Release Notes for Build 66.6 of NetScaler 10.5 Release

July 21, 2017|Release notes version: 2.0
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the NetScaler release 10.5 Build 66.6. See Release history.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous NetScaler 10.5 releases.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.

Additional Changes/Fixes Available in Versions

Version 2.0

Fixed Issues

The issues that are addressed in Build 66.6.

AppFlow

  • Service states for the service groups cannot be updated. As a result, client requests are dropped.
    [# 658990]

Application Firewall

  • The NetScaler Application Firewall appliance cannot add HTML relaxation rules (cross-site scripting and SQL injection) from the web GUI.
    [# 678747]
  • When you import signature object to bind signature to the profile, the NetScaler application firewall GUI displays the following error: Signature file has a rule with a response body pattern without the MaxMatchLength attribure.
    [# 613908]

Clustering

  • The Node-to-Node Messaging (NNM) framework for clustering wastes CPU time in the packet engine (PE) loop. With this fix, the appliance implements a yielding logic in the PE loop to reduce the NNM invocation frequency.
    [# 671347]

DNS

  • In ADNS and resolver mode, the NetScaler appliance does not support the OPT option. Therefore, it strips this option when responding to a client. In proxy mode, the query is forwarded as-is to the back end. If the response contains the EDNS Client Subnet (ECS) option, the response is forwarded to the client as-is, but not cached. If the back end does not support ECS option and therefore strips this option from the response, the response is cached as well as forwarded.
    [# 672905]
  • When a NetScaler appliance on which DNSSEC is configured is an authoritative DNS server for two domain zones, the appliance might send the same RRSIG responses to both zones instead of responding to only the appropriate zone.
    [# 671880]
  • The set lb vserver command allows you to assign the same IP address to the DNS name server and the DNS virtual server. With this fix, neither the set lb vserver nor the add dns nameServer command, nor the NetScaler GUI, allows you to assign the same address to both virtual servers.
    [# 665651]

NetScaler Gateway

  • Upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), back-end sites take too long to open.
    [# 679582]
  • In rare scenarios, if the failover versions are different in SSLVPN, then the secondary node reboots due to memory outage.
    [# 676448]
  • In certain cases, when an SSL proxy is configured for Clientless VPN access mode, the NetScaler Gateway appliance dumps core memory because of partial cleanup of connections.
    [# 662668, 671999]
  • If you configure the Windows Gateway plug-in with split tunnel set to Reverse, traffic is not processed after a client's computer wakes up from sleep.
    [# 668768]
  • The initial connection to a particular internal resource use client IP when global USIP is enabled.
    The subsequent new connections do not use the configured global USIP and use SNIP to initiate the back-end connection.
    [# 676522, 385457]
  • It takes longer to access Storefront or in rare scenarios Storefront becomes inaccessible in case "wihome" parameter in vpn session profile is set to a Load balanced v-server configured on the same NetScaler.
    [# 667188, 676111, 680660, 675548]
  • If jumbo frames are enabled on loopback, processing of data sent by AAAd in the packetEngine can cause massive memory corruption. This happens because the TCP data in the jumbo frame exceeds the application maximum segment size (MSS).
    [# 656994, 662324, 664318, 664591, 664837, 665693, 665865, 668202, 675230, 672111]
  • The NetScaler appliance fails when the corrupted NSB structure member is de-referenced.
    [# 594963, 604548, 647540, 650845, 665351, 675623]

NetScaler ICA

  • When ICA AppFlow is enabled on a NetScaler appliance, some network traffic patterns might cause the appliance to become unresponsive.
    [# 670826, 671134]
  • If AppFlow for ICA is enabled, some network traffic patterns, when followed by a client reconnect, might cause the appliance to become unresponsive.
    [# 672748]

Networking

  • In a load balancing configuration of type ANY (virtual server or services) with USIP enabled, the NetScaler appliance uses router's MAC address to forward ICMP errors to the servers.
    [# 676653]
  • The NetScaler appliance might not evaluate packets against ACL or ACL6 rules that include not equal operator (!=).
    [# 678030]
  • In a high availability setup, the monitoring process (pitboss) might terminate the file sync daemon (nsfsyncd), if the connection to packet engine gets stuck for a long time (> 25 minutes).
    [# 628439]
  • In a high availability setup, the monitoring process (pitboss) might terminate the file sync daemon (nsfsyncd), if syncing of files takes longer time (> 25 minutes) than expected.
    [# 624522, 655088, 655708]

SSL

  • In a cluster setup, you cannot make any change to a service or service group if you have associated a common name with the service or the service group and enabled or disabled server name indication (SNI).
    [# 665340]

System

  • The NetScaler appliance might stop functioning and report a segmentation violation if your configuration includes policies or actions that use the following functions and one of them fails to obtain the memory that it needs:
    XPATH()
    XPATH_WITH_MARKUP()
    XPATH_JSON()
    XPATH_JSON_WITH_MARKUP()
    XPATH_HTML()
    XPATH_HTML_WITH_MARKUP()
    [# 656646]
  • If the length of the HTTP header name extends to multiple TCP segments, it leads to an out-of-bounds memory access causing a NetScaler appliance to crash.
    [# 673096]
  • The processing of show or stat commands can cause high CPU-usage levels. This fix significantly reduces the time required for processing a show or stat command, especially if the NetScaler configuration is very large.
    [# 688788]
  • If a NetScaler appliance receives an HTTP request with an empty trailer, it aborts the transaction and resets the connection.
    [# 664875]
  • If TCP non-end point mode is enabled in a NetScaler appliance, the appliance generates an acknowledgment (ACK) to the client before getting a link connection with ACK not having the correct timestamp value.
    [# 667006]
  • If an HTTP WebSocket upgrade connection request contains a Content-Length header field, WebSocket applications malfunction.
    [# 673826]
  • Memory usage on a NetScaler appliance might increase over time if Multipath TCP (MPTCP) is enabled and MPTCP to Subflow sequence number mapping fails because of a split packet error in the lower client-side MSS. The appliance becomes unresponsive after the memory is exhausted.
    [# 672009, 670102]
  • Before an event loss In a weblog connection, snd_cwnd sends the weblog client a send_data_0 requesting more data. The event loss causes the appliance to reduce the snd_cwnd congestion window, which causes a pitboss crash because the sack based recovery does not have an interleaving logic.
    [# 674934]
  • The NetScaler appliance sends malformed HTTP headers to the server if insertion of the client address is configured on a service in a non-default traffic domain (TD).
    [# 675352]
  • In a NetScaler appliance, if you enable TCPCIP option through the NetScaler command line, the appliance sends an incorrect sequence in the client IP header information (for example, if the sequence number is 52, the appliance sends an incorrect sequence number as 48). This is because of incorrect sequence number calculation.
    [# 638095, 670322]
  • Warning logs appear in the NetScaler GUI, and the SNMP daemon returns unsuitable responses to requests, if nsaggregatord is busy when snmpd initiates communication between the two daemons. Snmpd loads nsaggregatord with requests, causing the connection to frequently reset. With this fix, the appliance uses a breather logic to prevent the frequent resets.
    [# 645276, 668040]
  • A NetScaler appliance crashes if the content-type header is missing from an HTTP responder.
    [# 681284]
  • If Multipath TCP (MPTCP) is enabled, the NetScaler appliance might dump core memory and restart because a protocol control block (PCB) is freed twice.
    [# 673228]
  • Snmpd communicates with nsaggregatord to process the requests it receives. The SNMP Code also maintains a cache of the responses from aggregator in the form of a CacheTable. If the CacheTable is corrupted, a crash might result. The workaround is to not perform SNMP operations from an SNMP Manager related to the corrupted memory location.
    [# 675631]

Known Issues

The issues that exist in Build 66.6.

AAA-TM

  • In rare scenarios, response cookie from OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, length check for cookie value in success-rule configured in Forms SSO action on the NetScaler appliance needs to be updated with an appropriate value.
    [# 676450]
  • When SAML is used in a high availability (HA) setup, a SAML single logout operation does not terminate the session on the secondary appliance.
    [# 590384]
  • User-account lockout details for a AAA virtual server cannot be configured at the global level, but only at the AAA virtual server level, because the maxLoginAttempts and failedlogintimeout parameters are not supported at the global level.
    [# 483521]
  • In NetScaler 9.3 and previous versions, the NetScaler ADC used a SNIP address as the source IP address for authentication requests unless the administrator configured a static route to a different interface. In NetScaler 10.1 and subsequent versions, the ADC uses the NSIP address as the source for authentication requests even when a static route points to a different interface.
    To force the ADC to use a SNIP (not the NSIP) as the source IP address in version 10.1 or later, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication.
    [# 457817]
  • The NetScaler implementation of Kerberos does not fully implement the ktutil functionality. While this does not affect Kerberos authentication, it restricts some administrative tasks, such as the ability to merge keytab files.
    [# 551091]
  • If you log on to the NetScaler Traffic Management (TM) virtual server using "401 Basic" authentication, you might observe authentication failures if your username or password contains special characters. This is because only UTF-8 characters below ASCII 128 (for example, A-Z, a-z, 0-9, and ~ ! @ # $ % ^ & * ( ) _ + - = [ { ] } \ | ; : ' " / ? . > , < special characters) are allowed.
    [# 620845, 589509, 650263, 672340]
  • Applications that use the AJAX model for logon cannot use the forms-based SSO approach.
    [# 595019]
  • When executing the "unlock aaa user" command, the NetScaler appliance does not check whether that account was actually locked.
    [# 483544]
  • In release 10.5, moving to a higher authentication level is not supported for 401-enabled load balancing virtual servers.
    [# 645501]

Application Firewall

  • Field consistency violations occur when you attempt to access some websites. When you check NetScaler application firewall field consistency logs, the field name entry is missing from the log files.
    [# 660638]
  • When a NetScaler appliance is upgraded from a 10.1 build to a 10.5 build, the application firewall signature names are converted to all lowercase characters. If the name of the signature contains any uppercase character, the conversion affects the binding between profile and signature. Any attempt to modify either the profile or the signature object displays an error message in the configuration utility.
    [# 568705]
  • A NetScaler application firewall appliance is unable to block cross-site scripting attack with a character entity when the POST method is used.
    [# 682643]
  • If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
    [# 489691]
  • When you bind an application firewall policy to a content switching virtual server, the binding is shown as an application flow policy binding instead of an application firewall binding.
    [# 635794]
  • The application firewall Graphical User Interface might display a warning when the Qualys signature file is uploaded to the NetScaler appliance. The transformation program that reads the input file is treating a warning message as an error.
    [# 547282]
  • If the user sends a request that contains the string "Javascript" without a non-alphanumeric delimeter, the Cross-Site Scripting check does not block the request. This is expected behavior. Without a delimiter, the keyword "Javascript" cannot trigger code execution and therefore poses no threat to the protected web application.
    [# 457926, 506333]
  • If the server sends less data than the amount specified in the Content-length header, the NetScaler application firewall might send a 9845 response and reset the connection.
    [# 506653]
  • A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.
    [# 427798]
  • Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
    [# 674864]
  • A NetScaler AppFirewall appliance with the compression feature enabled sometimes puts blank lines in HTTP response headers, resulting in garbled page rendering by the browser.
    [# 629128]
  • The application firewall has memory limitations on the size of a WSDL that can be imported into the NetScaler appliance. The import operation might fail if the size of the WSDL file exceeds the allocated memory.
    [# 349504]

Audit Logging

  • During synchronization and saving of a system configuration, if Cache Redirection (CR) policy is configured before configuring an audit message action, it results in an improper sequence of CR policy and audit message actions.
    [# 622905]

Cache Redirection

  • In the event of a cache miss, the request is sent to the origin server as an SSL request instead of an HTTP request, even though the backendssl parameter is disabled on the NetScaler ADC.
    [# 442353]

Cisco RISE Integration

  • In a vPC-Direct deployment for RISE, shutting a (RISE) service on the N7k removes the component links from the static LA channel on the NetScaler. They are however still part of the port channel on the N7k and could result in dropped traffic. It is recommended that the administrator manually shut down the port channel as well, on the N7k, when the corresponding RISE service is shut down.
    [# 502591]

Clustering

  • When Layer 2 mode and MBF are enabled in a cluster deployment, access to * 80 services can fail intermittently.
    [# 479899]
  • In a cluster setup, the "add ns httpProfile" command can fail after an upgrade from a NetScaler 10.1 build to a NetScaler 10.5 build. This happens because the NetScaler running configuration does not include the "add ns httpProfile" command, even though it is available in the NetScaler configuration file (ns.conf).
    [# 538489]

DNS

  • Contrary to the information provided in the documentation, DNS Views prevent service selection if a service is not bound to the View.
    [# 580259]

GSLB

  • GSLB force sync fails if the following conditions are met:
    * The same load balancing (LB) monitor is bound to a GSLB service and to other LB entities.
    * The server IP address already exists for a non-GSLB entity on the slave node (an entity with same server IP address but a different server name) and the master node tries to synchronize the configuration.
    [# 530638, 506432, 652849]
  • If you rename a server associated with a GSLB service and then run the sync gslb command, the GSLB configuration might not synchronize to the other GSLB sites.
    Workaround:
    Manually update the server name on the other GSLB sites.
    [# 511994]
  • When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
    [# 658108, 679822]

High Availability

  • When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.
    To avoid this issue, use the following steps when upgrading the HA nodes:
    1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.
    2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.
    3. Force failover to make the upgraded node the primary node.
    4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.
    5. Re-enable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.
    6. Save the configurations.
    Note: Before upgrading synchronize files between the HA nodes by using the "sync ha files all" command.
    [# 471294]

Integrated Caching

  • A VPX system can repeatedly fail if HA cache persistence is used along with HTML-injection.
    [# 581598]
  • The NetScaler appliance fails while caching a 404 response.
    Workaround: Configure your Cache not to cache a 404 response.
    [# 608477]
  • The details of cache objects are not available in the NetScaler GUI. However, the list of cached objects is available.
    Workaround: Use the CLI command to view the details of a cached object.
    [# 457623]

Load Balancing

  • If a NetScaler appliance sending a DNSSEC negative response over UDP is not able to include the required records (for example, SOA, NSECs, and RRSIG records) in the Authority section, the appliance might send a truncated response in the wrong packet format.
    [# 540965]
  • The Citrix-WI-Extended monitor cannot be used if the Web Interface server is not set up for explicit authentication mode.
    [# 480852]
  • After a high availability failover, Web Interface on NetScaler displays "State Error" if you try to launch an application.
    [# 630435]

NITRO

  • If you make a GET call with the service_args parameter on .NET SDK, the call fails with the exception Invalid argument value [internal].
    Workaround: Instead of the parameter
    $opts.args = "internal:true"
    Use the parameter:
    option.set_args("internal:true")
    [# 595938]
  • For external users that require a challenge and response, authentication through NITRO does not work.
    [# 558715]

NetScaler CLI

  • When you use the Net::SSH::Perl library to connect to the NetScaler appliance, and run a command with an argument that has an @ character, an error message reports that the argument does not exist.
    For example, an error message appears if you use the @ character in the tacacsSecret parameter of the following command:
    > set authentication tacacsAction TACACS-0101 -tacacsSecret Sl4make5f0rd@enc5
    Workaround: Use one of the following alternate approaches:
    - If you use the Net::SSH::Perl library, include double quotes around the command when calling $ssh->cmd().
    - Use the Net::Telnet library.
    - Use the Net::SSH::Expect library.
    [# 346066]
  • The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.
    [# 512526, 527066, 545578, 631658, 635938, 643466, 652771, 667794]

NetScaler GUI

  • The Service hits and Service hits (Rate) counters by the "stat services" command do not apply to services, but to the service-virtual server binding. These counters are displayed in the graphical view of services and should be ignored.
    [# 538057]
  • On a NetScaler instance deployed on Azure, the welcome page in the GUI prompts you to enter a SNIP address, but a SNIP address is not required to configure NetScaler VPX on Azure. You can skip this step.
    [# 559971]
  • If you use the MAC Safari browser to upgrade a NetScaler ADC and, in the upgrade wizard, you click the browse button to choose a build file on the appliance, the dialog box does not shown any files or folders. If you navigate back to the root folder, the dialog box displays the top level folder, but you cannot browse the files in the folder.
    Workaround: Click the Settings icon and navigate to Preferences > Security > Manage Website Settings > Java, and then change the "When visiting other websites" setting to "Run in unsafe mode."
    [# 466245, 475388]
  • You cannot use the configuration utility to add signatures to an existing application firewall profile using the wizard, if the application firewall policy is not globally bound.
    Workaround: Use the command line interface.
    [# 470941]
  • If you use a Chrome browser to access the NetScaler graphical user interface (GUI), the browser might display the Page Unresponsive error message.
    Workaround:
    If you are using a Windows computer, do the following:
    1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.
    2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor
    For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --disable-hang-monitor" http://www.google.com
    3. Close all instances of the Chrome browser, and restart the Chrome browser.
    If you are using a MAC computer, do the following:
    1. Open the terminal.
    2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:
    open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor
    [# 400073, 401262]
  • If you create a load balancing virtual server with a name matching the pattern _XM_LB_MDM the XenMobile dashboard might display incorrect port values.
    [# 486590]
  • When you use the XenMobile wizard to configure load balancing for XenMobile 10, the server certificates for the device management services being load balanced are not automatically bound for application management services also being load balanced. The server certificates for application management load balancing services must be manually bound during the wizard flow.
    [# 524762]
  • When using the expression editor to modify an existing expression, select the expression and click Expression Editor. Alternatively, you can modify the expression directly in the text field.
    [# 483421]
  • If you use the Google Chrome browser to access the NetScaler configuration utility and use the browse button to select a local file, the selected file name displays in the respective field. However, if you click the Browse button again to select a different file, and then, cancel the operation, the previously selected file name is cleared from the field.
    [# 531567]
  • You cannot create load balancing virtual servers or NetScaler Gateway virtual servers with the same name pattern used for virtual servers created in the XenMobile wizards.
    [# 485698]

NetScaler Gateway

  • If you enable a proxy server and disable ICA proxy in a session profile, users are not able to start published applications.
    [# 470220]
  • The si_Cur_Clints counter increments whenever transaction begins at a virtual server, and decrements when the corresponding server transaction is completed. However, this counter seems to be decremented incorrectly, resulting in incorrect statistics.
    [# 595962]
  • A memory leak gradually diminishes the amount of memory available for SSL VPNs. The NetScaler appliance eventually fails unless it is rebooted before memory utilization reaches too high a percentage.
    [# 660223, 677197, 551669, 544066, 684981]
  • An external group user bound to a number of large groups (more than 1000 group members on an external LDAP server) is unable to execute any command. The appliance reports an authorization error even though the user is authorized to use the command.
    [# 636953]
  • The NetScaler AAA daemon can fail during authentication. The error message "kevent: errno =12" was issued under stress conditions when the RADIUS user accounting is turned on. The failure is due to the system limit being reached with respect to timers.
    Workaround: Increase the system limit for the timers.
    [# 551286]
  • If users log on to Outlook Web App by using clientless access in a Firefox web browser, sending email fails.
    [# 418106, 418880]
  • If Pre-Auth EPA is configured and the EPA Plugin is installed, the NPAPI prompts to "Launch Application" before the VPN Plugin is installed. First, download the VPN Plugin, then launch the application.
    [# 583435]
  • Active user sessions GUI view shows Client IP as 0.0.0.0 and Server IP as 0.0.0.0 in the first row of each active user session.
    [# 447670, 504936, 521963, 571041, 585030, 586840]
  • XenMobile and NetScaler Gateway have different licensing methods. XenMobile has per-user licensing, while NetScaler Gateway has per-session licensing. The same user logging in from multiple devices consumes only one license on XenMobile, but consumes multiple licenses on the NetScaler Gateway appliance.
    [# 626160]
  • Expired AD (active directory) accounts produce "Incorrect Credentials" error messages, which is inaccurate and leads the user to keep trying their username and password when they will not work. The message should be similar to: "You user account has expired".
    [# 563034]
  • Earlier versions of the NetScaler Gateway Plug-in do not support OPSWAT endpoint analysis scans. When users connect to NetScaler Gateway, logon fails because the earlier version of the plug-in does not support OPSWAT endpoint analysis scans. Users can log on from a web browser and then select Network Access, which starts the upgrade to the latest version of the NetScaler Gateway Plug-in and the Endpoint Analysis Plug-in.
    [# 454670]
  • Currently, users can bind different VPN virtual servers to only one node group. Binding a VPN virtual server across multiple node group is not supported.
    [# 443118]
  • The Mac epaplugin.log file shows that the EPA Passed; although, the EPA scan failed.
    [# 531394]
  • For customers upgrading their Mac clients from version older than 2.1.3 (224), the DeviceCert check will always fail. Workaround - quit the mac client and start the client again. DeviceCert will work as expected.
    [# 421925]
  • When users log on for the first time by using the NetScaler Gateway Plug-in for Mac, the Safari web browser starts the endpoint analysis web page instead of the NetScaler Gateway Plug-in download page.
    [# 454662]
  • In rare scenarios, NetScaler dumps core while binding Classic session polices to an existing binding entity, when you have multiple VPN policies configured to the NetScaler.
    [# 685463]
  • While using XD/XA wizard on the NetScaler appliance, the GUI dashboard displays the "Web Interface FQDN" as the IP address; even if, the domain name was provided during XA/XD Wizard configuration.
    [# 593927]
  • If you enable the Green Bubble theme and then clear the entire NetScaler configuration, the Green Bubble theme remains instead of reverting back to the Default theme. To reset the value, you can run the command "set vn para uitheme <value>".
    [# 478536, 626974]
  • Under certain condition, Single-Sign-On feature will try to refer authentication resource which has been removed before and finally caused the crash. This has been fixed.
    [# 685389]
  • If you created a Netscaler Gateway virtual server by using the Quick Configuration wizard in NetScaler Gateway 10.1, the virtual server needs to be renamed with the prefix _XM_. For example, if the original virtual server name is XMGateway, you must manually rename it to _XM_Gateway. By changing the name with the correct prefix, you can see the virtual server in the wizard.
    [# 484962]
  • After an upgrade from NetScaler release 10.1 to 10.5, the appliance's logon screen might not show the password text box. If manual customizations have been made, using the older build's GUI files might lead to the absence of the password field on the NetScaler Gateway logon page.
    [# 489302]
  • During VPN session removal, a device failure occurs. It happens while detaching the VPN session policies, inherited from VPN virtual server, due to inconsistent data structures.
    [# 559257, 568456, 661148, 680701, 684558]
  • The customer wants to use the Generic AV scan to check for Kaspersky. We informed the customer that the Generic AV Scan does not support Kaspersky Endpoint Security. Use the specific scan for that product.
    [# 587866]
  • In a GSLB setup, the EPA scan fails intermittently, and the appliance reports a 403 error.
    [# 588537]
  • Citrix recommends that you do not bind Policy Infrastructure (PI) policies to the NetScaler Gateway virtual server. NetScaler Gateway does not support PI policies.
    [# 481722]
  • When there is a multiplexing proxy in the path between the client and Gateway, users will see 403 errors while accessing the Gateway login page. So, connection multiplexing/connection reuse should be turned off by the intervening proxy(NS LB SSL in this case).
    [# 564602]
  • The session does not time out as expected when Citrix Receivers are used.
    [# 558785]
  • The NetScaler appliance fails to detect the latest Chrome or Firefox browsers with OPSWAT EPA.
    [# 616172]
  • Authorization expires during an attempt to execute a command during TACACS server connection.
    [# 604515]
  • The strict node group is not being backed up and the virtual server only binds to one mode.
    [# 443584]
  • When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.
    Workaround: Configure new cache policies to ensure that en.xml and config.xml files get cached only once in the NetScaler cache. To configure new cache policies, use the following CLI commands:
    add cache selector en_config_xml_cache_selector http.req.url.path http.req.method http.req.hostname
    add cache contentGroup en_config_xml_cache_group -relExpiry 120 -maxResSize 16000 -memLimit 28 -hitSelector en_config_xml_cache_selector
    add cache policy en_config_xml_cache_pol -rule "HTTP.REQ.URL.PATH_AND_QUERY.STARTSWITH_ANY("vpn_cache_dirs") && (HTTP.REQ.URL.CONTAINS("/resources/config.xml") || HTTP.REQ.URL.CONTAINS("/resources/en.xml"))" -action CACHE -storeInGroup en_config_xml_cache_group
    bind vpn vserver <name-of-customer's-vpn-vserver> -policy en_config_xml_cache_pol -priority 5 -gotoPriorityExpression END -type REQUEST
    Note: If you have multiple active VPN virtual servers, enter the last command multiple times, once for each active VPN virtual server.
    [# 684774]
  • If PKINIT is employed to obtain a Kerberos ticket to a backend server, while the session on NetScaler is still active, if the certificate of the user expires, then SingleSignOn to backend server fails until session on NetScaler is cleared.
    [# 569444]
  • In addition to the logon page with the user name and password fields, the NetScaler ADC now offers an advanced logon page with support for dynamic form providers for interactive authentication. The dynamic form providers on the advanced logon page can be invoked if you use the Citrix default syntax to configure authentication policies.
    [# 477616]
  • Documentation includes the config changes related to the DNS refactoring changes as part of Tagma release.
    [# 487245]
  • If you configure advanced endpoint analysis policies, endpoint analysis encryption, a proxy server, and client certification authentication, the NetScaler Gateway Plug-in does not connect and users receive the error message " 2017: Your computer does not have the necessary security software to connect to the NetScaler Gateway. Please contact your system administrator."
    [# 466641]
  • Once you start the MAC Gateway plug in and close it, it does not re-open until you close Receiver.
    [# 684676]

NetScaler Insight Center

  • If you navigate to Configuration > Inventory and choose a NetScaler IP address for which to view the Application list, the NetScaler Insight Center configuration utility displays the following error message:
    Error in retrieving Virtual servers configuration.Get Virtual Server from NetScaler failed. Error in get NS resource.
    [# 514990, 523318]
  • Gateway Insight does not report the FQDNs for non-HTTP applications, such as SSH and FTP, on the Applications page. Instead, it reports the destination IP addresses on that page.
    [# 622219]
  • If AppFlow for ICA is enabled on a NetScaler Gateway deployed in a double-hop mode, and if MAC Receiver is used to launch audio or video applications, the NetScaler reports an error counter and triggers skipflow for this session, resulting in NetScaler Insight Center reports not being displayed for that session.
    [# 520394]
  • Session reliability fails and the ICA session does not resume if the session between NetScaler Gateway and a XenApp or XenDesktop server is disconnected because an intermediate router sends a TCP reset. This issue occurs even if you have enabled or disabled data collection for HDX Insight.
    [# 510871]

NetScaler SDX Appliance

  • If you use the release 10.5 Management Service to upload a platform image to NetScaler SDX, the following error message appears:
    "Please select XenServer-*.iso or nssdx-*.iso file"
    Workaround: Change the platform image file name by including the XenServer and nssdx strings. For example: XenServer-10-5-0-7-3-iso-nssdx-10-5-0-7-3.iso.
    [# 652488]
  • Modifying interface operations from the Management Service is not supported with Cisco BD qsfp type.
    [# 634273]
  • The default setting for auto-negotiation is OFF, which causes an error if you configure the interface from the Management Service.
    [# 598688]
  • Regardless of which NetScaler SDX platform license you have installed on the NetScaler SDX appliance, the show hardware command always displays the default platform model, NSSDX 18500.
    [# 622841]
  • Using the Config Reset option in the Management Service to reset the configuration of a NetScaler SDX appliance does not remove the SNMP Manager configuration.
    Workaround: Manually delete the SNMP Manager configuration from the NetScaler SDX appliance.
    [# 650536]
  • A NetScaler cluster on a NetScaler SDX appliance does not support Jumbo Frames.
    [# 507731]
  • If an LACP channel is bound to nine or more interfaces and is a member of a tagged VLAN, deleting the channel from a service VM can cause the NetScaler appliance to fail intermittently.
    [# 524320, 630772]
  • The Management Service displays only 1000 virtual servers on a NetScaler VPX instance hosted on a NetScaler SDX appliance, even if more than 1000 virtual servers are configured on the instance.
    Workaround: Manage the virtual servers directly from the NetScaler VPX instance, instead of using the Management Service.
    [# 645987]
  • In rare cases, the link aggregation (LA) channels might flap if both of the following conditions are met:
    - LACP is configured.
    - You use Management Service release 10.5 and XenServer release 6.1.
    If such flapping occurs, the appliance disables the interface and renegotiates LACP with the peer device. This might result in the LA channel being disabled. In an HA setup, this could cause a failover if the channel is connected to a critical interface and the node is primary.
    Workaround: Do either of the following:
    - Upgrade the SDX platform to 11.x (Management Service version = 11.x and XenServer version = 6.5).
    - Configure the LA channels manually instead of using LACP.
    [# 637403, 621301, 642536, 652899]
  • The current software driver for 1Gbe port does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.
    Workaround: After replacing the 1G SFP transceiver, reset the interface from Management Service. If the issue still persists, restart the appliance.
    [# 668696]

NetScaler VPX Appliance

  • NetScaler VPX cannot be directly imported into Hyper-V on Windows Server 2012 R2 using the "Import Virtual Machine" function of Hyper-V Manager.
    Workaround: Create the VPX instance by using the New > Virtual Machine function and connecting the "Dynamic.vhd" file from the Virtual Hard Disks directory which is present after unzipping the release image.
    Note: The newly created VPX instance MUST be configured with a minimum of 2GB memory and with 2 vcpus; setting the vcpus is done by changing the virtual machine settings after the instance is created, but before booting.
    [# 428107]
  • The NetScaler VPX appliances are now supported on VMware ESX server version 6.0.
    [# 592395]
  • NetScaler VPX instances running on Hyper-V 2012 might consume a high percentage of CPU cycles while processing 2G traffic.
    [# 512284]

Networking

  • When the NetScaler appliance forwards packets that are larger than the interface's MTU value, the appliance fragments the packets into 2048-byte packets, regardless of the MTU value configured.
    For example, if the appliance forwards a 9000-byte packet on an interface that you have configured with an MTU of 4000, the appliance fragments the 9000-byte packets into 2048-byte packets.
    [# 429006]
  • If a NetScaler appliance on which the cache redirection feature is enabled supports jumbo frames on the client-side connection but not supported on the server-side connection, the client-side connection behaves as a regular connection.
    [# 422858]
  • If you have enabled Source IP persistency on multiple IPv4 RNAT rules that have the same condition but with different NAT IP addresses, the NetScaler command line and the configuration utility display Source IP Persistency as ENABLED for only one of these rules.
    [# 459679]
  • High availability (HA) synchronization does not work properly after you upgrade an HA setup from a release 10.5 beta build to a GA build.
    Workaround: Disable HA propagation and HA synchronization before upgrading the HA setup, and enable them after the upgrade process is complete.
    [# 486131]
  • A ZebOS API call to a NetScaler ADC fails when the ns ipv6-routing command is part of the input routing config set.
    [# 439294]
  • The IS-IS level 1-2 adjacency between NetScaler ADC and Cisco Nexus Router might flap.
    [# 485385]
  • For an RNAT connection, the NetScaler appliance drops the first ICMP packet that the server sends to the client.
    [# 543171]
  • The NetScaler appliance does not process the BGP remote-as configuration for an IPv6 peer after a reboot resulting in the loss of BGP configuration for this peer.
    [# 685123]
  • The source IP persistency functionality might not work for an RNAT rule that does not have the NAT IP parameter set to an IP address.
    [# 455936]
  • Configuring a Link Load Balancing virtual server as backup to a Load Balancing virtual server is not supported.
    [# 564040, 587817]
  • The NetScaler appliance does not support IPIP tunnels on the client side.
    [# 623671]
  • In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
    [# 677815, 679068]
  • In an HA configuration in INC mode running the OSPF routing protocol, the secondary node drops all L3 traffic that has the destination that was advertised by the secondary node.
    [# 318684]
  • In an active-active high availability configuration using Virtual Router Redundancy Protocol (VRRP) protocol, a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
    [# 485260]
  • The NetScaler appliance drops ND6 solicitation packets received on interfaces that are on muted state.
    [# 684119]

Platform

  • A NetScaler VPX instance does not reboot successfully when deployed on a KVM linux host with Xeon E5-26xx v2 processors.
    Workaround: Reload the kvm_intel module with enable_apicv=N parameter by using the following command:
    modprobe kvm_intel enable_apicv=N
    [# 587727, 615203, 642617, 657386]
  • If you add an NTP time server by specifying the server name (host name), and the ns.conf file is very large, the result is a race condition in which the NTP daemon (NTPD) is started before host name services are ready.
    Workaround: Do one of the following:
    -Restart the NTP daemon after starting the NetScaler appliance.
    -Add the NTP server by specifying the IP address of the server instead of specifying the host name.
    [# 573306]
  • In an Openstack Environment, if a custom flavor with an Ephemeral Disk of size of less than 8GB is used to a start a NetScaler VPX or Cisco Nexus 1000v instance, the config drive is not attached to the instance.
    [# 578366]

Policies

  • The NetScaler appliance might restart if MySQL traffic that does not contain a valid MySQL query triggers a policy that evaluates a default syntax expression beginning with "MYSQL.REQ.QUERY.COMMAND".
    Workaround: Prefix the advanced expression with "MYSQL.REQ.COMMAND.EQ(QUERY) &&" to verify that the MySQL request data contains a valid MySQL query before evaluating the expression.
    [# 608467]
  • After a restart, a NetScaler auto-provision daemon fails to communicate with the configuration engine.
    [# 604823]
  • The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.
    [# 663414, 675873]
  • While evaluating default syntax expression for local time zone, a NetScaler appliance incorrectly applies US daylight savings time (DST) rules in non-US time zone. This results in setting an offset time for an hour. For example, the default expression !(SYS.TIME.GE (LOCAL 8h) & SYS.TIME.LE(LOCAL 17h)) returns 'False' if the local time in US time zone is between 0800 and 1700. In the UK time zone, this expression incorrectly returns 'False' if the local time is between 0700 and 0759 and returns 'True' if the local time is between 1700 and 1759 from 8 Mar 2015 (the start of US DST) to 28 Mar 2015 (the day before the start of UK DST) and also from 25 Oct 2015 (the day after the end of UK DST) to 31 Oct (the day before the end of US DST).
    [# 556230]

SSL

  • The SSL entities to which a policy is bound do not appear in the output of the "show ssl policy" command if it is run on the cluster IP address.
    [# 668520]
  • In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.
    For example,
    > show ssl service svc1 -cipherDetails
    ERROR: No such resource [serviceName, svc1]
    [# 402423]
  • If you use the add crl command in release 9.3 to add a certificate revocation list (CRL) with refresh enabled, and you don't specify a method, the add crl command returns an error after an upgrade to a later release. Unlike 9.3, later releases do not have a default method.
    [# 604061]
  • After you bind a profile to an SSL virtual server, the "show running config" command incorrectly displays the settings that were in effect before the profile was bound to the virtual server. The SSL profile settings override any virtual server settings.
    [# 624090]
  • If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
    [# 660257]
  • Deprecated commands might be lost from the configuration (ns.conf file) after you upgrade to a build that supports the default SSL profile.
    [# 598974, 671233]
  • The description string of a cipher in the output of the "show ssl service" command differs if the command is run on the NetScaler IP address and on the cluster IP address.
    [# 669128]
  • A "certificate mismatch" error message appears if the order of certificates in the .pfx file is not as follows:
    - Server certificate (should be the first certificate in the file)
    - Intermediate certificate(s)
    - Root CA certificate
    The server key can be anywhere in the file.
    [# 535145]
  • The online certificate status protocol (OCSP) URL does not resolve to the correct IP address after the DNS server resolves it to a new IP address.
    Workaround: See https://support.citrix.com/article/CTX218959.
    [# 654743]
  • An incorrect entry is logged for handshake failure, even though the handshake succeeds, if both of the following conditions are met:
    -You use a Safari browser to access the NetScaler appliance.
    -OCSP responder is configured and client authentication is enabled on the SSL virtual server.
    [# 676629]
  • If you try to add a certificate bundle with the complete path to a certificate-bundle file, an error message appears. For example,
    > add ssl certkey bundle -cert /nsconfig/ssl/bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES
    ERROR: Processing of certificate bundle file failed.
    Workaround: Specify only the file name. For example,
    > add ssl certkey bundle -cert bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES
    [# 481878, 521933]
  • In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
    [# 667389]
  • A few extra messages appear in the output if you run the show command for the back-end SSL service, service groups, or internal services on a cluster IP address.
    [# 669064]
  • A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.
    [# 673348, 682192, 682160, 684547, 684992, 687515]
  • An incorrect error message is displayed in both the following cases:
    1. Client authentication is enabled, root CA certificate is not bound to the SSL virtual server, and a request with a valid client certificate is sent to the virtual server.
    2. Client authentication is enabled, root CA certificate is bound to the SSL virtual server, and a request with a wrong certificate is sent to the virtual server.
    The error message that appears is "Handshake failure-Internal Error" instead of "No client certificate received."
    [# 664574]
  • On a NetScaler VPX instance, an error message does not appear if you enable TLS protocol version 1.1 or 1.2 on the backend SSL service or backend SSL profile. These protocols are not supported on a backend SSL service or profile.
    [# 658396]
  • The output of the "show SSLlogProfile" command does not display the entities to which the log profile is bound.
    [# 658756]
  • If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
    [# 678474]
  • In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.
    [# 674278, 678890]
  • An incorrect error message appears if you try to associate an SSL log profile with an SSL action of type DATA INSERTION.
    [# 653279]
  • On a platform that has N3 chips, you cannot use the NetScaler GUI to bind ECDHE, AES-GCM, or SHA2 cipher groups to a back-end service or service group, because these cipher groups are not listed in the GUI.
    Workaround: Use the NetScaler command line. At the NetScaler command prompt, type:
    bind ssl service <serviceName> -cipherName <string>
    To bind a cipher to a service group, replace service with servicegroup in the above command.
    [# 640546]
  • If you update a certificate-key pair from DER to PEM format, the message "Invalid Certificate" appears.
    Workaround: Add "-inform PEM" in the update command.
    [# 630248]
  • If CRL auto refresh is enabled and the LDAP method is selected, the following, incorrect, error message appears: "Either URL or server-IP required on CRL."
    This message should indicate that a server IP address is required.
    [# 459987]
  • Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
    [# 675882, 677473]

System

  • A NetScaler appliance might not honor persistence for a load balancing virtual server with a wildcard configuration if information about the back-end server is not available.
    [# 556385]
  • Downloading a file over a TCP connection in which the client side has a non-jumbo MSS (less than or equal to 1460 bytes) and the server side has a jumbo MSS (greater than or equal to 1460 bytes), causes a slight increase in latency.
    [# 428209]
  • For virtual servers and services using the default TCP profile (nstcp_default_profile) with the MSS parameter set to zero, the NetScaler appliance uses 1460 as the value for TCP MSS instead of using a value based on interface MTU and VLAN MTU.
    [# 472833]
  • FreeBSD version for Auditlog Server
    For NetScaler 10.5 and later releases, the auditlog server fails to start if it is deployed on a FreeBSD 6.3 system.
    Background: In this release, the NetScaler supports auditlog servers on FreeBSD 8.4. Therefore, auditlog servers that are deployed on FreeBSD 6.3 systems will not start.
    Workaround: Upgrade to FreeBSD OS on which you have the auditlog server, from 6.3 to 8.4.
    [# 447571]
  • For a client connection to a TCP virtual server, the NetScaler appliance incorrectly decrements the counter for the current number of client connections, even when the TCP connection is terminated before the 3-way handshake is completed. The appliance incorrectly displays a large positive number of client connections even when there are no clients connected to the virtual server.
    [# 622309, 641490, 676640]
  • The updated host name for a NetScaler appliance does not appear on the LCD panel until after the appliance is restarted.
    [# 560854]
  • Wireshark Version for Getting NetScaler Trace
    Wireshark is required to open nstrace files (cap and pcap). For NetScaler 10.5 and later releases, Wireshark must be upgraded to version 1.11.3 or any later version. You can download the latest version from: https://www.wireshark.org/download.html.
    [# 462557]
  • If, when you reboot a NetScaler appliance, the SNMP agent starts before the system monitoring application, the agent reads the Voltage and Fan Speed counter values as zero and sends low-threshold traps. Then, when the system monitoring application starts and updates the counter values, if the values are still less than the threshold values, the SMNP agent does not send traps to clear the low-threshold traps.
    Workaround: Set the alarm threshold value as described at http://docs.citrix.com/en-us/netscaler/11/netscaler-hardware-installation/netscaler-hardware-system-health-attributes.html.
    [# 571914]
  • A NetScaler appliance is designed to work on a standalone or a high availability appliance. As a result, an issue is identified and all the log messages are sent to the NSLOG server.
    [# 609655]
  • Data might be dropped when a client requests a small window size. When client sends a small window size (less than 8190 bytes) in its request packet to a NetScaler appliance, the appliance advertises a window size of 8190 bytes to the back-end server. Upon receiving this information, the server sends up to 8190 bytes of data to the appliance, and in turn the appliance, in transparent mode, sends the same amount of data to the client, even if the actual window size is less than the window size advertised by the client. If a device between the appliance and client checks the window size before accepting the data, that device might drop the data that does not fit in the client's window size.
    Workaround: Enable the end point processing features on NetScaler to control the complete TCP stack independently. Such features are TCP Buffering, SSL Offload etc
    [# 622573]
  • The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
    [# 678015]
  • If you access a NetScaler appliance from the GUI, the TCP/IP Connection page supports only a set of classic and advanced policy expressions as a filter. If you use an unsupported expression as a filter, the NetScaler GUI does not display a warning message, and using the unsupported expression leads to an appliance failure.
    Note: You can type the show connectiontable command to view the list of supportable expressions.
    [# 614494]
  • When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.
    [# 674165]
  • If appflow and client side measurements are enabled, the NetScaler appliance deletes the NSC_ESNS cookie before forwarding the request to the backend server. A rule was rewritten and configured to insert the Pback cookie in the request sent to the backend server. We are corrupting the OutllookSession cookie when we are trying to do both insert and delete in the HTTP request at the same offset. This is causing sign-on problems. This issue is under investigation.
    [# 633371, 682640]
  • If multiple trap destinations have the same IP address but different SNMP versions, one of which is SNMPv3, modifying an SNMPv3 trap message leads to an appliance failure.
    [# 683622, 683806]
  • If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
    [# 676599]
  • MPTCP does not support FTP data connections.
    [# 400819]
  • Virtual servers to which a listen policy is bound accept connections from the first subflow only.
    [# 400861]
  • The "unset authentication localPolicy" command is removed from this version onwards.
    [# 483524]
  • When you log web transactions on a web server and on a NSWL server, the cs user name is properly logged in the web server while the user name is logged as a hypen (-) instead of a user name. This issue occurs when you specify a %u in the field format.
    [# 238440, 239481, 247372, 422873]
  • When configuring Web Interface sites through the wizard, when the "Trust ssl certificate" option is checked, certificates bound to the VPN virtual server are not imported to the JVM.
    Workaround: You must import the certificates manually by executing the following command from the shell prompt:
    > /netscaler/wi/export_cert.sh
    [# 481008]
  • In a high availability environment, if you add Network Time Protocol (NTP) to a primary node by specifying the NTP server's DNS name, the command is not propagated to the secondary node.
    Workaround: Specify the NTP server's IP address.
    [# 639529]
  • With USIP enabled, MPTCP requests do not go through.
    [# 331338]
  • The NetScaler appliance may display messages that are a result of file system compatibility checks that are performed when booting up. These messages are informational only, and do not have any adverse impact on the functioning of the NetScaler.
    [# 452382, 459464, 530627]
  • In a TACACS authentication configuration, if you clear the system global TACACS policy, the NetScaler appliance displays a warning error message: "Config NodeGroup changed, force cluster sync should be fired on the newly added node to be in sync."
    [# 666392]

Upgrade and Downgrade

  • You cannot log on to the NetScaler appliance after upgrading its firmware. This issue is caused by insufficient storage space. To verify that that is the problem, check to see if the /var directory is 100% full. To fix the problem, delete unnecessary files. The following procedure is recommended:
    1) At the shell prompt, type the df -h command to display the disk-usage statistics. If they indicate that the /var directory is full, take the following steps.
    2) Check for any trace files in the /var/nstrace directory. Delete unnecessary files. Back up required files, including files that need to be analyzed, to a location outside the NetScaler appliance.
    Note: For more information about how to back up NetScaler files, see
    https://docs.citrix.com/en-us/netscaler/10-5/ns-system-wrapper-10-con/ns-sys-basic-operations-wrapper-con/ns-sys-backup-restore-tsk.html
    3) Check for files in the /var/core or /var/crash directory. These files indicate a problematic condition and should be analyzed. Back up these files to a location outside the NetScaler appliance and send them to Citrix Technical Support for further analysis. Delete the backed up files from the NetScaler appliance.
    4) Check for any user-initiated downloads, such as build files, and delete the older ones. Generally, build files are downloaded to the /var/nsinstall directory.
    For more information about how to free up storage space, see https://support.citrix.com/article/CTX133588
    [# 638818]
  • When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has been completed.
    Workaround: Log off and log back on to the NetScaler appliance to check the firmware version.
    [# 646046]

User Interface

  • The names of GSLB entities are case sensitive. If you have entities with the same name in different cases (uppercase or lowercase) on different nodes in your GSLB deployment, GSLB synchronization fails.
    Workaround:
    Change the entity names so that the same name is always in same case (either uppercase or lowercase).
    [# 533475]

Web Interface on NetScaler (WIonNS)

  • On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.
    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
    [# 397150]
  • If the NetScaler appliance is upgraded from version 10.1 to 10.5 and the maxSite setting of Web Interface on NetScaler is 3, the system does not have sufficient memory to handle 5000 users accessing Web Interface on NetScaler.
    [# 601304]

What's New in Previous NetScaler 10.5 Releases

The enhancements and changes that were available in NetScaler 10.5 releases prior to Build 66.6. The build number provided below the issue description indicates the build in which this enhancement or change was provided.

