Release Notes for NetScaler 10.1 Maintenance Releases

This document describes the enhancements, fixed issues, and known issues in the maintenance releases of Citrix NetScaler, Citrix NetScaler SDX, and Citrix NetScaler Insight Center.

Note:

Build 120.13

Release version: Citrix NetScaler, version 10.1 build 120.13

Replaces build: None

Release date: September 2013

Release notes version: 6.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

DNS64

  • ENH ID 0318404: The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPV6 only clients, and NAT64 enables communication between the clients and servers.

    For synthesizing an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenation of the DNS64 Prefix (96 bits) and the IPv4 address (32 bits).

Setting Up NetScaler for XenApp/XenDesktop

  • ENH ID 0345912: The NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.

New Subnet Mask Field for the SNIP Address in the First-time Setup Wizard

  • ENH ID 0413542: The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.

Upgrade Progress

  • ENH ID 0346988: When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.

Support for 8 Channels

  • ENH ID 0401113: The SDX SVM now allows you to configure 8 channels on a VPX instance.

Bug Fixes

AAA Application Traffic

  • Issue ID 0401000: When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Configuration Utility

  • Issue ID 0361970: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

Domain Name System

  • Issue ID 0401451: The NetScaler appliance, configured to function as DNS forwarder or DNS resolver, may becomes unresponsive whenever it receives UDP DNS truncated response from a name server.

Load Balancing

  • Issue ID 0390545 (nCore): A NetScaler nCore appliance uses multiple CPU cores (Packet Engines) for packet handling. Every session on the appliance is owned by a packet engine (PE). If the appliance receives a request for which a session does not already exist, a session is created, and one of the PEs is designated as the owner of that session. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE. During the time that the PE gets details about the session from the owner PE, the packet is corrupted.

  • Issue ID 0398327: You can now bind a StoreFront monitor to a service group. Each member of a service group is now monitored by using the member's IP address.

    The -hostname parameter is no longer required and is deprecated.

    To determine whether to use HTTP (the default) or HTTPS to send monitor probes, you must now use the -secure parameter. If your current StoreFront monitor configuration uses HTTP, you only have to remove the hostname parameter.

    To use HTTPS, set the -secure option to Yes.

    Example:
    add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure yes
  • Issue ID 0409028: If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 Direct Server Return (DSR) deployment mode, the destip and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. The same behavior is observed if you delete a service.

Monitoring

  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the show ns runningConfig command before restarting the appliance, the monitor binding information does not appear.

Multipath TCP Support

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP is enabled.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

NetScaler Insight Center

  • Issue ID 0369664: For an Active session, data is sent to the AppFlow collector even if the policy rule is changed to FALSE when the session is active.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.
  • Issue ID 0402458: If the memory usage on the NetScaler Insight Center reaches the maximum limit, the appliance fails to respond to further memory-allocation requests by other modules and becomes unresponsive.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0402959: In certain situations, the NetScaler appliance incorrectly interprets the compression buffer size negotiation between the client and the server, and enabling AppFLow on the ICA connection causes the appliance to fail when the connection is used to launch an application or desktop. This problem most commonly occurs when a CloudBridge appliance or any WAN optimization device is placed between the client and the NetScaler appliance.
  • Issue ID 0405818/ 0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in the updating the values.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.
  • Issue ID 0411107: In a mixed XenApp/XenDesktop server farm, if the XenApp and XenDesktop versions are older than 6.5 and 5.0 respectively, the applications fail to launch because the NetScaler appliance incorrectly parses the ICA packets.
  • Issue ID 0413016/0414140 : NetScaler appliance may fail to respond when AppFlow is enabled on the NetScaler Insight Center and the user tries to access the XenApp/XenDesktop farm.
  • Issue ID 0414844: HDX Insight does not support XenApp versions earlier than 6.5.
  • Issue ID 0415812: If a CloudBridge appliance is placed between the client and a NetScaler appliance, and AppFlow is enabled for ICA traffic, the XenApp/XenDesktop applications fail to launch and the NetScaler appliance fails.
  • Issue ID 0413657: In some situations, the NetScaler appliance fails after parsing ICA traffic incorrectly.

NetScaler SDX Appliance

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of NetScaler instance Modify NetScaler Wizard.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0405115: SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.

