build 50.31]
  [# 711720, 712124, 712553, 714141, 714351, 714721, 715556, 715557, 716043, 714261, 715482, 716653, 718681, 718673]

• Allowed login groups parameters in session action do not take effect with advanced session policies.
  [From Build 50.31]
  [# 712705]

• Allowed login groups parameters in session action do not take effect with advanced session policies.
  [From Build 49.37]
  [# 712705]

• A Citrix Gateway appliance does not allow post body expressions for relaystateRule parameter when sending SAML assertions.
  [From Build 49.37]
  [# 712790]

• While repairing the Citrix Gateway plug-in, a re-installation for the plug-in is initiated without checking if the plug-in is already installed. This creates a new virtual adapter instance.
  [From Build 49.37]
  [# 712856]

• The Citrix Gateway appliance displays incorrect http content for STA ticket refresh request.
  [From Build 50.31]
  [# 713473]

• In rare cases, the Citrix Gateway appliance dumps core when a proxy server is configured.
  [From Build 50.31]
  [# 713474]

• For a non-admin user, Citrix Gateway service is not able to get the admin privileges.
  [From Build 50.31]
  [# 714332]

• In some cases, performing certificate related operations after changing the RDP listeners by setting and unsetting RDP ServerProfile result in a crash.
  [From Build 50.31]
  [# 714720]

• A Citrix Gateway appliance configured for nFactor authentication becomes unresponsive when the following conditions are met.

  - SAML is configured as the first factor of authentication.

  - EPA is configured as the last factor of authentication.
  [From Build 50.31]
  [# 715167]

• Windows can add a best route for any On-link interface to route traffic. The addition of a new route for the internal network address on the virtual adapter's interface results in connectivity issues over VPN connection.
  [From Build 50.31]
  [# 715217]

• In some cases, the Citrix Gateway appliance dumps core based on a particular sequence of events, if the appliance is configured for EDT proxy.
  [From Build 50.31]
  [# 715713]

• In some cases, applications accessed using Citrix Gateway become unresponsive because excessive logon redirects causes memory build up in the appliance.
  [From Build 50.31]
  [# 717351, 718406]

• In a multi-core environment, device certificate failed intermittently due to syncing issues.
  [From Build 50.31]
  [# CGOP-3666, BUG0711654]

• The users connected to the Citrix Gateway appliance are unable to ping each other using the Intranet IP (IIP).
  [From Build 50.31]
  [# CGOP-878, BUG0470679]

• Citrix Gateway now supports a new version of NetworkAccessControl (NAC) checks using Microsoft Enterprise Mobility (Microsoft Intune) suite. This variant uses a signed device information of the end client for validation. To use this feature, you need a compatible version of the Citrix SSO app.
  [From Build 50.31]
  [# NSAUTH-4239, BUG0716353]

• Windows can add a best route for any On-link interface to route traffic. The addition of a new route for the internal network address on the virtual adapter's interface results in connectivity issues over VPN connection.
  [From Build 50.31]
  [# NSHELP-1479, TSK0715217]

• In some cases, the Citrix Gateway appliance with multiple cores crashes if the HDX Insight feature is enabled, during a session reconnect.
  [From Build 50.31]
  [# NSHELP-15792, NSHELP-15687, NSHELP-15689, NSHELP-17901, 711720]

• In rare cases, the Citrix Gateway appliance dumps core when a proxy server is configured.
  [From Build 50.31]
  [# NSHELP-1616, TSK0713474]

• In some cases, the Citrix Gateway appliance dumps core if the following conditions are met:

  - The Citrix Gateway appliance hosts connections to Citrix XenDesktop 7.16 and above the supports UDT.

  - A DTLS service with the same IP:PORT as the VDA is added.
  [From Build 50.31]
  [# NSHELP-1692, TSK0708188]

• The Citrix Gateway appliance displays incorrect http content for STA ticket refresh request.
  [From Build 50.31]
  [# NSHELP-1721, TSK0713473]

• Allowed login groups parameters in session action do not take effect with advanced session policies.
  [From Build 50.31]
  [# NSHELP-1728, TSK0712705]

• Citrix Gateway appliance dumps core upon freeing the NSB memory twice.
  [From Build 50.31]
  [# NSHELP-1790, TSK0701843]

• VPN tunneling is ceased because Windows firewall on Citrix virtual adapter drops the packets. The packet drop is caused because of cross firewall profile switch (profile switch from domain to public) for any inbound connection.
  [From Build 50.31]
  [# NSHELP-1975, NSHELP-1138, NSHELP-1398, NSHELP-2089, TSK0710165]