AAA-TM

  • Responder After AAA
    On a NetScaler ADC that has AAA configured, the ADC now invokes responder policies after authenticating users. Previously, users could not bookmark the authentication sign-on page. This limitation no longer exists.
    [From Build 50.10] [# 258274, 258277]
  • Web-based Authentication
    AAA-TM is now able to authenticate a user to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful.
    To set up web-based authentication with a specific web server, first you create a web authentication action. Since authentication to web servers does not use a rigid format, you must specify exactly which information the web server requires and in which format when creating the action. To do this, you create an expression in NetScaler default syntax. Next you create a policy associated with that action. The policy is similar to an LDAP policy, and like LDAP policies uses NetScaler classic syntax.
    [From Build 50.10] [# 431391]
  • Extracting SAML Attributes from Keytab
    The AAA Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, AAA selects the correct SPN. You can configure this feature at the NetScaler command line, or by using the configuration utility.
    To configure AAA to extract user information from a keytab file at the command line, type the appropriate command:
    add authentication negotiateAction <name> [-keytab <string>]
    set authentication negotiateAction <name> [-keytab <string>]
    For <name>, substitute the name of the negotiateAction. If you are adding a new action, the name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. For <string>, substitute the full path and filename of the keytab file that you want to use.
    To configure AAA to extract user information from a keytab file by using the configuration utility, do the following steps:
    1) Open Security, AAA, Policies, Authentication, Negotiate.
    2) In the Data pane, click the Servers tab.
    3) Do one of the following:
    * If you want to create a new Negotiate action, click Add.
    * If you want to modify an existing Negotiate action, in the data pane select the action, and then click Edit.
    4) If you are creating a new Negotiate action, in the Name text box, type a name for your new action.
    The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters.
    If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.
    5) Under Negotiate, if the Use Keytab file check box is not already checked, check it.
    6) In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.
    7) In the Default authentication group text box, type the authentication group that you want to set as default for this user.
    8) Click Create or OK to save your changes.
    [From Build 50.10] [# 405134]
  • NetScaler as SAML IDP
    The NetScaler ADC can now act as a SAML identity provider (IDP). As an IDP, the ADP accepts SAML tokens from user sthat request access to a protected application, redirecting users to the SAML service provider (SP) logon page to authenticate. After the user authenticates, the ADC generates a SAML assertion that grants access to the protected resource and redirects the user to it. When the user logs out or is logged out by any SP, the ADC sends logout requests to all other SPs that the user accessed during the current session and terminates the session.
    For more information, see the NetScaler documentation.
    [From Build 50.10] [# 406525]
  • With previous versions of the NetScaler ADC, OWA 2010 connections did not timeout because OWA sends repeated keepalive requests to the server to prevent timeouts, which interfered with single sign-n and posed a security risk. AAA-tm now supports forced timeouts that ensure that OWA 2010 sessions timeout after the specified period of inactivity.
    For more information and configuration instructions, see the documentation.
    [From Build 50.10] [# 247952, 419622, 426196]
  • KCD Performance Improvements
    When creating a KCD Account with a delegated user certificate and CA certificate, AAA now searches the /nsconfig/ssl directory for the two certificate files, where those certificates are kept, instead of searching /nsconfig/krb.
    [From Build 50.10] [# 412687]
  • AAA-TM can now be configured to authenticate users with an external RADIUS or LDAP authentication server at a specific FQDN instead of only at a specific IP. Configuration via FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might appear on any of several IPs, but always uses a single FQDN.
    Note: When you configure AAA to authenticate to an external server via FQDN instead of IP, you add an extra step to the authentication process because the ADC must resolve the FQDN each time that it authenticates a user. If a great many users attempt to authenticate simultaneously, the DNS lookups might slow the authentication process.
    To configure authentication by using a server's FQDN instead of IP, follow the normal configuration process except when creating the authentication action, where you substitute the serverName parameter for the serverIP parameter, as shown below:
    > add authentication ldapAction <name> -serverName <serverName>
    > add authentication radiusAction <name> -serverName <serverName>
    For <serverName>, substitute the fully-qualified domain name (FQDN) of the LDAP or RADIUS authentication server.
    [From Build 50.10] [# 338718, 314443]
  • Authentication Server Stickiness
    After a user authenticates successfully to an LDAP, RADIUS, or TACACS authentication or authorization server, the NetScaler ADC now connects to the same server for subsequent user authentications or authorizations. When a primary server is unavailable, this feature prevents delays while the ADC waits for the first server to time out before resending the request to the second server.
    For example, assume that you have AAA configured on your ADC with three authentication policies--authpol1, authpol2, and authpol3--with priorities set to 10, 20, and 30 respectively. A user requests authentication, and the ADC discovers that the authentication server behind authpol1 does not respond to authentication requests. The ADC then tries authpol2, which responds. When other users attempt to authenticate after this situation occurs, the ADC skips authpol1 and proceeds directly to authpol2.
    [From Build 50.10] [# 358894]
  • Unlocking Locked-Out User Accounts
    You can now unlock a user account that was locked out after too many failed logon attempts or after repeated violations of logon attempt time slice limits. To unlock a locked-out user account by using the configuration utility, navigate to Security > AAA-Application Traffic > Users. In the data pane, select the user account to unlock, and then in the Actions drop-down list, choose Unlock. To unlock a locked-out user account from the command line, type the following command:
    unlock aaa user <userName>
    [From Build 50.10] [# 437164]
  • NetScaler Default Expressions support for authentication subsystem
    AAA-TM now supports NetScaler default syntax expressions in the following parts of the authentication subsystem:
    * Authentication policy rules. You can use default syntax expressions as Authentication policy rules. The default syntax expression editor now appears in the configuration utility when you create or configure an authentication policy, From the command line, you can simply use default syntax to create the rule for your policy and AAA-TM will recognize and implement it.
    * Authentication policy bindings. Authentication policies, when bound, can each be associated with the "nextFactor" policyset. The nextFactor policyset is evaluated if the policy to which it is associated succeeds. nextFactor support permits policy pairing and grouping, and allows you to create cascading chains of policies all of which can be evaluated in turn. There is no upper limit to the number of policies that can be chained in this manner.
    All policies bound to a single authentication server must be either NetScaler default syntax policies or NetScaler classic syntax policies. You cannot mix both types of policy on a single authentication server.
    [From Build 50.10] [# 418615]
  • Renegotiate Support for Certificate-based Policies
    AAA-TM now prompts for the client certificate only when it requires the certificate to authenticate a user, not every time that a protected application requests authentication. It retrieves the certificate if two factor authentication is not enabled, or if it is configured to extract the user name from the certificate.
    [From Build 50.10] [# 425621]
  • Strong Encryption Support in Kerberos KCD
    AAA-TM now supports the aes256-sha1 and aes128-sha1 strong encryption methods for Kerberos KCD. Previously, when KCD was configured to use delegated user credentials, AAA used the relatively weak RC4-HMAC encryption algorithm to encrypt the timestamp when sending a ticket-granting request to the Kerberos server. If the system administrator had restricted use of weak encryption algorithms on the Kerberos server, the Kerberos server would respond with an error instead of the requested ticket, causing KCD to fail. AAA now uses aes256-sha1 to encrypt timestamps for delegated user credentials.
    [From Build 50.10] [# 427766]
  • When sending SAML Authentication request to external identity provider, the NetScaler ADC now offers an option to send the thumbprint of the certificate that was used to sign the message instead of sending the complete certificate. When the "sendThumbprint" option in SAML action is set to ON, the ADC allows putting the thumbprint in SAML auth request instead of the full X509 certificate. The "sendThumbprint" option is off by default.
    [From Build 54.9] [# 505673]
  • SHA256 Signature and Digest Algorithms Support
    AAA now supports encrypted SAML assertions. The NetScaler implementation of SAML allows signing certificates of less than 2048 bits, but displays a warning message. It also supports the SHA256 hash algorithm for signatures and digests. Citrix recommends that all signing certificates be of at least 2048 bits, and that you use SHA256 as SHA-1 is no longer considered secure.
    [From Build 56.22] [# 440382, 457134]

AAA-TM, Responder

  • Using a Responder HTML Response Page to provide Customized Error Responses
    You can use the Citrix NetScaler Responder feature to create custom error responses when a user attempts to authenticate with AAA-TM and authentication fails. The Responder feature is flexible; you can create as many error responses as you wish, and respond to as many different error conditions. For example, if your users log on to different authentication servers in different geographic areas, you can customize responses to each region. A user in the United States can receive an error message that is appropriate to his or her authentication server, and be directed to a customer service telephone number in the United States. A user in Japan can receive the same for his or her different authentication server and customer service telephone number.
    Briefly, to create a Responder configuration for this scenario, first create each error message and place that error message on a web server. The web server should not be located on the same physical server as the authentication server, and preferably not on the same subnet. If you have multiple regional data centers that host separate authentication servers, it is advisable to locate each error response in a different data center than hosts the authentication server that it is used for, so that local power outages or Internet connectivity problems do not affect the web server that hosts the error messages. Then, on the ADC, do the following steps:
    1) Create one load balancing virtual server for each error message.
    2) Create a policy for each error message that selects the requests that should receive this error message if authentication fails, and bind each policy to the appropriate load balancing virtual server.
    3) Create a responder action for each error message that contains an HTTP 307 Redirect that points to the URL of the customized error message.
    4) Create a responder policy for each error message that selects connections that should receive that error message, and bind that policy to the appropriate responder actions. You must craft a rule for the responder policy that selects connections that meet the appropriate criteria. For example, if you want connections that originate in the USA and that fail authentication to receive this error message, the rule could identify the region by source IP, and the authentication failure by error message.
    5) Bind each responder policy to the correct virtual server, as shown below.
    > bind lb vserver <vServerName> -policyName <policyName> -priority 1 -gotoPriorityExpression END
    For detailed instructions on how to set up a responder configuration of this type by using the command line, see the following article on the Citrix Customer Support web site:
    http://support.citrix.com/article/CTX129108
    [From Build 50.10] [# 414985]

AppFlow

  • The process of collecting the load time and render time of web pages has been simplified by including the clientSideMeasurements parameter as part of the add appflow action command.
    On the command line interface, enable this option by running the following command:
    > add appflow action <name> -clientSideMeasurements ENABLED
    For details about configuring an AppFlow action, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-ag-appflow-config-actn-tsk.html.
    [From Build 50.10] [# 434577]
  • Indication for End of Transaction
    A transaction flag now indicates, to external collectors, whether the transaction was successfully completed or was aborted.
    [From Build 50.10] [# 252000]
  • NetScaler ADC now exports AppFlow records to a set of collectors if the transaction responses are served from the NetScaler cache.
    [From Build 50.10] [# 423567]
  • NetScaler ADC now supports the session reliability feature, so that sessions that are monitored by the ADC for ICA traffic can seamlessly reconnect even after a network disruption. This feature keeps sessions active even if network connectivity is interrupted, and to indicate that connectivity is lost, the user's device display freezes and the cursor changes to a spinning hourglass until connectivity resumes. The user can resume interacting with the application once the network connection is restored.
    Note: Make sure to enable the session reliability feature on XenApp or XenDesktop for NetScaler ADC to support this feature.
    [From Build 54.9] [# 388563, 417260, 438710, 488206]

Cisco RISE Integration

  • Configuring RISE with NetScaler ADC and Cisco Nexus 7000 Switches.
    You can now use Remote Integrated Service Engine (RISE) technology to integrate a NetScaler ADC and a Cisco Nexus 7000 Series switch. This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.
    With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus 7000 series switch. The key functionalities of the RISE architecture include:
    - Plug and play auto-provisioning. RISE provides a plug and play auto-provisioning feature. When you directly connect the NetScaler ADC to the Cisco Nexus 7000 series switch, auto-discovery commences.
    - Discovery and bootstrapping. The discovery and bootstrap mechanism enables the Cisco Nexus 7000 Series switch to communicate with the NetScaler ADC by exchanging information to set up a RISE channel, which transmits control and data packets.
    - Health Monitoring. The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.
    - Automatic Policy Based Routing (APBR). Automatic Policy Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.
    [From Build 50.10] [# 413833]

Cluster

  • A NetScaler cluster can now be configured to run with less than (n/2 + 1) number of nodes online. To do this, while creating a cluster instance, you must set the "quorumType" parameter to none as shown here:
    > add cluster instance <clid> -quorumType None
    [From Build 50.10] [# 407139]
  • Layer2 Mode Support in a Cluster
    You can now use the Layer2 mode in a NetScaler cluster. For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-l2-mode-con.html.
    [From Build 50.10] [# 441320]
  • VRID/VRRP is now supported on a NetScaler cluster.
    [From Build 50.10] [# 407100]
  • Link Redundancy Support in a Cluster
    The NetScaler cluster now provides link redundancy with LACP. For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-traf-dist-link-redundancy-con.html.
    [From Build 50.10] [# 415116]
  • Spotted VIP for NetScaler Gateway clusters. Spotted VIP functionality has been expanded to enable clustering for NetScaler Gateway.
    [From Build 50.10] [# 317314]
  • You can now add a failover interface set (FIS) on the nodes of a NetScaler cluster. On the cluster IP address, specify the ID of the cluster node on which the FIS must be added as follows:
    > add fis <name> -ownerNode <nodeId>
    Note:
    - The FIS name for each cluster node must be unique.
    - A cluster LA channel can be added to a FIS. You must make sure that the cluster LA channel has a local interface as a member interface.
    [From Build 50.10] [# 430035]
  • Traffic domains are now supported on a NetScaler cluster.
    [From Build 50.10] [# 415065]
  • MPTCP is now supported on a NetScaler cluster.
    [From Build 50.10] [# 423654]
  • Net profiles are now supported on a NetScaler cluster. You can bind spotted IP addresses to a net profile which can then be bound to spotted load balancing virtual server or service (defined using a node group) with the following recommendations:
    - If the "strict" parameter of the node group is "Yes", the net profile must contain a minimum of one IP address from each node of the node group member.
    - If the "strict" parameter of the node group is "No", the net profile must include at least one IP address from each of the cluster nodes.
    - If the above recommendations are not followed, the net profile configurations will not be honored and the USIP/USNIP settings will be used.
    [From Build 50.10] [# 416827]
  • GSLB support in a Cluster
    Global server load balancing can now be configured on a NetScaler cluster. To do this, you must log on to the cluster IP address to define the GSLB entities and then bind these entities to a a single member cluster node group.
    For detailed information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-gslb-con.html.
    [From Build 52.11] [# 326601]
  • From NetScaler 10.5 Build 52.11, the cluster feature is licensed with the Platinum and Enterprise licenses. In earlier releases, the cluster feature was licensed by a separate cluster license file.
    Note:
    - If you have configured a cluster in an earlier build, the cluster will work with the separate cluster license file. No changes are required.
    - When you configure a new cluster in Build 52.11 and then downgrade to an earlier build, the cluster will not work as it now expects the separate cluster license file.
    [From Build 52.11] [# 486259]

Compression

  • Specifying a Vary Header Value
    When using HTTP compression, you can explicitly specify a "vary" header value for compressed responses. Prior to this enhancement, the vary header was implied to be "Accept-Encoding, User-Agent".
    To specify the customized vary header globally:
    > set cmp parameter -addVaryHeader ENABLED -varyHeaderValue <string>
    To specify the customized vary header for a specific compression action:
    > add cmp action <name> <cmpType> -addVaryHeader ENABLED -varyHeaderValue <string>
    [From Build 50.10] [# 346214]

Configuration Utility

  • The NetScaler graphical user interface (GUI) has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration. The configuration settings have been classified as basic and advanced for some features. The NetScaler ADC configuration utility and NetScaler Gateway configuration utility has also been reimplemented in HTML. As a result of these enhancements, the GUI does not display pop-up dialog boxes for most features and you no longer need Java Runtime Environment (JRE) to access these features through the GUI.
    For more information, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-5-map/ns-rn-changes-gui-10-5-con.html
    [From Build 50.10] [# 251336, 251607, 251645, 251760, 251797, 257879, 257949, 261240, 261339, 285382]
  • Distinguish between Commands Executed from Different NetScaler Interfaces
    The NetScaler now keeps track of the interfaces through which operations are executed. You can view this information in syslogs (in the NetScaler GUI, navigate to Configuration > System > Auditing > Audit Messages > Syslog messages) or in the ns.log (located at the /var/log/ directory) file.
    For example, operations that are performed through the API are flagged as "API CMD_EXECUTED".
    [From Build 50.10] [# 361917]

Content Accelerator

  • Content accelerator is a NetScaler feature that you can use in a Citrix ByteMobile T1100 deployment, to store data on a Citrix ByteMobile T2100 appliance. This saves bandwidth and provides faster response times, because the NetScaler does not have to connect to the server for repeated requests of the same data.
    For more information, see http://support.citrix.com/proddocs/topic/ns-optimization-10-5-map/ns-content-accl-con.html.
    [From Build 50.10] [# 427565]

Content Switching

  • Multiple Port Content Switching Support for SSL_TCP Virtual Servers
    You can now configure the NetScaler ADC so that SSL_TCP content switching virtual servers listen on multiple ports without having to configure separate virtual servers. Instead of configuring multiple virtual servers with the same IP address and different ports, you can now configure one IP address and specify the port as * . As a result, the configuration size is also reduced.
    [From Build 50.10] [# 450367]
  • Content Switching Support for Diameter
    The NetScaler ADC now supports content switching for the Diameter protocol. A number of expressions have been added, and you can use them to examine the header and the attribute-value pairs (AVPs) in a Diameter packet. On the basis of that information, you can forward the request to the selected load balancing virtual server.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-cs-customizing-diameter-for-cs-tsk.html.
    [From Build 50.10] [# 413072]
  • When you create a content switching virtual server, NetScaler now supports using DNS TCP as the protocol used by the virtual server.
    [From Build 50.10] [# 365650]
  • Multiple Port Content Switching Support for HTTP and SSL Virtual Servers
    You can now configure the NetScaler ADC so that HTTP and SSL content switching virtual servers listen on multiple ports without having to configure separate virtual servers. This feature is especially useful if you want to base a content switching decision on a part of the URL and other L7 parameters. Instead of configuring multiple virtual servers with the same IP address and different ports, you can now configure one IP address and specify the port as *. As a result, the configuration size is also reduced.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-cs-customizing-multiport-http-ssl-tsk.html
    [From Build 50.10] [# 386601]

DNS

  • NAPTR DNS Record
    NetScaler ADC supports DNS NAPTR (Naming Address Pointer) record type. NAPTR records are generic DNS record type, but are commonly used in internet telephony for service discovery. They therefore enable clients to discover which server the request should go to for a particular service and which protocol to use to connect to the server.
    NetScaler ADCs support NAPTR in two modes: ADNS mode and proxy mode. You can create a NAPTR record using both, command line interface and the NetScaler Configuration Utility.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-crt-naptr-rec-tsk.html
    [From Build 50.10] [# 413773]
  • AA bit set for response from NetScaler Cache
    In the previous releases, for NODATA responses with AA bit, NetScaler would ignore AA bit (authoritative bit) while caching. For such DNS queries NetScaler would reply with NODATA response from cache without setting the AA bit. The behavior has been enhanced with current release. NetScaler will respond with the AA bit for negative cached responses just as it does for positive cache responses.
    [From Build 50.10] [# 285009]
  • Enabling or Disabling the Recursion Available Flag
    A new parameter -RecursionAvailabe (YES|NO) is introduced in load balancing virtual server (for DNS and DNS_TCP types). The option by default has a value of NO. When you use the load balancing virtual server to load balance recursive resolvers, you can turn this option to YES. This will cause NetScaler to respond with RA bit set on all responses.
    [From Build 50.10] [# 403114, 248936, 269857, 388338]
  • CNAME Record Caching
    NetScaler ADC when deployed in a proxy mode does not always send the query for an address record to the back-end server. This happens when for an answer to a query for an address record, a partial CNAME chain is present in the cache. Under few conditions, ADC caches the partial CNAME record and serves the query from the cache.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html
    [From Build 50.10] [# 422509]

DataStream

  • Support for Database Specific Load Balancing for MySQL
    Database specific load balancing is now supported for MySQL databases. If a database is available on multiple servers but is online on only some of these servers, the client request is forwarded to the server on which the database is online. Enable the DBSLB option when you create a load balancing virtual server. To store the database list on the NetScaler ADC, while creating a MYSQL-ECV monitor, enable storeDB.
    [From Build 50.10] [# 418490]
  • Support for SQL Server High-Availability (HA) Group Deployment
    The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html
    [From Build 50.10] [# 415485]
  • Support for Fallback to NTLM Authentication
    Currently AAA supports Kerberos authentication only with Datastream Windows Authentication. AAA does not support fallback to NTLM if Kerberos authentication fails.
    [From Build 50.10] [# 382693]
  • Support for Transparent Deployment Mode in MySQL
    You can now configure the NetScaler ADC to operate transparently between MySQL clients and servers, and to only log or analyze details of all client-server transactions. Transparent mode is designed so that the ADC only forwards MySQL requests to the server, and then relays the server's responses to the clients. As the requests and responses pass through the ADC, the ADC logs information gathered from them, as specified by the audit logging or AppFlow configuration, or collects statistics, as specified by the Action Analytics configuration. You do not have to add database users to the ADC.
    [From Build 50.10] [# 410824]
  • Any NetScaler MPX or VPX appliance subject to a limit on the number of DataStream transactions per second will no longer be restricted by license or platform model number.
    [From Build 52.11] [# 479490]

Enhancements

  • There are no enhancements in this build.
    [From Build 65.11] [# 680937]

GSLB

  • GSLB Auto Sync Enhanced to to Sync Static Proximity Database
    GSLB autosync has been enhanced to synchronize global server load balancing (GSLB) static proximity databases. When autosync is triggered on the master site, first the static proximity database is synchronized followed by the synchronization of configuration.
    For more information see, http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-gslb-synchro-static-proximity-db.html
    [From Build 50.10] [# 286236]
  • Viewing the configuration details of the entities bound to a GSLB domain
    You can now view the configuration details of the entities bound to a GSLB domain. The details include the configuration of the virtual servers, services, and the monitors bound to the GSLB domain. To view the details, you can use either the command line or the configuration utility.
    For more information, see http://docs.citrix.com/en-us/netscaler/10-5/ns-tmg-wrapper-10-con/netscaler-gslb-gen-wrapper-10-con/ns-gslb-config-con/ns-gslb-bind-dom-vsvr-tsk.html.
    [From Build 56.22] [# 343525]

Integrated Caching

  • Increased Metadata Cache Capacity
    The number of cached objects that the cache memory can store has now been increased.
    [From Build 50.10] [# 417677]
  • Cache Object Persistence in a High Availability Setup
    When integrated caching is used in a high availability setup, in addition to storing the cached objects on the primary appliance, the objects are also stored on the secondary appliance. This reduces bandwidth usage as cached objects are not lost during failover and the request can then be served directly from the cache of the secondary appliance.
    To enable this functionality globally, execute the following command:
    > set cache parameter -enableHaObjPersist Yes
    To enable this functionality on a specific content group, execute the following command:
    > set cache contentGroup <name> -persistHA Yes
    [From Build 50.10] [# 329012]

Load Balancing

  • Monitors for XenMobile Device Manger (XDM) and XenMobile Device Connector (XNC)
    NetScaler allows a user to create monitors to check the status of the XenMobile Device Manager (XDM) and XenMobile NetScaler Connector (XNC) servers. The citrix-xdm monitor is used to monitor the XDM server while the citrix-xnc-ecv monitor is used to monitor the XNC server. You can add these monitors by using the add lb monitor command from the command-line interface or by using the GUI.
    * The XDM monitor uses the username, password, and site path strings to probe the XDM server.
    * The XNC monitor uses the username, password, send, and recv strings to probe the XNC monitor.
    [From Build 50.10] [# 402361]
  • Rate Limiting Support for Diameter
    You can now configure rate limiting for diameter messages. In the following example, NetScaler limits the rate to 100 messages per second and sends UNABLE_TO_DELIVER if the rate exceeds that limit.
    > add ns limitidentifier rslm1 -threshold 100 -timeSlice 1000 -mode REQUEST_RATE -limittype bursty
    > add responder action rsact1 respondwith "DIAMETER.NEW_ERROR_ANSWER + DIAMETER.NEW_AVP(263, DIAMETER.REQ.SESSION_ID.VALUE) + DIAMETER.NEW_AVP_UNSIGNED32(268, 3002)"
    > add responder policy rspol1 "SYS.CHECK_LIMIT("rslm1")" rsact1
    [From Build 50.10] [# 399053]
  • Increased Limits on the Number of Service Groups
    You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.
    [From Build 50.10] [# 406355]
  • Support for Jumbo Frames in RADIUS
    The NetScaler ADC now supports RADIUS jumbo frames.
    For more information on jumbo frames, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-jf-overview-con.html.
    [From Build 50.10] [# 429415]

NITRO API

  • Uploading and Retrieving Files for NetScaler SDX Using NITRO
    NetScaler SDX operations such as configuring SSL certificates requires the input files to be available locally on the appliance. NITRO allows you to perform file operations such as uploading file to the SDX, retrieving a list of files and the file content from the SDX, and also delete files from the SDX. These operations can be performed for files of type: cert,key, software images etc.
    [From Build 50.10] [# 408441]
  • Python SDK for NetScaler SDX and NetScaler Insight Center NITRO
    NITRO now provides Python SDKs for configuring the NetScaler SDX appliance and the NetScaler Insight Center appliance. The SDKs can be downloaded from the Downloads page of the appliance's configuration utility.
    [From Build 50.10] [# 451606]
  • Uploading and Retrieving Files for NetScaler Using NITRO
    NetScaler operations such as configuring SSL certificates requires the input files to be available locally on the NetScaler appliance. NITRO allows you to perform file operations such as uploading file to the NetScaler, retrieving a list of files and the file content from the NetScaler, and also delete files from the NetScaler. These operations can be performed for files of type: txt, cert, req, xml, and key.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-main-api-10-5-map/ns-nitro-rest-file-ops-ref.html.
    [From Build 50.10] [# 262824, 257935, 259969]
  • Python SDK for NetScaler NITRO
    NITRO now provides a Python SDK for configuring the NetScaler appliance. The SDK can be downloaded from the Downloads page of the NetScaler appliance's configuration utility.
    [From Build 50.10] [# 425725]
  • Viewing the Statistics of Services and Service Groups that are Bound to a Load Balancing Virtual Server
    You can now view the statistics of services and service groups that are bound to a load balancing virtual server by using the following URL:
    http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>?statbindings=yes
    You cannot view these details by using the "http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>" URL which only gives the statistics of the load balancing virtual server.
    [From Build 58.11] [# 241950, 244603, 523907, 534804, 538057]

NetScaler Gateway

  • Tranferring ICA Proxy Sessions Between Devices
    If you configure a SmartAccess virtual server, when users log on from multiple devices, you can transfer the ICA Proxy session to another device and restrict users to one Universal license. For example, if users log on by using Citrix Receiver on their computer and then log on again from a mobile device, this consumes two NetScaler Gateway Universal licenses and creates two sessions for one user. You can prevent the two sessions by enabling the setting ICA Proxy Session Migration on the virtual server. When you enable this setting, the user session transfers to the new device and uses one Universal license.
    To enable session transfer
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
    2. In the details pane, select a SmartAccess virtual server and then click Open.
    3. Select ICA Proxy Session Migration and then click OK.
    [From Build 50.10] [# 428669, 436370]
  • Advanced endpoint analysis
    NetScaler Gateway contains built-in scans for a wide variety of applications and services with the Endpoint Analysis Plug-in for Windows- based computers and Mac OS X computers. Additionally, the expression editor for advanced endpoint analysis has been implemented in HTML within the configuration utility.
    [From Build 50.10] [# 417360]
  • RADIUS accounting.
    RADIUS accounting functionality has been added to RADIUS authentication.
    [From Build 50.10] [# 388723]
  • NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled.
    [From Build 54.9] [# 518414]
  • Upgrade EPA (Endpoint Analysis) libraries in NetScaler Gateway
    The Endpoint Analysis feature enables administrators to analyze and make client connection choices based on client endpoint settings for plug-in sessions connecting through the NetScaler Gateway. Previously, NetScaler Gateway administrators had to manually upload a new EPA library using the command line in order to upgrade the EPA libraries in NetScaler Gateway. This task required administrators to manually extract the file on the NetScaler and then copy the extracted files to appropriate directories. NetScaler Gateway 10.5.52.1115.e presents a one-click interface for upgrading EPA libraries without upgrading or rebooting the system.
    [From Build 54.9] [# 504584]
  • NetScaler Gateway supports network traffic through a forward proxy between the appliance and servers in the internal network when users log on by using clientless access and when Secure Browse is enabled on the Security tab in a session profile.
    [From Build 54.9] [# 451933, 455617, 470014]
  • NetScaler Gateway now supports Windows 10 clients.
    [From Build 59.13] [# 579428]

NetScaler Insight Center

  • Authentication and Authorization Support.
    Authentication with the NetScaler Insight Center virtual appliance can be local or external. With external authentication, NetScaler Insight Center grants user access on the basis of the response from an external server. It supports the following external authentication protocols:
    -Remote Authentication Dial In User Service (RADIUS)
    -Terminal Access Controller Access-Control System (TACACS)
    -Lightweight Directory Access Protocol (LDAP)
    Authorization through the NetScaler Insight Center virtual appliance is local. The virtual appliance supports two levels of authorization. Users with superuser privileges are allowed to perform any action. Users with readonly privileges are allowed to perform only read operations. The authorization of SSH users requires superuser privileges. Users with readonly privileges cannot log on through SSH.
    For more information see, http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-configuring-authentication-authorization-settings.html
    [From Build 50.10] [# 412466]
  • HDX Insight Center reports now support the following metrics:
    -Client side zero window size event: This counter indicates how many times the client advertised a zero TCP window.
    -Server side zero window size event: This counter indicates how many times the server advertised a zero TCP window.
    -Client side fast RTO: This counter indicates how many times the retransmit timeout was invoked on the client-side connection.
    -Server side fast RTO: This counter indicates how many times the retransmit timeout was invoked on the server-side connection.
    [From Build 50.10] [# 424355]
  • The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.
    [From Build 50.10] [# 418196]
  • NetScaler Insight Center adaptive threshold functionality dynamically sets the threshold value for the maximum number of hits on each URL.
    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-manage-threshold-tsk.html
    [From Build 50.10] [# 378995]
  • You can now configure the ICA session timeout value for inactive sessions on the NetScaler Insight Center configuration tab.
    For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-ica-session-timeout-tsk.html
    [From Build 50.10] [# 431957]
  • Hop Diagram Support
    The HDX Insight reports now support hop diagrams, which provide complete details about the client, NetScaler ADC, and server in an active session.
    To display the hop diagram, on the dashboard tab, navigate to HDX Insight > Users >, click on a user name and, in the Current Application Sessions table, click on the session diagram icon.
    [From Build 50.10] [# 443824]
  • EUEM Session Data on HDX Insight Reports
    HDX Insight reports now displays EUEM session data, which indicates the availability of EUEM data when an EUEM channel is established between the client and the server.
    [From Build 50.10] [# 367114]
  • HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.
    [From Build 50.10] [# 392016]
  • The database cache functionality of NetScaler Insight Center stores database content locally in the cache and serves the content to users without accessing the database server.
    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-cache-settings.html.
    [From Build 50.10] [# 456295]
  • In the dashboard, you can now select and rearrange the columns displayed in the tables. These changes persist across user sessions.
    [From Build 50.10] [# 423451]
  • NetScaler Insight Center now saves the following data for a specific time period before it is purged:
    * 30 second data - Saves for 6 minutes
    * 5 minute data - Saves for 65 minutes
    * Hourly data - Saves for 25 hours
    * Daily data - Saves for 31 days
    [From Build 50.10] [# 404805]
  • HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP.
    [From Build 50.10] [# 398322]
  • The active sessions data on the dashboard now include the following metrics:
    Client IP: IP address of the client
    Server IP: IP address of the server
    NetScaler IP: NetScaler IP address
    [From Build 50.10] [# 427504]
  • Cache Redirection Insight Support
    NetScaler Insight Center now analyzes the traffic flowing through NetScaler ADC to cache servers and origin servers, and provides useful information about the cache performance, such as:
    - Bandwidth saved while serving requests from the cache server instead of the origin server.
    - Bandwidth consumed when requests bypassed the cache server and were served from the origin server.
    - Number of times a URL was accessed from the cache server instead of the origin server.
    For details on Cache Redirection Insight, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-usecase-webinsight-cache.html.
    [From Build 50.10] [# 409842]
  • Geo Map Support
    The NetScaler Insight Center geo maps feature displays the usage of web applications across different geographical locations on a map. Administrators can use this
    information to understand the trends in application usage and for capacity planning.
    Geo maps provide information that answers questions such as the following:
    -Which region has the highest number of clients accessing an application?
    -Which region has the highest response time?
    -Which region is consuming the most bandwidth?
    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-usecase-geo-maps.html
    [From Build 50.10] [# 322120]
  • Managing Session Timeout Period
    You can now configure the timeout period for how long a user or a group can remain in an idle state before being terminated.
    Enable this option while configuring user accounts or user groups.
    For more details on configuring a user account or a group account, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-add-user.html or http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-add-group.html.
    [From Build 50.10] [# 452424]
  • Even if Appflow is disabled for a virtual server, you can clear the configuration in the NetScaler Insight Center by selecting Clear AppFlow Configurations from the Action list.
    [From Build 50.10] [# 399329]
  • On the dashboard, if you move the columns in a table and refresh the page, the column ordering is sometimes reset to default.
    [From Build 50.10] [# 414155]
  • You can now customize NetScaler Insight Center reports to display the metrics that you want, and you can specify bar graphs or line graphs.
    To make these changes, open the drop-down list next to the percentage icon in the top-right corner of the dashboard.
    [From Build 50.10] [# 427187]
  • If the length of URLs displayed in the Web Insight reports is very long, you can enable the trim URL functionality to remove the query string from the URL.
    For details about configuring this functionality, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-url-parameter-settings.html
    [From Build 50.10] [# 463741]
  • Exporting Reports
    You can now save the Web Insight reports or HDX Insight reports in PDF, JPEG or PNG format on your local computer. You can also schedule the export of the reports to specified email addresses at various intervals.
    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-export-report-con.html.
    [From Build 50.10] [# 320860]
  • For debugging an issue, the technical support bundle that you generate to send to the technical support team now automatically includes NetScaler ADC data along with the NetScaler Insight Center data.
    You can also choose to include the debug logs and data distribution logs.
    [From Build 50.10] [# 474070]
  • Data record logs provide detailed information about appflow records that NetScaler Insight Center collects from NetScaler ADCs.
    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-data-record-log-settings.html.
    [From Build 50.10] [# 471025]
  • NetScaler Insight Center can now dynamically set the threshold value for the maximum number of hits on each URL. For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-manage-threshold-tsk.html
    NetScaler Insight Center now facilitates efficient querying of its database.
    For details on enabling this functionality, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-index-settings.html
    You can now enable NetScaler Insight Center to periodically remove the out-of-date content from its database. For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-cleanup-settings.html
    [From Build 50.10] [# 479004]
  • The GUI displays a real-time graphical representation of the CPU, memory, and disk resources used by the NetScaler Insight Center virtual appliance.
    To display additional details, on the Configuration tab, navigate to NetScaler Insight Center and click Statistics.
    [From Build 50.10] [# 474067]
  • Data Record Log Settings
    NetScaler Insight Center now supports data record logs, which provide detailed information about AppFlow records that NetScaler Insight Center collects from NetScaler ADCs.
    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-data-record-log-settings.html
    [From Build 50.10] [# 421777]
  • NetScaler Insight Center now supports monitoring of CloudBridge 2000, 3000, 4000, and 5000 appliances. It analyzes the ICA traffic flowing through the CloudBridge appliances and generates HDX Insight performance reports. With this feature, datacenter administrators can gather information about traffic flowing between XenApp/XenDesktop clients and XenApp/XenDesktop servers.
    [From Build 51.10] [# 430880]
  • NetScaler Insight Center now displays reports for multi-stream ICA connections. All statistics that are maintained and reported for single-stream ICA connections are also displayed for multi-stream ICA connections.
    [From Build 52.11] [# 478744]
  • You can now install NetScaler Insight Center on Microsoft Hyper-V version 6.2.
    [From Build 52.11] [# 463402]
  • If you do not want the URL reports to be displayed on the Web Insight node of the dashboard, you can now disable the URL data collection settings.
    To modify the setting, on the Configuration tab, navigate to System, and in the right-pane, from the System Settings group, click Change URL Data Collection Settings.
    [From Build 54.9] [# 522345]
  • You can now limit the number of days for which the generated reports can persist in the database, after which the reports are permanently deleted.
    To change the value, on the Configuration tab, click System and in the right-pane from the System Settings group, click Limit Data Duration Persistency.
    [From Build 54.9] [# 521503]
  • NetScaler Insight Center now displays the session reconnect count and the Automatic Client Reconnection (ACR) count for ICA traffic flowing through NetScaler ADCs.
    These values are displayed only if the session reliability feature is enabled on XenApp or XenDesktop.
    [From Build 54.9] [# 504955]
  • NetScaler Insight Center now displays reports for NetScaler Gateway appliances deployed in a double-hop mode.
    [From Build 54.9] [# 481300, 482071, 487985]
  • NetScaler Insight Center now supports monitoring NetScaler appliances deployed in LAN user mode. The dashboard now displays the following user access types, depending on the NetScaler deployment:
    - Remote user: User connected to XenApp or XenDesktop server through a NetScaler Gateway.
    - Transparent mode user: User connected to XenApp or XenDesktop server directly, with no intervening virtual server.
    - LAN user: Internal user connected to XenApp or XenDesktop server directly, without configuring the routing rules on a NetScaler ADC.
    [From Build 56.22] [# 490147, 482900]