  • Issue ID 0405921: The SVM restore operation of NetScaler instances fail as the SVM shuts down the NetScaler instances that are still being provisioned.

  • Issue ID 0410416: After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.

Networking

  • Issue ID 0401303: When the conditions specified in an ACL rule includes the operator !=, the NetScaler appliance may not properly filter packets based on the ACL rule.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

  • Issue ID 0404861: If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance may mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.

  • Issue ID 0405190: When IP fragments are received on a load balancing virtual server with client timeout parameter set to zero, the NetScaler appliance might dump core and then restart.

Platform

  • Issue ID 0409202: The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the set ns hostname command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.

Rewrite

  • Issue ID 0401455: Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.

System

  • Issue ID 0353546: When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manger with that name already exists.

  • Issue ID 0391632: The output of the stat commands specified with -fullValues option is aligned incorrectly.

  • Issue ID 0391754: On a NetScaler MPX system, the SNMP count for the system's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.

  • Issue ID 0401111: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0402677: The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.

  • Issue ID 0407868: Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.

  • Issue ID 0407974: A session is not freed when port allocation fails. The session is getting matched and the NetScaler fails when it tries to access other linked sessions which are NULL.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings will result in erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

    Workaround: Enable compression on the appliance by using the enable ns feature CMP command. Also, enable compression for the service groups by using the set servicegroup <name> -CMP on command.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices in not modified. Therefore, published resources of both, XenApp and XenDesktop, are displayed when accessing the Web Interface site through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

    Workaround: Edit the XenFarm section (no actual changes required), click Continue and then apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab which makes it unable to perform any basic configurations.
  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX from build 118.7 or 119.7 to 120.13 is not supported.

    Workaround: To upgrade to build 120.13, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 119.7

Release version: Citrix NetScaler, version 10.1 build 119.7

Replaces build: None

Release date: July 2013

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Multipath TCP Support

  • ENH ID 0320221: NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.

    For more information, see MPTCP (Multi-Path TCP).

Call Home Proxy Mode Support

  • ENH ID 0311623: Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.

    For more information, see Configuring Call Home.

Custom HTTP Headers Support using Web Server Logging

  • ENH ID 0329710: The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to a maximum of two HTTP request header names and two HTTP response header names.

    For more information, see Exporting Custom HTTP Headers.

Backing Up and Restoring a NetScaler Appliance

Checking Content Type of Responses

  • ENH ID 0236218: When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.

    To enable MIME/type checking, at the NetScaler command line type the following command:

     bind appfw profile <name> -inspectResContentType <type>

    For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:

     bind appfw profile library -inspectResContentType "text/PDF"

    To disable a MIME/type rule that you have previously enabled, use the unbind command:

     unbind appfw profile <name> -inspectResContentType <type>

Enterprise License Support for AppFlow

  • ENH ID 0395659: AppFlow can now export ICA records from NetScaler appliances that have enterprise licenses. This ensures that HDX insight reports for NetScaler appliances with enterprise licenses are now available on the NetScaler Insight Center.

New Metrics Support for NetScaler Insight Center

  • ENH ID 0400867: HDX Insight reports now include details about Client Side NS Latency, Server Side NS Latency and Host Delay.

Enabling or Disabling the Recursion Available Flag

  • ENH ID 0403114: An option Recursion Available is added for the load balancing virtual servers of type DNS and DNS TCP to control the RA (Recursion Available) flag in all the DNS responses from these virtual servers.

Bug Fixes

AAA Application Traffic

  • Issue ID 0387049: When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.

Application Firewall

  • Issue ID 0403027: The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not javascript-compliant and can cause issues with javascript-enhanced forms.

Cache Redirection

  • Issue ID 0401148: The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.

Configuration Utility

  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0351870: If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.

  • Issue ID 0383402: If a virtual server is UP because the service(s) are in Transition Out-Of-Service (TROFS) state, the clients do not respond due to requests being queued at the virtual server rather than at the services. Instead, the client must issue 503 or RST.

  • Issue ID 0401118: On a NetScaler appliance or VPX that is configured for load balancing in an environment that includes a Microsoft SQL server database, when a client sends a large number of long queries to the MSSQL database, the appliance or VPX might hang or crash.

Load Balancing/AAA-TM

  • Issue ID 0402472: If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.