• For a non-admin user, Citrix Gateway service is not able to get the admin privileges.
  [From Build 50.31]
  [# NSHELP-2040, BUG0714332]

• In some cases, the Citrix Gateway appliance dumps core based on a particular sequence of events, if the appliance is configured for EDT proxy.
  [From Build 50.31]
  [# NSHELP-2134, TSK0715713]

• In some cases, applications accessed using Citrix Gateway become unresponsive because excessive logon redirects causes memory build up in the appliance.
  [From Build 50.31]
  [# NSHELP-2138, TSK0717351]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [From Build 50.31]
  [# NSHELP-423, TSK0709689]

• POST request has some non-required fields.
  [From Build 50.31]
  [# NSHELP-428, TSK0709243]

• The Citrix Gateway appliance dumps core if the following conditions are met:

  • HTTP websites are accessed.

  • Memory allocation is low.

  • Memory allocation for code compression feature fails.
  [From Build 50.31]
  [# NSHELP-5747, TSK0706402]

• In some cases, performing certificate related operations after changing the RDP listeners by setting and unsetting RDP ServerProfile result in a crash.
  [From Build 50.31]
  [# NSHELP-5756, TSK0714720]

• After an upgrade to version 11.1, the Citrix Gateway logon page does not appear on the Citrix ADC GUI.
  [From Build 50.31]
  [# NSHELP-6458, 702580]

• Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.
  [From Build 50.31]
  [# NSHELP-6835, 711678]

• The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.
  [From Build 50.31]
  [# NSHELP-8015, 711434]

NetScaler Insight Center

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [From Build 49.37]
  [# 710363, 704912]

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [From Build 50.31]
  [# 710363, 704912]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [From Build 50.31]
  [# 713607]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [From Build 49.37]
  [# 713607]

• When Session Reliability on Citrix ADC high availability pair is enabled. The output throughput on the primary Citrix ADC appliance is comparatively higher than the input throughput of the appliance.
  [From Build 50.31]
  [# 714250]

• A Citrix ADC appliance might become unresponsive in a multi-core environment if ICA AppFlow or SmartControl feature is enabled.
  [From Build 50.31]
  [# 716479]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [From Build 50.31]
  [# NSHELP-15811, 713607]

• A Citrix ADC appliance might become unresponsive in a multi-core environment if ICA AppFlow or SmartControl feature is enabled.
  [From Build 50.31]
  [# NSHELP-15834, 716479]

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [From Build 50.31]
  [# NSHELP-5259, NSINSIGHT-1192, TSK0710363]

• When Session Reliability on Citrix ADC high availability pair is enabled. The output throughput on the primary Citrix ADC appliance is comparatively higher than the input throughput of the appliance.
  [From Build 50.31]
  [# NSHELP-5261, BUG0714250]

Citrix ADC MPX Appliance

• In a Citrix ADC MPX appliance, the GUI and command interface is unable to distinguish between Mellanox 100G and 50G interfaces. As a result, the interfaces allow you to set 50G on 100G interface.
  [From Build 50.31]
  [# 707811]

• In a Citrix ADC MPX appliance, the GUI and command interface is unable to distinguish between Mellanox 100G and 50G interfaces. As a result, the interfaces allow you to set 50G on 100G interface.
  [From Build 50.31]
  [# NSHELP-14761, 707811]

Citrix ADC SDX Appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  [From Build 50.31]
  [# 600152, 697276, 704954]

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  [From Build 49.37]
  [# 600152, 697276, 704954]

• The management IP (NSIP) of a Citrix ADC VPX instance running on SDX 14000 platform becomes unreachable when the following conditions are met:

  - An LACP channel comprising 10G or 40G interfaces is assigned as VPX management NIC.

  - One of the member interfaces in the LACP channel goes down.
  [From Build 50.31]
  [# 707600]

• The virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work on SDX 26000 and SDX 15000-50G platforms.
  [From Build 50.31]
  [# 709182]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [From Build 49.37]
  [# 710320]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [From Build 50.31]
  [# 710320]

• The message "Appliance license expired" appears when you log on to the Citrix ADC SDX GUI, after upgrading from any previous Citrix ADC version to 12.1 48.13/12.0-58.15. This is a harmless message and can be ignored safely.
  [From Build 49.37]
  [# 710430]

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [From Build 49.37]
  [# 714041]

• The management IP (NSIP) of a Citrix ADC VPX instance running on SDX 14000 platform becomes unreachable when the following conditions are met:

  - An LACP channel comprising 10G or 40G interfaces is assigned as VPX management NIC.

