Release Notes for NetScaler 10.1 Maintenance Releases

DNS64

• ENH ID 0318404: The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPV6 only clients, and NAT64 enables communication between the clients and servers.

  For synthesizing an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenation of the DNS64 Prefix (96 bits) and the IPv4 address (32 bits).

Setting Up NetScaler for XenApp/XenDesktop

• ENH ID 0345912: The NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.

New Subnet Mask Field for the SNIP Address in the First-time Setup Wizard

• ENH ID 0413542: The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.

Upgrade Progress

• ENH ID 0346988: When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.

Support for 8 Channels

• ENH ID 0401113: The SDX SVM now allows you to configure 8 channels on a VPX instance.

AAA Application Traffic

• Issue ID 0401000: When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.

Application Firewall

• Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Configuration Utility

• Issue ID 0361970: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

Domain Name System

• Issue ID 0401451: The NetScaler appliance, configured to function as DNS forwarder or DNS resolver, may becomes unresponsive whenever it receives UDP DNS truncated response from a name server.

Load Balancing

• Issue ID 0390545 (nCore): A NetScaler nCore appliance uses multiple CPU cores (Packet Engines) for packet handling. Every session on the appliance is owned by a packet engine (PE). If the appliance receives a request for which a session does not already exist, a session is created, and one of the PEs is designated as the owner of that session. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE. During the time that the PE gets details about the session from the owner PE, the packet is corrupted.

• Issue ID 0398327: You can now bind a StoreFront monitor to a service group. Each member of a service group is now monitored by using the member's IP address.

  The -hostname parameter is no longer required and is deprecated.

  To determine whether to use HTTP (the default) or HTTPS to send monitor probes, you must now use the -secure parameter. If your current StoreFront monitor configuration uses HTTP, you only have to remove the hostname parameter.

  To use HTTPS, set the -secure option to Yes.

  Example:

  add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure yes

• Issue ID 0409028: If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 Direct Server Return (DSR) deployment mode, the destip and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. The same behavior is observed if you delete a service.

Monitoring

• Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the show ns runningConfig command before restarting the appliance, the monitor binding information does not appear.

Multipath TCP Support

• Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

• Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP is enabled.

• Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

• Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

NetScaler Insight Center

NetScaler SDX Appliance

• Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of NetScaler instance Modify NetScaler Wizard.

• Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

• Issue ID 0405115: SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.

• Issue ID 0405921: The SVM restore operation of NetScaler instances fail as the SVM shuts down the NetScaler instances that are still being provisioned.

• Issue ID 0410416: After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.

Networking

• Issue ID 0401303: When the conditions specified in an ACL rule includes the operator !=, the NetScaler appliance may not properly filter packets based on the ACL rule.

• Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

• Issue ID 0404861: If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance may mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.

• Issue ID 0405190: When IP fragments are received on a load balancing virtual server with client timeout parameter set to zero, the NetScaler appliance might dump core and then restart.

Platform

• Issue ID 0409202: The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the set ns hostname command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.

Rewrite

• Issue ID 0401455: Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.

System

• Issue ID 0353546: When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manger with that name already exists.

• Issue ID 0391632: The output of the stat commands specified with -fullValues option is aligned incorrectly.

• Issue ID 0391754: On a NetScaler MPX system, the SNMP count for the system's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.

• Issue ID 0401111: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

• Issue ID 0402677: The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.

• Issue ID 0407868: Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.

• Issue ID 0407974: A session is not freed when port allocation fails. The session is getting matched and the NetScaler fails when it tries to access other linked sessions which are NULL.

AppFlow

• Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

  • The applications stop functioning but are visible in the browser.
  • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
  • When you click OK in the dialog box, the applications disappear.
  • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

• Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

  Workaround: Use the Adobe PDF browser plugin.

• Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:

  • update appfw signatures "*Default Signatures"
  • update appfw signatures "custom_signatures"
  • update appfw signatures "custom_signatures_2"

Configuration Utility

• Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

• Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

• Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

  Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

• Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

• Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

  Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

• Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

  Workaround: Use the arrow keys on the keyboard to scroll the screen.

• Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings will result in erroneous condition.

• Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

• Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

  Workaround: Enable compression on the appliance by using the enable ns feature CMP command. Also, enable compression for the service groups by using the set servicegroup <name> -CMP on command.

• Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

  Workaround: Do not apply the optimization settings.

• Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices in not modified. Therefore, published resources of both, XenApp and XenDesktop, are displayed when accessing the Web Interface site through Receivers.

• Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

  Workaround: Edit the XenFarm section (no actual changes required), click Continue and then apply the optimization settings.

• Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

• Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

  Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

• Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

• Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

  • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
  • More than one service is bound to the service group.

Content Switching/Load Balancing

• Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

• Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes. See http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html, for information about the new node structure.

Domain Name System

• Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

  • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

  • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

• Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

• Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

  Workaround:

  1. Create a monitor of type CiTRIX-wi-EXTENDED.
  2. Set the script name.
  3. Set the site path.
  For example,

  add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
  set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
  set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp

Multipath TCP Support

• Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

• Issue ID 0400819: MPTCP does not support FTP data connections.

• Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

• Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

• Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

NetScaler SDX Appliance

• Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

  Workaround: After using the Management Service to create a channel, restart the SDX appliance.

• Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

  Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

• Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

• Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

• Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

• Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

  sysctl netscaler.ns_vpx_halt_method=2

  Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

  sysctl netscaler.ns_vpx_halt_method=2

Networking

• Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

  Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

  add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

  For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:

  add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 

  and the following command on the secondary node:

  add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

• Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

• Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

• Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

• Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

  • Release 10.1 starting build 112.15 or later

  • Release 10 build 74 or later

  • Release 9.3 build 62.4 or later

  • Release 9.3.e build 59.5003.e or later

Policies

• Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

  Workaround: Use the CLI to define classic SSL policies.

  Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

• Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

• Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

• Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

• Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

  Note: The same error occurs if you try to set the time for one of these alarms.

  Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

• Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

XML API

• Issue ID 0363145: The following APIs are not available in version 10.1 or later:

  • bindservicegroup_state2

  • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.

Multipath TCP Support

• ENH ID 0320221: NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.

  For more information, see MPTCP (Multi-Path TCP).

Call Home Proxy Mode Support

• ENH ID 0311623: Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.

  For more information, see Configuring Call Home.

Custom HTTP Headers Support using Web Server Logging

• ENH ID 0329710: The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to a maximum of two HTTP request header names and two HTTP response header names.

  For more information, see Exporting Custom HTTP Headers.

Backing Up and Restoring a NetScaler Appliance

• ENH ID 0367021: You can now back up the NetScaler appliance at any time and then use the backup to restore the same appliance to that state.

  For more information, see Backing Up and Restoring the NetScaler Appliance.

Checking Content Type of Responses

• ENH ID 0236218: When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.

  To enable MIME/type checking, at the NetScaler command line type the following command:

   bind appfw profile <name> -inspectResContentType <type>

  For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:

   bind appfw profile library -inspectResContentType "text/PDF"

  To disable a MIME/type rule that you have previously enabled, use the unbind command:

   unbind appfw profile <name> -inspectResContentType <type>

Enterprise License Support for AppFlow

• ENH ID 0395659: AppFlow can now export ICA records from NetScaler appliances that have enterprise licenses. This ensures that HDX insight reports for NetScaler appliances with enterprise licenses are now available on the NetScaler Insight Center.

New Metrics Support for NetScaler Insight Center

• ENH ID 0400867: HDX Insight reports now include details about Client Side NS Latency, Server Side NS Latency and Host Delay.

Enabling or Disabling the Recursion Available Flag

• ENH ID 0403114: An option Recursion Available is added for the load balancing virtual servers of type DNS and DNS TCP to control the RA (Recursion Available) flag in all the DNS responses from these virtual servers.