NetScaler Insight Center

  • Issue ID 0332854: Unable to add the IP address in the inventory which contains the number 255 in any quadrant.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.
  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for standard or enterprise licenses of NetScaler appliances.
  • Issue ID 0405177: During an ICA session, the NetScaler appliance fails to respond when you access it's invalid memory space.
  • Issue ID 0403134/0403195: During an ICA session, the NetScaler appliance fails to respond due to a NULL pointer access.

NetScaler SDX Appliance

  • Issue ID 0400409: If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.

Networking

  • Issue ID 0366321: The Network Visualizer does not display the bound IP addresses of a configured VLAN.

  • Issue ID 0402068: With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

Policies

  • Issue ID 0391238: When an HTTP callout is configured with a virtual server that has a widcard port, the NetScaler appliance fails to respond the first time the callout is triggered.

SSL

  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

System

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

  • Issue ID 0394724: The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.

  • Issue ID 0395735: The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

  • Issue ID 0404094: If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: (nCore and nCore VPX) The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing; Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed. Workaround : Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

    • Issue ID 0401451: The NetScaler appliance, configured to function as DNS forwarder or DNS resolver, may becomes unresponsive whenever it receives UDP DNS truncated response from a name server.

Load Balancing

  • Issue ID 0398327: Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.

    Workaround: If the StoreFront servers are part of a cluster, Citrix recommends that you add them as individual services instead of as members of a service group.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp
  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, the monitor binding information does not appear if you run the show ns runningConfig command before restarting the appliance.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP is enabled.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers with listenPolicy specified, accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab which makes it unable to perform any basic configurations.
  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even if the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236 :On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0402458: If the analytics decoding process requires more than 100% of RAM memory, the system fails to respond to further memory-allocation requests by other modules.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0405818/ 0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in the updating the values.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0405849: Sometimes, the commands used in the NetScaler Insight Center command line interface are case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936 : If the NetScaler Insight Center virtual appliance remains inactive for a longer duration, the data will not be logged.

    Workaround: Restart the appliance by running the following command on the command line interface:

    #/etc/rc.d/analyticsd restart
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance's Modify wizard.

    Workaround: Modify the NetScaler instance and remove the nonexistent channel from the VLAN settings page.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613 : In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP is 198.51.100.9 and the secondary node’s NSIP is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies over classic policies.

Reporting

  • Issue ID 0368982: After you have imported a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 118.7

Release version: Citrix NetScaler, version 10.1 build 118.7

Replaces build: None

Release date: June 2013

Release notes version: 3.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler VPX Support on Microsoft Hyper-V and VMware ESX virtualization platforms

The NetScaler VPX virtual appliance is supported on Microsoft Hyper-V Server 2012 and VMware ESX 5.1 virtualization platforms.

Oracle Monitor Support

ENH ID 0364085: You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. The supported data types are BINARY_DOUBLE, BINARY_FLOAT, CHAR, DATE, INTERVALDS, INTERVALYM, NUMBER, NVARCHAR, TIMESTAMP, TIMESTAMP_WITH_LOCAL_TIME_ZONE, and TIMESTAMP_WITH_TIME_ZONE.

You can configure the monitor by using the NetScaler command line or the configuration utility.

To create and configure an Oracle-ECV monitor at the command line, type:
 add lb monitor <monitorName> oracle-ecv [ parameters... ]
Example:
add lb monitor oracle-monitor5 ORACLE-ECV -userName hr -database xe -sqlQuery 
"select Name from testlb" -evalRule "ORACLE.RES.ATLEAST_ROWS_COUNT(1)"
Where:
  • username is the name of the database user.
  • database is the database for query
  • sqlQuery is the query to be sent to server
  • evalrule is the rule to be evaluated against the response
Note: Database user has to be configured using add db user hr -password passwd

To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management => Load Balancing => Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.

The new expressions that support the Oracle-ECV monitor are as follows:
  • ORACLE.RES.ATLEAST_ROWS_COUNT(n) Determines whether the query response contains at least the specified number of rows.
  • ORACLE.RES.ROW(i).NUM_ELEM(j).eq(n) Determines whether the value located at the specified row and column is equal to the specified number. You can substitute other valid numeric operations for "eq". ORACLE.RES.ROW(i).IS_NULL_ELEM(j) Determines whether the value located at the specified row and column is NULL.
  • ORACLE.RES.ROW(i).TEXT_ELEM(j).eq("pattern") Determines whether the value located at the specified row and column matches the specified pattern. You can substitute other valid text operations for "eq".