  - One of the member interfaces in the LACP channel goes down.
  [From Build 50.31]
  [# NSHELP-13895, 707600]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [From Build 50.31]
  [# NSPLAT-4076, BUG0710320]

• The virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work on SDX 26000 and SDX 15000-50G platforms.
  [From Build 50.31]
  [# NSPLAT-7364, BUG0709182]

Citrix ADC VPX Appliance

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [From Build 49.37]
  [# 695358, 706660, 707542]

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [From Build 50.31]
  [# 695358, 706660, 707542]

• The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears both in GUI and CLI.
  [From Build 50.31]
  [# 705295, 689807]

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [From Build 50.31]
  [# NSHELP-2647, NSHELP-2393, NSHELP-2394, TSK0695358]

• The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears both in GUI and CLI.
  [From Build 50.31]
  [# NSPLAT-4343, NSPLAT-4216, BUG0705295]

Networking

• A Citrix ADC appliance does not allow traffic domain configuration inside admin partition context.
  [From Build 50.31]
  [# 647744]

• In some deployments, ICMP error packets, sourced from the NSIP address and destined to 127.0.0.2 address, might go in loops within the Citrix ADC appliance causing high CPU usage in the appliance.
  [From Build 49.37]
  [# 707489]

• In a high availability setup, the Citrix ADC appliance does not send jumbo frames on interfaces that are Jumbo enabled. This issue cause the state of the LACP channels and interfaces to flap, which in turn results in repetitive HA failover in the setup.
  [From Build 50.31]
  [# 708050]

• In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.
  [From Build 49.37]
  [# 708496]

• In a Citrix ADC appliance, BGP daemon fails when a routemap, which includes a 'match ip peer' command entry, is applied to the kernel routes.
  [From Build 49.37]
  [# 709231]

• The Citrix ADC appliance might not remove monitors, which have a netprofile bound to a route, during a clear config extended+ operation. These monitors point to the associated netprofile, which was removed during the during a clear config extended+ operation, causing the Citrix ADC appliance to crash.
  [From Build 50.31]
  [# 710015]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [From Build 49.37]
  [# 710326, 711605]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [From Build 50.31]
  [# 710326, 711605]

• HTTPS access to a SNIP address in a traffic domain fails because the appliance performs port allocation in non-default traffic domain when accessing the NSIP address internally from underlying FreeBSD operating system.
  [From Build 49.37]
  [# 710982]

• BGP IPv6 address family configuration might not get saved in a cluster setup.
  [From Build 49.37]
  [# 711033]

• UDP applications (for example, DNS, TFTP, Radius, DTLS) might not work in Citrix VPX instances running on a VMware ESX server with VMXNET3 network interfaces.
  [From Build 50.31]
  [# 711445, 713549, 715567, 716984, 718232]

• The Citrix ADC appliance might not completely remove the RNAT global configuration during a clear config operation.
  [From Build 50.31]
  [# 712215]

• In a cluster setup, appliances might fail in unbinding NAT rules, with 32-bit netmask, from a netprofile.
  [From Build 50.31]
  [# 715128]

• In a high availability setup, the Citrix ADC appliance does not send jumbo frames on interfaces that are Jumbo enabled. This issue cause the state of the LACP channels and interfaces to flap, which in turn results in repetitive HA failover in the setup.
  [From Build 50.31]
  [# NSHELP-16172, 708050]

• In a Citrix Gateway appliance, responder and rewrite policies bound to VPN virtual servers might not process the packets that matched the policy rules.
  [From Build 50.31]
  [# NSHELP-18311]

• Enabling secure access (secureonly) to Citrix ADC GUI on the NSIP or SNIP addresses fails to disable HTTP (insecure) GUI access.
  [From Build 50.31]
  [# NSHELP-18353]

• In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.
  [From Build 50.31]
  [# NSHELP-253, BUG0708496]

• The Citrix ADC appliance might not remove monitors, which have a netprofile bound to a route, during a clear config extended+ operation. These monitors point to the associated netprofile, which was removed during the during a clear config extended+ operation, causing the Citrix ADC appliance to crash.
  [From Build 50.31]
  [# NSHELP-80, BUG0710015]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [From Build 50.31]
  [# NSHELP-81, NSNET-553, TSK0710326]

• Trivial File Transfer Protocol (TFTP) might not work in Citrix VPX instances running on VMware ESX server with VMXNET3 network interfaces.
  [From Build 50.31]
  [# NSHELP-85, NSHELP-107, NSHELP-3633, NSHELP-452, TSK0711445]

• The Citrix ADC appliance might not completely remove the RNAT global configuration during a clear config operation.
  [From Build 50.31]
  [# NSHELP-86, TSK0712215]

• In some cases, when a net profile is bound to VPN virtual server, the Citrix Gateway logon page does not load and the Citrix ADC admin user interface becomes inaccessible.
  [From Build 50.31]
  [# NSHELP-92, TSK0715048]

• The appliance might fail in unbinding NAT rules, with 32-bit netmask, from a netprofile.
  [From Build 50.31]
  [# NSHELP-93, TSK0715128]

• A Citrix ADC appliance does not allow traffic domain configuration inside admin partition context.
  [From Build 50.31]
  [# NSNET-4562, BUG0647744]

Platform

• Support for Citrix ADC MPX 26000-50S Platform

  This release supports the MPX 26000-50S platform.