AAA Application Traffic

• Issue ID 0387049: When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.

Application Firewall

• Issue ID 0403027: The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not javascript-compliant and can cause issues with javascript-enhanced forms.

Cache Redirection

• Issue ID 0401148: The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.

Configuration Utility

• Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.

Global Server Load Balancing

• Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

• Issue ID 0351870: If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.

• Issue ID 0383402: If a virtual server is UP because the service(s) are in Transition Out-Of-Service (TROFS) state, the clients do not respond due to requests being queued at the virtual server rather than at the services. Instead, the client must issue 503 or RST.

• Issue ID 0401118: On a NetScaler appliance or VPX that is configured for load balancing in an environment that includes a Microsoft SQL server database, when a client sends a large number of long queries to the MSSQL database, the appliance or VPX might hang or crash.

Load Balancing/AAA-TM

• Issue ID 0402472: If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.

NetScaler Insight Center

• Issue ID 0332854: Unable to add the IP address in the inventory which contains the number 255 in any quadrant.
• Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.
• Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
• Issue ID 0400900: The load time and render time metrics are not displayed for standard or enterprise licenses of NetScaler appliances.
• Issue ID 0405177: During an ICA session, the NetScaler appliance fails to respond when you access it's invalid memory space.
• Issue ID 0403134/0403195: During an ICA session, the NetScaler appliance fails to respond due to a NULL pointer access.

NetScaler SDX Appliance

• Issue ID 0400409: If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

• Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.

Networking

• Issue ID 0366321: The Network Visualizer does not display the bound IP addresses of a configured VLAN.

• Issue ID 0402068: With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.

• Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

Policies

• Issue ID 0391238: When an HTTP callout is configured with a virtual server that has a widcard port, the NetScaler appliance fails to respond the first time the callout is triggered.

SSL

• Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

• Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

System

• Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

• Issue ID 0394724: The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.

• Issue ID 0395735: The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

• Issue ID 0404094: If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.

AppFlow

• Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

  • The applications stop functioning but are visible in the browser.
  • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
  • When you click OK in the dialog box, the applications disappear.
  • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

• Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

• Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

  Workaround: Use the Adobe PDF browser plugin.

• Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:

  • update appfw signatures "*Default Signatures"
  • update appfw signatures "custom_signatures"
  • update appfw signatures "custom_signatures_2"

Configuration Utility

• Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

• Issue ID 0361793: (nCore and nCore VPX) The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing; Virtual Servers pane.

• Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

  Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

• Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

• Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed. Workaround : Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml

• Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

  Workaround: Use the arrow keys on the keyboard to scroll the screen.

Content Switching

• Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

• Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes. See http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html, for information about the new node structure.

Domain Name System

Load Balancing

• Issue ID 0398327: Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.

  Workaround: If the StoreFront servers are part of a cluster, Citrix recommends that you add them as individual services instead of as members of a service group.

Monitoring

• Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

• Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

  Workaround:

  1. Create a monitor of type CiTRIX-wi-EXTENDED.
  2. Set the script name.
  3. Set the site path.
  For example,

  add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
  set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
  set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp

• Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, the monitor binding information does not appear if you run the show ns runningConfig command before restarting the appliance.

Multipath TCP Support

• Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

• Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

• Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP is enabled.

• Issue ID 0400819: MPTCP does not support FTP data connections.

• Issue ID 0400861: Virtual servers with listenPolicy specified, accept connections from the first subflow only.

• Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

• Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

• Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

• Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

• Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab which makes it unable to perform any basic configurations.
• Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even if the policy rule is set to FALSE.

  Workaround: Start the session again.

• Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
• Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
• Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
• Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
• Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
• Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
• Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
• Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

  Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

• Issue ID 0397236 :On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
• Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
• Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
• Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
• Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
• Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
• Issue ID 402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

  Object does not support this property or method.