NetScaler and XenMobile Solution for Enterprise Mobility

ENH ID 0365382: Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.

Use the XenMobile MDM Setup wizard on the NetScaler configuration utility to configure the following two deployment scenarios:
  • Load balance XenMobile Device Managers (MDM servers): In this scenario, the NetScaler appliance sits between the client and the XenMobile MDM servers to load balance encrypted data from mobile devices to the XDM servers.
  • Load balance MS Exchange servers with email filtering: In this scenario, the NetScaler appliance sits between the client and the XNC and CAS servers. All requests from the client devices go to the NetScaler appliance, which then communicates with the XNC to retrieve information about the device. Based on the response from the XNC, the NetScaler either forwards the request from a whitelisted device to the backend server, or drops the connection from a blacklisted device.

For more information, see the "NetScaler and XenMobile Solution for Enterprise Mobility" deployment guide.

Low Encryption Licenses for Russia

ENH ID 0349674: A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.

First Time User Wizard Changes

The look and feel of the first time user wizard has changed.

Provisioning Third-Party Instances on a NetScaler SDX Appliance

You can now provision the following third-party virtual machines (instances):
  • ENH ID 0329072: SECUREMATRIX® GSB—Provides a highly secure password system that eliminates the need to carry any token devices.
  • ENH ID 0329072: Websense® Protector—Allows enterprises to deploy a data loss prevention (DLP) solution to protect sensitive enterprise information.
  • ENH ID 0349549: BlueCat DNS/DHCP Server—Provides a DNS, DHCP, and IP Address Management software solution for enterprises.
Important: You must upgrade to XenServer version 6.1.0 before provisioning a third-party instance on the SDX appliance.

Upgrading the XenServer Software

ENH ID 0322368: You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.

Configure Link Aggregation from the Management Service

ENH ID 0257892: You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.

NetScaler Insight Center

  • ENH ID 0341904: NetScaler Insight Center supports clearing AppFlow configurations from a virtual server.
  • ENH ID 0381072: NetScaler Insight Center supports sending syslog messages to an external syslog server.
  • ENH ID 0388409: On the Dashboard > HDX Insight > Users > <user name> page, the application and gateway reports display the active applications by default.
  • ENH ID 0392732: The HTML Injection feature is now available for Web Insight data collection on platinum licenses of NetScaler 10.0 appliances and on all licenses of NetScaler 10.1 appliances.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0372362: When KCD is configured with a content switching virtual server, the NetScaler appliance might hang or crash. The cause is a GET request with multiple authorization headers. (Only one authorization header is expected.)
  • Issue ID 0387076: On a NetScaler appliance with AAA enabled and KCD single sign-on configured, after several single sign-on requests are successfully authenticated, the virtual server principle can unexpectedly become blank. When this happens, subsequent authentication requests fail.
  • Issue ID 0390037: After authentication, if AAA generates the URL redirect, it rewrites the query portions of certain URLs into base 8 ASCII string equivalents instead of passing on the original strings.
  • Issue ID 0391105: A NetScaler appliance that has AAA-TM configured for authentication with a RADIUS Server might generate intermittent logon failures with the error message HTTP/1.1 Internal Server Error 6.

Application Firewall

  • Issue ID 0351544: The application firewall now supports sessionless cookie proxying on NetScaler cluster configurations that do not use the spotted VIP feature.

Application Firewall Signatures

  • Issue ID 0376437: To improve performance, when processing buffer overflow signatures the application firewall now evaluates PCRE regular expressions only when the minLength parameter is set.
  • Issue ID 0384103: You can now configure the JSON content types for your application firewall in the Manage JSON Content Types dialog box in the global settings. The dialog box is nearly identical to the Manage XML Content Types dialog box.
  • Issue ID 0390804: If you configure an application firewall profile but do not bind any signatures to it, the NetScaler appliance becomes unresponsive or fails if a user sends a request with a JSON body to a web site protected by that profile.

Cluster

  • Issue ID 0370814: A newly added node cannot synchronize the cluster configuration, because it cannot establish a connection to the cluster configuration coordinator. This issue might arise if the configuration coordinator rpcNode password on the new node is not the same as that on the configuration coordinator.