  For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [From Build 50.31]
  [# 662685, 703784, 688397, 648918]

• You might see a Tx stall issue on MPX platforms that contain Intel XL710 NICs.
  [From Build 50.31]
  [# 712779]

• In some cases, packets can be corrupted on the MPX-26000-100G and MPX-26000T-100G appliances.
  [From Build 50.31]
  [# 714851]

• You might see a Tx stall issue on MPX platforms that contain Intel XL710 NICs.
  [From Build 50.31]
  [# NSHELP-14786, 712779]

• In some cases, packets can be corrupted on the MPX-26000-100G and MPX-26000T-100G appliances.
  [From Build 50.31]
  [# NSHELP-14823, 714851]

Policies

• An error is encountered when you convert a classic policy expression with domain option to advanced policy expression using NSPEPI tool.
  [From Build 49.37]
  [# 710610]

Portal

RBA

• <ID review in progress; this description will be updated soon>

  Nitro login to get sessionid will not work if password contains special character like %
  [From Build 50.31]
  [# NSHELP-9431, 714322]

Rewrite

• Policy Bindings for LB VServer of types TCP, SIP UDP, MYSQL, MSSQL, ORACLE, NAT, DIAMETER, RADIUS, SIP TCP, DNS, and SSL do not contain the REQUEST or RESPONSE type within saved configuration. A workaround is to manually issue the bind command with proper REQUEST or RESPONSE binding type. Another workaround is to place the corrected bind commands in file /nsconfig/nsafter.sh. However, those commands need to be updated if any change is made to the policy bindings as well. Those commands must be removed once the system is upgraded to a build containing the fix.
  [From Build 50.31]
  [# NSHELP-471, TSK0715617]

SDX-Platform

SDX-UI

SNMP

• When configuring entity-Down and entity-Up traps, the entity state alarms do not work as expected. This issue is observed if you add an extra suffix (_UP or _DOWN) to the entity name "varbind" when configuring the UP and DOWN traps.
  [From Build 50.31]
  [# 715922]

• When configuring entity-Down and entity-Up traps, the entity state alarms do not work as expected. This issue is observed if an extra suffix (_UP or _DOWN) is added to the entity name "varbind" for configuring the UP and DOWN traps.
  [From Build 50.31]
  [# NSHELP-16607, 715922]

• SNMP code was setting some device flags wrongly from the beginning, recent fixes from NS-aggregator exposed this gaps which turned into this problem scenario.
  [From Build 50.31]
  [# NSHELP-359, NSHELP-400, TSK0713612]

SSL

• A Citrix ADC MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the backend server.
  [From Build 49.37]
  [# 707061]

• In a cluster setup, cipher suites bound to a custom cipher group are lost from the CLIP node after you upgrade the setup.
  [From Build 50.31]
  [# 707738, 708168]

• The symmetric operations fail because the SSL card becomes unresponsive.
  [From Build 49.37]
  [# 708375, 709406, 708978, 708923, 711264, 711404, 712257]

• A Citrix ADC appliance might crash if an OCSP responder is configured with nonce disabled and the integrated caching feature is enabled so that OCSP objects are cached.
  [From Build 49.37]
  [# 709491, 707452, 710458, 707610]

• The “No Certificates present in the certificate bundle file" error appears when you try to add a PFX file using the Citrix ADC GUI.
  [From Build 49.37]
  [# 710202]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [From Build 49.37]
  [# 710207, 710428]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [From Build 50.31]
  [# 710207, 710428]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [From Build 49.37]
  [# 710573]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [From Build 50.31]
  [# 710573]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [From Build 49.37]
  [# 711066, 706981]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [From Build 50.31]
  [# 711066, 706981]

• If you configure an MPX/SDX 14000 FIPS appliance for the first time, the appliance restarts after you run the "reset fips" command.
  [From Build 50.31]
  [# 713370]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [From Build 50.31]
  [# 713913]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [From Build 49.37]
  [# 713913]

• On a Citrix ADC VPX appliance, memory leak is observed when policy-based renegotiation happens.
  [From Build 50.31]
  [# 714186, 706370, 716543]

• On an SDX 14000 FIPS appliance, the FIPS card resets if all of the following conditions are met:

  - You created a partition in release 11.x.