NetScaler SDX Appliance

  • Monitoring and Managing Real-Time Status of Entities Configured on NetScaler Devices
    You can use NetScaler SDX to monitor and manage the states of virtual servers, services, service groups, and servers across the NetScaler virtual appliances hosted on SDX. You can monitor values, such as the health of a virtual server and the time elapsed since the last state change of a service or service group. This gives you visibility into the real-time status of the entities and makes management of these entities easy when you have a large number of entities configured on your NetScaler devices.
    [From Build 50.10] [# 247823, 291022]
  • Security Enhancements on NetScaler SDX Appliance
    NetScaler SDX appliance now supports a configuring a password policy and a user-lockout policy to provide security against hackers and password-cracking software.
    The password policy enforces a user-specified minimum length and a minimum level of complexity. The password must have at least one uppercase, one lowercase, one numeric, and one special character. The user-lockout policy disables a user-account if an incorrect password is entered a specified number of times.
    You can specify the time period (user lockout interval) for how long the user account remains disabled, after which the user account is enabled automatically.
    Note: User lockout is disabled by default
    [From Build 50.10] [# 353854]
  • Provisioning Palo Alto VM-Series Instances on a NetScaler SDX Appliance
    Palo Alto Networks VM-Series on Citrix NetScaler SDX enables consolidation of best-in-class security and ADC capabilities on a single platform, for secure, reliable access to applications by businesses, business units, and service-provider customers. The combination of VM-Series on Citrix NetScaler SDX also provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments.
    You can provision, monitor, manage, and troubleshoot an instance from the Management Service.
    Note: The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-ag-third-party-paloalto-con.html
    [From Build 50.10] [# 357214]
  • XenServer IP Address Support in Network Configuration Utility
    Now you can use the network configuration utility to assign both the Management Service IP address as well as the XenServer IP address on a new appliance.
    [From Build 50.10] [# 437974]
  • SSL certificates and keys for NetScaler instances
    Enhanced usability achieved by providing separate view for SSL certificates and keys for NetScaler instances. A new node, SSL Certificate Files, on the Management Service interface allows you to upload and manage the SSL certificates and corresponding public and private key pairs that can be installed on NetScaler instances.
    Management Service certificates can be managed from Configuration > Management Service > SSL Certificates Files and NetScaler certificates can be managed from "Configuration > NetScaler > SSL Certificate Files.
    [From Build 50.10] [# 437973]
  • Wizard for Initial Configuration Setting in Management Service
    You can use the Setup Wizard to complete all the first time configurations in a single flow. The wizard helps you in configuring network configuration details, system settings, changing the default administrative password, and manage and update licenses.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-initial-setup-wizard-con.html
    [From Build 50.10] [# 384569]
  • Monitoring and Managing Events Generated on NetScaler Instances
    The Events feature to monitor and manage the events generated on the NetScaler instances. The Management Service identifies events in real time, thereby helping you address issues immediately and keep the NetScaler instances running effectively. You can also configure event rules to filter the events generated and get notified to take actions on the filtered list of events.
    [From Build 50.10] [# 247820]
  • Change Management
    You can now schedule Management Service to run NeSclaer configuration difference against a template and show appropriate reporting. Further, you can use the report on the Change Management page of Management Service to view whether there is any difference between the saved configuration and the running configuration of any instance. You can click on the chart to further drill down and view the list of instances, their running configuration, saved configuration, history of configuration changes, any difference between the configurations before and after an upgrade, and any difference between the running configurations and the configuration of the associated audit templates.
    [From Build 50.10] [# 418165]
  • New inline wizard for provisioning NetScaler instances with simplified networking configuration steps
    You can now use the new inline wizard to provision NetScaler instances from the Management Service. The networking configuration portion of the provisioning workflow has been simplified and streamlined for ease of use. To use the inline wizard, click Configuration > NetScaler > Instances and click Add to add a new instance or Edit to modify a highlighted instance.
    [From Build 50.10] [# 391749]
  • Management Service Statistics
    A new gadget, Management Service Statistics has been introduced on the Dashboard to help you monitor the statistics such as Memory, CPU, and Disk usage, of Management Service on NetScaler SDX appliance.
    [From Build 50.10] [# 400698]
  • Authentication and Authorization Enhancements
    With this release, the following authentication and authorization capabilities are supported for the Management Service on NetScaler SDX appliance:
    - External authentication support for for the Management Service using RADIUS, TACACS,
    or LDAP servers.
    - Group extraction capability for LDAP and RADIUS authentication types.
    - Authentication and authorization for requests through SSH. However, the authorization of
    SSH users is limited to super-user privileges only.
    - Audit logs for RADIUS and TACACS servers. You can enable audit logs by checking the
    Accounting option while adding the RADIUS or TACACS server to the Management Service.
    [From Build 50.10] [# 399086]
  • The Call Home feature monitors your NetScaler instances for common error conditions.
    You can now configure, enable or disable the Call Home feature on NetScaler instances
    from the Management Service user interface.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-call-home-support-con.html
    [From Build 50.10] [# 430105]
  • No change in state of shut down NetScaler instance through appliance reboot
    If any of the NetScaler VPX instances are in shutdown state, and an appliance reboot is carried out then the instances which were in the shut down state continue to be in the same state through the reboot process.
    [From Build 50.10] [# 437979, 412103]
  • Provisioning support even when none of data ports are connected
    When deployments are being set up, usually the interfaces are not connected. Management Service now allows provisioning of NetScaler instances on SDX with data ports as management interface even if they are down.
    [From Build 50.10] [# 437980]
  • Improved Dashboard
    NetScaler SDX provides an improved Dashboard. The new Dashboard provides a compact and a better view of key parameters. The fields that are displayed in the Dashboard are not user configurable.
    [From Build 50.10] [# 437995]
  • CLI Support for NetScaler SDX Appliance
    You can now use the command line interface to perform operations on the Management Service. Add, Set, Delete, Do and Save commands are supported through command-line interface.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-cli-support-svm-con.html
    [From Build 50.10] [# 257899]
  • Console Access for NetScaler SDX Appliance
    You can access the console of NetScaler instances, the Management Service, XenServer, and third party VMs from the Management Service interface. This is particularly helpful in debugging and troubleshooting the instances hosted on the NetScaler SDX appliance when the instance is not reachable over the network.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-console-access-con.html
    [From Build 50.10] [# 246263]
  • LACP Statistics
    You can now view the real time status and stats for the LACP channels configured on the SDX appliance from the Management Service. If you have added an LACP channel, you can view the LACP details by clicking on Configuration > System > Channels > LACP Details.
    [From Build 50.10] [# 394210]
  • When system sends any e-mail notification, it will contain host name along with IP address as sender.
    [From Build 51.10] [# 464856]
  • You do not require a separate license file to set up a cluster on an SDX appliance. Clustering support will be provided with a valid SDX Platform License.
    [From Build 52.11] [# 492668]
  • Jumbo Frame is supported on all data interfaces and channels on NetScaler SDX. Management interfaces are not included. For configuring Jumbo Frame, user has to change the MTU of channel or Interface from the Management Service. All the NetScaler virtual machines sharing this port will get the effective MTU. For third party virtual machines, user has to change the MTU explicitly from the virtual machine to make it effective.
    [From Build 53.9] [# 482191, 434401, 460917]
  • NetScaler SDX supports provisioning and managing a new guest VM CA Access Gateway. For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-ag-third-party-ca-siteminder-con.html
    [From Build 53.9] [# 462651]
  • Management Service now supports Trend Micro InterScan Web Security Virtual Appliance guest VM. Navigate to TrendMicro IWSVA under the Configuration tab.
    [From Build 55.8] [# 498282]
  • The 10.5 62.x SDX platform release now supports the following SDX appliances: SDX 14000, SDX 14000-40G, and SDX 25000-40G.
    The SDX platform release consists of two separate images, one for SVM and one for the SDX platform. When upgrading to this platform release from an earlier release, upgrade the two images in the order suggested above.
    Also, NetScaler VPX instances based on release 10.5 62.9 can be used on SDX 14xxx/25000 series appliances running either 10.5 62.x or an earlier version of the platform software.
    Note: NetScaler VPX is not part of SDX platform release, and it can be based on any NetScaler release version / build that supports SDX 14xxx/25xxx series.
    [From Build 62.9] [# 616616, 626463]
  • New kernel packages have been added to support software RAID on the following new platforms:
    -14000 10G series models
    -14000 40G Series models
    -25000 40G series models
    Note: These packages are not supported on older platforms.
    [From Build 62.9] [# 552047]
  • Previously, SDX platform components were distributed separately: 1. XenServer image with kernel packages, 2) hotfixes, and 3) supplemental pack.
    To simplify installation, facilitate meeting all the platform requirements, and streamline the order in which the components are installed, all the components are now in one image, called the SDX Platform image.
    Note: The XenServer component is based on XenServer-6.1, so devices using XenServer-6.0 are upgraded to XenServer-6.1 when you upgrade to this build.
    [From Build 62.9] [# 630447]

NetScaler VPX Appliance

  • The NetScaler VPX appliance is now supported on VMware ESX server version 6.0.
    [From Build 59.13] [# 592395]

Networking

  • NetScaler MPX appliances support receiving and transmitting jumbo frames containing up to 9216 bytes of IP data. Jumbo frames can transfer large files more efficiently than it is possible with the standard IP MTU size of 1500 bytes.
    A NetScaler MPX appliance can use jumbo frames in the following deployment scenarios:
    - Jumbo to Jumbo. The appliance receives data as jumbo frames and sends it as jumbo frames.
    - Non-Jumbo to Jumbo. The appliance receives data as regular frames and sends it as jumbo frames.
    - Jumbo to Non-Jumbo. The appliance receives data as jumbo frames and sends it as regular frames.
    The NetScaler appliance supports jumbo frames in a load balancing configuration for the following protocols:
    - TCP
    - Any protocol over TCP (for example, HTTP)
    - SIP
    - Radius
    -TFTP
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-jf-overview-con.html.
    [From Build 50.10] [# 407504, 244274, 336389, 407861]
  • The ZebOS dynamic routing software package has been upgraded to version 7.10.2.
    [From Build 50.10] [# 435000]
  • VMAC Based Traffic Domains
    You can now associate a traffic domain with a VMAC address instead of with VLANs. The NetScaler ADC then sends the traffic domain's VMAC address in all responses to ARP queries for network entities in that domain. As a result, the ADC can segregate subsequent incoming traffic for different traffic domains on the basis of the destination MAC address. The NetScaler ADC identifies traffic for a traffic domain if it is destined to the same VMAC address that is associated with the traffic domain.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/nw-td-vmac-traffic-domain-intro-tsk.html.
    [From Build 50.10] [# 425108]
  • Increased Number of Interfaces for Link Aggregation Channels
    You can now bind up to 16 interfaces to a link aggregation channel. The channel can be either static or LACP.
    [From Build 50.10] [# 437366, 389319]
  • Support for Inter Traffic Domain Entity Bindings
    You can now bind services in one traffic domain to a virtual server in another traffic domain. All the services to be bound to a virtual server in a different traffic domain must reside in the same traffic domain.
    There is no command or parameter introduced for this support. You configure this support by using the existing bind lb vserver command or the related configuration utility procedure. This capability can facilitate interaction between different traffic domains. In an enterprise, servers can be grouped in different traffic domains. Virtual servers are created in a traffic domain that faces the internet. A virtual server from this traffic domain can be configured to load balance servers in another traffic domain. This virtual server receives connection requests from the Internet to be forwarded to the bound servers.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-supp-traff-enty-tsk.html.
    [From Build 50.10] [# 405295]
  • A parameter Source IP Persistency has been introduced in RNAT rules and Netprofiles:
    Source IP Persistency for RNAT Sessions
    The source IP persistency of a RNAT rule enables the NetScaler ADC to use the same NAT IP address for all RNAT sessions initiated from a particular server.
    Source IP Persistency for NetProfiles
    The source IP persistency of a netprofile associated with a virtual server or service enables the NetScaler ADC to use the same address, specified in the net profile, for all sessions initiated from a particular client.
    [From Build 50.10] [# 437359]
  • IPv6 Forwarding Session Rules
    Now, you can create forwarding session rules for IPv6 traffic. By default, the NetScaler appliance does not create session entries for traffic that it only forwards (L3 mode). For a case in which a client request that the appliance forwards to a server results in a response that has to return by the same path, you can create a forwarding-session rule. A forwarding-session rule creates forwardingsession entries for traffic that originates from or is destined for a particular network and is forwarded by the NetScaler appliance.
    When configuring an IPv6 forwarding-session rule, you can specify either an IPv6 prefix or an ACL6 as the condition for identifying IPv6 traffic for which the forwarding-session entry to be created:
    - Using an IPv6 prefix . When you specify an IPv6 prefix, the appliance creates forwarding sessions for those IPv6 traffic that are sourced from networks that matches the IPv6 prefix.
    - Using an ACL6 rule . When you use an ACL6 rule, the appliance creates forwarding sessions for those IPv6 traffic that match the conditions specified in the ACL6 rule.
    Note: When the appliance is configured as a high availability node, Connection Failover for synchronizing IPv6 forwarding session entries with the secondary node is not supported.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-interfaces-confrng-fwd-sessions-tsk.html.
    [From Build 50.10] [# 251234]
  • The NetScaler ADC now supports the industry standard (EEE 802.1AB) Link Layer Discovery Protocol (LLDP). LLDP is a layer 2 protocol that enables the NetScaler ADC to advertise its identity and capabilities to the directly connected devices, and also learn the identity and capabilities of these neighbour devices.
    Using LLDP, the NetScaler ADC transmits and receives information in the form of LLDP messages known as LLDP packet data units (LLDPDUs). An LLDPDU is a sequence of type, length, value (TLV) information elements. Each TLV holds a specific type of information about the device that transmits the LLDPDU. The NetScaler ADC sends the following TLVs in each LLDPDU:
    * Chassis ID
    * Port ID
    * Time-to-live value
    * System name
    * System description
    * Port description
    * System capabilities
    * Management address
    * Port VLAN ID
    * Link aggregation
    Note: You cannot specify the TLVs to be sent in LLDP messages.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-llayer-dics-protocol-tsk.html.
    [From Build 50.10] [# 235640]
  • Support for VXLANs
    Now the NetScaler ADC supports Virtual eXtensiable Local Area Network (VXLANs). A VXLAN is an overlay solution that creates layer 2 overlay networks over layer 3 infrastructure by encapsulating Layer-2 frames in UDP packets. Each VXLAN is identified by a unique 24-bit identifier called the VXLAN Network Identifier (VNI). Only network devices within the same VXLAN can communicate with each other.
    [From Build 50.10] [# 366992]
  • ZebOS API Access
    With a new configuration object, router DynamicRouting, you can use NITRO APIs to configure dynamic routing protocols on a NetScaler appliance.
    [From Build 50.10] [# 229714, 222015, 406589]
  • Configuring Link Redundancy by using LACP channels
    Link Redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel where one of the sub channel is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum threshold throughput, one of the standby sub channel takes over and becomes active.
    The NetScaler appliance forms a sub channels from links that are part of the LACP channel and are connected to a particular device. For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interface is connected to device A, and the other two interfaces are connected to device B, then the NetScaler appliance logically creates two sub channels, one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.
    The lrMinThroughput parameter is introduced for configuring link redundancy for a LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel. When the throughput of the active channel falls below the lrMinThroughput , link failover occurs and one of the standby sub channels becomes active.
    For example, set channel la/1 -lrMinThroughput 2000
    Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.
    Note: In an HA configuration, if you want to configure throughput (throughput parameter) based HA failover and link redundancy ( lrMinThroughput parameter) on a LACP channel, you must set a lesser or equal value to the throughput parameter as compared to the lrMinThroughput parameter.
    For example, set channel la/1 throughput 2000 -lrMinThroughput 2000
    HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value even when the total throughput of the LACP channel does not meet the throughput parameter value.
    HA failover occurs only when the entire sub channels of the LACP channel does not meet the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-lr-lacp-tsk.html.
    [From Build 50.10] [# 346763]
  • Netprofile Support for Link Load Balancing Configurations
    You can now associate a netprofile with a link load balancing configuration. The NetScaler ADC then uses one of the IP addresses in the netprofile as the source address for outbound traffic related to the link load balancing configuration.
    A netprofile can include a NetScaler owned IP address or an IP set, which is a set of NetScaler owned IP addresses. You can associate a netprofile with link load balancing virtual servers as well as with the bound services. A netprofile associated with a link load balancing virtual server always take precedence over netprofiles associated with the bound services.
    For more information on netprofiles, http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-lb-clienttraffic-usespecifiedsrcip-tsk.html.
    [From Build 50.10] [# 356081]
  • vPath feature is available for all the NetScaler platforms from version 10.5 Build 52.11 onwards. To use this feature no special license file is required. For more information on vPath, see http://support.citrix.com/proddocs/topic/netscaler-vpx-10-5/ns-vpath-con.html
    [From Build 52.11] [# 416393]
  • The CloudBridge connector feature now supports establishment of Phase-2/IPsec SA (Security Association) between a NetScaler ADC and AWS gateway when AWS sends traffic selectors with IP address 0.0.0.0.
    [From Build 53.9] [# 482697]

Optimization

  • Front End Optimization Support
    The NetScaler ADC now supports the front end optimization feature, which reduces the load time and render time of web pages by simplifying and optimizing the content to be served to the client browser.
    This feature optimizes HTML content, and the cascading style sheets (CSS), JavaScript, and images that are embedded in the HTML content.
    For details, see http://support.citrix.com/proddocs/topic/ns-optimization-10-5-map/ns-feo-con.html.
    [From Build 50.10] [# 292039, 392818, 449669, 450295]

Platform

  • Release 10.5 51.x is now supported on the MPX 22040/22060/22080/22100/22120 platform, but a LOM firmware upgrade is required.
    [From Build 51.10] [# 471641, 471642, 472044]
  • The MPX 25100T and MPX 25160T platforms are now supported in this release.
    [From Build 57.7] [# 486703, 495591, 552218]
  • Support for New Hardware Platforms
    The T1120 and T1300-40G platforms with NIC firmware 4.53 are now supported in this release.
    Note: T1300-40G platform with NIC firmware 4.26 has backward compatibility.
    [From Build 63.8] [# 593888]
  • New firmware version for SDX platforms
    NetScaler SDX provides the latest XL710 v5.04 firmware for the following platforms:
    * SDX Model: 14xxx 40G
    * SDX Model: 25xxx 40G
    The XL710 v5.04 firmware includes a tool to automatically upgrade the XL710 firmware from the previous version to v5.04.
    [From Build 64.9] [# 620786]

Policies

  • Variable Support for Policies
    Policy variables are named objects that can hold one or more values that can be set and modified at runtime. The concept of variables is essentially the same as in programming languages. Variable values can be of two types:
    - ulong (a 64-bit unsigned integer, with values from 0 to 2^64-1)
    - text (a sequence of bytes with a configured maximum length).
    Additionally, there are two variable types:
    - Singletons variables hold one ulong or text value.
    - Maps hold one or more entries, each entry having a text key and a ulong or text value. The key can be used to find the value. In a map, more than one map entry may have the same value, but each map entry must have a different key.
    For more information, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-5-map/ns-pol-variable-con.html.
    [From Build 50.10] [# 368447]

Responder

  • The Responder feature now supports the Diameter protocol.
    A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a diameter packet. These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and send a response based on that information.
    [From Build 50.10] [# 318387]
  • Embedded Expressions in Responder Responses
    You can now add Netscaler expressions with default syntax to HTML pages that are used with responder actions of the respondWithHtmlpage type. Any expression that is supported for use in a respondWith response can be used in a respondWithHTMLPage response. To embed expressions in HTML pages simply surround the expressions with "${" and "}". This functionality enables you to include information about the request that generated the Responder action in the response.
    [From Build 50.10] [# 423928]

Rewrite

  • The Rewrite feature now supports the Diameter protocol.
    A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a diameter packet. These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and replace/insert/delete AVPs if necessary.
    [From Build 50.10] [# 318382]

SSL

  • Sending an SSLv2 Compliant Client Hello Message
    As part of the SSL handshake with the server, the NetScaler appliance now sends a Client Hello message based on the version (for example SSLv3 or TLS1.0) that is configured on the appliance. Earlier, it sent an SSLv2 compliant Client Hello message to the server.
    [From Build 50.10] [# 378806, 204465, 406907]
  • Importing SSL Resources from Remote Hosts
    The NetScaler appliance now supports importing SSL resources, such as certificates, private keys, CRLs, and DH keys, from remote hosts even if FTP access to these hosts is not available. This is especially helpful in environments where shell access to the remote host is restricted.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-importing-ssl-files-from-remote-hosts-tsk.html
    [From Build 50.10] [# 210405]
  • SSL Renegotiation
    SSL renegotiation is now blocked by default. In earlier releases, the default setting was to allow SSL renegotiation.
    [From Build 50.10] [# 481577]
  • SSL Certificate Chain
    As part of the SSL handshake, when a client requests a certificate, the NetScaler ADC presents a certificate and the chain of issuer certificates that are present on the ADC. An administrator can view the certificate chain for the certificates present on the ADC and install any missing certificates.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-display-cert-chain-tsk.html
    [From Build 50.10] [# 437610]
  • Support for Common Name Check during Server Authentication
    In end-to-end encryption with server authentication enabled, you can include a common name in the configuration of an SSL service or service group. The name that you specify is compared to the common name in the server certificate during an SSL handshake. If the two names match, the handshake is successful. This configuration is especially useful if there are, for example, two servers behind a firewall and one of the servers spoofs the identity of the other. If the common name is not checked, a certificate presented by either server is accepted if the IP address matches.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-common-name-for-cert-tsk.html
    [From Build 50.10] [# 381821, 332628]
  • Support for ECDHE Ciphers
    The Citrix NetScaler MPX 11515/11520/11530/11540/11542 appliances and the VPX virtual appliance now support the ECDHE cipher group. On the SDX 11515/11520/11530/11540/11542 appliances, the cipher group is supported only if an SSL chip is assigned to a VPX instance. This group contains the following ciphers:
    - TLS1-ECDHE-RSA-RC4-SHA
    - TLS1-ECDHE-RSA-DES-CBC3-SHA
    - TLS1-ECDHE-RSA-AES128-SHA
    - TLS1-ECDHE-RSA-AES256-SHA
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported:
    - P_256
    - P_384
    - P_224
    - P_521
    By default all four curves are bound to an SSL virtual server.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-ecdhe-ciphers-tsk.html
    [From Build 50.10] [# 329257, 198673, 401256]
  • Support for DTLS Protocol
    The NetScaler ADC now supports DTLS protocol to secure UDP traffic. The DTLS protocol (RFC 4347), can be used to secure UDP applications such as media streaming, VOIP, and online gaming for communication.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-dtls-server-tsk.html
    [From Build 50.10] [# 400350]
  • Setting the Limit for Disabled SSL Chips
    You can now set a limit to the number of disabled SSL chips after which the appliance restarts.
    At the command prompt, type:
    > set ssl parameter -cryptodevDisableLimit <positive_integer>
    A chip is marked disabled after the third failed reinitialization attempt.
    [From Build 50.10] [# 376153]
  • Creating an SSL Profile
    You can use an SSL profile to specify how a NetScaler appliance processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. Previously, you could specify only one set of global parameters. Now, you can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:
    -Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client. For example, an SSL virtual server.
    -Backend profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server. For example, an SSL service.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-profiles-tsk.html
    [From Build 50.10] [# 401011, 321967]
  • Display HSM Model Number
    The output of the "show fips" command now displays the HSM model number as shown below. This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty.
    > sh fips
    FIPS HSM Info:
    HSM Label : NetScaler FIPS
    Initialization : FIPS-140-2 Level-2
    HSM Serial Number : 2.1G1037-IC000253
    HSM State : 2
    HSM Model : NITROX XL CN1620-NFBE
    Hardware Version : 2.0-G
    Firmware Version : 1.1
    Firmware Release Date : Jun04,2010
    Max FIPS Key Memory : 3996
    Free FIPS Key Memory : 3994
    Total SRAM Memory : 467348
    Free SRAM Memory : 62580
    Total Crypto Cores : 3
    Enabled Crypto Cores : 3
    Done
    [From Build 52.11] [# 385499]
  • Support for additional ciphers with TLS protocol version 1.2
    Twelve new ciphers are supported with TLS protocol version 1.2 on all MPX platforms, and on SDX platforms if an SSL chip is assigned to the instance when you provision it.
    1) Cipher Name: TLS1.2-AES128-GCM-SHA256
    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256
    2) Cipher Name: TLS1.2-AES256-GCM-SHA384
    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384
    3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256
    4) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384
    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384
    5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256
    6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384
    7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256
    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256
    8) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384
    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384
    9) Cipher Name: TLS1.2-AES-256-SHA256
    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA-256
    10) Cipher Name: TLS1.2-AES-128-SHA256
    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA-256
    11) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256
    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256
    12) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256
    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256
    [From Build 53.9] [# 460472]
  • Support for TLS Protocol Version 1.1 and 1.2 on the NetScaler VPX Appliance
    The NetScaler VPX appliance now supports TLS protocol versions 1.1 and 1.2.
    [From Build 57.7] [# 424463, 481970]
  • Stricter Control on Client Certificate Validation
    You can configure the SSL virtual server to accept only client certificates that are signed by a CA certificate bound to the virtual server. To do so, enable the ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server.
    [From Build 57.7] [# 533241]
  • Support for TLS_FALLBACK_SCSV signaling cipher suite value
    The NetScaler appliance now supports the TLS_FALLBACK_SCSV signaling cipher suite value. The presence of this SCSV extension in the Client Hello indicates that the client is retrying to connect to the server by using a lower SSL version, after its previous attempt to communicate with a higher version failed. Therefore, if the server finds this extension in Client Hello and also finds that the client is proposing a version that is lower than the maximum version supported by the server, it is a likely indication of a "man in the middle attack." The server drops these handshakes.
    [From Build 57.7] [# 509666]
  • Support for ECDHE Ciphers at the Back End
    The NetScaler appliance now supports the following ECDHE ciphers at the backend:
    - TLS1-ECDHE-RSA-RC4-SHA
    - TLS1-ECDHE-RSA-DES-CBC3-SHA
    - TLS1-ECDHE-RSA-AES128-SHA
    - TLS1-ECDHE-RSA-AES256-SHA
    Note: This feature is available only for NetScaler MPX platforms.
    [From Build 58.11] [# 523464]
  • Support for TLS Protocol Version 1.1 and 1.2 on the backend on the NetScaler MPX and SDX Appliances
    The NetScaler MPX appliance now supports TLS protocol versions 1.1 and 1.2 on the backend. On an SDX appliance, TLSv1.1/1.2 is supported on the backend only if an SSL chip is assigned to the VPX instance.
    [From Build 59.13] [# 494082, 566364]

System

  • From NetScaler 10.5 onwards, if the MSS value of the bound TCP profile is 0, the MSS value is derived from the interface (and if applicable, VLAN) MTUs.
    [From Build 50.10] [# 422126, 425696]
  • SNMP V3 Support for Traps
    Trap class, destination along with version will now act as unique identifier for a trap destination. This will allow configuration of same destination with different versions. All commands will take version V2 as default value. Set and Unset commands can no longer change version.
    [From Build 50.10] [# 416930]
  • NetScaler now supports BIC and CUBIC TCP congestion control algorithms.
    [From Build 50.10] [# 406270]
  • TCP Timestamp based on RFC 1323
    The NetScaler now provides the TCP timestamp as detailed in RFC 1323. Using this timestamp, the NetScaler can provide the Round Trip Time Measurement (RTTM). For this option to work, at least one side of the connection (client or server) must support it.
    [From Build 50.10] [# 204374, 249144, 317249, 401162]
  • Differentiated services code point (DSCP) Support
    The NetScaler ADC can now retain and forward received DSCP code in end-point mode. This capability supports end-to-end quality of service (QOS) checks for load balanced traffic.
    [From Build 50.10] [# 436946]
  • Restrict Interface-level System Session Timeout
    The system session timeout for a specific NetScaler interface (GUI, CLI, API) is now restricted to the timeout value that the administrator has configured for the user that is accessing the interface. For example, let us consider an user "publicadmin" who has a timeout value of 20 minutes. Now, when accessing an interface, the user must specify a timeout value that is within 20 minutes.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-sys-session-timeout-tsk.html.
    [From Build 50.10] [# 405501, 439031]
  • Explicit Congestion Notification (ECN)
    The NetScaler appliance now supports ECN, which sends notification of network congestion state to the sender and takes corrective measures for data congestion or data corruption. When ECN is enabled, the NetScaler automatically differentiates between corruption loss and congestion loss. The NetScaler implementation of ECN is RFC 3168 compliant.
    ECN must be enabled on the TCP profile to which you want it to apply.
    To enable ECN using the CLI:
    > add ns tcpProfile <name> -ecn ENABLED
    [From Build 50.10] [# 249145]
  • Application Layer Protocol Negotiation (ALPN) Extension support
    The NetScaler now supports the APLN extension for negotiating the SPDY protocol over SSL/TLS. The use of ALPN provides higher rate of TPS performance on the NetScaler. APLN replaces the previous method of NPN (Next Protocol Negotiation).
    [From Build 50.10] [# 430862]
  • When the configured external authentication server is not available, the NetScaler can be configured to allow local user access to perform administrative tasks. To enable this function, enable the "localAuth" parameter of the "set system parameter" command.
    [From Build 50.10] [# 315474]
  • MPTCP Enhancements
    The NetScaler now supports the following MPTCP enhancements:
    - One RTT subflow setup
    - Long-lived MPTCP sessions
    - MPTCP fast open
    [From Build 50.10] [# 435632]
  • SPDY v3 Support
    The NetScaler appliance now supports SPDY v3 with Application Layer Protocol Negotiation (ALPN).
    [From Build 50.10] [# 329669]
  • NetScaler support for D-SACK AND F-RTO
    The NetScaler appliance can now detect spurious re-transmissions by using TCP duplicate selective acknowledgement (D-SACK) and Forward RTO-Recovery (F-RTO). In case of spurious re-transmissions, the congestion control configurations are reverted to their original state. The NetScaler implementation of D-SACK is RFC 2883 compliant and F-RTO is RFC 5682 compliant.
    D-SACK and F-RTO must be enabled on the TCP profile to which you want it to apply.
    To enable these settings by using the CLI:
    > add ns tcpProfile <name> -dsack ENABLED -frto ENABLED
    [From Build 50.10] [# 439129]
  • SNMP Trap for Port Allocation Failures
    NetScaler ADC sends SNMP trap when port allocation fails on the NetScaler. The following SNMP OID is added: dstip (1.3.6.1.4.1.5951.1.1.0.143)
    [From Build 50.10] [# 360334]

Traffic Domain

  • You can now configure rate limiting for traffic domains. The following expression has been added to the NetScaler expressions language for identifying traffic associated with traffic domains.
    client.traffic_domain.id
    You can configure rate limiting for traffic associated with a particular traffic domain, a set of traffic domains, or all traffic domains.
    For more information, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-5-map/ns-nw-ratelimit-td-con.html.
    [From Build 50.10] [# 403748]
  • Features Supported in Traffic Domains
    The following NetScaler features are now supported in all traffic domains configured on a NetScaler appliance:
    * RNAT6
    * IPv4 and IPv6 Forwarding Sessions
    * NAT64
    * NAT46
    You can use the new Traffic Domain (TD) parameter to specify or identify a traffic domain in commands and GUI elements related to these features.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/nw-td-supportd-unsupportd-ns-featurs-con.html.
    [From Build 50.10] [# 383056]

WIonNS

  • You can now optionally configure agCallbackURL from agURL. The agURL would represent the front end Access Gateway (AG) for the client. The agCallback is for communication between Web Interface (WI) and AG. Also, The agCallbackURL is an optional parameter. Use the following command to configure agCallbackURL:
    add wi site /Citrix/new http://agee.citrix.com http://sta.citrix.com -agCallbackUrl http://callback.citrix.com
    [From Build 57.7] [# 508743]

Fixed Issues in Previous NetScaler 10.5 Releases

The issues that were addressed in NetScaler 10.5 releases prior to Build 66.6. The build number provided below the issue description indicates the build in which this issue was addressed.