Configuration Utility

  • Issue ID 0360163: You cannot configure a GSLB service for which a server is not configured on the NetScaler appliance. The configuration utility displays the message Server must be specified.
  • Issue ID 0369583: If you use the configuration utility to view a Responder action, the Responder Actions page is reloaded.
  • Issue ID 0369900: When search results do not fit onto one page, duplicate records might appear on the second and subsequent pages.
  • Issue ID 0387554: On NetScaler appliances that run the cluster OS, user-defined control policies are not listed in the control flow and therefore do not appear in the Policy Manager. After these policies are bound to Global or an appropriate bind point, they are listed in the data flow.

Content Switching

  • Issue ID 0397673: When you configure a content switching rule that is evaluated before the user authenticates with AAA-TM, and the rule is supposed to redirect users to a specific virtual server on the basis of the user name, the rule fails.

Documentation

  • Issue IDs 0395277 and 0395282: The PDF format of NetScaler product documentation is no longer packaged with the NetScaler MPX, VPX, and SDX software. NetScaler product documentation is available in HTML format on the eDocs product library web site. You can generate a PDF for any topic from eDocs.

    To access NetScaler documentation on eDocs, see http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.

Global Server Load Balancing

  • Issue ID 0394328: On a NetScaler appliance that has both a monitor and a GSLB view bound to a GSLB service, occasionally the view binding is not visible from the CLI and is not saved in ns.conf although the GSLB service is properly configured and UP.

Load Balancing

  • Issue ID 0376173: If two NetScaler appliances in a high-availability configuration have TCPB mode enabled globally, and you create a DNS TCP service, the service might be successfully created on the primary NetScaler appliance but fail on the secondary appliance.
  • Issue ID 0387253: When you create a new load balancing server on the configuration utility, occasionally a series of error messages appear indicating that the Load Balancing feature is not licensed, and you are unable to create the virtual server.
  • Issue ID 0391273: When you add a new server to an existing service group, the services in the group might be designated as DOWN even though monitoring probes succeed. To enable the services, unset the virtual server spillover method. They are then correctly designated as UP.

NetScaler Insight Center

  • Issue IDs 0377737 and 0365977: NetScaler Insight Center appliance fails to respond.
  • Issue ID 0378044: On the Configuration > Inventory > Application List page, the values for number of applications displayed and total number of applications can be incorrect.
  • Issue ID 0378652: The Page analysis button is in the wrong place and not functional on the Dashboard > Web Insight > URL page.
  • Issue ID 0381522: On the Dashboard > HDX Insight > Applications page, the Total Session Launch count displays an incorrect number of sessions launched.
  • Issue ID 0385895: The graph of user applications, which appears when you navigate to Dashboard > HDX Insight > Users <username> > <sessionID> >Applications > More <application name>, is incorrectly plotted.
  • Issue ID 0386543: No graph is plotted for users on the page that appears when you click the Dashboard > HDX Insight > Users <username> > <SessionID> > Applications > More button.
  • Issue ID 0387257: The introduction that appears when you log on to a new NetScaler Insight Center appliance provides only Web Insight information. It does not provide information about HDX Insight.
  • Issue ID 0388093: When the Dashboard tab displays reports, the text that appears when you on click the orange icon beside a metric does not accurately describe the licensing issue.
  • Issue ID 0388453: On the Configuration > Inventory > Application List page, after you right-click a VPN application and select Enable AppFlow, then clear the ICA check-box and click Enable AppFlow, AppFlow is shown enabled, but no data is collected and therefore no reports are displayed on the Dashboard > HDX Insight page.
  • Issue ID 0388650: NetScaler appliance crashes when AppFlow is enabled on the virtual servers from Netscaler Insight Center appliance.
  • Issue ID 0390581: On the Dashboard tab, in some cases, the breadcrumb navigation does not display any text for labels.
  • Issue ID 0391336: The HDX Insight node appears even if all NetScaler appliances have only standard licenses. The node is supposed to appear only when at least one appliance has an Enterprise or Platinum license.
  • Issue ID 0391477: You cannot enable Appflow on a VPN application for which you have specified an expression from the drop-down list.
  • Issue ID 0392515: Data collection cannot be enabled on virtual servers (load balancing, content switching, or VPN) that have space characters in their names.