  - The partition name is greater than 12 characters.

  - You upgrade the appliance to release 12.x.
  [From Build 50.31]
  [# 714338]

• A memory leak is observed if all of the following conditions are met:

  - TLSv1.3 protocol and certificate-based client authentication are enabled on the same virtual server.

  - TLSv1.3 is negotiated for a connection.

  - Client sends a `CertificateVerify` message.
  [From Build 50.31]
  [# 715127]

• Memory allocation might fail leading to memory leak in a heavy traffic scenario.
  [From Build 50.31]
  [# 715348]

• The server now aborts the handshake by sending a fatal 'inappropriate_fallback' alert if the following conditions are met:

  - Both TLSv1.2 and TLSv1.3 are enabled on an SSL virtual server.

  - The client sends a TLSv1.2 ClientHello with TLS_FALLBACK_SCSV.

  Earlier, the server proceeded with a TLSv1.2 handshake. This issue caused the maximum SSL Labs rating for a TLSv1.3 virtual server to drop from A+ to A. The rating dropped because the scanner detected that the server did not appear to support TLS_FALLBACK_SCSV in all cases.
  [From Build 50.31]
  [# 715561]

• You can directly upgrade from build 11.1-48.x or earlier to build 11.1-60.x and to build 12.1-50.x without losing the PFX certificate-key pairs.

  For earlier builds, you must upgrade incrementally as follows:

  11.1-48.10 --> 11.1-50.10 --> 11.1-59.10

  OR

  11.1-48.10 --> 11.1-50.10 --> 12.1-49.23
  [From Build 50.31]
  [# 716272]

• On a Citrix ADC VPX appliance, memory leak is observed when policy-based renegotiation happens.
  [From Build 50.31]
  [# NSHELP-13294, NSHELP-17903, 714186]

• You can directly upgrade from build 11.1-48.x or earlier to build 11.1-60.x and to build 12.1-50.x without losing the PFX certificate-key pairs.

  For earlier builds, you must upgrade incrementally as follows:

  11.1-48.10 --> 11.1-50.10 --> 11.1-59.10

  OR

  11.1-48.10 --> 11.1-50.10 --> 12.1-49.23
  [From Build 50.31]
  [# NSHELP-13337, 716272]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [From Build 50.31]
  [# NSHELP-14157, 711066]

• Memory allocation might fail leading to memory leak in a heavy traffic scenario.
  [From Build 50.31]
  [# NSHELP-14606, 715348]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [From Build 50.31]
  [# NSHELP-5052, TSK0710573]

• In a cluster setup, cipher suites bound to a custom cipher group are lost from the CLIP node after you upgrade the setup.
  [From Build 50.31]
  [# NSHELP-5056, NSSSL-1679, BUG0707738]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [From Build 50.31]
  [# NSHELP-5077, NSHELP-3801, TSK0710207]

• On an SDX 14000 FIPS appliance, the FIPS card resets if all of the following conditions are met:

  - You created a partition in release 11.x.

  - The partition name is greater than 12 characters.

  - You upgrade the appliance to release 12.x.
  [From Build 50.31]
  [# NSHELP-5101, BUG0714338]

• A memory leak is observed if all of the following conditions are met:

  - TLS 1.3 protocol and certificate-based client authentication are enabled on the same virtual server.

  - TLS 1.3 is negotiated for a connection.

  - Client sends a `CertificateVerify` message.
  [From Build 50.31]
  [# NSSSL-1152, BUG0715127]

• The server now aborts the handshake by sending a fatal 'inappropriate_fallback' alert if the following conditions are met:

  - Both TLSv1.2 and TLSv1.3 are enabled on an SSL virtual server

  - The client sends a TLSv1.2 ClientHello with TLS_FALLBACK_SCSV

  Earlier, the server proceeded with a TLSv1.2 handshake. This issue caused the maximum possible SSL Labs rating for a TLSv1.3 virtual server to drop from A+ to A, since the scanner detected that the server did not appear to support TLS_FALLBACK_SCSV in all cases.
  [From Build 50.31]
  [# NSSSL-1226, BUG0715561]

• If you configure an MPX/SDX 14000 FIPS appliance for the first time, the appliance restarts after you run the "reset fips" command.
  [From Build 50.31]
  [# NSSSL-2433, BUG0713370]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [From Build 50.31]
  [# NSSSL-283, BUG0713913]

• The SSL parameters do no appear correctly in the service view.
  [From Build 50.31]
  [# NSUI-11414]

SSLVPN-J

• <ID review in progress; this description will be updated soon>

  The packet engine to packet engine communication(pe-to-pe) was done, even after the allocation of memory failed for storing sta ticket.