AAA-TM

  • To unlock an external user account, you must first add that user to the NetScaler ADC, and then run the "unlock aaa user <user name>" command.
    [From Build 51.10] [# 483526]
  • Occasionally a AAA-TM session on one core of an nCore or cluster ADC is not duplicated to other cores. When this condition occurs, counters do not include the session, which causes monitoring and statistics displays to show incorrect information.
    [From Build 52.11] [# 480298]
  • The NetScaler ADC no longer sets the NSC_TMAA session cookie during a secure load balancing virtual server session.
    [From Build 52.11] [# 474918, 502915]
  • The NetScaler SAML service provider (SP) feature now supports SiteMinder.
    [From Build 52.11] [# 488077]
  • If the hostname that sends an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error.
    [From Build 52.11] [# 488015]
  • The AAA-TM SAML service provider (SP) now includes a parameter indicating the trust level assigned to a user authentication request in SAML redirects to the identity provider (IDP). This information enables the IDP to request appropriate authentication credentials.
    [From Build 52.11] [# 484933]
  • In forms-based single sign-on (SSO), if the designated response size is 0, the NetScaler ADC does not search for the complete response, as it normally would for responses with sizes above 0. It therefore fails to find the login form, and forms-based SSO authentication fails.
    [From Build 52.11] [# 493308]
  • AAA now supports SAML HTTP Redirect bindings. These bindings include an HTTP Refresh command and target URL as a base64-encoded SAMLResponse query string parameter in a SAML HTTP GET response.
    [From Build 52.11] [# 482174]
  • When AAA is configured to authenticate users to a Microsoft Sharepoint 2013 server by using NTLM, the user might be prompted to retype his or her credentials even though the user entered those credentials correctly. After the user retypes the credentials, he or she is logged on successfully. The issue is that initially the NetScaler ADC sends an incorrect domain to Sharepoint.
    [From Build 52.11] [# 476885]
  • If, after successful completion of the single factor authentication, the user attempts to access a resource that requires a higher level (level 2) authentication, in some load balancing topologies, the NetScaler ADC might,respond with a generic 404 message. With this fix, if the initial user authentication used single factor authentication, the ADC sends a logon page to prompt the user to again provide credentials for level 2 authentication.
    [From Build 53.9] [# 501883]
  • As part of enhancement for Office365 integration, the NetScaler SAML IDP now sends Destination, SubjectConfirmationData, InResponseTo, and a Conditions section with an Audience field in the SAML Response.
    [From Build 53.9] [# 505951]
  • The NetScaler ADC now offers the ability to configure 16 attributes in an LDAP action. These attributes are sent to the Active Directory (AD) during a user search. These values are extracted and stored. During the user session, they can be invoked/referenced in PI expressions.
    [From Build 53.9] [# 301241]
  • The NetScaler ADC does not handle an authentication request if the incoming base64 decoded kerberos ticket is more than 10 kilobytes. This fix increases the buffer-size limit to accommodate tickets of up to 65 kilobytes.
    [From Build 53.9] [# 505809, 507692]
  • The NetScaler SAMLIDP now offers 16 SAML attributes. Four options are available for configuring each of these attributes to include attribute name, attribute value, attribute friendly name, and attribute URI specification. You can use the Citrix default syntax expressions to set the attribute values.
    [From Build 53.9] [# 460680, 504703]
  • In the NetScaler configuration utility, filtering the active AAA sessions does not work if the filtering is based on Intranet IP addresses. All active AAA sessions are shown, regardless of IP address. With this fix, the configuration utility successfully displays only the AAA sessions active at the IP addresses that you specify.
    [From Build 53.9] [# 446755, 468475]
  • The NetScaler AAA SAML service provider (SP) does not send a SAML logout message to the SAML identity provider (IdP), so users who log onto SAML are unable to log off.
    [From Build 53.9] [# 501565]
  • If a user name or password consists of UTF8 characters, basic authentication fails on the NetScaler ADC. With this fix, the ADC now passes the encoding type in the 401 challenge so that the incoming data is accurately encoded.
    [From Build 54.9] [# 507386]
  • The NetScaler Gateway and AAA-TM now support advanced expressions in SSO (single sign-on). The attribute values that are extracted as part of the authentication "http.req.user.attribute(1..16)" can now be used for setting the username and password credentials. For more information, see http://support.citrix.com/article/CTX200261
    [From Build 54.9] [# 452352, 482255, 495610]
  • If an authentication profile has a space in its name, the NetScaler parser only takes the first part of the string up to the space character as the name of the profile. The NetScaler ADC may fail if during user authentication it comes across another entity that matches this partial string. With this fix, we now use URLencoding for the profile name to accurately process special characters.
    [From Build 54.9] [# 512078]
  • The NetScaler fails to parse incoming assertions if it finds a duplicate Status code tag. As per SAML specification, unlike other tags, the StatusCode tag can come nested within itself. With this fix, the nested StatusCode tags are allowed in the assertion during SAML Authentication.
    [From Build 54.9] [# 523158]
  • NetScaler ADC as a SAML service-provider now supports SAML single logout through the front channel. Only service-provider initiated single logout flow is currently supported. Identity-provider initiated logout is not yet supported.
    [From Build 55.8] [# 517314]
  • When a user attempts to use the two form factor method to log on to AAA-TM, the NetScaler ADC might become unresponsive.
    [From Build 55.8] [# 502710, 522858]
  • When you upgrade the firmware of a HA setup to NetScaler 10.5 Build 56.12, the secondary appliance becomes unresponsive if the primary appliance has active AAA-TM sessions.
    [From Build 56.22] [# 554849, 555618]
  • In a AAA-TM setup that has 401 authentication enabled on the load balancing virtual server, the NetScaler appliance can, in some cases, go down if it receives a malformed authorization header.
    [From Build 56.22] [# 530792]
  • The NetScaler appliance sometimes sends a 401 error message to a client that sent a valid authorization header.
    [From Build 56.22] [# 532675]
  • For Kerberos authentication, due to the reuse of server-side connections, the server does not display the appropriate user's page.
    [From Build 56.22] [# 532861]
  • The NetScaler appliance can fail if the logout of the AAA-TM session is initiated through a traffic policy. The configuration that can lead to this is of the form:
    > add tm trafficAction testAction1 -InitiateLogout ON
    > add tm trafficPolicy testPolicy1 <rule> testAction1
    [From Build 56.22] [# 527651]
  • The NetScaler appliance can crash if there is an authentication failure in 401-based authentication when web authentication is used.
    [From Build 56.22] [# 527131]
  • Currently, the NetScaler appliance does not fallback to NTLM if PKINIT over back-channel fails.
    [From Build 56.22] [# 532718]
  • When doing Kerberos authentication, the nskrb binary may leak memory for each transaction.
    [From Build 57.7] [# 547284, 533888]
  • During an upgrade from NetScaler 10.5 Build 54.x, or earlier releases, to Build 55.x, the NetScaler appliance becomes unavailable if the primary node of the HA pair has any active AAA-TM sessions.
    [From Build 57.7] [# 542327]
  • The NetScaler GUI does not show bindings for SAML policies.
    [From Build 57.7] [# 550885]
  • When traffic domains are used with AAA-TM deployment, user login might fail at times during password change or password challenge messages.
    [From Build 57.7] [# 551205]
  • The NetScaler appliance fails to respond if the SAML Identity Provider (IdP) sends an invalid SAML response with no data or invalid tags.
    [From Build 58.11] [# 563983, 564310]
  • If an organization has users and services in multiple domains, then when doing Kerberos Constrained Delegation, the NetScaler appliance might pick incorrect ticket when accessed in a particular order. This can result in users not being able to access the sites.
    [From Build 59.13] [# 575572, 589222]
  • If AAA-TM is configured to use NTLM authentication, either by itself or as fallback when Kerberos is not available, the NetScaler ADC might become unresponsive when a user attempts to authenticate through NTLM.
    [From Build 59.13] [# 492626]
  • The "show aaa session" command causes a high level of CPU usage when executed with the "-username" or "-group" option.
    [From Build 60.7] [# 577778, 595104, 595185]
  • When a Kerberos ticket in a file (the AAA-TM system stores kerberos TGT in files) has expired, the NetScaler appliance updates the time offset in the request to KDC (Key Distribution Centre). This might cause Kerberos single sign-on to fail. You can remove the cached ticket files from the appliance.
    [From Build 60.7] [# 556464]
  • When IBM Tivoli IdP is used for SAML authentication with NetScaler appliance as the service provider, there could be an issue with SAML assertion verification.
    [From Build 61.11] [# 540396]
  • When the NetScaler appliance is configured as SAML Service Provider (SP), the SAML Identity Provider (IdP) dishonors a logout request that is performed on the traffic management virtual server (load balancing or content switching) that uses a AAA-TM traffic policy.
    This happens because the NetScaler SP sends to the SAML IdP a SAML logoutRequest that contains "Conditions" XML tag.
    [From Build 61.11] [# 613700]
  • In a multi-core NetScaler environment, user sessions sometimes do not get terminated if the decision to terminate is based on a force timeout value that is configured on a TM traffic action.
    [From Build 62.9] [# 610604, 618760, 623053]
  • If AAA-TM logout is configured through a traffic policy on the Netscaler appliance, and the server sends a chunked response, the user encounters an error.
    [From Build 62.9] [# 623005]
  • If the AAA virtual server is configured to an non-ActiveDirectory LDAP server, and an invalid password is used to logon, the NetScaler appliance becomes unresponsive.
    [From Build 62.9] [# 599264, 610045, 618322, 619123]
  • When using AAA-TM on a plain HTTP virtual server with no endpoint features enabled, the NetScaler appliance might acknowledge less data than the client has sent. That might cause some elements of pages to load incompletely, or time out.
    [From Build 62.9] [# 615885]
  • When doing forms based SSO, if the backend server sets a cookie with the login form, NetScaler does not send those cookies to the client. This behavior was observed after a successful forms SSO attempt. This applies to forms based SSO access in both Gateway and AAA-TM products.
    [From Build 62.9] [# 624165]
  • If you use the Kerberos protocol for single sign-on (SSO) to access a back-end server, the NetScaler appliance might fail if heavy traffic causes allocation failures, because the appliance might detect a call to free memory that has already been freed.
    [From Build 63.8] [# 637125]
  • If SAML authentication is used to log on a user, and the SAML action is removed while there are active sessions, addition of a high availability node might cause occasional failures on the secondary node.
    [From Build 63.8] [# 621787]
  • If NetScaler Gateway is deployed with PKINIT as the Single Sign-On (SSO) method, upon upgrade SSO might fail.
    [From Build 64.9] [# 659044]
  • The NetScaler appliance fails if authentication is disabled while user authentication is in progress.
    [From Build 64.9] [# 617370]
  • In a high availability setup, a session does not time out even if a force timeout is configured on a traffic action that is bound to a load balancing or content switching virtual server and a force fail over is performed.
    [From Build 65.11] [# 623053]
  • In a multi-core NetScaler environment, user sessions sometimes do not get terminated if the decision to terminate is based on a force timeout value that is configured on a TM traffic action.
    [From Build 65.11] [# 610604, 618760]
  • The NetScaler appliance does not set cookie to the domain that is configured in the authentication profile specified at the Load Balancing and Content Switching vservers.
    [From Build 65.11] [# 594634]

Acceleration

  • The classic-policy expression used by the default acceleration policy fails to identify an Internet Explorer browser whose signature does not comply with the IE user-agent string standards.
    [From Build 58.11] [# 535130]

Action Analytics

  • The NetScaler crashes due to an issue in hash calculation and comparison of the action analytics records. The crash is observed when the NetScaler receives URLs that differ only in case.
    Examples:
    http://10.217.6.239/TesT/
    http://10.217.6.239/TEST/
    http://10.217.6.239/TEsT/
    http://10.217.6.239/TeST/
    Note post fix:
    Stream analytics record creation will be case sensitive. For example, WWW.GOOGLE.COM and www.google.com will result in two seperate records.
    If this is not desired, stream selector results should be converted to one case. Example:
    add stream selector sel1 HTTP.REQ.hostname.to_lower
    [From Build 53.9] [# 406457]
  • A global flag that tracks stream sessions when the ICMP traffic processing begins is not initiated properly.
    [From Build 61.11] [# 595915, 602701]

Admin Partitions

  • If you remove an admin partition, the NetScaler appliance fails or corrupts an SNMPD packet queue.
    [From Build 63.8] [# 618251]

AppExpert

  • If you use AppExpert templates to create applications or public endpoints that have names longer than 18 characters, an "HTTP 1.1 Service Unavailable" error message is displayed to the users.
    [From Build 55.8] [# 524252]
  • The order in which AppExpert evaluates application units cannot be changed. With this fix, the NetScaler GUI displays a burger icon for each application unit. After hovering over the icon, you can move an application unit up or down in the order of evaluation.
    Navigation: Configuration > AppExpert > Application > Application Unit section
    [From Build 61.11] [# 567425]

AppFlow

  • If you delete an appflow action, the NetScaler ADC might fail.
    [From Build 53.9] [# 499172, 501216]
  • The HTML Injection JavaScript is incorrectly inserted into one of the JavaScript responses sent by the server, causing the page to fail to load.
    [From Build 55.8] [# 472971]
  • When AppFlow for ICA is enabled, the session reconnection can fail because of a handshake error. This issue occurs with Linux Receiver.
    [From Build 55.8] [# 511183]
  • If a NetScaler failover occurs when ICA AppFlow is enabled, the Citrix Receiver reconnect fails because the Citrix Receiver does not support Automatic Client Reconnect (ACR) feature.
    [From Build 55.8] [# 522315, 522265]
  • NetScaler Insight Center displays the WAN latency and DC latency values to be higher than the ICA RTT value.
    [From Build 56.22] [# 539118, 542627, 547563, 554799, 557958]
  • The NetScaler appliance can become unavailable if there is a connection disruption and if the NetScaler is configured to generate AppFlow reports for ICA sessions, and the ICA session reconnects using Session Reliability.
    [From Build 56.22] [# 558848, 559231]
  • If a low-memory condition occurs on a NetScaler multicore appliance on which AppFlow for ICA is enabled, the appliance might fail while processing records.
    [From Build 56.22] [# 540860]
  • If you enable AppFlow for ICA on a NetScaler appliance, the appliance might fail if it encounters a parsing error.
    [From Build 56.22] [# 531876, 492626, 532632, 539504, 541190, 556898, 559960]
  • If you enable AppFlow for ICA, the NetScaler appliance might fail while launching applications from a MAC client.
    [From Build 56.22] [# 534821, 544421]
  • The NetScaler appliance might fail if you clear the AppFlow actions and policies when ICA traffic flows through the NetScaler appliance.
    The NetScaler appliance might also fail in scenarios where there are multiple reconnects from same client.
    [From Build 56.22] [# 544665, 547914, 548297, 555833, 564952]
  • Applications might fail to launch if you enable AppFlow for ICA on a NetScaler appliance and TCP options are present in the ICA packets.
    [From Build 56.22] [# 511618, 527169, 536450, 542715]
  • If the HTML injection feature is enabled, the NetScaler appliance injects JavaScript into responses sent to clients. If a subsequent request from one of the clients is generated from the JavaScript, the appliance responds with a 404 error.
    [From Build 56.22] [# 365404]
  • The NetScaler appliance might fail if, while AppFlow for ICA is enabled, a network glitch disrupts the Citrix Receiver connection and Receiver attempts to reconnect.
    [From Build 56.22] [# 531017, 532712, 544421, 547598, 547984, 548297, 548749, 548771, 549044, 549370, 549511]
  • If you enable AppFlow for ICA on a NetScaler appliance, the appliance might fail if it encounters a parsing error.
    [From Build 57.7] [# 531876, 492626, 532632, 539504, 541190, 556898, 559960]
  • Applications might fail to launch if you enable AppFlow for ICA on a NetScaler appliance and TCP options are present in the ICA packets.
    [From Build 57.7] [# 511618, 527169, 536450, 542715]
  • The NetScaler appliance might fail if you clear the AppFlow actions and policies when ICA traffic flows through the NetScaler appliance.
    The NetScaler appliance might also fail in scenarios where there are multiple reconnects from same client.
    [From Build 57.7] [# 544665, 547914, 548297, 555833, 564952]
  • Applications might fail to launch through a MAC Receiver if:
    -You enable data collection for LAN user mode by configuring a cache redirection virtual server of type HDX.
    -You configure global ICA ports.
    [From Build 58.11] [# 532714, 566994]
  • AppFlow should not export the records for internal connections, like the Kernel RPC. When it attempts to export records for such an internal connection, it leads to AppFlow failure.
    [From Build 58.11] [# 547892, 531101]
  • NetScaler Insight Center displays the WAN latency and DC latency values to be higher than the ICA RTT value.
    [From Build 58.11] [# 539118, 542627, 547563, 554799, 557958]
  • The NetScaler appliance can become unavailable if there is a connection disruption and if the NetScaler is configured to generate AppFlow reports for ICA sessions, and the ICA session reconnects using Session Reliability.
    [From Build 58.11] [# 558848, 559231, 571878]
  • When routes are updated after an AppFlow collector is added, the NetScaler appliance sends ARP requests for the AppFlow collector IP address, even when the collector is reachable only through a router.
    [From Build 59.13] [# 574420]
  • The NetScaler appliance does not perform policy evaluation for traffic other than related to SSL and Load balancing configurations. As a result, the appliance does not create AppFlow records for these traffic.
    [From Build 59.13] [# 552655, 563387]
  • The NetScaler appliance might become unresponsive if a request generated by a client is corrupted after execution of the client-side measurement script. This issue can occur if you enable the client side measurement option for an AppFlow action.
    [From Build 61.11] [# 601915, 601924, 607217]
  • The NetScaler appliance might become unresponsive if you attempt to delete an AppFlow action while the traffic is flowing.
    [From Build 61.11] [# 585914, 613238]
  • When AppFlow for ICA is enabled on a NetScaler appliance in a multicore environment, the Netscaler appliance might become unresponsive.
    [From Build 64.9] [# 647713]
  • If Appflow for ICA is enabled on a NetScaler appliance, the appliance might become unresponsive under certain circumstances during ICA capability negotiation in ICA PROXY mode.
    [From Build 64.9] [# 653385, 655823, 661720]
  • The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command longer than 2048 bytes.
    [From Build 64.9] [# 504990, 508918, 542802, 544209, 577282, 598862, 616785]
  • A NetScaler load balanced server responds with a 411 error code for a corrupted HTTP request.
    [From Build 65.11] [# 629223]
  • If non-http traffic is received on HTTP/SSL virtual servers, the NetScaler instance might become unresponsive.
    [From Build 65.11] [# 636639, 646280, 647656]

AppFlow Insight

  • In cases where NetScaler generates an ACK packet, RTT calculation should be skipped because ACK is not coming from an external entity. This leads to NetScaler failure.
    [From Build 58.11] [# 571035, 573360, 576786]

Application Firewall

  • If you update default signatures on the primary NetScaler ADC in an HA pair, you cannot sync the updated signatures to the secondary ADC.
    [From Build 51.10] [# 486231]
  • On a NetScaler ADC that has the application firewall enabled and the Learning feature enabled for one or more security checks, the Learning module might become unresponsive. When this happens, no additional learning takes place and no recommendations for new relaxations or rules are generated.
    [From Build 51.10] [# 478109, 484323]
  • If you use the configuration utility to make changes to the HTML Cross-Site Scripting check, Allowed/Denied patterns, the application firewall becomes unresponsive after the first POST request it receives after you save your changes. (The Allowed/Denied patterns are accessed through the Modify Signature dialog box.) If you use the command line to make the same changes, no problems occur.
    [From Build 52.11] [# 459031, 463351]
  • If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.
    [From Build 52.11] [# 464641]
  • The application firewall parses multipart forms correctly according to the appropriate RFC.
    [From Build 52.11] [# 479840, 472476, 482042]
  • The application firewall PCI-DSS report does not contain information about the "SQLInjectionCheckSQLWildChars" parameter.
    [From Build 53.9] [# 423150]
  • If a NetScaler ADC receives a request for an object that it cached before the application firewall configuration was modified to add any advanced security check protection, the ADC responds with HTTP Error 503 for subsequent requests to access this cached object, because the object does not contain the expected application firewall metadata. With this fix, the existing cached objects without the required metadata are considered stale and are flushed. The request is served from the origin server and the cache is updated with refreshed data.
    [From Build 53.9] [# 473322, 466491]
  • NetScaler Application Firewall Default Signature object now has rules that can be enabled to protect against Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169) which could allow arbitrary code execution.
    [From Build 53.9] [# 505272, 505039]
  • If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. With this fix, if CSRF or Field Consistency checks are enabled, the URLs in the hrefs are added to the URL Closure table even if startURL Closure is not enabled.
    [From Build 53.9] [# 488369]
  • The NetScaler ADC might fail if a transaction is aborted before the application firewall completes processing the request.
    [From Build 53.9] [# 481899]
  • Signature Bindings Not Shown in PCI-DSS Report
    The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "Not Set".
    [From Build 53.9] [# 443673]
  • If CEF logging is turned on, only the format of application firewall log messages is expected to change, but the format of other logs is also affected, causing problem with their display. With this fix, turning on the application firewall CEF logging does not modify the format or display of other logs.
    [From Build 53.9] [# 476206]
  • During upgrade from release 10 to 10.1, the names of the application firewall learning database files with uppercase or mixed case characters get converted to all lowercase characters. This results in two sets of database files and breaks the learned rule functionality. With this fix, learning data can be successfully retrieved after upgrade for profiles with names in mixed case characters.
    [From Build 54.9] [# 446134, 483207]
  • If a user-created signature has an uppercase character in the name, the application firewall profile bound to the signature is not saved in the configuration during an upgrade from a release 10.1 build to a release 10.5 build. If a user creates a signature name with uppercase characters, release 10.1 stores it that way. But in release 10.5, the signature name is converted to a lowercase string in the database. As a result of the database mismatch, the command to add the application firewall profile fails during an upgrade to a release 10.5 build.
    [From Build 54.9] [# 511657, 512129]
  • If the NetScaler application firewall receives a request with percent-encoded space character, such as "login%20name" for a form field login name, the deployed learned rule containing the encoded character (%20) fails to work as relaxation rule. The security check violation is still triggered. Note that the browser converts the space to a "+" character. For such a request, the corresponding learned rule with "login+name" for "login name" works as expected when deployed as a startURL relaxation rule.
    [From Build 54.9] [# 315183]
  • The NetScaler ADC might display an error message when you bind a classic application firewall policy to a load balancing virtual server or to the global bind point, because classic application firewall policies do not support the "gotopriorityexpression" and "invoke" properties. With this fix, properties that are not supported for application firewall policies are no longer included in the bind command. The binding is now successful, and you can see the bound entities.
    [From Build 55.8] [# 522720]
  • The NetScaler ADC might fail if a request attempts to access uninitialized variable for an application firewall protected resource. This might be seen when the path ends with "/..".
    [From Build 56.22] [# 517750, 530793]
  • The external syslog servers are not able to properly display the audit-log messages from the NetScaler application firewall, because the messages are longer than expected. With this fix, the messages are the correct length.
    [From Build 56.22] [# 528170]
  • Configuration changes in the action settings of the Content Type security check in the application firewall profile are not saved accurately. Changes made by using the configuration utility are not reflected in the command line interface, and vice versa. With this fix, changes made through any user interface are saved and displayed accurately in both the configuration utility and the command line.
    [From Build 56.22] [# 537910]
  • The PCI DSS report is showing version 2 in the Configuration Utility. With this fix, the PCI DSS compliance report is updated with version 3 information.
    [From Build 56.22] [# 452012]
  • The naming convention for application firewall import objects has changed from 10.1 build to 10.5 build. If a user creates a signature name with uppercase or mixed case characters, release 10.1 stores it that way. But in release 10.5, the signature name is converted to a lowercase string in the database. As a result of the database mismatch, these signatures become unusable after the 10.1 build to a 10.5 build upgrade. With this fix, the configuration is migrated accurately during the upgrade.
    [From Build 56.22] [# 539766, 546424, 548286]
  • URL Transformation, SSL VPN, and CVPN features leverage the application firewall processing engine and enforce the content-length check of the built-in dummy application firewall profile. For some transactions, this check truncates the processed data.
    [From Build 57.7] [# 532338, 526029, 539487]
  • The response for an XML GET request might be truncated if, in addition to any of the XML checks, the creditcard or safeobject checks are enabled for the application firewall profile.
    [From Build 57.7] [# 539777]
  • A 64 bit memory leak in the application firewall module might lead to cache misses. The memory leak occurs when the cache is turned on and any of the advanced application firewall security checks are enabled. The application firewall memory leak is now fixed, and the fix resolves the interoperability issue with the cache module.
    [From Build 57.7] [# 549466]
  • Enabling the NetScaler application firewall XML Format check might block the contents of a response when the user accesses an embedded link in some applications. The response might be truncated even when the XML format check is deployed in a non-block mode.
    [From Build 57.7] [# 528902, 558724]
  • The application firewall recommended learned rules for the Start URL security check do not contain the ^ in the beginning and the $ at the end of the URL.
    [From Build 58.11] [# 556847]
  • If a large number of long standing sessions expire and are freed during application firewall processing, a tight-loop condition might occur, causing the NetScaler appliance to fail.
    [From Build 58.11] [# 550657]
  • If a server sends a large value for the viewstate attribute in its HTML response, this value might get truncated during application firewall processing and display an error: "view state MAC fail".
    [From Build 58.11] [# 539487, 526029, 547104]
  • In the RDX Graphical User Interface (GUI), the deploy or skip operation might not work for application-firewall recommended learned rules that contain non-printable characters.
    [From Build 58.11] [# 551621, 549232]
  • When cookie consistency check is deployed in the proxing mode, the application firewall does not expire the cookies as expected. This occurs when the server sends the Set-cookie header without the domain information. Protected resources are vulnerable to access through reuse of these cookies after the session has expired.
    [From Build 58.11] [# 548577]
  • When any form protection check is enabled and the default request content-type parameter of the application firewall profile is not configured, an incoming request without a content-type header is treated as a form, even if it is not a form. The transfer-encoding header gets deleted, and a content-length header gets added, but the request is forwarded to the server as a chunked request. The server is unable to process the chunked data and determines it to be a bad request. With this fix, the form analysis is carried out only when "multipart/form-data", or "application/x-www-form-urlencoded" content type is either specified in the request or set as the default request content type in the profile that is applied when the content-type is not specified in the request.
    [From Build 58.11] [# 559348]
  • During binding a signature to an application firewall profile, the NetScaler appliance might fail when it is under memory pressure.
    [From Build 58.11] [# 559060]
  • In the configuration utility (GUI), selecting the "Remove All Learned Data" action in the application firewall Learned Rules section might not remove the learned data for some of the security checks for the profile.
    [From Build 59.13] [# 549255]
  • During operations that require a large amount of memory, the NetScaler application firewall might not be able to allocate memory for active transactions. The NetScaler appliance might fail under such conditions.
    [From Build 59.13] [# 513506, 574322]
  • The Citrix application firewall silently resets the connection when it receives a malformed or invalid request. With this fix, the application firewall logs such events.
    [From Build 59.13] [# 577742]
  • During application firewall processing, if the length of the pattern in the signature rule is longer than the payload text string currently being searched for a pattern match, the NetScaler appliance might fail. With this fix, application firewall skips such a rule and moves on to process the next signature rule.
    [From Build 59.13] [# 570830, 528946]
  • In 10.5 builds, the application firewall does not support white space character in the name of the imported object. After upgrading a 9.3 build to a 10.5 build, an error message might be displayed when removing an imported object which has white space character in the name.
    [From Build 59.13] [# 549954]
  • When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.
    [From Build 59.13] [# 472476, 418036]
  • When an HTTPS virtual server is processing the traffic, the violation logs that the application firewall generates for a blocked malformed request might show the wrong IP address, and the transaction ID might be shown as zero.
    [From Build 59.13] [# 500933]
  • The application firewall allows you to configure Credit Card security check by offering a set of check boxes to select the credit card(s) to protect. In the 10.5 release, the configuration utility offers this option when you navigate to the profile's relaxation rule section and select the credit card entry in the displayed table. This functionality is missing in the 58.11 build. With this fix, the option to configure Protected Credit cards has been relocated. From build 59.x onwards, you can navigate to the Advanced Settings pane of the target profile and double click Credit Card, or select the row and click Action Settings to display the Protected Credit Card check boxes .
    [From Build 59.13] [# 586016]
  • During an application firewall security check inspection, a compressed response from the server might trigger a violation if the XML format check is enabled. With this fix, the Accept-Encoding request header is removed when the XML protections are enabled. If content compression is enabled on the server, the XML check inspection is bypassed when the server sends a compressed response.
    [From Build 59.13] [# 580273]
  • An attempt to make a copy of the application firewall default signature object might fail in some appliances if there is insufficient space in the /tmp (on MFS, ram disk) folder. With this fix, the intermediary files that are created during the import operation to make a copy of the default signature object are now written in the /var/tmp (on HDD/SSD) that has more space.
    [From Build 59.13] [# 583298]
  • An attempt to make a copy of the application firewall default signature object might fail in some appliances if there is insufficient space in the /tmp (on MFS, ram disk) folder. With this fix, the intermediary files that are created during the import operation to make a copy of the default signature object are now written in the /var/tmp (on HDD/SSD) that has more space.
    [From Build 60.7] [# 583298]
  • The NetScaler appliance might fail when the application firewall is processing the cookie header(s) in an HTTP request. This occurs when the cookie transform action is enabled and all other security checks that apply to establishing a user session are disabled.
    [From Build 60.7] [# 597440]
  • With application firewall enabled, the presence of stale debug printf statements leads to an increase in the latency and CPU usage.
    [From Build 61.11] [# 598829, 621260]
  • Application firewall profiles that are exported and archived from one build cannot be restored to a system running a different build, because changes introduced in the newer releases can lead to compatibility issues. With this fix, the application firewall now logs an error message, in ns.log, if you attempt to restore an archived profile to a different build than the one from which it was exported.
    [From Build 61.11] [# 601064]
  • The StarURL Relaxation rule might not work if the regular expression contains two sets of groups (). The following example shows a relaxation rule with two groups, (nstimmy.deva|abcd) and (login|enter|logout). The PI engine is not able to parse such Regular Expressions.
    Example: ^https://(nstimmy.deva|abcd)\.citrite\.net/admin/(login|enter|logout)/$
    [From Build 61.11] [# 578333]
  • When a new node is added to cluster, the configuration might get pushed to the new node before the imported objects are synced. As a result, the profile configuration might be lost if the profile has signature or other import object bindings. With this fix, a file sync is triggered to pull all the files from the CCO node to all the new nodes of the cluster before the configuration commands are pushed to new node.
    [From Build 61.11] [# 537375, 611422]
  • The application firewall uses a cached PCB pointer to retrieve connection information during asynchronous DHT operation. In a corner case scenario, this stale PCB gets freed which might cause the NetScaler appliance to fail.
    [From Build 61.11] [# 589321, 603432]
  • The application firewall might experience a transient low-memory condition during a traffic surge if advanced security check protections (such as Form Field consistency, CSRF, form tagging and so on, which require rewriting the HTML forms in the response) are enabled for the profiles. This might result in a memory leak, and memory allocation failures might occur even after the traffic surge subsides.
    [From Build 61.11] [# 598776, 597952]
  • If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.
    [From Build 61.11] [# 372768]
  • When the application firewall signature has upper case or mixed case characters in the name, the configured profile bindings for such a signature are not displayed in the signatures pane in the configuration utility.
    [From Build 62.9] [# 561845, 620915]
  • If learning thresholds for the application firewall security checks are set to a value greater than 1, the configuration utility displays the following error message when you try to access the learned data: "communication error with aslearn."
    [From Build 62.9] [# 622678]
  • In NetScaler web application firewall high availability deployments, application firewall sessions are not cleaned up on the secondary node. As a result, memory usage increases on the secondary node.
    [From Build 62.9] [# 612284, 619056]
  • If you use the Mozilla Firefox browser to access the NetScaler GUI, you cannot make changes to the application firewall configuration.
    [From Build 62.9] [# 619978]
  • The Skip operation for the application firewall learned rules might take longer than expected.
    [From Build 62.9] [# 547978]
  • If a client submits a form that includes a field named "as_fid", and the application-firewall profile has signatures enabled, the signatures might block form submissions from that client.
    [From Build 62.9] [# 628525]
  • Starturl relaxations might not work if regex expressions use grouping for matching multiple terms. The URL might not get matched against all the terms in the group.
    [From Build 62.9] [# 628789]
  • The import command to import an application firewall profile does not work, when the NetScaler appliance is deployed in a high availability set-up.
    [From Build 62.9] [# 560676]
  • When you use the NetScaler GUI to perform the Skip operation, the application firewall learned rules might not be deleted. This occurs because NITRO is sending wrong "Location" ("Field") data to the GUI. With this fix, the GUI converts "Field" into "FORMFIELD," and the Skip operation removes the skipped rules, as expected.
    [From Build 62.9] [# 603473]
  • Application Firewall memory allocation errors might occur if the license on the NetScaler appliance restricts the number of packet engines.
    [From Build 62.9] [# 621798]
  • The NetScaler appliance might fail when application firewall is attempting to log messages regarding the user's session but the source string is NULL due to memory corruption.
    [From Build 63.8] [# 635738]
  • When an application firewall signature object from an earlier release is imported to the NetScaler appliance using the CLI, it might not display the version of the existing *Default signature object. It might display an older version, even though during the import, the version gets updated to the same version as the version of the existing *Default signature object. However, if the same object is imported using GUI, the version reflects the version of the *Default signature object. This is a display issue and is only observed when CLI is used to import an object.
    [From Build 64.9] [# 614173]
  • If the HTML response page contains a pair of hyphens (--) in the comment tag, the NetScaler appliance might parse the response page incorrectly. This could result in a violation.
    [From Build 64.9] [# 648104]
  • A NetScaler AppFirewall appliance might run out of memory, because firewall sessions might not get cleaned up in a high availability environment if sync or propagation is disabled or the software versions running on a pair of nodes do not match. This is due to DHT not being able to clean up entries properly.
    [From Build 64.9] [# 646293, 645547, 658502]
  • If a user-created signature name includes a space, the application firewall profile bound to the signature is not saved in the configuration after you upgrade to release 10.5 build 63.8.
    [From Build 64.9] [# 647080]
  • The name of a user defined signature object must not contain a hash-mark character (#), but the feedback message lists it as an allowed character.
    [From Build 64.9] [# 648010]
  • Applications might not load properly when the memory_max_allowed value for the AppFW pool is low. This low memory condition can also cause memory allocation errors that result in numerous connection resets.
    [From Build 64.9] [# 649031, 651536]
  • A NetScaler appliance fails under the following set of conditions:
    - The appliance is configured to log for parsing errors in XML responses, and the configuration includes a confidential field. Webform fields can be designated as confidential fields to protect the information that users type into them.
    - The appliance receives a request in which query parameters are set.
    - A parsing error occurs during processing of the XML response.
    [From Build 64.9] [# 658561, 639647]
  • Under high memory utilization, the NetScaler appliance fails if you try to bind trusted learning clients to an application firewall profile. The following command might not work if the appliance is running low on memory.
    bind appfw profile <profile_name> - trustedLearningClients
    [From Build 64.9] [# 657009]
  • If memory corruption results in a NULL source string, the NetScaler appliance might fail if the application firewall attempts to log messages about the user's session.
    [From Build 64.9] [# 635738]
  • The NetScaler appliance fails if the signature match function accesses invalid memory while matching signature rules.
    [From Build 64.9] [# 643854]
  • The application firewall allows configuring default field format parameters. The valid range for the maximum field format length is 1-65535. The GUI as well as CLI currently accepts zero as input even though zero is outside the allowed range.
    [From Build 64.9] [# 608010, 603763, 629859]
  • Executing force sync operation using the nssync -s command from the shell triggers NetScaler appliance reboot and crash. The nsnetsvc crash occurs when the import filename length exceeds MAX_FILE_PATH_LEN.
    [From Build 65.11] [# 657920]
  • The Onhover pattern has been added to the default list of cross-site scripting (XSS) denied patterns that the Application Firewall looks for when scanning traffic.
    [From Build 65.11] [# 665595]
  • The Application firewall signature rule #14990 has an PCRE expression pattern to detect the presence of violation string in Accept-Charset header. This expression is computationally intensive and results in generation of log message "PCRE match limit exceeded with regex...". With this fix, rule #14990 is deprecated and replaced by a new signature rule #999972 which now has an optimized PCRE expression. The new rule #999972 shows the source as snort and the snort ID as 14990.
    [From Build 65.11] [# 669824]

Cache Redirection

  • An invalid HTTP request received on a cache redirection virtual server configured on the NetScaler ADC is sent to the cache server. This results in errors and degraded performance.
    With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.
    [From Build 53.9] [# 497866, 502366]
  • Applying multiple ACL rules causes excessive consumption of CPU cycles. As a result, the NetScaler ADC might become unresponsive.
    [From Build 53.9] [# 502366, 505091]
  • The NetScaler ADC fails if the cache redirection virtual server and the httpport parameter point to the same service. For example, the following configuration causes the ADC to fail:
    set ns param -httpport 80
    add cr vserver cr1 http * 80
    set cr vserver cr1 -listenpoliciy "client.ip.src.eq(1.1.1.1)"
    [From Build 55.8] [# 509690]
  • In a fully transparent CR deployment if a client sends two HTTP GET requests for the same connection, the first connection to the CACHE is closed when the second GET request is received. This happens because a specific flag is set to open new connection which forwards the second GET request to the cache. Since the first connection for the same 4 tuple is still open, NetScaler sends a reset signal.
    Fix: Do not set the flag to initiate the connection for the second GET request, since the previous connection already exists.
    [From Build 58.11] [# 541395]
  • The Cache Redirection configuration is deleted when the NetScaler appliance is rebooted.
    [From Build 60.7] [# 432311, 582383]

Cache Redirection/NetScaler Gateway

  • When performing DNS resolution, the NetScaler appliance fails because of an ASYNC block if the appliance is configured as a forward proxy for cache redirection or if it tries to access a CVPN resource.
    [From Build 54.9] [# 486578, 491485, 502030, 519399]

CloudBridge

  • IPv6 management access was blocked when it arrived on an accelerated bridge.
    [From Build 58.11] [# 558960]

CloudBridge Connector

  • Traffic latency might be greater than 100 milliseconds in a CloudBridge connector tunnel between two NetScaler appliances.
    [From Build 52.11] [# 498541]
  • In a CloudBridge connector tunnel between two NetScaler appliances, encrypted IPSec packets might get re-segmented, causing the NetScaler to become unresponsive.
    [From Build 53.9] [# 496942]
  • Memory leaks might occur on NetScaler ADCs connected to a CloudBridge Connector tunnel when one of the ADCs sends monitor probes, through the tunnel, to a service that is bound to an HTTP or SSH load balancing virtual server.
    [From Build 54.9] [# 512191, 513775]
  • When the state of a CloudBridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.
    [From Build 54.9] [# 440781]
  • With the L2 mode enabled, if a packet is sent on a PBR based plain IPSEC (not GRE) tunnel, and an ARP broadcast is sent over the same tunnel, the NetScaler ADC fails.
    [From Build 57.7] [# 534625]
  • In a CloudBridge Connector tunnel between a NetScaler appliance and the Amazon AWS cloud, Security Associations (SA) lifetime is not negotiated between the CloudBridge Connector endpoints. As a result, multiple SAs are created at both endpoints, causing traffic loss in the tunnel.
    [From Build 57.7] [# 525643, 537896]
  • A CloudBridge Connector tunnel configuration between a NetScaler appliance and the Microsoft Azure cloud fails, because Perfect Forward Secrecy (PFS) is enabled by default on the NetScaler appliance and currently cannot be disabled. PFS must be disabled to configure a CloudBridge Connector tunnel between the appliance and the Microsoft Azure cloud.
    [From Build 58.11] [# 537995]

Cluster

  • In a cluster setup, if a NSVLAN is configured, you cannot bind a VLAN to a traffic domain.
    [From Build 54.9] [# 517663]
  • If you upgrade a node in a cluster to NetScaler 10.5 build 54.9 or later while the other nodes are running an earlier build, the node being upgraded might stop responding.
    [From Build 56.22] [# 543117, 511764, 544264]
  • The load balancing configurations of a cluster node that is shut down are not available when you access the cluster configuration coordinator through its NetScaler IP address, instead of through the cluster IP address.
    [From Build 56.22] [# 522245]
  • In a cluster, for services that need probing, SYN packets are processed locally (on the flow receiver) even though syncookie is disabled. Therefore, the NetScaler 10.5 54.x and 55.x builds are not suitable for cluster deployment.
    [From Build 56.22] [# 539657]
  • NetScaler cluster nodes may send a large number of ARP requests if a large number of ARP entries are learned over a cluster LA interface.
    [From Build 56.22] [# 519327, 542633]
  • In a cluster setup, HTTP profile configurations are lost when a cluster node is rebooted.
    [From Build 59.13] [# 570877]
  • On a low bandwidth system, you get the following message when running the showtechsupport feature with the scope configured for the cluster:
    "This is a low bandwidth instance. Showtechsupport cannot be run with scope cluster. Please execute showtechsupport on each node."
    [From Build 59.13] [# 543558]
  • During an upgrade from a NetScaler 10.1 build to a NetScaler 10.5 build, running the "show audit messages" command can cause the NetScaler appliance to fail.
    [From Build 60.7] [# 546038]
  • A NetScaler cluster does not respond to cURL HTTP requests from outside the datacenter, because the Path MTU Discovery (PMTUD) mode gets disabled when a cluster is created.
    [From Build 61.11] [# 541223]
  • Important! Every NetScaler command is internally assigned a unique ID.
    For some commands like 'add cs policy' and 'add server', the unique ID generated on the cluster configuration coordinator (CCO) already exists for another command of same type in a non-CCO node. Therefore, the command execution on the non-CCO node fails.
    [From Build 62.9] [# 614718, 615459]
  • The VRRP Feature does not work in a cluster setup that includes a node with a node ID of zero (0).
    [From Build 62.9] [# 618663]

Clustering

  • If a load balancing server is trying to synchronize its states, occasionally one or more cluster nodes might get stuck in a Service state. As a result, the other nodes in the cluster might be unavailable, which leads to an improper cluster formation.
    [From Build 64.9] [# 651828]

Command Line Interface

  • The command line interface fails when a non-nsroot user without superuser permission executes the "show techsupport" command from the command line interface.
    [From Build 51.10] [# 488781]
  • The rbaOnResponse system parameter fails to work after you upgrade NetScaler ADC nCore or nCore VPX from version 9.3 to 10.x.
    [From Build 52.11] [# 480639]
  • The user monitor scripts that use SOAP::Lite might not work.
    [From Build 54.9] [# 503214]
  • NetScaler ADC fails to run the commands that have arguments accepting string values and starting with a hyphen (-).
    For example, NetScaler ADC fails to run the following command because the expected value is a string for uat argument that begins with a hyphen.
    bind policy patset ps_adi_any_robots_deny -uat -index 1
    [From Build 56.22] [# 508618, 508815]
  • Superusers, besides nsroot are not allowed to redirect the shell output from the NetScaler CLI. This issue is now fixed.
    [From Build 57.7] [# 543702]
  • A customized CLI prompt is not persisted after rebooting the appliance.
    [From Build 60.7] [# 583625]
  • The NetScaler CLI exhibits the following issues on running the "show" and "stat" commands on a service group.
    - When using the "show servicegroup -includeMembers" command: This command lists only one service per service group, although more than 1 service are bound to the service group(s).
    - When using the "stat servicegroupMember <ServiceGroupName> <Service-IP-address> <port>" command: This command does not work if you specify the <Service-IP-address>. Instead, you must specify the <Service-Name>.
    [From Build 63.8] [# 554652, 596571]