NetScaler SDX Appliance

  • Issue ID 0385037: If the /var/mps/policy/mps_policy_backup.xml file is empty or corrupted, the appliance performs a core dump and the Management Service user interface is blank.

Networking

  • Issue ID 0359348: For an IPv6 load balancing virtual server that belongs to a traffic domain, and for which the persistence is set as cookieinsert, the NetScaler appliance does not insert the correct cookie in its response.

Platform

  • Issue ID 0360223: In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
  • Issue ID 0373125: The NetScaler hardware might sometimes report incorrect values for system health counters. The health counters are read over the SMBus, which is prone to reporting wrong or zero values.

SNMP

  • Issue ID 0246215: A new SNMP alarm, vridStateChange, indicates the change of the state of a VRID from backup to master in an active-active configuration. The NetScaler appliance in which the state of a VRID changes to master sends a trap message for each VIP address bound to that VRID to the configured SNMP managers, indicating that the NetScaler appliance is currently serving traffic for a particular VIP address bound to that VRID. If no VIP addresses are bound to that VRID, the appliance does not send any trap messages.

SSL

  • Issue ID 0392683: In some cases, parsing an incorrectly formatted client certificate might take more than a few seconds. The delay can trigger the monitoring logic to terminate the process and restart the appliance.

System

  • Issue ID 0384153: When selective acknowledgement (SACK) and partial buffering are enabled on the appliance, acknowledgements with incorrect TCP checksum are forwarded to the server.
  • Issue ID 0392293: The NetScaler wrongly advertises TCP buffer size to the client side when dynamic windows management is enabled and the service-side buffer size is greater than 40k. This issue is observed when two different TCP profiles are bound to the virtual server (buffer size is 8k) and the service (buffer size > 40k) and causes failure when the NetScaler is uploading files.

Known Issues and Workarounds

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you have two sets of custom signatures named custom_signatures and custom_signatures_2 that are based on copies of the default signatures file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"

Cluster

  • Issue ID 0395735: The NetScaler appliance dumps a core when creating a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

    Workaround: Make sure you delete existing TFTP load balancing virtual servers before creating the cluster or high availability setup.

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0387135: If you access the NetScaler configuration utility through Internet Explorer 8, an attempt to view more than 25 load balancing virtual servers per page results in an alert message about an unresponsive script.

    Workaround: Do not change the default pagination value (25). If you change the default pagination value and the appliance prompts you to stop running the script, choose to continue.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins in the Start screen, and therefore Java cannot run in the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you have a load balancing virtual server with a service type of HTTP, and assign a backup virtual server with a service type of TCP to it, any content switching action bound to it fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

    See Configuration Utility Changes, for information on the new node structure.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0383402: If a virtual server is UP by virtue of the service(s) being in Transition Out-Of-Service State (TROFS), the clients do not respond (instead of issuing 503 or RST) due to requests being queued at the virtual server rather than at the services.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path argument are not explicitly set.
    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp

NetScaler Insight Center

  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even when the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236 :On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.

    Workaround: To view the details, click the help icon in the graphical user interface when the help page opens, click on the TOC tab and navigate to NetScaler Insight Center 10.1 > Enabling Data Collection.

  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for Standard Licenses of NetScaler appliances.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the status of the member interfaces might appear as Error-Disabled (in the command line) or DOWN (in the configuration utility) of the NetScaler instance.

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.
  • Issue ID 0399630: If a new interface is bound to an LACP channel by using the Management Service, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance modify wizard.

    Workaround: Modify the NetScaler instance and remove the non-existent channel from the VLAN settings page.

  • Issue ID 0400409: While modifying a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

    Workaround: Provision the NetScaler instance again.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.
  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on this channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: If you synchronize a high availability configuration with the network firewall mode set to BASIC on the current secondary node, the synchronization of configuration files from the primary to secondary node fails. The failure occurs with both the sync HA file command on the NetScaler command line and the Start HA files synchronization dialog box in the configuration utility.
    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:
    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following command on the primary node:

    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    and the following command on the secondary node:

    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 error message that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. You must use the CLI. However, you can use the configuration utility to bind and unbind classic SSL policies.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

    Workaround: Disable SPDY in the Chrome browser.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install Certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

    Workaround: Use the command line interface.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.
Back to top