  Due to this, after the pe-to-pe communication , the status is checked. The PE crashed, when it tried freeing the sta ticket, even though it was not allocated earlier.
  [From Build 50.31]
  [# NSHELP-5762, TSK0716202]

System

• For HTTP 2 streams, the stat counters does not increment correctly. For example, when a new stream of data arrives, the counts fails to increment, but decrements correctly, when the stream is closed. This incorrect operation leads to a wrong count of action performed on the HTTP2 streams.
  [From Build 49.37]
  [# 694684, 683374, 694695, 678994]

• A Citrix ADC appliance might crash if it sends messages from one processor to another processor, for deleting a steering session in some error cases.
  [From Build 49.37]
  [# 700423]

• A Citrix ADC appliance crashes because of a timer issue. The issue occurs if the stats are collected after the SYSLOGUDP connection is deleted, but before the appliance deletes the SYSLOGUDP service.
  [From Build 49.37]
  [# 705574]

• In a high availability setup, when the secondary node becomes the primary node, the BGP route update might fail on the new primary node because of a TCP timestamp overflow.
  [From Build 50.31]
  [# 707067]

• If you configure an HTTP type load balancing virtual server with HTTP/2 option enabled on the HTTP profile, the appliance fails to load balance gRPC traffic.
  [From Build 49.37]
  [# 709214]

• If the trace aggregator processor leak opens a file descriptors every time you execute the nstrace command, the Citrix ADC appliance might display the following error message: "kern.maxfiles limit exceeded".
  [From Build 49.37]
  [# 709430, 712687, 712970]

• The "sh audit messages" command does not display log messages in the following case:

  If you configure the log facility parameter with a value other than LOCAL0 in the "syslogparams" or "syslogaction" command.
  [From Build 50.31]
  [# 709464]

• A weblogging client crashes, if a clustered setup on a VMware ESX platform with VMXNET3 interfaces encounters time synchronization issues.
  [From Build 50.31]
  [# 711086]

• During a TCP handshake, if the server responds with a TCP window size of 0 bytes, the appliance keeps the connection in TCP persist mode. Later, if the server opens the TCP window, the connection remains in persist mode and is not removed. As a result, the persist and keep-alive lists get mixed up and the appliance crashes when it tries to free the connection.
  [From Build 50.31]
  [# 711131]

• A Citrix ADC appliance might crash if an external authentication server takes more than 20 seconds to respond.
  [From Build 49.37]
  [# 711282]

• If flash cache option is enabled on a Citrix ADC appliance and also receives client requests to the same resource, the appliance resets the connection before it sends the response to the client.
  [From Build 49.37]
  [# 711508]

• If flash cache option is enabled on a Citrix ADC appliance and also receives client requests to the same resource, the appliance resets the connection before it sends the response to the client.
  [From Build 50.31]
  [# 711508]

• Service state synchronization is not happening in a cluster node deployment, if the following conditions are observed:

  - Cluster setup is upgraded from 11.1 builds.

  - Audit log action (SYSLOG or NSLOG) is configured with SYSLOG or NSLOG server's domain name.
  [From Build 50.31]
  [# 711841]

• When you upgrade a Citrix ADC appliance to release 12.1, SNMP does not work as expected. Instead, it responds with the "No Such Object" error message.
  [From Build 50.31]
  [# 713612, 714913, 718402]

• A Citrix ADC appliance crashes if invalid MP_JOIN options of MP_JOIN SYN packet are sent in an MP_CAPABLE subflow.
  [From Build 50.31]
  [# 714030]

• When a client sends an HTTP2 request to a Citrix ADC appliance and if the MSS value is lesser than the response generated by the appliance, an internal parsing issue occurs.
  [From Build 50.31]
  [# 714410]

• At a given time, you can configure the domain name of the server only for one SYSLOG action or NSLOG action. If you try to add another action (either an SYSLOG action or NSLOG action) with the server's domain name, the system displays an error message.

  Example:

  > add syslogaction act1 syslog.server.com -loglevel all

  Done

  > add nslogaction act2 nslog.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name

  > add syslogaction act3 syslog2.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name
  [From Build 50.31]
  [# 715341]

• gPRC transactions fail under the following conditions:

  - If the initial client request goes to an HTTP/2 enabled virtual server and service but a response is not received.