Configuration Utility

  • When configuring a Web Interface on NetScaler (WIonNS) site by using the configuration utility, you cannot modify the NetScaler Gateway URL if the SSL certificate that is bound to the VPN virtual server is a wildcard (has an *).
    [From Build 51.10] [# 490027, 489788]
  • Java Runtime Environment (JRE) does not work on Internet Explorer version 10.
    [From Build 51.10] [# 482135]
  • When using the XenApp/XenDesktop wizard, when you click on "Getting Started", you get an error message that says that you need a AAA license. Therefore, you cannot proceed with the wizard. In an ideal case, the AAA license is not needed when using the wizard.
    [From Build 51.10] [# 488199]
  • The "XenApp and XenDesktop" wizard is not available in the configuration utility when the appliance is a part of a cluster.
    [From Build 51.10] [# 483517]
  • The "STA Auth ID" property is not shown along with the details of the STA Server.
    [From Build 51.10] [# 482609, 485852]
  • Some usability issues while configuring content switching by using the NetScaler configuration utility.
    [From Build 51.10] [# 491215]
  • The NetScaler graphical user interface (GUI) has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration. The configuration settings have been classified as basic and advanced for some features. The NetScaler ADC configuration utility and NetScaler Gateway configuration utility has also been reimplemented in HTML. As a result of these enhancements, the GUI does not display pop-up dialog boxes for most features and you no longer need Java Runtime Environment (JRE) to access these features through the GUI.
    For more information, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-5-map/ns-rn-changes-gui-10-5-con.html
    [From Build 51.10] [# 251336, 251607, 251645, 251760, 251797, 257879, 257949, 261240, 261339, 285382]
  • In the configuration utility, you cannot apply an SSL profile to an SSL VPN virtual server.
    [From Build 51.10] [# 484583]
  • The configuration utility might display an error message while adding IPv6 routes in non-default traffic domains.
    [From Build 52.11] [# 499592]
  • After installing Java, if you disable Java on the Java Control Panel, the graphical user interface (GUI) applet remains blank.
    [From Build 52.11] [# 460020]
  • If you have configured Mobile Device Manager by using the XenMobile wizard in release 10.1.e build, and then upgraded to release 10.5, the service configuration does not appear in the configuration utility.
    [From Build 52.11] [# 493946]
  • The default value for packet count is 45, and the default Encryption Trigger Timeout is 1 ms, but the configuration utility displays both values, incorrectly, as 0.
    [From Build 52.11] [# 494915]
  • A NetScaler ADC displays a Java error if you access it by using an sshd connection.
    [From Build 52.11] [# 451546]
  • To display the newly added HTML imports, you have to refresh the page on the browser.
    [From Build 52.11] [# 441408]
  • The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128.
    [From Build 52.11] [# 490142]
  • The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128 .
    [From Build 53.9] [# 490142]
  • After the first reboot of a cluster setup that has large configurations, the NetScaler ADC takes more time to load those configurations and to log you on.
    [From Build 53.9] [# 483442]
  • The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.
    [From Build 53.9] [# 456428]
  • If you configure a NetScaler Gateway wizard, and you upload a certificate that does not belong to the current chain, the configuration utility does not display any warning message.
    [From Build 53.9] [# 482804]
  • An error message appears if you try to replace an SSL client certificate that is bound to an SSL service.
    [From Build 54.9] [# 514538, 513837]
  • If an unauthorized user logs on to a NetScaler ADC. the ADC displays the following error message:
    "Error in retrieving version. Cannot read property 'replace' of undefined".
    [From Build 54.9] [# 517146, 513730]
  • If, in the NetScaler configuration utility, after you navigate to AppExpert > Responder> Policies and click "Hide built-in responder policies" or "Show built-in responder policies," the page does not immediately refresh, and continuous clicking prevents the page from refreshing.
    [From Build 54.9] [# 496336]
  • To create a certificate signing request, you must click "Create Certificate Signing Request (CSR)" on the SSL overview page for each CSR. To view or manage your CSRs, click "Manage Certificates / Keys / CSRs" under Tools on the SSL overview page.
    [From Build 54.9] [# 503590]
  • The statistics of service group members do not appear correctly in the configuration utility.
    [From Build 54.9] [# 521579, 508630, 519918, 521983]
  • If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
    [From Build 54.9] [# 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361]
  • If you create a GSLB service by using a server name with alphanumeric characters, the server name does not get converted to a server IP address, and the server IP address value is null. As a result, GSLB synchronization fails.
    [From Build 54.9] [# 501644, 505641, 509379]
  • The graphical user interface (GUI) does not display the following search fields on the Cache Objects page:
    * HTTP Status Code
    * Ignore Marker Objects
    * Include-Not Ready Object
    [From Build 54.9] [# 447915]
  • If you bind a CA certificate to a load balancing virtual server using the configuration utility, the Link Certificate view is not displayed in the foreground.
    [From Build 54.9] [# 485539, 502285]
  • The NetScaler Graphical User Interface does not support the search functionality to search records in the file browser.
    [From Build 55.8] [# 503589]
  • Evaluating an advanced expression on different browsers gives different results. This issue arises because the sample payload gets changed on different browsers.
    [From Build 55.8] [# 524123, 521279]
  • Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the "Create Persistency Group" dialog box list that appears when you click the "Name" button in the list "Create Content Switching Action" dialog box "Content Switching > Actions > Add).
    [From Build 55.8] [# 353015]
  • When you are configuring an admin partition, the state of the LACP channel is incorrectly displayed in the list of channels (Network > Channels). This issue is not present in the default partition.
    [From Build 55.8] [# 517606, 518444]
  • If you use the configuration utility to update an existing certificate-key pair (load the updated certificate or key using the same certificate-key file name), the old details continue to appear until you restart the appliance.
    [From Build 56.22] [# 533255]
  • If, while using the configuration utility to create a service group member for a load balancing service group (Traffic Management > Load Balancing > Service Groups), you specify the port value as a wild card (*), the Configure Service Group screen displays an incorrect value.
    [From Build 56.22] [# 530025]
  • NetScaler authentication fails if you use special characters such as %0 or %1 in the password.
    [From Build 56.22] [# 505536]
  • The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you enter an incomplete file path consisting folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.
    [From Build 56.22] [# 483226]
  • NetScaler authentication fails if you use special characters such as & or ; in the password.
    [From Build 56.22] [# 542557, 542644, 544420, 547508]
  • After you create a virtual server by using the XenApp and XenDesktop wizard, if you delete the virtual server and restart the appliance, the deleted virtual server still exists.
    [From Build 56.22] [# 524975]
  • The Upgrade Wizard does not work intermittently in some browsers in NetScaler 10.5 Build 56.12. This issue is fixed in NetScaler 10.5 Build 56.15.
    [From Build 56.22] [# 544588, 557380]
  • In the configuration utility, you cannot create a virtual server with port number 0.
    [From Build 57.7] [# 547877]
  • The Create Rewrite Action screen (AppExpert> Rewrite> Actions> Add) does not list the correct descriptions for some Action Types.
    [From Build 57.7] [# 553583]
  • The user expression and password expression fields of a TM traffic action cannot be configured through the configuration utility.
    [From Build 57.7] [# 489894]
  • On the Configuration Utility, the Downloads page does not have the Gadgets option anymore.
    [From Build 57.7] [# 544420]
  • When you open a content switching policy in the configuration utility (Traffic Management > Content Switching > Policies), an editing window appears unexpectedly.
    [From Build 58.11] [# 558656]
  • If you are binding classic policies, set empty values for the "Gotoexpression" and "Invoke" columns as these parameters are not applicable for classic policies.
    [From Build 58.11] [# 454246, 478532, 500166]
  • The system backup and restore functionality is not available on the Cisco NetScaler GUI.
    [From Build 58.11] [# 553373]
  • If you create an SSL RSA key by using the NetScaler configuration utility, the default public exponent value incorrectly appears as 3.
    [From Build 58.11] [# 561151]
  • The configuration utility does not display a No Policy button in the binding section of policy label configuration at System > AppFlow > Policy Labels.
    [From Build 58.11] [# 558893]
  • The Upgrade Wizard sometimes does not display a message when the appliance is rebooting. However, the NetScaler appliance reboots and the upgrade is successful.
    [From Build 59.13] [# 557379]
  • An issue with the file download manager handler had with large files has been fixed.
    [From Build 59.13] [# 586879]
  • If the number of interfaces that you created are more than eight, the Reporting tab in the configuration utility displays only eight interfaces to be monitored.
    [From Build 60.7] [# 494804]
  • The connection to the appliance might be lost while generating the support file.
    [From Build 60.7] [# 531628, 543400, 567392, 585451]
  • You cannot add user-defined values for the user name and group name fields on the Authentication CERT Profile page.
    With this fix, you can specify a user-defined value by navigating to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > CERT > Profiles or NetScaler Gateway > Policies > Authentication > CERT > Profiles and selecting New in the User Name Field list and the Group Name Field list.
    [From Build 61.11] [# 597708]
  • If you are using the configuration utility to run diagnostics on the NetScaler appliance, you cannot specify a traffic domain.
    [From Build 61.11] [# 609334]
  • The Upgrade Wizard sometimes does not display a message when the appliance is rebooting. However, the NetScaler appliance reboots and the upgrade is successful.
    [From Build 63.8] [# 557379, 585649, 609615, 617161, 646039]
  • If you create a cipher group and do not add any ciphers to it, an error message appears when you try to open the cipher group in the configuration utility.
    [From Build 65.11] [# 604646]

Content Optimization

  • If you enable FEO and the Web traffic that reaches NetScaler has "//" at the beginning of the URL, then NetScaler may not respond as intended.
    [From Build 55.8] [# 529356, 533790, 534403]

Content Switching

  • If an invalid HTTP request that spans multiple TCP segments is sent to a content switching virtual server, the NetScaler ADC might skip the load balancing decision and initiate a connection from the SNIP address to the content switching virtual server. This can cause the ADC to fail.
    To prevent this problem, the ADC closes the client connection when this situation arises.
    [From Build 54.9] [# 501856]
  • If you perform the following sequence of actions, the second command fails when the restart process runs the commands, because that process adds the gotopriorityexpression to the second binding:
    1. Bind a policy to a content switching virtual server and specify a gotopriorityexpression.
    2. Bind a filter or compression policy to another content switching virtual server without specifying a gotopriorityexpression.
    3. Save the configuration and restart the appliance.
    [From Build 55.8] [# 523636, 532832, 533690]
  • If you use the configuration utility to edit a URL-based content switching policy that is bound to a content switching virtual server, an error message appears, stating that the binding already exists. You must first unbind the policy from the virtual server, and then edit it while rebinding it to the same virtual server.
    [From Build 58.11] [# 555497]
  • If you bind a policy to a content switching virtual server, the ?-invoke policylabel? option is automatically appended to the bind command. This might cause a loss in the configuration after the appliance is restarted.
    [From Build 58.11] [# 547174]
  • If a large number of content switching policies are bound to a content switching virtual server, using the configuration utility to bind a new policy without explicitly assigning a priority might result in the policy being assigned the priority of the first policy on the next page of the display. Since a policy is already assigned that priority, an error message stating that the priority is already used appears.
    [From Build 61.11] [# 601203]
  • In certain cases, if the state of a load balancing virtual server changes, the NetScaler appliance might fail while changing the state of the associated content switching virtual server.
    [From Build 62.9] [# 522510, 528782, 538223, 552913, 602829]

DNS

  • Statistics do not appear correctly for a DNS load balancing virtual server.
    [From Build 51.10] [# 462862]
  • The DNS cache entries are not flushed if the DNS caching feature has been disabled for approximately 250 days.
    [From Build 52.11] [# 471707]
  • If a server sends a NODATA response that has CNAME record in the answer section and no records in the authoritative and additional sections, the response is marked for CNAME caching on the NetScaler ADC, because it is incorrectly assumed to be a referral response. As a result, the ADC sends a blank response to subsequent queries, of any query type, for the canonical name.
    [From Build 52.11] [# 477552]
  • If the number of records in a DNS response for a domain exceeds the Netscaler ADC limit, or if one of the records in the response contains invalid data, the NetScaler ADC does not cache the response. As a result, DNS resolution using NetScaler nameserver entities fails.
    [From Build 52.11] [# 437529]
  • If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.
    [From Build 53.9] [# 382478]
  • When a NetScaler ADC is deployed as a DNS server with caching enabled, and "flush dns proxyRecords" is used when the ADC is serving a large volume of traffic and has a large number of records in its cache, the ADC might fail.
    [From Build 53.9] [# 484069]
  • Non-standard query packets are altered before they are forwarded to back-end servers, which causes the server to respond with a "FORMAT error" message.
    [From Build 59.13] [# 559064]
  • If caching is enabled, records present in the additional and authoritative section of a response are cached. If a request for the same records is answered by DNS cache, the Authoritative Answer (AA) bit is not set in the response but if the request for the same records is answered by querying the back-end server then the AA bit is set in the response.
    [From Build 59.13] [# 543222, 257952]
  • If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.
    [From Build 60.7] [# 382478]
  • If, while a DNS-TCP client request is in surge queue, the NetScaler appliance receives a FIN from the client and responds with a FIN or ACK before the queued request is forwarded to the backend server, the appliance might fail.
    [From Build 60.7] [# 581723]
  • A DNS key cannot be created by using the default units for the "Expires" or "Notification Period" fields.
    [From Build 61.11] [# 512372]
  • If a NetScaler appliance in DNS resolver mode is configured to resolve queries with suffixes, the appliance fails if there is no address record for the NS record associated with one of the suffixes.
    [From Build 61.11] [# 605861]
  • When the NetScaler appliance receives a DNS TCP packet that has dnspayloadlen as zero, the NetScaler appliance might dump core memory.
    [From Build 65.11] [# 666803]
  • A NetScaler appliance might fail while performing DNSSEC offloading if insufficient memory results in memory allocation failures.
    [From Build 65.11] [# 594535]
  • If the DNS server from which the cached DNS records are being served goes DOWN, the proactive DNS update queries are redirected to the back-end server.
    [From Build 65.11] [# 660562]

DataStream

  • If you use SQL server driver for SQL Server 2000 SP1, the databases are not enumerated for Kerberos authentication on the NetScaler ADC, because the ADC does not process the SSPI packet correctly.
    [From Build 54.9] [# 507709]
  • The NetScaler ADC fails if source IP persistence is enabled on a MySQL or MSSQL virtual server that is receiving traffic.
    [From Build 54.9] [# 510805, 516687]
  • The NetScaler appliance fails if both of the following conditions are met:
    - The appliance is configured in transparent mode.
    - The appliance performs Windows authentication for MSSQL requests.
    [From Build 56.22] [# 539922]
  • A NetScaler client becomes unresponsive if:
    1. The NetScaler appliance receives the complete response to the client's query from the server.
    2. At the same time, the client sends an attention packet to the appliance.
    The client becomes unresponsive because the appliance closes the server-side connection but does not send the client a response to the attention packet.
    [From Build 62.9] [# 560401]
  • If the NetScaler appliance receives a prelogin message request from a Visual Studio 2015 client, it sends an incorrect response. As a result, the client becomes unresponsive.
    [From Build 62.9] [# 613239, 616404]
  • The DataStream feature does not work if you use a MySQL database at the back end.
    [From Build 65.11] [# 629504]

Front End Optimization

  • If you define an FEO policy to match only the HTML traffic, the domain sharding configuration in the policy's action is lost when the policy is triggered.
    [From Build 55.8] [# 529329]

GSLB

  • If a GSLB domain is queried through VPN, NetScaler fails.This issue is fixed in this release.
    [From Build 51.10] [# 488161]
  • In rare cases, high management-CPU usage occurs and a large number of error messages appear in the log file. As a result, queries to the location database might fail, and the backup load balancing method is used for site load balancing.
    [From Build 52.11] [# 453144, 455417]
  • Configuring a hash based backup load balancing method on a GSLB virtual server might cause the NetScaler ADC to fail if traffic triggers the backup method.
    [From Build 53.9] [# 496676]
  • If you change the GSLB configuration while the GSLB feature is disabled, the NetScaler ADC might process some stale messages when you enable the feature. As a result, the ADC might dump core and restart.
    [From Build 53.9] [# 485811]
  • If you force synchronization of the GSLB configuration, the non-default settings on the RPC node are lost. As a result, the GSLB auto-sync functionality is lost.
    [From Build 54.9] [# 497412]
  • If you have deployed the NetScaler ADC in a high availability (HA) setup in INC mode, you cannot leverage a SNIP address to host the ADNS Service or a site IP address, because these addresses do not float across the HA nodes. An independent site IP address with SSH enabled is required. With this fix, SSH can be enabled on an independent site IP address.
    [From Build 54.9] [# 505546, 505526, 523055]
  • Synchronization of the GSLB configuration fails if the RPC-node password of the GSLB sites contains an exclamation point (!).
    [From Build 54.9] [# 511192, 511521, 524390]
  • If the length of the domain name bound to a GSLB virtual server exceeds 31 characters, the domain name is displayed as HASHED STRING during an SNMP MIB Walk operation.
    [From Build 55.8] [# 511878]
  • If the disablePrimaryOnDown parameter is configured on the primary GSLB virtual server, the primary GSLB virtual server remains in DISABLED state even after its health state is UP. The backup GSLB virtual server continues to serve the traffic until HA failover or you manually enable the primary GSLB virtual server.
    [From Build 55.8] [# 517961]
  • The NetScaler ADC fails if a VPN session action, a WI home page, or DBS services are configured with a domain name that at the same time is managed by a GSLB virtual server configured with static proximity or RTT load balancing methods.
    [From Build 55.8] [# 433094, 469937, 517974]
  • The show gslb service command now displays the following values related to the GSLB service:
    -Last State Change
    -Time since last state change
    -Client and Server idle timeout
    [From Build 55.8] [# 498854]
  • All GSLB features except DNS views, auto sync, and static proximity are supported for IPv6.
    [From Build 56.22] [# 519589]
  • If a spillover policy is bound to a GSLB virtual server of type UDP, the show ns runningConfig command does not display the policy binding. The policy binding functions properly, but the configuration might be lost if a failover occurs or if the appliance is restarted.
    [From Build 56.22] [# 528060]
  • If you set the backup load balancing method to the same method that is already configured, the backup load balancing method defaults to round robin.
    [From Build 56.22] [# 531553]
  • GSLB synchronization fails if you change the RPC node passwords.
    [From Build 56.22] [# 497338, 516259, 522602, 548845]
  • Loading a new location file that has a coordinate outside the correct range (-90 to +90 latitude or -180 to +180 longitude) can cause the appliance to fail.
    Recommendation: After loading any location file, use the command, "show locationparameters" to get a summary of the coordinates loaded and any parsing errors. The specific problems are reported in /var/log/ns.log.
    [From Build 58.11] [# 550294]
  • If you have configured the canonical name as the GSLB domain in NetScaler appliance, when the backend server returns the CNAME record without the requested record, NetScaler appliance changes the TTL value of the GSLB domain with the TTL value of the CNAME record.
    [From Build 59.13] [# 582925]
  • GSLB virtual server configured with Dynamic Proximity as LB method fails.
    [From Build 59.13] [# 578969]
  • If a server entity (for example, a server IP address or server name) is associated with both a GSLB entity and a non-GSLB entity on a GSLB site, and the GSLB configuration is synced to another site that does not include this server entity, the synchronization removes the server entity and all other entities associated with that server.
    [From Build 61.11] [# 590336]
  • In the GUI, on the GSLB statistics page, the local site MEP state is always displayed as DOWN instead of as a blank field.
    [From Build 62.9] [# 617267]
  • The NetScaler appliance fails if you run the "show gslb domain" command on a non-gslb domain record.
    [From Build 62.9] [# 618789]
  • When the MEP connection between two GSLB sites is reestablished after going down, the connection becomes active immediately, but the NetScaler GUI and CLI do not show it as UP for about 9 seconds.
    [From Build 62.9] [# 615886]
  • The GSLB synchronization command sync gslb config displays incorrect information when used with the -preview argument.
    [From Build 63.8] [# 537944]
  • In a GSLB deployment, if monitors are bound to GSLB services and the trigger monitor is set to MEP_DOWN. The remote GSLB services are incorrectly marked as down when MEP goes down due to temporary network outage but the MEP connection is still active.
    [From Build 63.8] [# 610065]
  • In a GSLB high availability setup, if a node stays in secondary state for more than 249 days, the service state might not be updated on this node after it becomes the primary node.
    [From Build 65.11] [# 658093]
  • The MEP connection for site metrics goes DOWN if the dynamic RTT and GSLB server persistence features are unused for more than 249 days. In some cases, however, the MEP connection for site metrics remains UP, but the MEP connection for network metrics goes DOWN.
    [From Build 65.11] [# 658890]

Graphical User Interface

  • If you enable NTP synchronization on a NetScaler ADC, the ntpd service binds to port 3010. The binding causes resource conflicts, because the port was reserved for the nsnetsvc service.
    [From Build 54.9] [# 502309, 503357]

HTML Injection

  • The JavaScript inserted by NetScaler ADC for obtaining client side measurements contains a syntax error. This interferes with page rendering which leads to Outlook Web App displaying error popups.
    [From Build 55.8] [# 518072, 518272]

High Availability

  • By default, HA synchronization enables the following features and modes on the secondary appliance:
    - Features: Web logging (WL) and surge protection (SP)
    - Modes: L3 and Edge
    [From Build 54.9] [# 512034, 516783]
  • When there are a large number of sessions (in the order of millions, due to, for example load balancing persistence) to be synchronized, and the link between the primary and secondary appliance is very slow, the primary appliance quickly consumes all the NetScaler buffer. Therefore, there is no buffer to allocate to other sub-systems. This can result in various disruptions such as failover.
    [From Build 55.8] [# 519085, 525203, 533671]
  • With Layer 2 mode enabled, the secondary node in a high availability configuration forwards DHCP packets coming from the server.
    [From Build 56.22] [# 521424]
  • In a high availability configuration, if the diff ns config command includes the -ignoreDeviceSpecific parameter, the command fails and does not display the difference in configurations between the two nodes.
    [From Build 56.22] [# 524146, 526699]
  • After an HA configuration is stabilized from a "spilt brain" condition (both nodes primary), connections are not immediately synchronized between the current primary and the current secondary node. This latency might result in an HA failover.
    [From Build 57.7] [# 537496]
  • In a high availability configuration, with failSafe mode enabled on the secondary node, the node might briefly become primary when restarted.
    [From Build 57.7] [# 534795]
  • The configuration utility might not display the sync VLAN if you bind IP addresses to VLANs other than the sync VLAN. This issue occurs on NetScaler instances running on NetScaler SDX appliances.
    [From Build 58.11] [# 562752]
  • In a high availability configuration, if a NetScaler packet processing engine (NSPPE) fails on the primary node, both the nodes might go into a warm reboot loop.
    [From Build 58.11] [# 479666, 507519, 541503]
  • In a high availability configuration with throughput based failover configured for an LA channel, failover might not happen when the maximum throughput of the LA channel falls below the configured threshold.
    [From Build 58.11] [# 546938, 470980]
  • The HA traffic between the HA pair is abnormally high. This issue is caused by a loop that repeatedly tries to push the same sessions to the secondary appliance after failover.
    [From Build 59.13] [# 560640, 566710, 576012, 576096, 579037, 582354, 590730]
  • When there is a HA issue, the synchronization of persistence sessions between the primary and secondary appliances can fail. This can cause some of the persistence sessions not being replicated on the secondary appliance.
    [From Build 59.13] [# 580703, 579037, 595491, 595506, 596002, 596215, 604164, 605112]
  • When there is a HA issue, the synchronization of persistence sessions between the primary and secondary appliances can fail. This can cause some of the persistence sessions not being replicated on the secondary appliance.
    [From Build 60.7] [# 580703, 579037, 595491, 595506, 596002, 596215, 599396, 604164, 605112]

Integrated Caching

  • With integrated caching enabled, the NetScaler can crash when the evaluation of a callout 'result expression' (configured with the resultExpr parameter) results in a UNDEF condition.
    [From Build 51.10] [# 488145]
  • When a byte-range request is sent for an object, and if that object is expired, a request is sent to the server to revalidate the object. If that object is now modified on the server, the full response is served to the NetScaler. In such a scenario, the NetScaler appliance can crash.
    [From Build 52.11] [# 494910, 497793]
  • In an HA setup, if the integrated caching (IC) feature is not licensed, the IC configurations are not stored on the secondary appliance even though they are available on the primary appliance. With this fix, the IC configurations are also available on the secondary appliance.
    [From Build 58.11] [# 556437]
  • In a NetScaler deployment that has integrated caching and SSL enabled, the NetScaler can crash in the following scenario:
    1. Client1 requests for an object that is not in cache.
    2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.
    3. Client1 now decides to reset the connection.
    4. When available, NetScaler serves the object to the client2.
    However, since client2 is slow, large data is piled up on the NetScaler that needs to be forwarded to client2. When the NetScaler tries to send this large data to the client, the NetScaler can crash.
    [From Build 60.7] [# 486535]
  • The NetScaler GUI does not reflect the correct count of cached objects whereas this number is shown correctly through the CLI.
    [From Build 61.11] [# 607622, 608517]
  • When a flash cache is in use with HTTPS traffic, only the initial client request is serviced. Subsequent client requests fail.
    [From Build 61.11] [# 602984]
  • The NetScaler can stop responding when cache object persistency is configured in a HA setup.
    [From Build 61.11] [# 589322]
  • If you set the PINNED option for a cache content group, caching continues in this group even if the group uses more than its allocated memory, until the integrated caching memory is exhausted. Because cached objects in these groups cannot be removed until the appliance is restarted, there might be a situation in which no more objects can be cached and the appliance resets the connections of clients who send additional requests.
    [From Build 62.9] [# 621356, 631356]
  • The NetScaler appliance caches objects if front-end optimization (FEO) feature is enabled but the integrated caching feature is disabled.
    [From Build 63.8] [# 619578]

Load Balancing

  • If the secure option is enabled on a CITRIX-WI-EXTENDED monitor that is bound to a service, then the monitor incorrectly marks the monitor probes as failed.
    [From Build 51.10] [# 488007, 487724]
  • The NetScaler ADC fails if both the following conditions are met:
    - a large number of SIP messages are received.
    - the size of the SIP messages is greater than the jumbo MTU configured on the ADC.
    [From Build 51.10] [# 484547]
  • If you have configured the RADIUS PI expression CLIENT.UDP.RADIUS.ATTR_TYPE(<avp code>) for content switching, rule-based persistency, or the token load balancing method, and you typecast the result of this expression to an integer or IP address by using the expression TYPECAST_NUM_AT / TYPECAST_IP_ADDRESS_AT, the typecast operation fails.
    [From Build 52.11] [# 482113]
  • If a client connection is in the CLOSE_WAIT state, the NetScaler ADC does not send PUSH notifications to the client. However, it reports success to the PUSH server.
    [From Build 52.11] [# 489197]
  • A very slow memory leak occurs on the secondary node in a high availability pair if all of the following conditions are met:
    a) The configuration is large (approximately 4MB).
    b) The configuration includes a large number of "bind lb group" commands.
    c) Configuration changes very frequently, resulting in frequent synchronization.
    [From Build 53.9] [# 457639]
  • You can now bind loopback members (for example 127.0.0.1) to service groups. Previously, you could bind loopback members to services only.
    [From Build 53.9] [# 504209]
  • If a semantically incorrect command is entered while a domain based service is being resolved to a NetScaler-owned IP address, the NetScaler ADC displays the state of the service incorrectly.
    [From Build 53.9] [# 502338]
  • The NetScaler ADC might fail if a high idle timeout value is set on a TFTP load balancing virtual server and the ADC runs out of memory.
    [From Build 54.9] [# 505543]
  • If a load balancing virtual server on which persistence is configured is bound to a load balancing group that has no persistence setting, the NetScaler ADC does not change the virtual server's persistence setting. As a result, when traffic arrives at the virtual server, it tries to create a persistence session, but that session fails and the number of sessions increases.
    [From Build 54.9] [# 497470]
  • A Storefront service on a NetScaler ADC is not marked as DOWN even though all the storefront services bound to the StoreFront server are manually brought down.
    [From Build 54.9] [# 460040]
  • The SIP monitor probe has an invalid character in the VIA header. As a result, the probe fails and an incorrect service state might appear.
    [From Build 55.8] [# 519644]
  • If you have set the persistence type to COOKIEINSERT, you can now encrypt the cookie in addition to any existing SSL encryption by using the NetScaler command line and configuration utility.
    At the NetScaler command prompt, type:
    set lb parameter -useSecuredPersistenceCookie Enabled-cookiePassphrase test
    In the configuration utility, navigate to Traffic Management > Load Balancing > Change Load Balancing Parameters and select Use Secured Persistence Cookie and Cookie Passphrase and enter a passphrase.
    [From Build 55.8] [# 347108, 323325, 348588]
  • If your spillover policy contains the ACTIVETRANSACTIONS or the SURGECOUNT expression (for example, <expression>. ACTIVETRANSACTIONS.GT(<N>)), traffic might spill over to the virtual server bound to this policy even though the current value of the counter has not reached N. This is because these two expressions use an arbitrary number for comparison.
    For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:
    SYS.VSERVER("A').ACTIVETRANSACTION.GT(10) -action spillover
    [From Build 55.8] [# 516615]
  • The NetScaler ADC might fail after you rename a server that is bound to a service group. This problem does not occur if you assign a name to a server that was identified by its IP address.
    [From Build 55.8] [# 443027]
  • When you bind a DNS policy to the DEFAULT_GLOBAL bind point, the policy's priority is automatically set to 65545, which exceeds the supported priority range. The "operation not permitted" error message appears.
    [From Build 56.22] [# 488011]
  • If the DNS load balancing virtual server is configured with DNS rate limiting or analytic policies, the appliance might fail under certain heavy load conditions.
    [From Build 56.22] [# 528070]
  • Unsetting one of the load balancing virtual server parameters, such as redirect URL, backup virtual server, push virtual server, or authentication profile, incorrectly unsets the appflowLog parameter.
    [From Build 56.22] [# 523239]
  • IPv6 Support for HTTP based User Monitors
    You can now use IPv6 addresses in the following HTTP based user monitors:
    - StoreFront (SF)
    - AppController (APPC)
    - Web Interface Extended (WI)
    - NT LAN Manager (NTLM)
    [From Build 57.7] [# 510111]
  • In a high availability setup, if custom cookie persistence is configured on a virtual server, part of the secondary node's configuration might not be synchronized with the primary after a failover occurs.
    [From Build 58.11] [# 552799, 552607]
  • IPv6 Support for HTTP based User Monitors
    You can now use IPv6 addresses in the following monitors:
    - USER
    - SMTP
    - NNTP
    - LDAP
    - SNMP
    - POP3
    - FTP_EXTENDED
    - STOREFRONT
    - APPC
    - CITRIX_WI_EXTENDED
    Note: The monitor for MySQL does not support IPv6 addresses.
    [From Build 58.11] [# 510111]
  • If you configure cookie persistence and custom cookie on a virtual server, and later change the name or IP address of the virtual server, persistence is not honored.
    [From Build 58.11] [# 524079, 559022]
  • The output of the "show lb vserver -format text" command shows parameters even that are not applicable for a virtual server type.
    [From Build 58.11] [# 550177]
  • In a RADIUS load balancing setup, requests might be dropped because the memory for the session entries is not freed until the idle timeout expires even though the transaction completed earlier.
    [From Build 59.13] [# 573155]
  • If Single Sign-On (SSO) is enabled for POST requests that have a payload larger than 300MB, request packet accumulation can cause memory allocation failures, and SSO might also fail.
    [From Build 59.13] [# 551623]
  • If the "Invalid argument error" message appears intermittently in nsmund.log, treat it as a false positive. The error appears because a scenario was not handled correctly. However, if this message appears in the log every time a particular script runs, there is an issue with the arguments that are passed to the script.
    [From Build 59.13] [# 568719]
  • In a load balancing group configuration, the "sh run" command sometimes runs in a loop, which exponentially increases the size of the temporary configuration file. As a result, saving the configuration and synchronizing the nodes in a high availability setup might fail.
    [From Build 59.13] [# 587812, 598499, 601918]
  • In a RADIUS load balancing setup, if Use Source IP (USIP) is configured on the RADIUS services, the server side connections are not reused, and requests are dropped.
    [From Build 59.13] [# 574120, 534888]
  • If an SSL monitor is bound to a domain-based service that is configured with non-default SSL settings, the monitor might not show the service as UP.
    [From Build 59.13] [# 575171, 576012]
  • In a load balancing group configuration, the NetScaler appliance might fail while synchronizing the statistics.
    [From Build 59.13] [# 557940, 574551]
  • If the load balancing (LB) feature is not licensed, and you try to enable an LB virtual server, an error message appears.
    [From Build 59.13] [# 466094, 534755]
  • In certain cases, if the name of an FTP virtual server is greater than 32 characters, the virtual server lookup fails and the request is not served.
    [From Build 60.7] [# 566644]
  • If Single Sign-On (SSO) is enabled for POST requests that have a payload larger than 300MB, request packet accumulation can cause memory allocation failures, and SSO might also fail.
    [From Build 60.7] [# 551623]
  • The appliance fails if non-reachable autoscale entities that are part of a service group later become reachable and, in the interim, the service group name has changed.
    [From Build 60.7] [# 583647]
  • In a load balancing group configuration, the "sh run" command sometimes runs in a loop, which exponentially increases the size of the temporary configuration file. As a result, saving the configuration and synchronizing the nodes in a high availability setup might fail.
    [From Build 60.7] [# 587812, 598499, 601918]
  • After editing a service group in the configuration utility, the cacheable option is automatically set to true, even if the value was previously configured as false.
    [From Build 60.7] [# 592235]
  • A secure StoreFront monitor intermittently fails to sends probes.
    [From Build 60.7] [# 559164, 582153]
  • In a link load balancing (LLB) deployment, if persistence is enabled on a NetScaler appliance and a policy based routing (PBR) or LB route is configured, the appliance might fail intermittently.
    [From Build 60.7] [# 574137]
  • In a link load balancing (LLB) deployment, if persistence is enabled on a NetScaler appliance and a policy based routing (PBR) or LB route is configured, the appliance might fail intermittently.
    [From Build 60.7] [# 554841]
  • If the channel between the primary node and the secondary node is disrupted, the session deletion information sent from the primary node to the secondary node might get lost. As a result, while the persistent sessions are reduced to zero on the primary node, the secondary node reaches its limit.
    [From Build 61.11] [# 596524, 597295]
  • The NetScaler appliance fails while trying to load balance a request that was received on a recently closed connection. This happens because the server tries to keep the connection alive by sending an RTSP request but the appliance cannot find the corresponding client side connection.
    [From Build 61.11] [# 612943]
  • While probing the back-end HTTP server by using an HTTP monitor, the appliance does not send the port number in the HTTP host header. This behavior is not compliant with RFC 2616.
    [From Build 61.11] [# 564295]
  • The NetScaler appliance fails while trying to load balance a request that was received on a recently closed connection. This happens because the server tries to keep the connection alive by sending an RTSP request but the appliance cannot find the corresponding client side connection.
    [From Build 62.9] [# 612943]
  • In rare cases, during a high level of CPU usage, if you disable and enable a service with zero delay, the state of the service might be inconsistent on different packet engines.
    [From Build 64.9] [# 622807]
  • In a high availability (HA) setup, after a forced HA synchronization, the configuration is first cleared and then reapplied on the secondary node. As part of the synchronization operation, the service state changes are logged in the ns.log file. Due to repeated forced synchronizations, these messages flood the ns.log file. However, the service state messages are applicable only to the primary node and not relevant to the secondary node. Therefore, these messages are not logged in the ns.log file on the secondary node.
    [From Build 64.9] [# 645197]
  • A secure HTTP-ECV monitor might time out if the back-end server sends a large certificate.
    [From Build 64.9] [# 638148]
  • If a GSLB service goes DOWN and then returns to the UP state, the configured hash-based load balancing methods might produce incorrect load balancing decisions, because the cache maintained for hash-based load balancing algorithms is not cleared when the GSLB service state is updated through MEP.
    [From Build 65.11] [# 658463, 658940]

NITRO

  • When using the NITRO API to upload a file, make sure that each directory in the file path has the 755 (read, write, execute) permission.
    For example, to upload a file to the "/nsconfig/ssl/" directory, the following directories must have the 755 permission:
    - flash (because the "/nsconfig" folder is actually a link to "/flash/nsconfig/" directory)
    - nsconfig
    - ssl
    [From Build 64.9] [# 591970, 597032]

NITRO API

  • The NetScaler appliance might fail to respond when a NITRO request is fetching a large number of bound entities.
    [From Build 60.7] [# 530805, 562748, 567856]
  • Configuring singleton entities such as lbparam, sslparam, csparam, and vpathparam by using the "application/vnd.com.citrix.netscaler.<entityname>+json" content-type, results in error. For example, you get an error when setting the vPath parameter as follows:
    - URL: /nitro/v1/config/vpathparam
    - Method: PUT
    - Content-type: application/vnd.com.citrix.netscaler.vpathparam+json
    - Request payload: {"vpathparam":{"encapsulation":"enabled"}}
    - Response: {"errorcode": -1,"message": "Entityname is missing","severity": "ERROR"}
    [From Build 60.7] [# 574321]
  • The TCP connection is not persistent for NITRO requests. Therefore, the underlying TCP connection is getting closed for each NITRO request.
    [From Build 60.7] [# 583395, 457969]
  • If the NetScaler appliance receives a logon request that contains both the session token and the request payload with the logon credentials, the appliance creates a new connection without closing the previous connection. If the appliance receives multiple such requests, the following error message appears: CFE limit exceeded.
    [From Build 62.9] [# 620458, 619154, 621601]

NS-CBC

  • In an IPSec tunnel, the NetScaler appliance might remove sessions between client and server before encrypting (IPSec) DNS response packets, resulting in the loss of these DNS packets in the tunnel.
    [From Build 60.7] [# 587718]

NetScaler CLI

  • If a stringmap is bound to a NetScaler policy and the stringmap value contains a single word starting with "#" then the stringmap binding is lost after the system reboot.
    [From Build 55.8] [# 383850]

NetScaler GUI

  • The details of a custom monitor bound to a service group are not displayed correctly in the NetScaler GUI. The details appear correctly in the CLI.
    [From Build 63.8] [# 640332]