• Issue ID 0402458: If the analytics decoding process requires more than 100% of RAM memory, the system fails to respond to further memory-allocation requests by other modules.
• Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
• Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
• Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
• Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
• Issue ID 0405818/ 0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in the updating the values.
• Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
• Issue ID 0405849: Sometimes, the commands used in the NetScaler Insight Center command line interface are case sensitive.
• Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
• Issue ID 0405936 : If the NetScaler Insight Center virtual appliance remains inactive for a longer duration, the data will not be logged.

  Workaround: Restart the appliance by running the following command on the command line interface:

  #/etc/rc.d/analyticsd restart

• Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

• Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

  Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

• Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

  Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

• Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.

• Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

• Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance's Modify wizard.

  Workaround: Modify the NetScaler instance and remove the nonexistent channel from the VLAN settings page.

• Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

• Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

• Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

  sysctl netscaler.ns_vpx_halt_method=2

  Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

  sysctl netscaler.ns_vpx_halt_method=2

Networking

• Issue ID 0371613 : In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

  Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

  add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

  For example, for an HA configuration in which the primary node’s NSIP is 198.51.100.9 and the secondary node’s NSIP is 198.51.100.27, you would run the following command on the primary node:

  add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 

  and the following command on the secondary node:

  add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

• Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.

• Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

• Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

• Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

  Workaround: Use the CLI to define classic SSL policies.

  Note: Citrix encourages the use of default syntax policies over classic policies.

Reporting

• Issue ID 0368982: After you have imported a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

• Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

• Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

• Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

  Note: The same error occurs if you try to set the time for one of these alarms.

  Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

XML API

• Issue ID 0363145: The following APIs are not available in version 10.1 or later:

  • bindservicegroup_state2

  • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.

NetScaler VPX Support on Microsoft Hyper-V and VMware ESX virtualization platforms

The NetScaler VPX virtual appliance is supported on Microsoft Hyper-V Server 2012 and VMware ESX 5.1 virtualization platforms.

Oracle Monitor Support

ENH ID 0364085: You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. The supported data types are BINARY_DOUBLE, BINARY_FLOAT, CHAR, DATE, INTERVALDS, INTERVALYM, NUMBER, NVARCHAR, TIMESTAMP, TIMESTAMP_WITH_LOCAL_TIME_ZONE, and TIMESTAMP_WITH_TIME_ZONE.

You can configure the monitor by using the NetScaler command line or the configuration utility.

 add lb monitor <monitorName> oracle-ecv [ parameters... ]

add lb monitor oracle-monitor5 ORACLE-ECV -userName hr -database xe -sqlQuery 
"select Name from testlb" -evalRule "ORACLE.RES.ATLEAST_ROWS_COUNT(1)"

To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management => Load Balancing => Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.

NetScaler and XenMobile Solution for Enterprise Mobility

ENH ID 0365382: Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.

For more information, see the "NetScaler and XenMobile Solution for Enterprise Mobility" deployment guide.

Low Encryption Licenses for Russia

ENH ID 0349674: A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.

First Time User Wizard Changes

The look and feel of the first time user wizard has changed.

Provisioning Third-Party Instances on a NetScaler SDX Appliance

Upgrading the XenServer Software

ENH ID 0322368: You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.

Configure Link Aggregation from the Management Service

ENH ID 0257892: You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.

NetScaler Insight Center

AAA Application Traffic

Application Firewall

Application Firewall Signatures

Cluster

Configuration Utility

Content Switching

Documentation

Global Server Load Balancing

Load Balancing

NetScaler Insight Center

NetScaler SDX Appliance

Networking

Platform

SNMP

SSL

System

Application Firewall

Cluster

Configuration Utility

Content Switching

Documentation

Domain Name System

Global Server Load Balancing

Load Balancing

Monitoring

NetScaler Insight Center

NetScaler SDX Appliance

NetScaler VPX Appliance

• Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

  sysctl netscaler.ns_vpx_halt_method=2

  Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

  sysctl netscaler.ns_vpx_halt_method=2

Networking

Platform

Policies

SSL

System

XML API