  - If the server sends a trailer header with multiple header entries.
  [From Build 50.31]
  [# 715863]

• Market specific violation is caused, if you have CallHome enabled by default on a Citrix ADC 12.1 appliance. The feature should be configured as an user's opt-in feature.
  [From Build 49.37]
  [# 716240]

• If the “Stale Cache Group Table” devices reside in the SNMP AVL tree, the SNMP walk operation fails. As a result, the SNMP walk operation does not return an error message for the subsequent SNMP table counters.
  [From Build 50.31]
  [# 716890, 717462]

• Service state synchronization is not happening in a cluster node deployment, if the following conditions are observed:

  - Cluster setup is upgraded from 11.1 builds.

  - Audit log action (SYSLOG or NSLOG) is configured with SYSLOG or NSLOG server's domain name.
  [From Build 50.31]
  [# CGOP-6813, BUG0711841]

• At a given time, you can configure the domain name of the server only for one SYSLOG action or NSLOG action. If you try to add another action (either an SYSLOG action or NSLOG action) with the server's domain name, the system displays an error message.

  Example:

  > add syslogaction act1 syslog.server.com -loglevel all

  Done

  > add nslogaction act2 nslog.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name

  > add syslogaction act3 syslog2.server.com -loglevel all

  ERROR: Name conflicts with an existing service or service group member name
  [From Build 50.31]
  [# CGOP-6838, BUG0715341]

• A weblogging client crashes, if a clustered setup on a VMware ESX platform with VMXNET3 interfaces encounters time synchronization issues.
  [From Build 50.31]
  [# NSHELP-10850, 711086]

• A Citrix ADC appliance crashes if invalid MP_JOIN options of MP_JOIN SYN packet are sent in an MP_CAPABLE subflow.
  [From Build 50.31]
  [# NSHELP-10986, 714030]

• When a client sends an HTTP2 request to a Citrix ADC appliance and if the MSS value is lesser than the response generated by the appliance, an internal parsing issue occurs.
  [From Build 50.31]
  [# NSHELP-11542, 714410]

• If the “Stale Cache Group Table” devices reside in the SNMP AVL tree, the SNMP walk operation fails. As a result, the SNMP walk operation does not return an error message for the subsequent SNMP table counters.
  [From Build 50.31]
  [# NSHELP-15094, 716890]

• If flash cache option is enabled on a Citrix ADC appliance and also receives client requests to the same resource, the appliance resets the connection before it sends the response to the client.
  [From Build 50.31]
  [# NSHELP-3503, TSK0711508]

• The "sh audit messages" command does not display log messages in the following case:

  If you configure the log facility parameter with a value other than LOCAL0 in the "syslogparams" or "syslogaction" command.
  [From Build 50.31]
  [# NSHELP-5736, TSK0709464]

• In a high availability setup, when the secondary node becomes the primary node, the BGP route update might fail on the new primary node because of a TCP timestamp overflow.
  [From Build 50.31]
  [# NSHELP-8844, 707067]

• gPRC transactions fail under the following conditions:

  - If the initial client request goes to an HTTP/2 enabled virtual server and service but a response is not received.

  - If the server sends a trailer header with multiple header entries.
  [From Build 50.31]
  [# NSHELP-9308, 715863]

TCP

• During a TCP handshake, if the server responds with a TCP window size of 0 bytes, the appliance keeps the connection in TCP persist mode. Later, if the server opens the TCP window, the connection remains in persist mode and is not removed. As a result, the persist and keep-alive lists get mixed up and the appliance crashes when it tries to free the connection.
  [From Build 50.31]
  [# NSHELP-5706, TSK0711131]

Telco GUI

• The libqos actions are displayed in the QOS action page of the Citrix ADC T-series platform GUI.
  [From Build 49.37]
  [# 697178]

Telco Networking

• The data connection to the back-end server uses the client IP if the following conditions are met:

  - Global use source IP (USIP) is enabled.

  - Origin USIP on cache redirection (CR) virtual server is disabled.
  [From Build 50.31]
  [# 627692]

• The data connection to the back-end server uses the client IP if the following conditions are met:

  - Global use source IP (USIP) is enabled.