NetScaler Gateway

  • If the maximum number of users is set to a number greater than 5 on a NetScaler Gateway virtual server, if you remove the Universal license, the virtual server configuration is also removed.
    [From Build 51.10] [# 447452, 486009]
  • If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.
    [From Build 51.10] [# 484245]
  • When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, NetScaler Gateway can fail.
    [From Build 51.10] [# 484431, 488182]
  • Attempts to end the session for an external user fails when you enter the command kill aaa session -username <username>.
    [From Build 51.10] [# 446334, 476280]
  • In new NetScaler 10.5 Build 50.9 deployments or after upgrading to NetScaler 10.5 Build 50.9, the priority value of policies that are bound to a VPN virtual server are lost. This issue is fixed in NetScaler 10.5 Build 50.10.
    [From Build 51.10] [# 486857]
  • When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, Netscaler Gateway can fail.
    [From Build 51.10] [# 488182, 489345, 493939]
  • If the authentication server is extremely slow to respond, such as 15-30 seconds or more, this can cause delays with users logging on successfully, even if the amount of simultaneous connections is low.
    [From Build 51.10] [# 489343]
  • In a high availability deployment, when users log on with SAML authentication, the secondary appliance fails over.
    [From Build 51.10] [# 490075, 485042]
  • The NetScaler Gateway wizard creates a VPN virtual server with the default authorization set to Deny. When users connect to the VPN virtual server, they cannot access internal network resources. To allow users to connect, set authorization to Allow.
    [From Build 51.10] [# 479548]
  • If you configure a traffic management policy to enable single sign-on to Outlook Web App 2010, enable local authentication on the load balancing virtual server and then change to two-factor authentication with client certificate authentication and LDAP authentication, NetScaler Gateway fails when trying to access the load balancing server.
    [From Build 51.10] [# 485834]
  • If user names contain a period (.) that have a common prefix before the period, NetScaler Gateway creates cache files based on the prefix. When this occurs, tickets for one user are sent to a different user.
    [From Build 52.11] [# 494463]
  • When users connect with clientless access, the appliance fails if the last octet of the IP address of the server in the internal network is equal to or greater than 240.
    [From Build 52.11] [# 494605]
  • If you configure SAML authentication with signed SAML assertions, if the user connection disconnects before the SAML response is normalized, NetScaler Gateway fails.
    [From Build 52.11] [# 489609]
  • Showing active user sessions in the configuration utility or by using the command line might result in high CPU utilization on NetScaler Gateway.
    [From Build 52.11] [# 502043, 498827, 501431]
  • Plug-in Icon Decoupling from Citrix Receiver
    The desktop client plug-ins icons can now be configured to operate independently from Native Citrix Receiver clients. Settings to manage Receiver integration with the NetScaler Gateway Plug-ins can be configured globally and within session policies.
    [From Build 52.11] [# 406312]
  • If you configure endpoint analysis policies, if the session times out and users do not close the web browser, they cannot log on again.
    [From Build 52.11] [# 459149]
  • If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.
    [From Build 53.9] [# 374296, 466999, 488691]
  • If ICA proxy is set to On and you configure authorization policies, when users attempt to connect, NetScaler Gateway modifies the host header to the FQDN of the Web Interface or StoreFront server. When this occurs, user log on fails with the message "Error: Not a privileged user."
    [From Build 53.9] [# 501369, 500311]
  • If users connect with the NetScaler Gateway Plug-in for Windows and then attempt to receive a call through a softphone, the call fails.
    [From Build 53.9] [# 498679]
  • Showing active user sessions in the configuration utility or by using the command line might result in high CPU utilization on NetScaler Gateway.
    [From Build 53.9] [# 502043, 498827, 501431]
  • When users log on with the NetScaler Gateway Plug-in for Windows, attempts to access internal network resources fail from Windows Metro applications, such as Internet Explorer Metro Mode. This occurs when you configure address pools (intranet IP addresses).
    [From Build 53.9] [# 505029]
  • Responder or URL transform policies that are bound to the Content Switching virtual server are not applied to connection requests that come through NetScaler Gateway
    [From Build 53.9] [# 495867]
  • When users connect from a web browser and enter their SAML credentials, NetScaler Gateway fails. This occurs when you configure pre-authentication policies and two-factor authentication policies with SAML and LDAP with SAML as the primary authentication type and having a higher priority.
    [From Build 53.9] [# 506689]
  • If users do not have administrative rights, the Endpoint Analysis Plug-in installation fails.
    [From Build 53.9] [# 506686]
  • When users log on with the NetScaler Gateway Plug-in, if the users TCP connection closes and the connection to the internal network through NetScaler Gateway is in progress, the appliance might fail.
    [From Build 54.9] [# 500207, 508831]
  • When user connects to a multi-core NetScaler Gateway running out of memory during inter-core communication, NetScaler Gateway fails.
    [From Build 54.9] [# 513385]
  • If you configure advanced endpoint analysis policies, endpoint analysis encryption, a proxy server, and client certification authentication, the NetScaler Gateway Plug-in does not connect and users receive the error message " 2017: Your computer does not have the necessary security software to connect to the NetScaler Gateway. Please contact your system administrator."
    [From Build 54.9] [# 466641]
  • In a double-hop DMZ deployment, if the Receiver connection closes and the connection to XenApp or XenDesktop is in progress, the appliance might fail.
    [From Build 54.9] [# 508831]
  • When the Endpoint Analysis is configured, the users are redirected to index.html. Otherwise, a session is created for any arbitrary URL if the authentication is disabled on the NetScaler Gateway.
    [From Build 54.9] [# 516257]
  • If you enable clientless access and enable Single Sign-on, if the proxy server uses NTLM authentication, NetScaler Gateway fails to respond when users log on.
    [From Build 54.9] [# 515043, 517262]
  • When the NetScaler Gateway virtual server is behind a proxy server and its fully qualified domain name (FQDN) is not resolvable by the local DNS server, endpoint analysis fails with the error message: error "failed sending epaq."
    [From Build 55.8] [# 522700, 531535]
  • For mobile clients accessing the NetScaler Gateway with Secure Browse enabled, some proxy connection attempts would be rejected due to a mishandling of client POST requests in high latency situations. The NetScaler Gateway might incorrectly send the POST body on to the proxy server as a CONNECT request when when it arrives after the CONNECT has been initiated with the proxy server but before the proxy has sent the 200 OK response.
    [From Build 55.8] [# 532508, 530613]
  • When users log on, the IP address assigned from the address pool is overwritten. When this occurs, the destination MAC address changes and the response does not reach the user which results in a time-out in the web browser on the user device.
    [From Build 55.8] [# 518008]
  • After installing Microsoft Security Bulletin MS14-080 (KB3025390) for Internet Explorer 11, when users attempt to log on to a NetScaler Gateway virtual IP with endpoint analysis, either as pre-authentication or post-authentication check, the endpoint analysis fails and the buttons Download or Skip Check appear in the browser.
    [From Build 55.8] [# 527757]
  • The NetScaler Gateway appliance fails during the device certificate check if AppController is configured on the virtual server.
    [From Build 55.8] [# 511805, 532549]
  • When users are authenticated in the NetScaler Gateway against a LDAP server configured on fully qualified domain name (FQDN), authentication fails.
    [From Build 55.8] [# 509970]
  • If calls are made with Voice over IP on a Federal Information Process Standards 140 (FIPS 140) enabled appliance, the audio might be choppy or garbled.
    [From Build 55.8] [# 503811]
  • When NetScaler Gateway is deployed with clientless access and Secure Browse is used with an HTTPS Proxy, the appliance fails if users close the connection when the proxy connection is still being established.
    [From Build 55.8] [# 526890, 531693, 532386]
  • EPA configured device certificate scans will work when users log on for the first time. But when multiple browser tabs are opened during the session through the same VPN virtual server, device certificate scans fail intermittently.
    [From Build 55.8] [# 525775]
  • Microsoft Office365 expects an extra attribute (inResponseTo) in SAML assertion from NetScaler Gateway. Attempts to log on to Office365 with SAML authentication fails with the error message "Sorry, but we're having trouble signing you in. Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error: 800478A2." This occurs when LDAP authentication does not have the settings ssonameattribute and -attribute1 configured.
    [From Build 55.8] [# 528256]
  • Netscaler reboots when hitting the Traffic Management SSO Form Policy. After the user/passwd expressions in the traffic action are unset, Netscaler still has a stale pointer to the freed expression. Due to this, it crashes when the traffic action is removed. The fix is to initialize the enc_len variables after the unset.
    [From Build 56.22] [# 530300]
  • In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.
    [From Build 56.22] [# 481889, 486176, 501408, 533390, 544472]
  • If existing AAA sessions exist on a Secondary Netscaler after failover with no associated vpn vservers, then the secondary Netscaler can fail during session sync from Primary.
    [From Build 56.22] [# 529205]
  • If kerberos SSO is used to connect to backend servers, NetScaler is not refreshing a previously obtained kerberos ticket after it expires. Users see issues if the user session on Gateway is active for more than 10 hours.
    [From Build 56.22] [# 539921]
  • For two-factor authentication, when changing the second factor username from the username provided for the first factor, the authentication fails in an nCore system.
    [From Build 56.22] [# 540234]
  • The NetScaler appliance continuously crashes and restarts because custom authentication attributes are not extracted properly as part of a secondary transfer session.
    [From Build 56.22] [# 545235, 554098]
  • If the HTTP CONNECT request is received on the existing connection to a NetScaler Gateway virtual server for a non-owner core before the session is fully authenticated and established, the NetScaler Gateway may fail.
    [From Build 56.22] [# 534326]
  • If the CSIP in the request received by Gateway falls in the reserved ip range, Gateway returns an authorization failure. Gateway still remembers the ip in cps_ip field without mapping to v6tov4. Due to this, while cleaning ns_aaa, it crashes trying to decrement v6tov4 mapping, which is not present. The fix is to store the IP in cps_ip only if the sanity check passes.
    [From Build 56.22] [# 537278]
  • The rba module crashes when rba users send incorrect remote addr data. Sanity checks for remote addrlen were added to prevent failure.
    [From Build 56.22] [# 539286]
  • The CVPN SSL proxy feature was fixed. The fix allows the local LB vserver to access the proxy server.
    [From Build 56.22] [# 534668, 539345]
  • The NetScaler appliance crashed because of the (radius) User Accounting feature. Connections opened to the AAAd by this feature. The (radius) User Accounting feature did not activate a flag during connection termination. This resulted in a crash.
    [From Build 56.22] [# 547177]
  • Microsoft Office365 expects an extra attribute (inResponseTo) in SAML assertion from NetScaler Gateway. Attempts to log on to Office365 with SAML authentication fails with the error message "Sorry, but we're having trouble signing you in. Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error: 800478A2." This occurs when LDAP authentication does not have the settings ssonameattribute and -attribute1 configured.
    [From Build 56.22] [# 528256]
  • Java Runtime Environment (JRE) version 7, update 51 or later, displays a security warning when NetScaler Gateway for Java is launched. In some cases, JRE blocks the launch.
    [From Build 56.22] [# 491076, 535339]
  • After the VPN tunnel is established, external websites fail to load intermittently under the following conditions:
    - If enable_vpn_dnstruncate_fix nsapimgr flag is set on NetScaler.
    - DNS servers on NetScaler are configured to send negative DNS response for external DNS query.
    - Split DNS is set to both
    [From Build 56.22] [# 524028]
  • The NetScaler counters, used to verify connected users, display a value that does not reflect actual connections.
    [From Build 56.22] [# 490991]
  • The NetScaler appliance crashes when LB VIP is used as a proxy server IP in the VPN traffic action, and actual proxy server is bound as a service to the LB vserver. The NetScaler appliance sends a TCP RST and attempts to open a backend TCP connection.
    [From Build 56.22] [# 531707]
  • In a high-availabiltity (HA) configuration, the secondary appliance may fail occasionally due to a duplicate free-attempt of a AAA context.
    [From Build 56.22] [# 531956, 538937, 543221]
  • NetScalers experienced NSPPE crashes due to the presence of stale grp_names pointer in dummy_session.
    [From Build 56.22] [# 539015]
  • Remote users who use the Windows full client/plugin to access Netscaler Gateway can encounter an issue if the Internet Explorer browser has "Automatic Configuration Script" settings configured for Proxy, and the automatic configuration script file is unreachable from the user device at the time of Gateway session establishment. In this scenario, the Windows plugin incorrectly connects to the Proxy server configured in the Manual Settings and fails to establish the session. The expected correct behavior in this situation would be to bypass the proxy and connect to NetScaler Gateway directly.
    Users are affected only if:
    1. They use Windows full client for establishing the gateway session
    AND
    2. They have both Automatic Configuration script and Manual configuration for Proxy in their Internet Explorer settings
    AND
    3. The configured Automatic Proxy script file happens to be unreachable from the user's device (for example the Automatic Proxy script file address is an internal address and not reachable remotely).
    [From Build 56.22] [# 531520]
  • Upon binding a Net Profile to a NetScaler Gateway Virtual Server, the XenApp or XenDesktop launch, via ICA Only mode, fails.
    [From Build 56.22] [# 407025, 419293, 492682]
  • If Storefront (SF) is configured to accept packets, which only contain a specific X-Citriix-Via header, that performs callback and in turn functions. Authentication may fail at the SF side because it received multiple headers. Authentication failure is caused when the Netscaler appliance has multiple VIPs directed to a single LB server, and a re-write action policy is bound to remove any pre-existing X-Citrix-Via headers.
    [From Build 57.7] [# 526119]
  • In a two NetScaler appliances setup:
    - The 1st NetScaler appliance load balances the AGEE VIP as a backend service.
    - The 2nd NetScalers appliance has AGEE VIP configured on it.
    The Apache on the second NetScaler appliance is sending "403 Forbidden or No Permission to Access" errors to monitor on the first NetScaler appliance. The suggested workaround monitors the second NetScaler appliances without overloading apache.
    [From Build 57.7] [# 549415]
  • The NetScaler appliance continuously crashes and restarts because custom authentication attributes are not extracted properly as part of a secondary transfer session.
    [From Build 57.7] [# 545235, 551488, 554098]
  • After upgrading the NetScaler appliance to 10.5_53.9, the user receives the following error when clientAuthentication is configured as an option on a SSL vserver and if the certificate is absent on the end-user device:
    "error access is denied. client ssl certificate required."
    [From Build 57.7] [# 549253]
  • If traffic is sent to the spotted virtual server and traffic falls other than node 1, the request fails because traffic was not steered to the correct node.
    [From Build 57.7] [# 552138, 548300]
  • After upgrading to 10.5.54.9009e from 10.5.54.9, the SSL VPN client experience is degraded. The SSL VPN client performance is slow, and there are issues with the DNS look up.
    [From Build 57.7] [# 549119]
  • After upgrading the NetScaler appliance from 10.1 to 10.5. the SAML authentication fails.
    The NetScaler appliance tries to lookup entries with empty values. The replay attack prevention feature for SAML works for SAML 2.0 assertions, but the replay attack prevention feature does not work for 1.0 assertions because expected tags are absent.
    [From Build 57.7] [# 547710, 549502]
  • If a secondary node is added in a high-availability setup while the primary node has active sessions, secondary node fails upon removal of those sessions on secondary.
    [From Build 57.7] [# 555527]
  • If you configure logon and logoff scripts that are part of a session profile, if the scripts contain Unicode characters, users cannot log on or log off of NetScaler Gateway.
    [From Build 57.7] [# 469799]
  • The NetScaler appliance crashes under the following conditions:
    - An external service is added with the same IP address as wihome
    - There are existing AAA sessions
    - The IP address of this external service is changed and later removed
    The crash happens when a user logs in and launches an app. This is because the http request, which needs to be forwarded to Web Interface/Storefront, accesses the stale server information resulting in the crash.
    [From Build 57.7] [# 529296, 540736]
  • In preauth, at the cgi/login, a new session request is issued to the non-preauth owner. To reuse the previous session, a dummy_session is created. The dummy_session fields are populated from the owner core. In such cases, the NetScaler appliance did not clear up the dummy session.
    Another scenario: a leak can happen if NetScaler Gateway authentication is turned OFF.
    [From Build 57.7] [# 539891, 560587]
  • NetScaler Gateway currently does not support Cross-Domain Constrained Delegation. If the user and service belong to different domains, constrained delegation fails. If the user and the service belong to the same domain and the user logs on with a user name and password, constrained delegation is successful. In addition, if users log on with a user name and password for cross-domain impersonation, constrained delegation works.
    [From Build 57.7] [# 444387]
  • If the NetScaler Gateway appliance is configured in the following way the NetScaler Gateway appliance might crash:
    1. wihome resolves to a vserver
    2. VPN sessions are already logged in
    3. vserver gets deleted
    [From Build 57.7] [# 538430]
  • The NetScaler appliance truncates the Domain Name if the SPN in Keytab is more than 64 characters.
    [From Build 57.7] [# 527743]
  • When SSO is triggered for a POST request with CVPNized urls, the NetScaler appliance sends only the header and not the post body. Then, the server waits indefinitely for the post body, and eventually times out.
    [From Build 57.7] [# 550587]
  • WorxWeb sent content over the network that caused the NetScaler appliance to drop the traffic stream or packets.
    [From Build 57.7] [# 541509]
  • An internet connection is required for publisher verification for the NetScaler Gateway plug-in for Windows. If not connected to the internet when downloading the plug-in from the NetScaler Gateway, the error 'Publisher AGEE_setup.exe couldn't be verified' occurs.
    [From Build 58.11] [# 553463, 558963]
  • Applications that use UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) on Mac OS X Yosemite (10.10) such as the ones using audio or video streaming, may be unreliable.
    [From Build 58.11] [# 515013, 512064, 538446]
  • The NetScaler Gateway appliance was incorrectly caching kerberos tickets that were obtained using PKINIT over the backchannel. Due to this, ticket caching fails and causes delays in loading the applications
    [From Build 58.11] [# 564154]
  • With IIP and Split Tunnel on, the local machine's network is configured as part of the intranet application, and DNS queries fail on Windows machines.
    [From Build 58.11] [# 558156, 552774]
  • OS X Yosemite users connecting to VPX NetScaler Gateway will not be able to access internal UDP or ICMP resources. This would not occur with the MPX NetScaler appliance.
    [From Build 58.11] [# 538446]
  • If an incoming request to Gateway does not have a valid cookie, and the requested URL is greater than 4k in size, Gateway causes a buffer overrun. This happens when NetScaler Gateway tries to send authentication request to the configured SAML Identity Provider. The buffer overrun causes issues at random places based on traffic. This issue does not happen if SAML is not used as authentication mechanism, or if the request url is relatively small.
    [From Build 58.11] [# 565982, 566520, 568687]
  • The NetScaler Gateway Plug-in may prevent a system to enter sleep mode. It may produce a BSOD. A hard reset (holding down the power button) maybe necessary. Installing a newer DNE driver (DNEUpdate) will allow the system to enter sleep mode.
    On systems with Intel I218-LM Ethernet adapter and running Windows 7, the Symantec Personal Endpoint can cause the ethernet adapter to loose connectivity when the system is awaken from sleep. A reboot is necessary to regain connectivity.
    On systems with Intel I218-LM Ethernet adapter, the NetScaler Gateway plug-in may need DNEUpdate to function properly.
    [From Build 58.11] [# 554014]
  • When SSO is triggered for a POST request with CVPNized urls, the NetScaler appliance sends only the header and not the post body. Then, the server waits indefinitely for the post body, and eventually times out.
    [From Build 58.11] [# 550587]
  • Gateway may fail if Java Plugin is used for full tunnel establishment.
    [From Build 58.11] [# 541793, 579596]
  • NetScaler now uses SPNEGO encapsulation on Kerberos tickets that are sent to backend web applications and servers.
    [From Build 58.11] [# 404899]
  • Windows:
    EPA Scans FAIL for all Unicode characters on 10.5.X [Existing bug: BUG0526073 ]
    EPA Scans PASS for Unicode characters (including Hebrew) on 11.0.X [Above bug is fixed on this branch]
    Mac:
    EPA Scans fail for Mac browser/Plugin : BUG0505702
    Fails on both 10.5.X and 11.0.x
    No fix available
    Linux:
    Works fine on 11.0
    [From Build 58.11] [# 540720]
  • In a double hop deployment, the STA server status on hop 1 does not go down when the double hop is disabled in hop2. The user can still launch the ICA apps.
    [From Build 59.13] [# 539743]
  • When load balancing two Storefront servers, IP persistence does not work. This results in greyed apps icons.
    [From Build 59.13] [# 558225]
  • When using the XA/XD Wizard to create the AGEE virtual server, the wizard doesn't respond (it keeps spinning without a response). This is specific to the Storefront configuration.
    [From Build 59.13] [# 577663]
  • The Mac OS Endpoint Analysis (EPA) client only supports TLS1.0 and thus cannot perform EPA if the server has only TLS1.1/1.2 enabled.
    [From Build 59.13] [# 572969]
  • Applicable only for Mac VPN clients
    Chrome is phasing out NPAPI support. From Chrome version 42+ all NPAPI plugins will appear as if they are not installed. This will affect all existing customers. Affected customers will see a download prompt even though the VPN plugin is installed.
    [From Build 59.13] [# 572447, 574353, 575609]
  • If the NetScaler appliance is enabled with a LDAP password, and the user changes their password using NetScaler, NetScaler does not retrieve the default authentication group configured for the LDAP action.
    [From Build 59.13] [# 559434]
  • When both the NetScaler VPX and the Storefront server are mounted on the same Microsoft Hyper-V, if you upgrade NetScaler VPX from Version 10.1, Build 121.10 to Version 10.5 Build 51.10, user log on to Storefront fails.
    [From Build 59.13] [# 503614, 505539, 530886, 533878]
  • With IIP and Split Tunnel on, the local machine's network is configured as part of the intranet application, and DNS queries fail on Windows machines.
    [From Build 59.13] [# 558156, 552774]
  • The NetScaler appliance requires an internet connection for publisher verification. This is for the NetScaler Gateway plug-in for Windows. The internet connection is essential when downloading the plug-in from the NetScaler appliance to verify that the following error occurred: "Publisher AGEE_setup.exe couldn't be verified".
    [From Build 59.13] [# 553463, 558963]
  • In a double hop setup, when SSL relay is enabled for XenApp and XenDesktop, the XenApp or XenDesktop resource launch fails. The builds affected: 10.1-118.X to 10.5-55.8.
    [From Build 59.13] [# 550877]
  • When users from INTL domain logon via NetScaler (dual factor with Radius) by entering username only (no domain information in the logon page) it fails.
    When users from Corp domain logon via NetScaler (dual factor with Radius) by entering username only (no domain information in the logon page) it works.
    The above is expected behavior. Storefront needs the domain\username information when a user from INTL domain logon.
    When entering domain\username format on the NetScaler logon page, Radius rejects the logon, and it does not pass the domain\username information to the Storefront server, so the logon fails.
    [From Build 59.13] [# 573406]
  • The RSA Pin change fails if RSA radius servers are load-balanced with the RADIUS type protocol service. The workaround is to change the load-balance protocol service type to UDP or ANY.
    [From Build 59.13] [# 534888, 528950, 542189]
  • If the client launches a SSL VPN tunnel using the windows client, they are unable to access intranet bookmarks or the CVPN page when IIPs are enabled and the client local LAN is included as a network bound to the intranet apps. The following scenarios will allow access to work properly:
    1. If you remove IIPS - all works
    2. If you remove the local LAN from the list of networks in the intranet IP's - all works
    3. If you disable split tunneling - all works
    The mac VPN does not have this issue. It appears to be windows only.
    [From Build 59.13] [# 552774]
  • If the Gateway system is running low on memory, if memory allocation fails while trying to perform user authentication, we do not return proper error code. Due to this, Gateway crashes.
    [From Build 59.13] [# 578072, 578358]
  • NetScaler Gateway EPA and VPN plugins don't get triggered on latest chrome browser. Chrome browser shows download prompt even after installation.
    [From Build 59.13] [# 570493]
  • Client traffic can slow down if ALL of the following conditions are satisfied:
    - Single Sign-on (SSO) is ON.
    - HTTP POST request is involved which requires to do SSO.
    - NTLM authentication is needed to authenticate to back-end.
    - Transferring large payload (greater than 2 MB).
    - The back-end server is responding slow.
    This issue is unlikely to occur if ANY ONE of the following conditions is satisfied:
    - HTTP POST request Payload is in KBs.
    - Back-end authentication method is non-NTLM ( such as AGBasic, Form-based SSO, and KCD).
    - Non-HTTP POST request involved.
    - SSO is not involved or disabled.
    [From Build 59.13] [# 592982]
  • NetScaler produces core dump crash when saml IDP authen is bound to Sharefile VIP and authentication is attempted
    [From Build 59.13] [# 583551]
  • Internet access fails intermittently when connecting to a NetScaler Gateway with Split Tunnel On using a Windows machine.
    [From Build 59.13] [# 572709]
  • If PKINIT is employed in XenMobile deployment to obtain Kerberos tickets for backend servers using Netscaler Gateway and WorxHome, then SingleSignOn to Kerberos sites fails intermittently.
    [From Build 59.13] [# 581106]
  • The "Change Password" Button goes missing intermittently on the portal page. This issue is triggered only in dialog mode.
    [From Build 59.13] [# 569543]
  • When Netscaler Gateway is used in a nCore setup, memory corruption may occur under some conditions when the Gateway Session information is being transmitted from one core to another. Strict checking is now performed to ensure we do avoid corrupting memory when this session information send happens.
    [From Build 59.13] [# 561015]
  • When the maxAAAUsers parameter is UNSET on a VPN virtual server, NetScaler Gateway does not update the value to previously set value. Due to this, numbers of users allowed on a vpn virtual server cannot be increased by applying an UNSET operation. Administrators need to configure a SET operation as a workaround.
    For example, if the administrator configures 10 as the maxAAAUsers value, then issues a SET operation for 5, if he issues another UNSET, the number of allowed users does not go back to 10 users.
    [From Build 59.13] [# 576063]
  • If NetScaler Gateway is configured for PKINIT over the back-channel with Citrix receivers, while PKINIT process is in progress, the TCP connection errors cause Gateway to fail.
    [From Build 59.13] [# 560947]
  • On accessing VPN resources, The VPN plug-in and some running programs hang. Accessing or uploading data on the network drive freezes the session. The Issue happens frequently.
    [From Build 59.13] [# 580261]
  • The NetScaler appliance initiates a DNS query, in which case the mac address should have been a NetScaler MAC interface address. This expected behavior if the NetScaler appliance is under direct server return (DSR) mode but that is not the case here.
    [From Build 59.13] [# 569662]
  • End users are experiencing performance degradation when connecting to their Avaya One-X via VPN connection. End users are able to establish 3-5 calls before the symptoms are exhibited. However, after a period of time, we are able to make calls again. The quality starts to decrease after the first few phone calls are made.
    [From Build 59.13] [# 578469]
  • Gateway may fail if Java Plugin is used for full tunnel establishment.
    [From Build 59.13] [# 541793, 579596]
  • OPSWAT EPA's "ENABLED" scan works for method Symantec Endpoint Protection 12.1.4, but fails for 12.1.5 and 12.1.6.
    [From Build 59.13] [# 572854]
  • For RADIUS authentication, if a customer clicks the submit button without entering a passcode, a 43549 Internal Server Error is issued.
    [From Build 59.13] [# 568093]
  • After upgrading NetScaler Gateway MPX 9700 FIPS using 10.1-118.7 firmware, the Web interface is slow to render.
    [From Build 60.7] [# 502615]
  • The Federated Service SSO fails when using the browser to access the NetScaler appliance.
    [From Build 60.7] [# 582973]
  • The customer experiences long set up times when using the following plug-ins: V10.1-128.8 or V10.5-55.8. If they downgrade back to receiver plugin 10.0-54.6, the issue disappears and they see immediate VPN setup times.
    [From Build 60.7] [# 579027]
  • Two NetScale appliances rebooted themselves because the TACACS accounting code crashed. The crash occurred due to the presence of an invalid flag in the clientPCB.
    [From Build 60.7] [# 546122]
  • If you remove a Negotiate authentication profile that is available on NetScaler Gateway, the appliance can fail when checking for incorrect IPv6 mapping.
    [From Build 60.7] [# 594224, 595596]
  • If EPA encryption is enabled, the plugin sends cipher text after encoding it. If the EPA response string is long, the library used to add line-breaks makes the HTTP request invalid. This causes EPA failure.
    Now, we can set the NO line break flag while encoding, so the line break never gets added and the EPA encryption works properly; even when, there are large many scans.
    [From Build 60.7] [# 596103]
  • The NetScaler counters, used to verify connected users, display a value that does not reflect actual connections.
    [From Build 60.7] [# 490991, 398874]
  • On the Windows 10 system, if users log off from the NetScaler Gateway portal, the Windows VPN plugin crashes intermittently.
    [From Build 60.7] [# 579788, 572866, 581274]
  • The previous connection was not cleaned properly. After waiting, the FIN Acknowledgement was not issued. In this state, a new connection was received with the same 4 tuples as the previous one. There were attempts to free this connection at the TCP level and at the application level. The application did not do a graceful clean-up of the previous connection. Certain fields were not properly initialized leading to a Null pointer dereference and crash.
    [From Build 60.7] [# 574377]
  • Client traffic can slow down if ALL of the following conditions are satisfied:
    - Single Sign-on (SSO) is ON.
    - HTTP POST request is involved which requires to do SSO.
    - NTLM authentication is needed to authenticate to back-end.
    - Transferring large payload (greater than 2 MB).
    - The back-end server is responding slow.
    This issue is unlikely to occur if ANY ONE of the following conditions is satisfied:
    - HTTP POST request Payload is in KBs.
    - Back-end authentication method is non-NTLM ( such as AGBasic, Form-based SSO, and KCD).
    - Non-HTTP POST request involved.
    - SSO is not involved or disabled.
    [From Build 60.7] [# 592982, 605622]
  • If the WI home is configured with FQDN, NetScaler modifies the host header with the IP address of the WI server when sending traffic to WI server. Similarly, if wihome is configured with the IP address, that IP address is sent in the host header to the WI server. In both these cases, the WI server returns an error.
    After the fix, the host header is updated to the FQDN in the wihome as opposed to IPaddress. In cases where wihome FQDN resolves to the domain based server on Netscaler, The host header is updated with the FQDN of the domain based server
    [From Build 60.7] [# 586921, 586949, 598624]
  • The Mac OS Endpoint Analysis (EPA) client only supports TLS1.0 and thus cannot perform EPA if the server has only TLS1.1/1.2 enabled.
    There is no workaround for this problem, but a customer can still perform EPA with the Mac VPN plugin. EPA from a browser will not be available if TLS1.0 is not enabled.
    [From Build 60.7] [# 572969]
  • A crash occurs when the packet engine is set up with an aync call with a NULL NSB pointer.
    [From Build 60.7] [# 578889]
  • Single sign on (SSO) for the NavUI file share view does not honor the ssocredential configuration on the authentication action, and instead sends only the username from the authentication session. If a domain is configured to accept something other than the session username, SSO will fail. This fix makes NavUI file share properly honor the ssocredential setting and send what the administrator has configured.
    [From Build 61.11] [# 607507]
  • NetScaler Gateway sends the wrong error code back to the user when the active directory password has expired, and the user tries to change the password and violates password complexity rules.
    [From Build 61.11] [# 564885, 523154, 593869, 606564]
  • The NetScaler appliance crashed due to invalid memory access. The memory allocation failure occurred due to a bug processing a cookie.
    [From Build 61.11] [# 601668]
  • The NetScaler EPA (Endpoint Analysis) timeout was increased to 5 minutes.
    [From Build 61.11] [# 604253]
  • The Opswat library that the EPA plugin uses for scanning various type of Anti-Malware software, was upgraded to version 3.6.10255.2.
    [From Build 61.11] [# 604233]
  • Applications using more than 128 simultaneous connections over VPN fail on Windows machines.
    [From Build 61.11] [# 596994, 567389]
  • If a user logs into a receiver on a machine, which is configured to use an AutoProxy Script, and that AutoProxy script URL is unreachable, the login fails.
    [From Build 61.11] [# 585722]
  • After the 10.5 NetScaler upgrade, users employing SSL VPN with ICA proxy enabled see authorization failures. The authorization failures are issued, even though; a policy is bound to the AAA group that checks for StoreFront's destination IP.
    [From Build 61.11] [# 611534]
  • While assigning an IntranetIP, if Netscaler Gateway finds a duplicate, it cleans up associated session. In this process, occasionally Gateway might fail.
    [From Build 61.11] [# 596826]
  • If group extraction authentication policies are configured, and the aaad daemon is unexpectedly restarted, the group extraction policies are not sent to the aaad daemon on restart. The group extraction policies won't be evaluated during authentication attempts.
    [From Build 61.11] [# 606332]
  • You cannot bind an ECC curve to a NetScaler Gateway virtual server by using the NetScaler GUI.
    [From Build 61.11] [# 607474]
  • Terminal Access Controller Access Control System (TACACS) counting sometimes causes memory corruption and the authentication daemon crashes. Multiple crashes of the authentication daemon lead to the NetScaler rebooting.
    [From Build 61.11] [# 550695, 594062]
  • The NetScaler used an incorrect IP address in the header while sending H.225 RAS requests to the Avaya PBX. The RAS payload contained the correct IIP and extension, but the Avaya server rejected the request since the payload does not match the IP header.
    [From Build 61.11] [# 593035]
  • If the HTTP connection stats are printed from a CPU other than the one from which the session originated, the TCP port for the HTTP traffic sent over the VPN is displayed incorrectly.
    [From Build 61.11] [# 607213]
  • Users appear to lose connection to Storefront. The user has to disconnect and reconnect to the server.
    [From Build 61.11] [# 588116]
  • The ns.log is flooded with sslvpn logout messages in the clustering.
    [From Build 62.9] [# 618898]
  • The pre-auth EPA scan for F-Secure antivirus fails.
    [From Build 62.9] [# 613648]
  • If CISCO ACS or any TACACS server is used to authorize command execution for NetScaler, executing lengthy CLI commands (>1460 bytes) results in the following ERROR: "Not authorized to execute this command." This issue occurs most frequently with the "set appfw profile" command, because of the large number of parameters, but it can occur with any lengthy CLI command. Frequently used commands are typically less than 1460 bytes, so the issue does not occur very often.
    [From Build 62.9] [# 596184, 519898]
  • The EPA plugin window is now at the top of the screen. Its new position facilitates the user-consent step, especially for new users. The change does not affect EPA scanning.
    [From Build 62.9] [# 612144]
  • Destination IP based expressions cannot be used for traffic policies that use SecureBrowse and CVPN modes.
    [From Build 62.9] [# 614970]
  • If the proxy is configured on the client system, the session doesn't get cleared on NetScaler even after the user logs-off
    [From Build 62.9] [# 617718]
  • If the intranet application feature is enabled, the NetScaler Gateway plug-in intermittently takes more than 2 minutes to complete a logout.
    [From Build 62.9] [# 616208]
  • The [addSpelledOutTerm] (EPA) does not work as expected if the non-default SSL port, which has a GREENBUBBLE theme, is configured for the NetScaler Gateway virtual server. In that case, the EPA clients try to connect to the default SSL port, 443.
    [From Build 62.9] [# 619626]
  • If the client timeout interval is too long (for example, 12 hours), a memory allocation problem results in user disconnections and login failures.
    [From Build 62.9] [# 590561, 598429]
  • The DNS server fails to resolve internal URLs without an FQDN when using WorxWeb on Android devices.
    [From Build 62.9] [# 586475]
  • The NetScaler Gateway plug-in for windows issues a force timeout warning with an incorrect timeout value. Even though the incorrect time is shown in the warning, the session is terminated correctly after a forced timeout.
    [From Build 62.9] [# 611343]
  • If a user logs-in from a browser, the VPN tunnel takes a long time to be established. This is an intermittent problem.
    [From Build 62.9] [# 527387]
  • End Point Analysis (EPA) scans to check if the Windows update agent is enabled/disabled fails intermittently.
    [From Build 62.9] [# 623417]
  • Adding a proxy server to a NetScaler Gateway traffic policy causes monitoring every five seconds. This can cause excessive monitoring of network packets.
    [From Build 63.8] [# 525964, 511552]
  • The computer termination happened because the server-info corresponding to WI-Home configuration was freed and reused.
    [From Build 63.8] [# 597647, 593724, 606509, 606774, 624072]
  • The [addSpelledOutTerm] (EPA) does not work as expected if the non-default SSL port, which has a GREENBUBBLE theme, is configured for the NetScaler Gateway virtual server. In that case, the EPA clients try to connect to the default SSL port, 443.
    [From Build 63.8] [# 619626]
  • Accessing PACS medical images can take several minutes to open using NetScaler full VPN.
    [From Build 63.8] [# 622802]
  • The VPN incorrectly displays the total number of connected users as approximately 4 billion more than the actual number of users connected to the virtual server.
    [From Build 63.8] [# 629401, 632265]
  • If an Autoproxy script is configured on a client's machine, but the Autoproxy URL in that script is inaccessible from the client's machine, the client receives a prompt to overwrite the EPA package files. This issue occurs intermittently.
    [From Build 63.8] [# 622952]
  • The NetScaler appliance failed shortly after an upgrade from software release 10.1 build 129.11 to release 10.5 build 61.11. This failure is rare. It happens when core-to-core (packetEngine-to-packetEngine) copying of AAA sessions exceeds the 64KB limit.
    [From Build 63.8] [# 623228, 627034, 637123]
  • After a warm restart, either intentional or due to another problem, the nskrb process might begin consuming 100% of the CPU cycles, in which case Kerberos authentication ceases to function. Restarting the process temporarily alleviates the issue. With this fix, nskrb behaves appropriately after a warm restart.
    [From Build 63.8] [# 631144, 608283, 615351, 635546, 636495]
  • The NetScaler appliance issued negative values for Total_bytes_recv within the SSLVPN ICAEND_CONNSTAT ns.log message.
    [From Build 63.8] [# 621822]
  • A login script intermittently fails to execute if deployed on a file share that requires domain authentication, if the client machine is joined to a domain whose name is longer than 16 characters.
    [From Build 63.8] [# 623712]
  • AAA authorization frequently fails, and then doesn't function until the NetScaler appliance is rebooted..
    [From Build 63.8] [# 634375]
  • After hotfix 32 was deployed on the XenDesktop 7.1/7.6, end users had intermittent issues reconnecting to disconnected VDA sessions through the their external portal when going through SSLRelay and in non-session reliability mode.
    [From Build 63.8] [# 615364, 613266]
  • An SHA-2 signature restriction that Microsoft has placed on files downloaded from the web causes Internet Explorer to show invalid or corrupt file signatures when EPA or VPN plug-ins are downloaded. This restriction applies only to files signed after 0/01/2016.
    [From Build 63.8] [# 620715, 625340, 638305]
  • When SSO is enabled either on AAATM or Gateway configuration, Netscaler intermittently fails. The appliance fails because a timer was not cleaned-up properly in some corner case. The timer is related to SSO, where HTTP POST requests are involved. The timer was introduced recently for an SSO fix (TSK0551623).
    [From Build 63.8] [# 604129, 616080, 627554, 633413]
  • The Logout script, hosted on the network share, does not execute if the user logs out from the NetScaler Gateway Portal page.
    [From Build 63.8] [# 632721]
  • When Active Sync clients connect to NetScaler Gateway, occasionally they receive 401 prompt from the NetScaler Gateway appliance.
    [From Build 64.9] [# 634336]
  • You can now do an EPA scan for HP drive encryption with Opswat. The Opswat application verifies that the drive is enabled and encrypted. Other Opswat epa scans can be configured to verify HP drive encryption such as check for version match etc.
    [From Build 64.9] [# 647203]
  • NetScaler Gateway fails if a failover occurs with expired ICAProxy VPN session on owner core followed by session reactivation.
    [From Build 64.9] [# 630473, 631465, 633223, 643953, 651285]
  • Client certificate Authentication processing stops if the Subject field of a Client certificate is left blank.
    [From Build 64.9] [# 596802]
  • A NetScaler Gateway appliance might occasionally fail If the AAA context/session size exceeds 64K bytes (due to a large number of groups or large Kerberos tickets).
    [From Build 64.9] [# 641324]
  • The computer termination happened because the server-info corresponding to WI-Home configuration was freed and reused.
    [From Build 64.9] [# 597647, 593724, 606509, 606774, 624072]
  • The console shows many IPv4 Socks errors that are constantly being generated.
    [From Build 64.9] [# 643302, 639579, 639782]
  • When a user accesses a VDA that resolves to load balancing virtual server on the second hop, the NetScaler appliance fails, because the server information is not reused. With this fix, new server information is created when the user is connected to an SSL load balancing virtual server on the second hop.
    [From Build 64.9] [# 650948]
  • A responder policy cannot terminate a session that uses authorization cookies. This issue arose in build 61.11 of release 10.5.
    [From Build 64.9] [# 656664]
  • POST content sent by WorxWeb through SecureBrowse for forms authentication is not passed to the back-end server under the following set of conditions:
    - A traffic policy is on the NetScaler appliance routes traffic coming from the WorxWeb clients that connect to a proxy through SecureBrowse.
    - The proxy requires authentication for every request.
    [From Build 64.9] [# 619438]
  • Microsoft Office 2016 documents trigger authentication prompts when using SSO Sharepoint with the NetScaler Gateway appliance.
    [From Build 64.9] [# 655354]
  • DNS devolution is not available to a NetScaler Gateway Windows plug-in user who is connected to the gateway over a VPN and has the enable_vpn_dns_override flag enabled.
    [From Build 64.9] [# 657866]
  • The NetScaler appliance can fail when the NetScaler Gateway is configured in full tunnel mode and tunnel compression is enabled.
    [From Build 64.9] [# 631467]
  • The NetScaler appliance can fail during VPN client detection because clients might reuse sockets that are in the process of being closed. If the context has already been freed when the socket is reused, the appliance fails.
    [From Build 64.9] [# 648251]
  • Mac OSX users are unable to sign on to the OSX Receiver client and are denied access to their apps and desktops.
    [From Build 64.9] [# 651273]
  • If the NetScaler appliance is used as a SAML Service Provider to support the IBM Tivoli Identity Provider, the SAML assertion verification fails. SAML assertion verification failures occur after upgrading to version 11.0.
    [From Build 64.9] [# 653763]
  • The Citrix virtual adapter is not enabled on a Windows 7 64-bit machine, and its driver is shown as unsigned in the device manager.
    Note: If a Windows 7 64-bit user is logged out immediately after logging in, install security patch KB3033929 on that user's Windows machine.
    [From Build 64.9] [# 655557]
  • A NetScaler appliance occasionally fails if it is configured to perform two-factor authentication after SAML authentication.
    [From Build 64.9] [# 651538]
  • The NetScaler appliance fails if the advanced policy (PI) is configured and NTLM authentication is used on the client side.
    [From Build 64.9] [# 641824]
  • POST EPA scans fail on Windows 8 and 8.1 machines. This problem no longer occurs, because Opswat revised the OESIS 3 library.
    [From Build 64.9] [# 646292]
  • If the NetScaler AAA configuration specifies SAML authentication, the NetScaler appliance fails if a client sends an HTTP request without a Host header (HTTP 1.0 request) to an authentication or gateway virtual server.
    [From Build 64.9] [# 641899]
  • If a NetScaler appliance is used to load balance SharePoint servers with AAA-TM, an upgrade to the Microsoft Office 2016 suite on the client device fails during inline editing of Office documents.
    [From Build 64.9] [# 656067, 658202]
  • In rare cases, NetScaler appliance may incorrectly detect the status of SSO and fail.
    [From Build 65.11] [# 652696, 656760, 665571, 665669]
  • Mac OSX users are unable to sign on to the OSX Receiver client and are denied access to their apps and desktops.
    [From Build 65.11] [# 651273, 652955, 666081]
  • If DNS Truncate configuration is used, all the DNS suffixes are pushed from the NetScaler appliance, but not all of the DNS suffixes are used by the AGEE Client.
    [From Build 65.11] [# 641458, 543403]
  • If a NetScaler appliance is used to load balance SharePoint servers with AAA-TM, then an upgrade to the office 2016 suite on the client device causes failures during inline editing of the documents.
    [From Build 65.11] [# 656067, 658202]

NetScaler ICA

  • When XenApp/XenDesktop users launch applications/desktops that have the Advanced Encryption policy enabled, memory allocation issues cause high-availability failovers.
    [From Build 65.11] [# 659728]

NetScaler Insight Center

  • In the NetScaler Insight Center graphical user interface, you might not be able to configure a Terminal Access Controller Access-Control System (TACACS) server.
    [From Build 51.10] [# 483118]
  • The Applications report might not display any data for geo maps.
    [From Build 51.10] [# 490416]
  • The Applications reports (Dashboard > HDX Insight > Applications) display incorrect values for Active Apps and Active sessions.
    [From Build 51.10] [# 484659, 487457]
  • A NetScaler ADC fails when it receives ICA traffic from metro receiver client.
    [From Build 51.10] [# 482413, 492160]
  • If you add more than one NetScaler or CloudBridge devices to the NetScaler Insight Center inventory, the afdecoder subsystem may stop functioning.
    [From Build 51.10] [# 489534, 491193, 492523, 495674]
  • If you enable AppFlow on a NetScaler ADC, the ADC might crash due an internal memory dependency.
    [From Build 51.10] [# 486792]
  • Even after you delete a CloudBridge device from NetScaler Insight Center, it displays the device in the inventory and continues to collect AppFlow data.
    [From Build 51.10] [# 474616]
  • The following error might occur if you open the dashboard on the NetScaler Insight Center graphical user interface by using Internet Explorer 8:
    Error fetching licensing information.
    For more information about browser support, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-access-ni-con.html.
    [From Build 52.11] [# 496805]
  • In a multi-stream ICA connection consisting of one primary TCP connection and three secondary TCP connections, the NetScaler ADC fails to export the ICA Appflow records for the secondary connections.
    [From Build 52.11] [# 463043]
  • NetScaler Insight Center does not display reports for traffic that passes through any NetScaler virtual servers other than HTTP virtual servers.
    [From Build 52.11] [# 498430]
  • A NetScaler Insight Center report that displays the launch duration value display multiple rows for the same application
    [From Build 52.11] [# 473936, 473967]
  • The NetScaler ADC might fail if you enable AppFlow for ICA and access XenApp or XenDesktop through the Windows Receiver client.
    [From Build 53.9] [# 490680]
  • NetScaler Insight Center displays the following error message if a NetScaler ADC maintains more than 20 active sessions.
    'Excess connection than the CFE limit for NetScaler'
    [From Build 53.9] [# 484492]
  • All the metrics except bandwidth and hits display the average values.
    [From Build 53.9] [# 409634]
  • NetScaler Insight Center might not correctly report user sessions with multi-stream ICA connections.
    [From Build 53.9] [# 470481, 488365, 489718, 489719]
  • If you access NetScaler Insight Center by using a secure connection, the geo maps do not display any data.
    [From Build 53.9] [# 502560]
  • If you enable Appflow for ICA on a NetScaler ADC, the NetScaler ADC might fail under certain conditions while parsing the ICA frames.
    [From Build 54.9] [# 512321, 519402]
  • As part of the bandwidth calculation for active and inactive sessions, NetScaler Insight Center displays the following four metrics instead of the bandwidth metric:
    -Total Bytes: Bytes transferred per session
    -Bytes per Interval: Total bytes transferred per session interval (5 mins, 1 hour, 1 day , 1 week, 1 month)
    -Session Bandwidth: Rate at which data is transferred over the session.
    -Bandwidth per Interval: Rate at which data is transferred over the session interval.
    [From Build 54.9] [# 515365, 518368]
  • The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command longer than 2048 bytes.
    [From Build 54.9] [# 504990, 508918]
  • If you enable AppFlow for ICA traffic and configure a XenApp or XenDesktop server to use advanced encryption, the NetScaler ADC might fail if there is a network disruption. This failure occurs if a user whose session is disconnected because of network disruption is logged off from the server and tries to reconnect.
    [From Build 54.9] [# 509890]
  • In a multi-stream ICA connection, when virtual channels are multiplexed over different TCP connections, some channels are migrated from primary to secondary ICA connections. When an End User Experience Monitoring (EUEM) channel is migrated, some application-launch counts are not sent to NetScaler Insight Center.
    [From Build 55.8] [# 503154, 491157]
  • If Appflow for ICA is enabled on a NetScaler ADC, the NetScaler Insight Center reports should show XenDesktop details, but that is not always the case. When certain users access XenDesktop, the reports show the application details instead. This issue occurs if the Local Access Apps (LAA) feature is enabled on XenDesktop
    [From Build 55.8] [# 482590, 469682, 505036]
  • NetScaler appliance fails because of incorrect handling of HDX Insight's internal data structures. This may happen when HDX Insight skips parsing ICA data in certain error scenarios.
    [From Build 56.22] [# 551081]
  • You cannot export reports on NetScaler Insight Center if the type of communication between the monitored devices and NetScaler Insight Center is HTTPS, and Secure Access only is enabled.
    [From Build 56.22] [# 535450]
  • NetScaler appliance fails because of incorrect handling of HDX Insight's internal data structures. This may happen when HDX Insight skips parsing ICA data in certain error scenarios.
    [From Build 56.22] [# 559043, 553185]
  • The NetScaler Insight Center dashboard sometimes displays the applications as desktops.
    [From Build 56.22] [# 530782]
  • You cannot install an SSL certificate on a NetScaler Insight Center virtual appliance.
    [From Build 56.22] [# 541712]
  • When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
    [From Build 56.22] [# 388096, 423109]
  • If you disable HTML Injection, the Web Insight node of NetScaler Insight Center displays incorrect WAN latency values.
    [From Build 56.22] [# 541469]
  • NetScaler Insight Center might fail if you enable geo data collection.
    [From Build 56.22] [# 533052]
  • When a Netscaler is used to generate Appflow records for ICA traffic, memory is consumed which leaves virtual IPs (VIP) inaccessible. You should restart the appliance to release the memory.
    [From Build 56.22] [# 560924, 562680, 568224, 568584, 571825, 574108]
  • NetScaler Insight Center displays incorrect total bytes values for CloudBridge HDX reports.
    [From Build 56.22] [# 528086]
  • Notifications previously used a hardcoded "from" email address. This fix allows you to configure the email address from which notifications must be sent.
    The "from" email address can be configured in the Email Distribution List (Configuration > System > Notifications > Email).
    [From Build 57.7] [# 531832]
  • Sometimes, the exported NetScaler Insight Center reports contain the following error message:
    Error fetching the information
    [From Build 57.7] [# 550819, 550970]
  • The HDX Insight dashboard might display the host delay value for XenDesktop 7.5 as zero.
    [From Build 58.11] [# 505865]
  • NetScaler appliance fails because of incorrect handling of HDX Insight's internal data structures. This may happen when HDX Insight skips parsing ICA data in certain error scenarios.
    [From Build 58.11] [# 551081]
  • NetScaler appliance fails because of incorrect handling of HDX Insight's internal data structures. This may happen when HDX Insight skips parsing ICA data in certain error scenarios.
    [From Build 58.11] [# 559043, 553185]
  • When a Netscaler is used to generate Appflow records for ICA traffic, memory is consumed which leaves virtual IPs (VIP) inaccessible. You should restart the appliance to release the memory.
    [From Build 58.11] [# 560924, 562680, 568224, 568584, 571825, 574108]
  • If a NetScaler appliance is deployed in Transparent mode along the path including CloudBridge appliances and XenApp/XenDesktop servers, XenApp/XenDesktop sessions will fail to launch.
    [From Build 59.13] [# 542715]
  • The NetScaler appliance might become unresponsive if Appflow reporting is enabled for ICA traffic and network disruptions occur while the ICA connections are being processed.
    [From Build 59.13] [# 580581, 580579, 583831, 584155, 589925, 590656]
  • If you enable the Appflow feature, the NetScaler appliance might become unresponsive while processing ICA connections.
    [From Build 59.13] [# 584795]
  • If you enable Appflow for ICA and there are a large number of ICA connections which have reconnected after a network disruption, the NetScaler appliance will experience a memory leak.
    [From Build 59.13] [# 587725]
  • When a Netscaler is used to generate Appflow records for ICA traffic, memory is consumed which leaves virtual IPs (VIP) inaccessible. You should restart the appliance to release the memory.
    [From Build 59.13] [# 560924, 562680, 568224, 568584, 571825, 574108, 583703]
  • If the AppFlow feature is enabled when Receiver for HTML5 1.6 is used to launch ICA applications and desktops, the NetScaler appliance might become unresponsive while processing ICA connections.
    [From Build 59.13] [# 596264]
  • When Appflow for ICA is enabled, NeScaler can fail if the client reconnects with an invalid ticket and server responds with a CGP BINDRESP followed by some extra data.
    [From Build 59.13] [# 596784, 596953]
  • If you change the session timeout value for a group, the group is deleted from NetScaler Insight Center.
    [From Build 59.13] [# 559362, 566265]
  • Poor performance or latency is observed while accessing published applications over plain ICA port 1494 when AppFlow is enabled. This issue is not observed on ICA over CGP port 2598.
    [From Build 59.13] [# 591437, 586981, 591338, 591696, 602496]
  • If a failover occurs in a high availability configuration, an ICA connection that uses Automatic Client Reconnect (ACR) might fail to reconnect.
    [From Build 60.7] [# 601318, 603208]
  • If the AppFlow feature is enabled when Receiver for HTML5 1.6 is used to launch ICA applications and desktops, the NetScaler appliance might become unresponsive while processing ICA connections.
    [From Build 60.7] [# 596264]
  • When Appflow for ICA is enabled, NeScaler can fail if the client reconnects with an invalid ticket and server responds with a CGP BINDRESP followed by some extra data.
    [From Build 60.7] [# 596784, 596953]
  • If the AppFlow feature is enabled for ICA applications, the NetScaler appliance might become unresponsive when Citrix Receiver performs a session reconnect with a ticket that starts with "NS" and the next two bytes have unrecognizable values.
    [From Build 60.7] [# 605779]
  • Poor performance or latency is observed while accessing published applications over plain ICA port 1494 when AppFlow is enabled. This issue is not observed on ICA over CGP port 2598.
    [From Build 60.7] [# 591437, 586981, 591338, 591696, 602496]
  • The SNMP daemon runs on NetScaler Insight Center even though NetScaler Insight Center does not support SNMP requests.
    [From Build 60.7] [# 537253]
  • If Appflow for ICA is enabled on a NetScaler appliance, fragmented ICA packets might cause the appliance to become unresponsive under some traffic conditions in ICAPROXY mode.
    [From Build 62.9] [# 621903]
  • The NetScaler appliance might become unresponsive if Appflow reporting is enabled for ICA traffic on the appliance.
    [From Build 62.9] [# 622536]
  • If advanced encryption is enabled for ICA in HDX Insight, the following sequence of events might cause the NetScaler appliance to become unresponsive:
    1. A server sends improper public key information during shared-key negotiation.
    2. Either the client or the server disconnects.
    [From Build 63.8] [# 629798, 634013]
  • If Appflow for ICA is enabled on a NetScaler appliance, fragmented ICA packets might cause the appliance to become unresponsive under some traffic conditions in ICAPROXY mode.
    [From Build 63.8] [# 621903]
  • The NetScaler appliance might become unresponsive if Appflow reporting is enabled for ICA traffic on the appliance and the XenApp or XenDesktop server is configured to do advanced encryption.
    [From Build 63.8] [# 613306, 622536]
  • If Appflow for ICA is enabled on a NetScaler appliance, some types of ICA traffic fragmentation might cause the appliance to become unresponsive during the initial ICA capability negotiation between client and server.
    [From Build 64.9] [# 617852, 623118, 637416, 644912, 646516, 650520, 652891]
  • If Appflow for ICA is enabled on a NetScaler appliance, and if ICA expansion is enabled, then the appliance might become unresponsive under certain network traffic conditions.
    [From Build 64.9] [# 628935, 616909, 637634, 641633, 643437, 644440, 652741, 656974]
  • Automatic client reconnection (ACR) for Linux VDA clients fails if NetScaler is in the path and ICA Appflow is enabled for NetScaler.
    [From Build 64.9] [# 648254]
  • If advanced encryption is enabled for ICA in HDX Insight, the following sequence of events might cause the NetScaler appliance to become unresponsive:
    1. A server sends improper public key information during shared-key negotiation.
    2. Either the client or the server disconnects.
    [From Build 64.9] [# 629798, 634013]
  • If Appflow for ICA is enabled on a NetScaler appliance, the appliance might become unresponsive under certain network traffic conditions if ICA expansion is enabled.
    [From Build 64.9] [# 631209, 651260, 652518]
  • NetScaler Insight Center now displays reports for NetScaler Gateway appliances deployed in a double-hop mode.
    [From Build 64.9] [# 481300, 482071, 487985]
  • If you enable the Appflow feature for ICA traffic on a NetScaler appliance running release 11.0, build 64.x, the appliance might become unresponsive.
    [From Build 64.9] [# 623409, 631493, 631732, 632429, 636906, 639577, 640151, 643161, 643167, 648524, 649576, 651664, 651802, 658515]

NetScaler SDX Appliance

  • Set operation on a channel may lead to channel MAC address becoming zero on a VPX running on an SDX appliance.
    [From Build 51.10] [# 483430]
  • After you unbind the interface from a channel, interface drops the packets sent to the individual interfaces.
    [From Build 51.10] [# 484194]
  • When Management Service which was already using an SSL certificate-key pair with a password is upgraded to 10.5 then its HTTPS server will not start. This is fixed in this release.
    [From Build 51.10] [# 488050]
  • After a user completes challenge response based log in, the user gets -1 as timeout. This issue is not applicable to other log in scenarios.
    [From Build 51.10] [# 478122]
  • On SDX systems, sometime while creating/deleting or modifying a LACP channel, TX stalls are seen on some of the member interfaces.
    [From Build 51.10] [# 476304]
  • On creating a LACP channel, interface MAC address is altered and the new MAC address will be persistent even after the unbind operation.
    [From Build 51.10] [# 482122]
  • For a case under the following conditions, when:
    1. A VLAN is present on XenServer on management interfaces (normally ETH0 and ETH1 on most platforms)
    2. A management channel created from Management Service is present on SDX, and
    3. A VPX is using this management channel.
    Then, If the management channel is deleted from Management Service, then post deletion the VPX may be seen with the VLAN present on its management interfaces.
    [From Build 51.10] [# 482603]
  • SDX-Rome-10G Management Service incorrectly displays '0/2' under Network Settings section in NetScaler Provisioning page. This interface should not be used to configure NetScaler Instance.
    [From Build 51.10] [# 482655]
  • Service Management sends the password to back-end even when the change password field is not checked in the set up wizard. This happens when the nsroot user has set up a simple password which does not meet the criteria for password complexity. An error message is displayed when something is changed using setup wizard.
    [From Build 51.10] [# 485654]
  • A VPX looses the VRID configuration in the following scenario:
    If a VPX is having VRID configuration on interfaces 10/1 and 10/2 and from the Management Service a channel is created using interface 10/1 and 10/2. Now if you modify the VPX from the Management Service using the VPX modification wizard, it makes the VPX loose VRID configuration on 10/1 and 10/2.
    [From Build 51.10] [# 450858, 451631]
  • On Decapolis platforms although the number of interfaces are 36/24 but one cannot form as many channels (18/12) on that appliance.
    [From Build 51.10] [# 442562]
  • If you are modifying an existing NetScaler instance by removing a previously configured interface from the table and again add the same interface, it throws and error.
    [From Build 52.11] [# 477826]
  • On a SDX-VPX, for a management interface, when HA Monitoring or another property in interface is changed via GUI, It throws "operation not permitted" error.
    [From Build 52.11] [# 495067]
  • If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.
    [From Build 52.11] [# 432899, 435206]
  • In case of shared management of CPU in SDX, licenses fail to load on start-up sometimes if the management CPU is overloaded.
    [From Build 52.11] [# 473681]
  • Issue: The backup file contains more NetScaler instance than allowed instance in the license applied. Now instance restore for a single NetScaler fails with error message "License does not allow more than x NetScaler instance".
    Fix: For instance restore operation, licence validation is done against no of NetScaler selected for restore instead of validating against all NetScaler instance in the backup files.
    [From Build 52.11] [# 498440]
  • Setting of Jumbo MTU on interfaces or channels which are shared between NetScaler 10.5 and older version VPXes (10.1,9.3) is not supported.
    [From Build 53.9] [# 498926]
  • If you are logging in Management Service using Public Key authentication, then password less SSH log-in does not work.
    [From Build 53.9] [# 473904]
  • In Management Service, the Tagall setting configured for channels under Management VLAN settings is not available on VPXs.
    [From Build 53.9] [# 506128]
  • The management interface of a SDX-8000/SDX8200/SDX-8400 appliance might loose connectivity if the interface is connected to a CAT switch.
    [From Build 53.9] [# 470002, 460650, 484387, 504145, 505053]
  • If there is an Xenserver console session open for a NS-VPX during shutdown, then the VPX remains in the halt state.
    [From Build 53.9] [# 480351]
  • Restore operation fails when the backup file of newer version is restored in older Management Service version.
    [From Build 53.9] [# 502428]
  • The installation of supplemental pack 100015 fails on NSSDX-8200 10G platforms. The root cause of failure is that the install script treats a warning as an error and aborts the installation.
    There is no workaround for this other than to update to new version 10.1.130.x or 10.5.53.x with supplemental pack version 100016.
    [From Build 53.9] [# 495614]
  • On NetScaler SDX 8000 appliances, the Service Virtual Machine (SVM) might not detect the disk correctly, and it marks the status of the disk as down in system health monitoring. However, the provisioning of NetScaler VPX instances work as expected. This issue occurs in the following releases:
    - NetScaler 10.1 Build 129.11 or earlier
    - NetScaler 10.5 Build 52.11 or earlier
    [From Build 53.9] [# 488794, 497445, 504308]
  • The installation of supplemental pack 100015 fails on NetScaler SDX 8200 10G appliances.
    [From Build 53.9] [# 502975]
  • If you are accessing the Management Service directly through console on NetScaler SDX or Insight Center products, the credentials nsroot/nsroot do not work. The credentials root/nsroot work as before and SSH access to the management service also works as before with either of the credentials.
    [From Build 53.9] [# 438342, 453245, 461286]
  • In SDX NetScaler cluster, SDX management VLAN modifications are not allowed through cluster IP.
    [From Build 53.9] [# 469680]
  • When a NetSclaer VLAN with tagged option for channels is selected , the native VLAN also gets tagged inside the NetScaler VPX for the channel.
    [From Build 54.9] [# 512624]
  • MTU configuration is lost on 10G static LA/ LACP channel after the SDX appliance reboots.
    [From Build 54.9] [# 518423]
  • In prior releases of NetScaler SDX, the unsuccessful authentication attempts were not reported in in SNMP traps. From NetScaler 10.5.54x and later, using SNMP traps the administrator can check for such unsuccessful authentication attempts.
    [From Build 54.9] [# 416720]
  • In a Decapolis platform, the dashboard displays the power supply failure events after five minutes.
    [From Build 55.8] [# 523532]
  • The NetScaler SDX appliance does not generate interface SNMP traps with status UP.
    [From Build 55.8] [# 527658]
  • The Management Service allows sharing of interface configured with Jumbo MTU between 10.5-53.x and prior versions of NetScaler 10.5.
    [From Build 55.8] [# 513574]
  • The NetScaler SDX appliance fails if it receives SNMP requests before system initialization.
    [From Build 55.8] [# 525871]
  • Message of the Day (MOTD) may not render properly because of absence of doctype in HTML file when you are using IE8.
    [From Build 56.22] [# 526298]
  • Some of the Network Interface cards (NIC) may become unusable and may not be visible in Management Service on SDX220XX and SDX241XX platforms running with XenServer 6.1 Supplemental Pack 100016A.
    [From Build 56.22] [# 536844]
  • When you provision the maximum possible number of VPX simultaneously from Management Service, the Xen Server does not provide the details of correct memory space available immediately. There is a lag in recovering the memory space. For this reason although the memory space is available, you may still get "Not enough memory available" error.
    [From Build 56.22] [# 525616]
  • If the channel has a Jumbo configuration is restored, it is restored with the old configuration values. If the old configuration has an MTU greater than 1500, then during restore the channel is not created.
    [From Build 57.7] [# 551411, 552276]
  • If you upgrade the Management Service to 10.5 from 10.1 with the VPXs configured for secure-only management access and Management Service - NetScaler access is set as HTTPS, the migration after upgrade fails to set the SNMP trap configurations in VPXs.
    If there are large number of VPXs, the migration takes a long time to detect the failure and till then the Management Service remains inaccessible. However, if you wait long enough, the Management Service becomes accessible.
    [From Build 57.7] [# 544036]
  • If you have created channels on NetScaler SDX Appliance, the Management Service statistics process may fail in some cases.
    [From Build 58.11] [# 570006]
  • On an SDX appliance, the Management Service may lose connectivity. The issue is seen only with Management Service which is in the UP state for many days, minimum being 277 days.
    [From Build 58.11] [# 444854, 487984, 496194, 506802, 547064, 547571, 549842]
  • User Based Authentication
    NetScaler SDX now allows user based authentication for accessing the CLI based on unique public key for each user. You can set the Authorizedkeysfile parameter in sshd_config file to configure where the public key would be searched. The possible values it can take is:
    * .ssh/authorized_keys
    * ~/authorized_keys
    * <absolute_path>
    * ~/<some_path>
    * Blank or not specified
    [From Build 59.13] [# 532352]
  • Upgrading XenServer on a NetScaler SDX appliance to Revision 1 of XenServer 6.1 causes a loss of information about memory and CPU settings assigned to the control domain. As a result, a subsequent attempt to upgrade to XenServer 6.5 fails.
    [From Build 59.13] [# 578680]
  • On an SDX appliance, the Management Service may lose connectivity. The issue is seen only with Management Service which is in the UP state for many days, minimum being 277 days.
    [From Build 59.13] [# 444854, 487984, 496194, 506802, 547064, 547571, 549842]
  • In some rare cases, SVM fails to get inventory for a NetScaler instance. This issue is observed when HTTPS is used to communicate between the SVM and the NetScaler instance.
    [From Build 59.13] [# 544329]
  • The configuration utility of a NetScaler instance does not display the correct jumbo MTU value for an LA channel if it is configured from the management service.
    [From Build 59.13] [# 573626]
  • Performing SNMP walk using the EMC SMART tool is slow.
    [From Build 60.7] [# 588451]
  • On an SDX appliance, if a NetScaler instance is provisioned with more than 3.5 GB memory,
    the state of the interfaces might continuously change between UP and DOWN (flap) when the instance processes traffic.
    [From Build 60.7] [# 541222, 548301]
  • If there is an unclean shutdown (such a system crash) of a VPX instance that has an additional virtual disk (40G), the additional disk (/dev/ad1) does not mount in /var/crash due to which cores are not available upon failure.
    [From Build 60.7] [# 534767]
  • In the SDX GUI, the Management Service virtual instance displays incorrect memory usage information, because it does not consider the inactive memory.
    [From Build 62.9] [# 612042, 618530]
  • A memory leak in the event subsystem causes all the subsystems in the Management Service virtual instance to go down. As a result, you cannot log onto the SDX appliance through either the GUI or the CLI.
    [From Build 62.9] [# 605690]
  • On an SDX appliance, if a NetScaler instance is provisioned with more than 3.5 GB memory,
    the state of the interfaces might continuously change between UP and DOWN (flap) when the instance processes traffic.
    [From Build 62.9] [# 541222, 548301, 626380]
  • You cannot modify any interface parameters if the Interface Auto Negotiation setting is set to the default (OFF).
    [From Build 63.8] [# 635345]
  • In some cases, on an SDX appliance the bootup sequence cannot name the interfaces appropriately. This causes the interfaces to have nonstandard, temporary names and these names cause subsequent scripts to fail.
    [From Build 64.9] [# 446294]
  • A NetScaler VPX instance on a NetScaler SDX appliance might fail because of kernel memory corruption caused by a problem in the error handling path in the kernel. The issue occurs when a user-space process fails and dumps the core file at a time when the value for "sysctl.kern.corefile" points to a nonexistent directory.
    You can stack trace this issue by searching for the following message in the /var/log/messages file:
    Core dump of pid xxx (yyy) uid zzz could not be done at %s; switching core dump pattern to default: /var/core/%N-%P
    Where xxx, yyy, and zzz are specific values.
    [From Build 65.11] [# 646464, 607629, 634970, 644162, 652390, 657167, 664426, 671795, 671806]
  • If you configure a large number of channels or interfaces on a NetScaler SDX appliance, Management Service UI screens that display the system interface list or channels load slowly.
    [From Build 65.11] [# 659110]
  • The NICs of a 14xxx 40G or 25xxx 40G NetScaler SDX appliance are not shown under Configuration > System > Interfaces if, after a factory reset, you use the Platform Upgrade option in the Management Service to upgrade the appliance to NetScaler SDX release 10.5 or 11.1 with 5.04 firmware.
    [From Build 65.11] [# 663206]

NetScaler VPX Appliance

  • When you upgrade an instance of NetScaler VPX on Amazon AWS to release 10.5 build 50.9, the SSL feature of the VPX instance might not support more than 512 bit encryption.
    [From Build 51.10] [# 487876, 488699]
  • A NetScaler VPX instance that is deployed on the Hyper-V may crash or unexpectedly reboot if it uses three or more virtual interfaces in the VPX instance.
    [From Build 62.9] [# 467734, 469552, 471601, 476833, 484210, 489880, 577162, 587441, 595651, 597960, 611879, 620079]
  • A NetScaler VPX instance that is deployed on the Hyper-V may crash or unexpectedly reboot if it uses three or more virtual interfaces in the VPX instance.
    [From Build 63.8] [# 467734, 469552, 471601, 476833, 484210, 489880, 559176, 559529, 577162, 587441, 595651, 597960, 611879, 619957, 620079, 635124, 635440]
  • A NetScaler VPX instance might stop responding and dump core memory if you allocate a large disk size for log messages. The higher the rate of log messages, the more quickly the instance runs out of memory and fails.
    [From Build 65.11] [# 646674]

Networking

  • The NetScaler ADC might become unresponsive when you run the "bind rnat global" command.
    [From Build 51.10] [# 483502]
  • For an IPv6 load balancing configuration in which the IPv6 virtual server and the bound services are in different traffic domains, and USIP is enabled, the NetScaler ADC might become unresponsive when the IPv6 virtual server receives traffic.
    [From Build 51.10] [# 490398]
  • The CPU usage might be approximately 10% higher in NetScaler 10.5 version as compared to NetScaler 9.3 version.
    [From Build 51.10] [# 432192]
  • The NetScaler ADC might use a large amount of CPU cycles when it receives a burst of GRE traffic, which meets the following criteria:
    - The NetScaler ADC is not the GRE end point for this traffic.
    - The NetScaler ADC creates a NAT session information for this traffic.
    [From Build 51.10] [# 480573]
  • For a link load balancing with RNAT configuration in which persistence is enabled for the virtual server, the NetScaler ADC might become unresponsive when the virtual server receives traffic.
    [From Build 51.10] [# 471651, 479882, 485831, 493232]
  • For a link load balancing with RNAT configuration, the NetScaler ADC might use an incorrect subnet IP (SNIP) address to communicate to the external devices.
    [From Build 51.10] [# 480621]
  • In a CloudBridge connector tunnel, IKED packets might get routed back to the same NetScaler ADC instead of the peer tunnel end point.
    [From Build 52.11] [# 494875, 498447]
  • In a high availability (HA) configuration, VLAN Interface binding configuration might be lost when continuous HA failover happens.
    [From Build 52.11] [# 477415]
  • In a high availability (HA) configuration, VMAC configuration might be lost when continuous HA failover happens.
    [From Build 52.11] [# 477402]
  • For a DHCP load balancing configuration, the NetScaler ADC does not forward any unicast DHCP relay agent (UDP port 67) packets, which are received by the virtual server, to the bound servers.
    [From Build 52.11] [# 497057]
  • On a NetScaler ADC, ND6 entries might get in INCOMPLETE state due to synchronization mismatch among different internal modules. As a result NetScaler fails to serve traffic for that IPV6 address.
    [From Build 52.11] [# 480100, 483728]
  • Old or stale OSPF LSAs might exist after a warm restart, or restart after a power failure, resulting in triple flip.
    [From Build 52.11] [# 441005]
  • The NetScaler ADC drops IPv4 packets related to the following protocols:
    - IPv6 encapsulation (41)
    - Fragment Header for IPv6 (44)
    - ICMP for IPv6 (58)
    [From Build 52.11] [# 490190]
  • The NetScaler ADC might fail to evaluate listen policies, containing source or destination ipv6 address/subnet, for certain IPv6 addresses.
    [From Build 52.11] [# 496564]
  • With more than 1000 IP tunnels configured on a NetScaler ADC, the internal data structure for these IP tunnels might not be updated for some events. This changes the status of these IP tunnels to the DOWN state.
    [From Build 52.11] [# 491473]
  • NetScaler SDX appliances does not support jumbo frames.
    [From Build 53.9] [# 437520]
  • With MAC based forwarding (MBF) option enabled, the NetScaler ADC does not update Layer 2 information such as MAC address, interface ID, and VLAN ID, for a dynamic service even when the associated router is inactive. As a result, the router drops the packets destined to the IP address specified by the dynamic service.
    [From Build 53.9] [# 490341]
  • On running the "show connectiontable -detail LINK" command in NetScaler command line interface, the NetScaler ADC might become unresponsive.
    [From Build 53.9] [# 500720]
  • For a load balancing server configured on a non-default traffic domain, on modifying the IP address of the server also changes the name of the server.
    [From Build 53.9] [# 496237]
  • An Access Control List (ACL) rule specifying the TCP protocol and the Established option might not get evaluated if another ACL rule with a higher priority also specifies TCP.
    [From Build 54.9] [# 510173]
  • The NetScaler ADC might not update its bridge and ARP tables with the information received from GARP messages.
    [From Build 54.9] [# 497277]
  • Now, the NetScaler appliance sends all ARP replies from the first interface (lexicographical order) of an LA channel.
    [From Build 54.9] [# 486632]
  • When the MTU of a VLAN is set to 500, the adjacency of Intermediate System to Intermediate System (IS-IS) protocol fails in this VLAN, because the IS-IS process on a NetScaler ADC works with a minimum MTU value of 520.
    [From Build 55.8] [# 485391]
  • On a NetScaler ADC, when the MTU of a VLAN and Intermediate System to Intermediate System (IS-IS) Link Sate Packet (LSP) is set to a value lower than 1500, the IS-IS process fails to send the IS-IS protocol data units (PDUs) of the specified MTU size until the process is restarted.
    [From Build 55.8] [# 485374]
  • An ACL6 rule might not get evaluated for a series of TCP packets.
    [From Build 55.8] [# 528554]
  • If you bind an interface with a unit number greater than 31 to a VLAN that is used as a Sync VLAN in an HA configuration, the Sync VLAN becomes unoperational.
    [From Build 55.8] [# 507345]
  • In response to a packet sent with IP over IP encapsulation carrying an inner TCP header, the NetScaler packet processing engine (NSPPE) fails if the NetScaler ADC receives an ICMP Need Fragment error response.
    [From Build 55.8] [# 528069]
  • On receiving Generic Routing Encapsulation (GRE) packets as IP fragments on a virtual server with protocol ANY, the NetScaler ADC fails and is rebooted. This occurs only when you do not explicitly configure a GRE tunnel on the NetScaler ADC.
    [From Build 55.8] [# 522538]
  • If you disable the TCP Proxy parameter while creating a Reverse Network Address Translation (RNAT) rule on a multi-core NetScaler ADC, the NAT operation fails.
    [From Build 55.8] [# 508631, 509453]
  • Blocking Traffic on Internal Ports
    The NetScaler appliance does not block traffic that matches an ACL rule if the traffic is destined to the appliance's NSIP address, or one of its SNIP addresses, and a port in the 3008-3011 range.
    This behavior is now specified by the default setting of the new Implicit ACL Allow (implicitACLAllow) parameter (of the L3 param command). You can disable this parameter if you want to block traffic to ports in the 3008-3011 range. An appliance in a high availability configuration makes an exception for its partner (primary or secondary) node. It does not block traffic from that node.
    To disable or enable this parameter by using the command line interface
    At the command prompt, type:
    > set l3param -implicitACLAllow [ENABLED|DISABLED]
    Note: The parameter implicitACLAllow is enabled by default.
    Example:
    > set l3param -implicitACLAllow DISABLED
    Done
    [From Build 56.22] [# 529317]
  • In an active-active configuration, services bound to the backup VIP addresses do not send monitor probes to the associated servers.
    [From Build 56.22] [# 355965, 485260]
  • In an active-active high availability configuration using Virtual Router Redundancy Protocol (VRRP) protocol, a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
    [From Build 56.22] [# 485260]
  • $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
    [From Build 57.7] [# 383958, 411806]
  • In an active-active configuration with the sendToMaster parameter enabled, the backup nodes might not forward packets to the master node.
    [From Build 57.7] [# 554336]
  • The NetScaler appliance might not accept untagged Link Layer Discovery Protocol (LLDP) packets that are received on an interface which has "tagall" enabled.
    [From Build 58.11] [# 539617]
  • An attempt to access the configuration utility might fail if the logon address is an IPv6 address.
    [From Build 58.11] [# 553588]
  • If you have configured an INAT rule in which the private IP address is set to a virtual IP address, the rule is removed after you restart the NetScaler appliance.
    [From Build 58.11] [# 556632]
  • In a high availability configuration, a virtual IP address is removed from the configuration after the appliance is restarted or after HA synchronization if the virtual IP address is specified in a net profile entity.
    [From Build 59.13] [# 567484]
  • An ACL6 rule might not get evaluated if you set the operator option to NEQ (!=) for source and destination IPv6 addresses.
    [From Build 59.13] [# 573516]
  • If the IPv6 routes change, the IPv6-Ipv6 tunnel's encapsulation IP addressess are not obtained based on the latest route information. As a result, the tunnels use old encapsulation IP addresses to encapsulate packets.
    [From Build 59.13] [# 564252]
  • If you configure a PBR rule for the ICMP protocol, and the "forwardicmpfragments" L3 parameter is enabled, the NetScaler appliance might become unresponsive.
    [From Build 59.13] [# 575476]
  • The NetScaler appliance might not properly process packets related to forwarding session entries configured on the appliance.
    [From Build 59.13] [# 565475, 582155]
  • A load balancing monitor fails under the following set of conditions:
    -The site IP address of a GSLB site is the SNIP address of the NetScaler appliance.
    -The monitor is monitoring a load balancing virtual server.
    [From Build 59.13] [# 533270, 533081, 570389, 573536]
  • Both the appliances in a NetScaler HA setup might become unresponsive or fail if you modify/remove two or more ACL/ACL6 rules on the primary node and then force synchronization on the secondary node without applying the ACLs on the primary node.
    [From Build 59.13] [# 576810, 545920, 575433]
  • A large number of IPv6 client connections (more than 2 million) can degrade the performance of a NetScaler appliance.
    [From Build 59.13] [# 575126]
  • A PBR6 rule might not get evaluated if you set the operator option to NEQ (!=) for source and destination IPv6 addresses.
    [From Build 59.13] [# 575906]
  • In a high availability configuration, if you remove an ACL rule from the primary node and modify another ACL rule on the primary node, but you do not apply the ACLs on the primary node before forcing synchronization on the secondary node, the secondary node might become unresponsive.
    [From Build 59.13] [# 545920]
  • A NetScaler appliance might consume a high percentage of CPU cycles, because the appliance repeatedly updates the active connections with changes in MAC addresses of servers.
    [From Build 59.13] [# 579099]
  • TFTP monitor probes might fail with the error "Probe Timed out."
    [From Build 59.13] [# 578663]
  • In a high availability configuration, when the connection between primary and secondary goes down and comes up again, the secondary node receives HA INIT request from the primary node and it terminates all BGP connections.
    [From Build 60.7] [# 588509]
  • The NetScaler appliance might assign the NTP module a port that is used by some other feature module. Therefore, an incoming NTP response can be processed by the feature module. This can result in the failure of the NetScaler appliance.
    [From Build 60.7] [# 588477, 603874]
  • On a NetScaler appliance with a NetScaler owned IP address configured with a VMAC address on a traffic domain, when a peer device sends an ARP request with unicast MAC for this IP address, the NetScaler appliance responds with the physical MAC address instead of the VMAC address. As a result, the NetScaler appliance drops packets forwarded by the peer device if the packets are destined to the physical MAC address for that IP address.
    [From Build 60.7] [# 588912]
  • The NetScaler appliance might erroneously forward DHCP broadcast packets to the default router. As a result, the broadcast packets go in loops between the appliance and the router.
    [From Build 60.7] [# 591657, 595649]
  • For extended ACL rules that are associated in NAT configurations (for example, RNAT rules, Large Scale NAT configurations), the configuration utility displays the TCP established parameter as enabled for these ACL rules.
    [From Build 61.11] [# 597458]
  • You cannot securely access (HTTPS) the NetScaler GUI by using a subnet IP (SNIP) address that is configured on a traffic domain.
    [From Build 61.11] [# 600364]
  • If a connection matches a RNAT rule, the NetScaler appliance probes for the existence of the destination server before processing the connection based on the RNAT rule. The connection that is used for probing is sometimes left idle on the appliance and a new connection is opened once the client connection is successfully established. This probe connection stays idle for the configured idle timeout (2.5 hours) thus holding up resources on the server.
    Now, these probe connections are flushed within a minute if they remain idle.
    [From Build 61.11] [# 588694, 588551]
  • If an IPv6 virtual server with persistency enabled is removed from a traffic domain, the traffic domain information for the existing persistency sessions is lost, and the NetScaler appliance hosting the virtual server becomes unresponsive.
    [From Build 61.11] [# 608558]
  • The NetScaler appliance fails when it processes invalid IPSec IKED related packets.
    [From Build 61.11] [# 609537]
  • The NetScaler appliance might fail if secure management access (HTTPS) is enabled on a SNIP6 address that is configured for a traffic domain.
    [From Build 62.9] [# 618633]
  • After the clear config operation, reconfiguring a VXLAN entity fails to retrieve the VXLAN SNMP counters.
    [From Build 62.9] [# 572525, 574734, 614924]
  • On a NetScaler appliance, connections might get reset between routing processes. As a result, the dynamic routes are occasionally deleted and added back.
    [From Build 62.9] [# 599306]
  • An active FTP connection might get reset for no apparent reason, regardless of the state of the random source port.
    [From Build 62.9] [# 507908, 609496, 611357, 615638]
  • The dynamic routing module on a NetScaler appliance might incorrectly save the command "redistribute intranet" as "redistribute trill" in the ZebOS configuration file. Because the appliance does not support the "redistribute trill" command, after a failover in a high availability setup, the new primary node treats the "redistribute trill" command as an error and does not apply the subsequent commands in the ZebOS configuration file. This results in loss of configuration.
    [From Build 62.9] [# 620152]
  • The NetScaler appliance does not retain the entire 64 bit ID of IPv6 fragments of a session. As a result, the session might fail.
    [From Build 62.9] [# 614042]
  • In a GSLB deployment of NetScaler appliances configured with OSPF routing protocol, the OSPF process running in one of the NetScaler appliances sources OSPF hello packets from the GSLB site IP address configured on the appliance. As a result, neighbour adjacency does not get established.
    [From Build 62.9] [# 612419, 633722]
  • For backend TCP connections, a NetScaler appliance might allocate the subnet IP address and port of an active connection to a new connection. As a result, the new TCP connection fails.
    [From Build 62.9] [# 613454]
  • In a high availability set up, if the primary node has learnt a large number of routes, a failover might result in the new primary node to fail.
    [From Build 62.9] [# 400276, 580029]
  • The NetScaler appliance might become unresponsive while processing a route dependency check for multiple recursive BGP routes if the next hop for any of the routes changes or goes down.
    [From Build 63.8] [# 625841]
  • Because the subnet mask for the GSLB IP address and the SNIP address are the same, the Netscaler appliance incorrectly selects the SNIP address instead of the GSLB IP address for GSLB connections. The user authentication process is affeced because of the wrong selection of the IP address.
    [From Build 63.8] [# 633722]
  • The NetScaler appliance sends GARP request for a non-addressable virtual server when the virtual server's state changes to UP or DOWN.
    [From Build 63.8] [# 620697]
  • In an active-active deployment using VRRP, a NetScaler appliance does not match its configured bridge ACL rules to the packets received from the inactive VIP addresses of the other NetScaler appliances.
    [From Build 63.8] [# 614786]
  • The NetScaler appliance might fail if secure management access (HTTPS) is enabled on a SNIP6 address that is configured for a traffic domain.
    [From Build 63.8] [# 618633]
  • Restarting a NetScaler appliance that has a VLAN bound to a traffic domain and is configured as a SYNC VLAN or NSVLAN might cause configuration loss of binding between the VLAN and the traffic domain.
    [From Build 64.9] [# 648839]
  • When all ports of all IP addresses bound to a netprofile are used in different back-end connections, the NetScaler appliance uses one of the SNIP addresses, which is not bound to the netprofile, for a new back-end connection. Back-end systems reject the connection if the SNIP address is listed in their deny ACL rules. Now, the NetScaler appliance does not initiate any new back-end connection when all the ports of all IP addresses in a netprofile are being used.
    [From Build 64.9] [# 627547]
  • A NetScaler appliance with OSPFv3 dynamic routing protocol configured might measure the length of OSPFv3 LSA packets in Network Byte Order instead of Host Byte Order for comparison with the minimum required packet length. As a result, the NetScaler appliance becomes unresponsive.
    [From Build 64.9] [# 652131]
  • SNMP access to the NSIP address of a NetScaler appliance does not work through a CloudBridge Connector tunnel.
    [From Build 64.9] [# 637018]
  • In a high availability setup, secondary node advertises default routes even after performing "ns block-sec-rtadv" operation in VTYSH shell.
    [From Build 64.9] [# 639541]
  • During a "force sync" operation in a cluster deployment, performing a "save config" operation on a node might lead to a full or partial configuration loss on that node. With this fix, the "save config" operation is not permitted during a "force sync" operation.
    [From Build 64.9] [# 642375, 658619]
  • The NetScaler appliance might become unresponsive when one or both of the following conditions are met:
    - When you remove a traffic domain, which has ACLs, or ACL6s, or PBRs, or PBR6s rules, without performing apply operation for ACLs, or ACL6s, or PBRs, or PBR6s rules.
    - When you remove any ACL, or ACL6, or PBR, or PBR6 rule within a traffic domain and then remove the traffic domain before performing apply operation for ACLs, or ACL6s, or PBRs, or PBR6s rules.
    [From Build 64.9] [# 636269]
  • For extended ACL rules that are associated with NAT configurations (for example, RNAT rules and Large Scale NAT configurations), the NetScaler GUI displays the TCP established parameter as enabled even though the parameter is disabled.
    [From Build 65.11] [# 597458]
  • Restarting a NetScaler appliance that has a VLAN bound to a traffic domain and is configured as a SYNC VLAN or NSVLAN might cause configuration loss of binding between the VLAN and the traffic domain.
    [From Build 65.11] [# 648839]
  • On a NetScaler appliance, when a routing daemon (for example, BGP routing daemon) is restarted multiple times over a short period of time, the corresponding routing configuration (for example, BGP routing configuration) might get removed from the appliance.
    [From Build 65.11] [# 669005]
  • In a high availability (HA) setup, after an HA force failover operation, the NetScaler appliance removes (but not properly) static default route6s of all non-default traffic domains from its memory.
    Though the "show route6 operation" does not display these route6s but adding them again fails with the following error message: "ERROR: Resource already exist". This is because these route6s were not completely removed from memory.
    This issue also happens on a standalone NetScaler appliance when a traffic domain that has default route6s is removed.
    [From Build 65.11] [# 644265]