  - Origin USIP on cache redirection (CR) virtual server is disabled.
  [From Build 50.31]
  [# NSNET-4155, BUG0627692]

Telco Traffic Management

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [From Build 49.37]
  [# 712839]

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [From Build 50.31]
  [# 712839]

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [From Build 50.31]
  [# NSUI-7265, BUG0712839]

Telco Video Optimization

• The Citrix ADC appliance might crash when it runs body detection algorithm on chunked content. This issue is fixed now. As part of the fix, boundary checks were added.
  [From Build 50.31]
  [# 714058]

• Memory leak is observed in the SSL detected domain extraction algorithm. The issue occurs if the SSL detected domain is extracted by the server certificate. The memory leak eventually causes the Citrix ADC appliance to become unresponsive.
  [From Build 50.31]
  [# 714470, 717711]

• Memory leak is observed in the SSL detected domain extraction algorithm. The issue occurs if the SSL detected domain is extracted by the server certificate. The memory leak eventually causes the Citrix ADC appliance to become unresponsive.
  [From Build 50.31]
  [# NSHELP-5780, NSHELP-5787, BUG0714470]

• The Citrix ADC appliance might crash when it runs body detection algorithm on chunked content. This issue is fixed now. As part of the fix, boundary checks were added.
  [From Build 50.31]
  [# NSVIDEOOPT-167, BUG0714058]

Tools

• <ID review in progress; this description will be updated soon>

  Unable to generate tech support file from the Citrix ADC GUI
  [From Build 50.31]
  [# 713177]

• <ID review in progress; this description will be updated soon>

  Unable to generate tech support file from the Citrix ADC GUI
  [From Build 50.31]
  [# NSHELP-8784, 713177]

UI Licensing

URL Categorization

• If you execute the command "show urlset <urlset_name>", the Citrix ADC appliance returns information for the requested urlset and any other urlsets added after it.
  [From Build 49.37]
  [# 709042]

URL Filtering

• The “show urlset” command displays only url sets that are imported and not that are added
  [From Build 50.31]
  [# 667361, 664119, 673476, 690227]

• The “show urlset” command displays only url sets that are imported and not that are added
  [From Build 50.31]
  [# NSSWG-670, NSSWG-747, NSSWG-788, BUG0667361]

URLFiltering

User Interface

• <ID review in progress; this description will be updated soon>

  Nitro login to get sessionid will not work if password contains special character like %
  [From Build 49.37]
  [# 714322, 715979]

• <ID review in progress; this description will be updated soon>

  Login API fails with error "Invalid username or password" if password has "=" character.
  [From Build 50.31]
  [# 714487]

VPX-Cloud-Platform

• <ID review in progress; this description will be updated soon>

  Customer will see the interface powered down after there is a failover. Thus traffic will not work on this interface and back to back failover will not work either.

  This issue will occur every time there is a HA failover, and it will be easily observable in single PE environment.

  The fix will not change any known behavior. This will just fix the issue as mentioned in the root cause above, and back to back failover will now work.
  [From Build 49.37]
  [# NSHELP-2631, , NSPLAT-4247, TSK0711888]

VPX-Platform

Web App Firewall

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [From Build 49.37]
  [# 703461, 712938, 714297]

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [From Build 50.31]
  [# 703461, 712938, 714297]

• In a content switching deployment, the load balancing virtual server details are not captured in the AppFlow records. As a result, the Security Insight reports are generated at the content switching virtual server level and not at the load balancing virtual server level.
  [From Build 50.31]
  [# 709737]

• The Web App Firewall profile import fails under the following conditions:

  - The WSDL file is configured in the XML message validation check under Relaxation Rules, and

  - The end-point check is set as RELATIVE.
  [From Build 50.31]
  [# 713580]

• In a cluster setup, when you deploy a Learned Rule for HTML Cross-Site Scripting check, the Citrix ADC appliance displays an error, "The CrossSiteScripting Check is already in use".
  [From Build 50.31]
  [# 714392, 688279]

• In a content switching deployment, the load balancing virtual server details are not captured in the AppFlow records. As a result, the Security Insight reports are generated at the content switching virtual server level and not at the load balancing virtual server level.
  [From Build 50.31]
  [# NSHELP-17152, 709737]

• In a cluster setup, when you deploy a Learned Rule for HTML Cross-Site Scripting check, the Citrix ADC appliance displays an error, "The CrossSiteScripting Check is already in use".
  [From Build 50.31]
  [# NSHELP-18085, 714392]

• The Web App Firewall profile import fails under the following conditions:

  - The WSDL file is configured in the XML message validation check under Relaxation Rules, and

  - The end-point check is set as RELATIVE.
  [From Build 50.31]
  [# NSHELP-2876, TSK0713580]

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [From Build 50.31]
  [# NSWAF-112, NSHELP-2757, NSHELP-2762, BUG0703461]

Web Citrix Web App Firewall

• Memory leak is observed in a Citrix ADC appliance, if the Integrated Cache and the Web Citrix Web App Firewall features are enabled.
  [From Build 50.31]
  [# NSHELP-17969, NSHELP-17158, 717405]

Release history