Optimization

  • Unavailability of the 32-bit metadata memory causes the NetScaler appliance to send cached requests to the servers.
    [From Build 58.11] [# 564643]
  • If the front end optimization feature is enabled on the NetScaler appliance, HTML pages containing question mark (?) characters fail to load in the client browser.
    [From Build 58.11] [# 565746]
  • If the front end optimization feature is enabled, the NetScaler appliance sometimes fails if the HTTP response headers span multiple packets.
    [From Build 58.11] [# 558861, 562680]
  • The NetScaler appliance fails with Front End Optimization enabled and many objects queued for optimization.
    [From Build 58.11] [# 560751]
  • The NetScaler appliance fails if the cached objects are revalidated with the server while the front end optimization feature enabled.
    [From Build 58.11] [# 554497]
  • A NetScaler appliance fails if the front end optimization (FEO) feature is enabled, the FEO action is configured for Extend Page Cache, and the server response does not include a Cache Control or Expires header.
    [From Build 63.8] [# 621122, 629593]

Platform

  • The SDX 24100/24150 and MPX 24100/24150 platforms are now supported in this release.
    [From Build 51.10] [# 487831]
  • NetScaler VPX instances running on Xen server might consume high CPU cycles for processing 1G traffic.
    [From Build 53.9] [# 498929]
  • On a NetScaler ADC that has a Small Form-factor Pluggable (SFP) interface with part number FTLF8519P2BNL, disabling this interface might not disable the interface of the peer device.
    [From Build 53.9] [# 487169]
  • NetScaler supports Multi-PE for Hyper-V.
    [From Build 53.9] [# 484123]
  • For NetScaler platforms that have Small Form-factor Pluggable (SFP) transceivers, with part number FTLF8519P3BNL, the bootup log files show that the SFPs are unsupported, even though they are functioning properly. This issue occurs in the following releases:
    - NetScaler 9.3 (all releases)
    - NetScaler 10.1 Build 129.11 or earlier
    - NetScaler 10.5 Build 52.11 or earlier
    [From Build 53.9] [# 501834]
  • NetScaler VPX instances running on VMware ESXi lose network connectivity when you apply either of the following patches:
    - ESXi550-201410401-BG
    - ESXi510-201410401-BG
    [From Build 55.8] [# 510673, 517241]
  • On NetScaler MPX 15000/17000 appliances, the 1G interfaces begin to flap after you upgrade the NetScaler software to release 10.5 build 52.11.
    [From Build 55.8] [# 526918, 528021]
  • The CPU usage of a NetScaler VPX instance running on VMware is constantly at 50% after an upgrade of the NetScaler software from release 10.1 to release 10.5.
    [From Build 56.22] [# 506700, 461089, 523888, 526203]
  • The user interfaces (command line and configuration utility) of a NetScaler instance running on a SDX appliance do not display the actual state of the management ports.
    [From Build 56.22] [# 251216, 302381]
  • On NetScaler MPX 22040/22060/22080/22100/22120 and ByteMobile T1200 appliances, SNMP based alarms are supported for only first two power supplies.
    [From Build 56.22] [# 525360]
  • Running Jumbo traffic at 10Gbps through a 10G NIC on a NetScaler VPX instance running on a NetScaler SDX appliance can cause a NetScaler packet processing engine (NSPPE) to fail.
    [From Build 57.7] [# 506423]
  • If you have a cluster setup of NetScaler MPX 8005/8015/8200/8400/8600/8800 appliances, time synchronization among the cluster nodes might fail.
    [From Build 59.13] [# 356564, 566811]
  • In an HA configuration on AWS cloud, the NetScaler appliances might become unresponsive if they are unable to reach the DNS server or the AWS API server during a failover.
    [From Build 59.13] [# 550922, 351615]
  • Some AAA bindings are not found in the running configuration on rebooting VPX on ESX platform. However, these bindings are present in the ns.conf configuration file. This happens when the VPN virtual server's parameter UITHEME is set to CUSTOM. This issue is specific to VPX on ESX only.
    [From Build 59.13] [# 524055, 576330, 576582]
  • The MPX 25100T and MPX 25160T platforms are now supported in this release. For more information about these platforms, see http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10-con/ns-hardware-platforms-con/ns-hardware-25100T-25160T-ref.html.
    [From Build 60.7] [# 486703, 495591, 552218]
  • The memory usage statistic shown on the LCD display of a NetScaler appliance is the allocated memory. The NetScaler configuration utility displays the currently used memory. Therefore, the two values are different.
    [From Build 60.7] [# 334358, 576545]
  • The NetScaler VPX appliance dumps core and fails if you try to provision a VPX instance on some versions of OpenStack that use Ubuntu 14.04.
    [From Build 60.7] [# 584880, 566152]
  • After upgrading to release 10.5 build 59.13, the 10 G physical interfaces on the NetScaler MPX 15000 and MPX 17000 appliances do not automatically return to an UP state when the peer device switches its state from DOWN to UP.
    [From Build 61.11] [# 608329]
  • A T1200 appliance that is used in a NetScaler deployment can become unresponsive or fail when generating the NetScaler tech support logs.
    [From Build 61.11] [# 606247]
  • The LOM firmware on NetScaler MPX 11500/13500/14500/16500/18500/20500 and MPX 11515/11520/11530/11540/11542 appliances can report VTT sensor data, but the NetScaler appliance does not support it.
    [From Build 61.11] [# 563987, 572404]
  • The RAID controller is frequently reset. With this fix the, RAID controller's driver has been modified and the firmware upgraded to version 23.33.0-0023. The frequent resets no longer occur.
    [From Build 61.11] [# 577075, 521790]
  • Different languages use different keyboard layouts, causing problems with using special characters through the LOM console. With this fix, the LOM console supports additional keyboard layouts and keyboard control tools.
    To change the keyboard layout, in the console, navigate to options > preferences and select a language.
    [From Build 61.11] [# 583263, 601405]
  • This release supports the MPX 25100T and MPX 25160T platforms. For more information about these platforms, see http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10-con/ns-hardware-platforms-con/ns-hardware-25100T-25160T-ref.html.
    [From Build 64.9] [# 486703, 495591, 552218]
  • This build supports NetScaler MPX-14026-40S, MPX-14041-40S, and MPX-14061-40S appliances.
    [From Build 64.9] [# 642783]
  • On the NetScaler 115xx appliances, you can now upgrade the LOM version from 2.52 to 3.39.
    [From Build 64.9] [# 537383, 624903]
  • After a factory reset of the 14xxx 40G or 25xxx 40G NetScaler SDX Appliances, if you upgrade the appliance to NetScaler SDX 10.5 or 11.1 release with 5.04 firmware using the Platform Upgrade option in the Management Service, the interfaces are not displayed under Configuration > System > Interfaces.
    [From Build 64.9] [# 663206]
  • In rare cases, a user-mode process failure can cause kernel failure, either at the same time or later. If the kernel fails, the NetScaler appliance dumps core memory. This failure can occur on nCore MPX, VPX, or SDX, appliances, although the most common occurrence is on a NetScaler VPX instance on a NetScaler SDX appliance.
    [From Build 65.11] [# 634900, 641199]

Policies

  • Using the "SYS.CHECK_LIMIT" expression in conjunction with any boolean expression can cause the NetScaler to crash.
    [From Build 52.11] [# 493045]
  • The NetScaler appliance can crash or the data can get corrupted when the URL (or other string) satisfies the following criteria:
    - Length is more than 1300 bytes (800 bytes for HTML_XML_SAFE).
    - Has at least one unsafe character.
    - A significant initial part of the string does not need encoding (or some smaller initial part of the string does not need encoding and there are lots of characters needing encoding)
    - One of the following functions is used on the string in the expression:
    * HTTP_URL_SAFE - unsafe characters are not allowed. Safe characters are: a-z, A-Z, 0-9, "-", "_", ".", "!", "~", "*", "'", "(", ")", ";", ":", "@", "?", "=", "$", "%", "&amp;", "+", ",", "/".
    * HTTP_HEADER_SAFE - new line ('
    ') characters are unsafe.
    * HTML_XML_SAFE - unsafe characters are '<', '>' and '&'.
    * APPEND_QUERY_PARAMETER - same as HTTP_URL_SAFE
    [From Build 53.9] [# 506761]
  • Rewrite policy bindings to virtual servers can be lost when you upgrade the NetScaler firmware to version 10.1.128.11. If the rewrite policy is bound to a load balancing virtual server, the policy bindings are not displayed as part of the server configuration, but they are saved when the user saves the configuration. If the rewrite policy is bound to a content switching virtual server, the policy bindings are lost when the user saves the configuration.
    [From Build 54.9] [# 508510, 513724, 517150, 518535, 519945]
  • Some IP based expressions might not work for IP addresses starting from octet 128 or greater (128.x.x.x - 254.x.x.x).
    The following expressions are not impacted:
    - EQ, IN_SUBNET, IS_IPV6, GET1, GET2, GET3, GET4, MATCHES, MATCHES_LOCATION, APPEND, TYPECAST_TEXT_T, TYPECAST_IPv6_ADDRESS_AT
    The following expressions do not work:
    GT, GE, LT, LE, BETWEEN, NE, ADD, SUB, MUL, DIV, MOD, NEG, BITAND, BITOR, BITXOR, BITNEG, LSHIFT, RSHIFT, TYPECAST_TIME_AT, TYPECAST_IP_ADDRESS_AT, TYPECAST_DOUBLE_AT, TYPECAST_UNSIGNED_LONG_AT, WEEKDAY_STRING, WEEKDAY_STRING_SHORT, SIGNED8_STRING, UNSIGNED8_STRING, SIGNED16_STRING, UNSIGNED16_STRING, SIGNED32_STRING
    [From Build 60.7] [# 534244]
  • If packet tracing is configured with a default-syntax expression and non-TCP traffic is being processed, and rewrite action applied on a HTTP chunked message is occurring then the rewritten data maybe incorrect or it might crash a NetScaler appliance.
    [From Build 61.11] [# 598465]
  • Under certain conditions, a NetScaler appliance does not insert an X-Forwarded-For field in the HTTP header for an HTTP CONNECT requests that are forwarded to server.
    [From Build 62.9] [# 605089]
  • A NetScaler appliance fails if you perform a Clear Configuration operation.
    [From Build 64.9] [# 634124]
  • If your NetScaler appliance is licensed for 135255 users but has insufficient Mem POLENG memory to support 135255 VPN sessions, the appliance might fail.
    [From Build 65.11] [# 636579, 665701]

Policy

  • A NetScaler appliance that has a rewrite policy configured, becomes unresponsive, if all the following conditions are met:
    1. The rewrite action type is either "replace" or "insert_after".
    2. The HTTP response does not have the content-length header.
    3. The body of the HTTP response is split into multiple TCP packets with different TCP packets arriving with some time delay. This causes the policy rewrite engine to pause and resume the packet processing.
    4. The string specified in the rewrite action is present in the last packet of the HTTP response.
    [From Build 56.22] [# 554460]
  • The Responder's HTML Page Import option fails if the name of the page being imported is in uppercase characters.
    [From Build 56.22] [# 530804]
  • The default SSL virtual server configurations are disturbed, if HTTP callouts are configured on the NetScaler appliance.
    [From Build 57.7] [# 551626]
  • If an HTTP message that includes invalid characters is processed by a rewrite action containing "XPATH_HTML_WITH_MARKUP()" in the target expression, the NetScaler appliance might fail.
    [From Build 58.11] [# 557908]

Responder

  • The NetScaler appliance fails if it receives a new request while an embedded expression in the responder HTML page is in blocking state.
    [From Build 63.8] [# 556035]

SSL

  • In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.
    [From Build 51.10] [# 414388, 345883, 349858, 428257, 428259]
  • On all the NetScaler MPX platforms, DH cryptographic operation is now offloaded to the hardware, reducing the load on the CPU. If your deployment uses DH crypto operations heavily, you will notice a performance improvement.
    [From Build 52.11] [# 490273, 378182, 404081]
  • In a setup with a large number of virtual servers, if only a few virtual servers receive most of the traffic while the other virtual servers are idle, there might be a delay in cleaning up the sessions.
    [From Build 53.9] [# 492087, 510038, 510483]
  • The client certificate that is inserted in the backend HTTP header now conforms to the x509 PEM format, which includes spaces and carriage returns. To use the old method (without spaces and carriage returns), at the NetScaler shell prompt, type:
    nsapimgr -y -s ssl_cert_insertion_space=0
    [From Build 54.9] [# 495316]
  • If the backend service is of type SSL_TCP, SSL reuse handshake using SSLv3 with backend servers fails and the connection is terminated.
    [From Build 56.22] [# 529471]
  • On all NetScaler appliances except MPX 5500 and MPX 5550/5650/5750 appliances, if both the rate of new SSL connections and the percentage of SSL session reuse are high, SSL session buildup causes high usage of memory. If the result is a memory allocation failure, SSL traffic is dropped.
    [From Build 56.22] [# 532136, 525686, 531207, 539902, 547350, 548697, 559753, 561598, 563485, 569063]
  • In a NetScaler cluster setup, if we add a certificate with the subject name greater than 64 characters, then subsequent SSL certkey addition fails with the "No such certificate file exists" error even though the certkey file is present on all cluster nodes.
    [From Build 57.7] [# 554917]
  • If you run the "update ssl certkey" command to modify the certificate-key pair that is bound to a service group, a duplicate entry is seen for the same certificate key pair in the running configuration.
    [From Build 57.7] [# 550138, 552436, 552701]
  • If a spike in traffic occurs while the NetScaler ADC is doing a DH-based handshake, some packets might be dropped, because a DH handshake consumes a high number of CPU cycles.
    [From Build 57.7] [# 484525]
  • In the configuration utility, when binding ciphers to an SSL virtual server, the order in which the ciphers are bound is reversed in the configuration file. For example, if ciphers were bound in order of a, b, c, and d, the configuration file shows the order as d, c, b, a.
    This issue is now fixed.
    [From Build 57.7] [# 552812, 558824]
  • If the backend service is of type SSL_TCP, SSL reuse handshake using SSLv3 with backend servers fails and the connection is terminated.
    [From Build 57.7] [# 529471]
  • On all NetScaler appliances except MPX 5500 and MPX 5550/5650/5750 appliances, if both the rate of new SSL connections and the percentage of SSL session reuse are high, SSL session buildup causes high usage of memory. If the result is a memory allocation failure, SSL traffic is dropped.
    [From Build 57.7] [# 532136, 525686, 531207, 539902, 547350, 548697, 559753, 561598, 563485]
  • On a NetScaler VPX appliance, the configuration for binding an ECC curve to the SSL virtual server is lost if the appliance is restarted.
    [From Build 58.11] [# 560175, 563831, 564931]
  • If you bind ciphers to an SSL virtual server by using the configuration utility, the order in which the ciphers are bound is reversed in the configuration file. For example, if ciphers were bound in order of a, b, c, and d, the configuration file shows the order as d, c, b, a.
    [From Build 58.11] [# 552812, 558824]
  • If application data is received during an SSL renegotiation handshake, the appliance sends a RST flag.
    [From Build 59.13] [# 542034]
  • If TLS1.1/1.2 protocol is used with AES/3DES ciphers, the TCP window at the backend reduces to zero. As a result, after some time, the connection is terminated.
    [From Build 59.13] [# 591600, 595713, 596278, 596556, 596566, 598045, 599524, 600591]
  • Statistics for TLS1.1 and TLS1.2 transactions do not appear in the output of the stat ssl command.
    [From Build 59.13] [# 336395, 559165, 560353]
  • If you have configured optional client-certificate authentication and your policies target client certificate x509 extensions, such as auth keyid, a transaction with a client that doesn't have a certificate might cause the appliance to fail or to use stale values from a previous transaction.
    [From Build 59.13] [# 593091]
  • In some cases, when client authentication is enabled, incorrect data form a client leads to a memory leak on the NetScaler appliance. If a large number of clients send incorrect data, the appliance fails.
    [From Build 59.13] [# 570754]
  • An MPX-FIPS appliance might not restart if you attempt a warm reboot.
    [From Build 60.7] [# 597101]
  • If you have configured optional client-certificate authentication and your policies target client certificate x509 extensions, such as auth keyid, a transaction with a client that doesn't have a certificate might cause the appliance to fail or to use stale values from a previous transaction.
    [From Build 60.7] [# 593091]
  • If you restart a NetScaler appliance that has FIPS firmware version 2.2, the FIPS key might be temporarily unavailable.
    [From Build 60.7] [# 572645, 563418, 576719, 594569, 603072]
  • 2048-bit Default Certificates on the NetScaler Appliance
    With this release, the length of the default certificate on a NetScaler appliance is a 2048 bits. However, upgrading to release 11.0 does not automatically install a 2048-bit certificate.
    Note: Citrix recommends that you replace the default certificate with a certificate issued by a CA.
    After upgrading an MPX appliance to release 11.0, if you want to replace the old internal default certificate (1024 bits), delete all your old certificate-key pairs that have "ns-" as the first three characters, and then restart the appliance to automatically generate a 2048-bit default certificate.
    On a VPX appliance that does not have licenses, you can continue to use the old (512-bit) default certificate after the upgrade, although a 512-bit certificate-key pair is not secure and might not work with the latest browsers. If you have the proper licenses, you can delete all your old certificate-key pairs that have "ns-" as the first three characters, and then restart the appliance to automatically generate a 2048-bit default certificate.
    [From Build 60.7] [# 451441, 405363, 458905, 465280, 540467, 547106, 551603, 559154, 584335, 588128]
  • If you have a large number of SSL services (greater than 3000) in the backend, CPU usage increases exponentially and the appliance fails.
    [From Build 60.7] [# 581193]
  • In release 10.5 or later, TLS protocol versions 1.1 and 1.2 are enabled by default, but can typically be controlled by configuration. For some types of services, however, configuration is not possible and the default settings are used: VPN and dynamically configured services like StoreFront and AppController, and SSL_BRIDGE services to which secure monitors are bound. To allow users to disable TLS 1.1 and 1.2 on these kinds of services, two SSL parameters have been introduced: montls1112disable and svctls1112disable. When set to ENABLED, these parameters disable TLS 1.1 and 1.2 for these types of cases. The montls1112disable option can be toggled on and off during runtime, but the svc1112disable option cannot. If you enable it and then want to disable it, you have to change its setting to DISABLED and then restart the appliance.
    [From Build 60.7] [# 602502, 599209]
  • An incoming SSL record that spans more than 256 TCP packets and contains TCP header options causes memory corruption in the Cavium command buffer structure. As a result, the NetScaler appliance fails.
    [From Build 60.7] [# 573904, 583295, 590222, 606399]
  • Even though SSL renegotiation is set to deny (that is, denySSLReneg is set to ALL), the server responds with the "server reneg" extension in the initial SSL handshake.
    [From Build 60.7] [# 559082]
  • If you update the certificate-key pair for a service group, the change is not reflected in the individual services that are bound to this service group. As a result, the old certificate-key pair continues to be used for negotiation in the SSL handshake.
    [From Build 60.7] [# 554925]
  • If you downgrade the software on your NetScaler appliance that does not have a license to release 9.3 build 61.66 or earlier, some commands related to the default server certificate might not be saved in the running configuration. As a result, after restarting, secure access (HTTPS) to the appliance fails.
    [From Build 60.7] [# 551603, 559154]
  • If TLS1.1/1.2 protocol is used with AES/3DES ciphers, the length of the TCP window at the back end shrinks to zero. As a result, after some time, the connection is terminated.
    [From Build 60.7] [# 591600, 595713, 596278, 596556, 596566, 598045, 599524, 600591, 604929]
  • TLS1.2 handshake fails with some back end servers if SHA2 certificates are bound to the server and client authentication is enabled on the server.
    [From Build 61.11] [# 600155, 601059]
  • If the passphrase for a certificate contains the "$" character, the configuration utility becomes unresponsive.
    [From Build 61.11] [# 591743]
  • If you bind a cipher group to an SSL entity by using the configuration utility, individual ciphers in the group are bound instead of the group.
    [From Build 61.11] [# 564565]
  • In release 10.5 or later, TLS protocol versions 1.1 and 1.2 are enabled by default, but you can disable them for all services except SSL_BRIDGE and dynamic services, which can't otherwise be configured. In this release, you can disable TLS1.1/1.2 on SSL_BRIDGE and dynamic services by enabling the new "svctls1112disable" and "montls1112disable" parameters, as follows:
    > set ssl param -svctls1112disable enable -montls1112disable enable
    After the new parameters are enabled, you cannot disable them by using the "set ssl param" command. You must edit the configuration (ns.conf) file as follows:
    1. Remove these parameters from the "set ssl param" command.
    2. Save the configuration.
    3. Restart the appliance.
    [From Build 61.11] [# 602502, 599209, 609284]
  • After you upgrade to this build, configuring a front-end service, or creating an internal service, with default ciphers results in a cipher inconsistency between a packet engine and the cluster configDB.
    [From Build 63.8] [# 625966]
  • The front end services appear as back-end services on the nodes of a cluster setup.
    [From Build 63.8] [# 632128]
  • SSL internal services might fail if you modify any SSL parameters while the SSL feature is disabled or not licensed.
    [From Build 63.8] [# 601951]
  • The appliance fails if a loop is created while linking the certificates. With this fix, the software checks whether a new certificate is already part of the link.
    [From Build 63.8] [# 612461]
  • The version displayed in syslog is SSLv2.0 even though the session is negotiated using TLSv1.2.
    [From Build 64.9] [# 474417, 474413]
  • In a cluster setup, if you have configured a front end service, or an internal service is created, with default ciphers, and then you upgrade to this build, there is a cipher inconsistency between a packet engine and the cluster configDB.
    [From Build 64.9] [# 631258]
  • Support for ECC curves in Service Groups
    You can now bind ECC curves to back-end service groups by using the NetScaler command line.
    At the command prompt, type:
    bind ssl serviceGroup <serviceGroupName> -eccCurveName <eccCurveName>
    [From Build 64.9] [# 592418, 659240]
  • Adding a certificate revocation list (CRL) on the NetScaler appliance fails with the error message "Certificate Issuer Mismatch" for a DER certificate, and with the error message "Invalid CRL" for a PEM certificate. This issue occurs because the attribute type of the common name field is different for the CA certificate than for the CRL.
    [From Build 64.9] [# 623058, 634017]
  • The NetScaler appliance displays high CPU usage because of a wrong computation of idle time.
    [From Build 64.9] [# 571226, 652915]
  • In a cluster setup, the serial number and validity do not appear correctly in the output of the "sh ssl certkey" command.
    [From Build 64.9] [# 635851, 504829]
  • In a cluster setup, if you rename a load balancing virtual server of type SSL, the local database table, which is used for all GET operations, is not updated.
    [From Build 64.9] [# 620964, 576828, 641041]
  • In a cluster setup, if you try to update an existing certificate by replacing the old files with new certificate and key files, the following error message appears:
    ERROR: Resource already exists [certkeyName Contents, nglab-2016]
    [From Build 64.9] [# 633395]
  • The output of the "stat ssl -detail" command is different for back-end entities than for front-end entities. The output for back-end entities does not include statistics for sessions, handshakes, or client authentications for TLS protocol versions 1.1 and version 1.2.
    At the back end, the label "Authorizations" is incorrect. It should be "Authentications."
    [From Build 64.9] [# 627635]
  • In a cluster setup, you cannot make any change to a service or service group if you have associated a common name with the service or the service group and enabled or disabled server name indication (SNI).
    [From Build 65.11] [# 665340]
  • An SSL handshake fails if all the ECDHE ciphers in the cipher list sent by the client are not supported by the NetScaler appliance even though the list contains some non-ECDHE ciphers that are supported.
    [From Build 65.11] [# 668239]
  • If you try to load large certificate files (> 256kB), the NetScaler appliance might dump core and restart, because of insufficient memory.
    [From Build 65.11] [# 643614, 624364, 646510, 667980]
  • In a cluster setup, if you rename a load balancing virtual server of type SSL, the local database table that is used for all GET operations is not updated.
    [From Build 65.11] [# 620964, 576828, 641041]
  • The NetScaler appliance dumps core memory and restarts if all of the following conditions are met:
    - SNI feature is enabled.
    - Exact server certificate match is unsuccessful.
    - The common name field is greater than 253 characters.
    [From Build 65.11] [# 664338, 670653]
  • If you upgrade to release 10.5, SSL client authentication fails if it uses a 4096-bit client certificate.
    [From Build 65.11] [# 600815, 343395]
  • The version displayed in syslog is SSLv2.0 even though the session is negotiated using TLSv1.2.
    [From Build 65.11] [# 474417, 474413]
  • SSL processing is delayed if the server sends a DES cipher with TLS1.2 protocol in the server_hello message to the NetScaler appliance. Although this combination is deprecated, the appliance tries to process it. The operation fails at the SSL card and blocks the card for a few seconds, causing latency in processing any new requests on the same card.
    [From Build 65.11] [# 661628]

SureConnect

  • SureConnect (SC) should be enabled on one entity. If you enable SC or configure SC policies on a load balancing virtual server, do not enable SC on any of the services or service groups that are bound to this virtual server. Doing so can result in configuration loss during reboot or lead to inconsistent configuration across an HA pair.
    [From Build 57.7] [# 526782]

System

  • When using Web Interfaces, after logging in to the VPN, users are not authorized to access published resources.
    [From Build 51.10] [# 484960]
  • When using DNS request pipelining with request switching, the audit log feature causes the NetScaler appliance to crash and reboot.
    [From Build 51.10] [# 488997, 493835]
  • SNMP walk shows the operational status of a LA channel as DOWN even when it is in the PARTIAL-UP state.
    [From Build 51.10] [# 477709]
  • With SPDY enabled, creating an AppFlow structure results in memory initialization issues.
    [From Build 51.10] [# 488487]
  • With USIP mode enabled, when the client FIN comes along with the final ACK for the server response, the NetScaler TCP module does not acknowledge the FIN.
    [From Build 51.10] [# 478356]
  • The Monupload process monitors the power supply and sends a "show techsupport" bundle as soon as a power failure is observed. This behavior is now modified to upload the bundle only in case the power supply does not recover in a 1 minute.
    [From Build 51.10] [# 452240]
  • Changes made to the time zone are not reflected till the NetScaler appliance is warm rebooted.
    [From Build 52.11] [# 471100, 425465, 484159, 484187]
  • When the Call Home feature is disabled before the Call Home enable operation is successful, a second instance of the Call Home process starts to run. This results in high usage of the management CPU.
    [From Build 52.11] [# 498232]
  • A new HTTP profile option "rtspTunnel" allows RTSP over HTTP. The RTSP tunnel is detected by the presence of either one of the following
    - 'Accept: application/x-rtsp-tunnelled' request header
    - 'Content-Type: application/x-rtsp-tunnelled' response header
    Once the tunnel is detected, NetScaler stops HTTP tracking for that TCP connection and lets the RTSP flow go through. The "rtspTunnel" option is disabled by default.
    [From Build 52.11] [# 480219]
  • If you change the IP address of a load balancing virtual server that shares the same server information (IP address, port and service) with an audit server and then clear the configurations, the NetScaler is expected to remove the virtual server, the audit server, and other NetScaler configurations. However, when you now add the virtual server with the original server details, the NetScaler throws an error message that says "resource already exists".
    Note: In a HA setup, this behavior is displayed even when you perform a force sync or a force failover operation.
    [From Build 52.11] [# 484527]
  • When trying to log on to the NetScaler using the GUI or the NITRO API, external users (from LDAP, TACACS, and so on) get the following error message: 'User does not exist'.
    [From Build 52.11] [# 498221, 501681]
  • The NetScaler randomly crashes when SPDY is enabled on a NetScaler deployment which has integrated caching enabled. This occurs due to some interaction issues.
    [From Build 52.11] [# 487437, 494371]
  • When the NetScaler deployment has large configuration size, the NetScaler appliance can crash due to issues with memory allocation.
    [From Build 52.11] [# 478608]
  • The NetScaler appliance can crash when a large HTTP request URL has a space in it and if the request is broken into multiple packets.
    [From Build 52.11] [# 497321, 501856, 502116, 502902]
  • The NetScaler intermittently fails to generate traps due to issues in propagating the alarm state to the SNMP daemon.
    [From Build 52.11] [# 490192]
  • With AppFlow enabled, if any of the HTTP headers (URL, Host, Cookie, and so on) have a length of exactly 255, the NetScaler appliance could crash.
    [From Build 52.11] [# 496726, 495235, 496997, 497181, 499667, 499733, 505523]
  • When an interface of a static channel becomes inactive because of an MTU mismatch, the peer device of the channel still sends traffic to that interface.
    [From Build 52.11] [# 463571]
  • When a HTTP profile is bound to a virtual server or service, the configurations of this profile are considered over the configurations of the global HTTP profile (nshttp_default_profile). However, when connection multiplexing is disabled globally and enabled on the virtual server or service, the global setting for connection multiplexing is being considered. This issue has now been fixed.
    [From Build 53.9] [# 494013]
  • If you enable Front End Optimization (FEO) with SSL, cache extension, and HTTP compression, the NetScaler ADC fails.
    [From Build 54.9] [# 517652, 523715]
  • In a high availability setup, a crash in the nsfsyncd process results in HA failover.
    [From Build 54.9] [# 490622, 496613]
  • Setting 'Request timeout' or 'Request timeout action' in HTTP Profiles can cause the NetScaler to fail in some situations.
    [From Build 54.9] [# 501100]
  • If an incoming URL has two or more slashes at the beginning of the path to the file, the URL is not parsed correctly. This can affect the use of policy expressions and the functioning of features such as Rewrite, which use parsed information to examine URLs.
    [From Build 54.9] [# 519390]
  • If you enable Front End Optimization (FEO) with SSL and HTTP compression, the NetScaler ADC fails.
    [From Build 54.9] [# 518322]
  • If a non-HTTP request is received on an HTTP virtual server, the transaction might fail.
    [From Build 55.8] [# 504910]
  • When the Netscaler ADC hits congestion with HA or LACP packets or continuous congestion in a single-PE environment, it cannot recover and packet transmission stops. This is applicable to the management ports on NetScaler SDX appliances and to all ports on NetScaler VPX instances running on XenServer.
    [From Build 55.8] [# 532316, 532045, 533018, 534634, 534671]
  • The NetScaler appliance generates SNMP clear alarm traps for successful cases of haVersionMismatch, haNoHeartbeats, haBadSecState, haSyncFailure, and haPropFailure error events in an HA configuration.
    [From Build 55.8] [# 368832]
  • The NetScaler randomly crashes when SPDY is enabled on a NetScaler deployment which has integrated caching or front end optimization enabled. This occurs due to some interaction issues.
    [From Build 55.8] [# 486257]
  • NetScaler VPX instances, with build 10.5 and pay per hour license, running on Amazon AWS cloud might not support some Access Gateway features.
    [From Build 55.8] [# 531384]
  • A NetScaler ADC processing SPDY traffic on SPDY enabled virtual servers fails intermittently if an HTTP response body received with chunked transfer-encoding and the response header is modified by other NetScaler features.
    [From Build 55.8] [# 519004, 528861]
  • The memory allocation API, malloc, returns a NULL value if it does not obtain memory for 'nscollect utility'. If the 'nscollect utility' tries to dereference this NULL pointer, it results in a memory segmentation error.
    [From Build 55.8] [# 528818, 529425]
  • A NetScaler appliance fails if it attempts to apply HTML injection to a server response that does not have a content type header.
    [From Build 56.22] [# 529493]
  • If the NetScaler appliance uses the HTTP pipeline to parse an HTTP request, and the parsing process fragments the request packet, the appliance, after processing a fragment, might not unset the flag indicating that the entire packet has been received. In that case, the appliance fails.
    [From Build 56.22] [# 527320, 527211]
  • Multiple instances of the nstraceaggregator daemon can run at the same time. As a result the NetScaler appliance might fail and corrupt the captured files.
    [From Build 56.22] [# 527119, 522584, 525657]
  • If you enable SPDY and the SPDY layer accumulates more than 8912 bytes of set-cookie values while processing a sever response, a buffer overrun causes the NetScaler appliance to fail.
    [From Build 56.22] [# 524949]
  • If you enable the nstrace feature in TX mode with an advanced filter expression, the NetScaler appliance fails.
    [From Build 56.22] [# 494911, 481032, 511763, 528309, 532708, 538507]
  • Multipath TCP does not work with NetScaler cache redirection feature.
    [From Build 56.22] [# 506056]
  • If password based authentication is used to open an SSH session to a NetScaler appliance, the wrong remote IP address is sent to the NetScaler syslog records.
    [From Build 56.22] [# 286861, 301935, 513312, 522183, 541332]
  • Data that the NetScaler VPX appliance sends to a TCP peer might be corrupted if the peer has sent a TCP Maximum Segment Size (MSS) value greater than 1460 bytes on a TCP connection that the appliance initiated.
    [From Build 56.22] [# 549904, 503614, 532794, 543864, 548338, 552628]
  • While handling PLAIN acknowledgement packets in a TCP VIP path, the NetScaler appliance drops FINACK packets.
    [From Build 56.22] [# 572046, 577192]
  • When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns following error:
    Invalid response from the aggregator [Device not Configured]
    [From Build 56.22] [# 377618, 341460, 351127, 364015, 475359, 481575, 499259]
  • The NetScaler appliance fails if you enable both front end optimization and the application firewall.
    [From Build 56.22] [# 539454]
  • Multiple instances of the nstraceaggregator daemon can run at the same time. As a result the NetScaler appliance might fail and corrupt the captured files.
    [From Build 56.22] [# 532843, 534384]
  • Launching of applications or desktops through a NetScaler appliance can fail, if the appliance is deployed in a multi-hop topology where the first hop performs load balancing and points to the second hop which performs gateway ICAProxy functionality.
    [From Build 56.22] [# 560747]
  • The ns_monuploadd_err.pl script monitors the health of the NetScaler appliance by looking for errors recorded in the log files. The script decompresses the log files and does not remove the decompressed log files, which therefore consume disk space.
    [From Build 56.22] [# 532042, 447664, 532587, 533164]
  • A NetScaler VPX virtual appliance with multiple packet engines fails if you enable the nstrace feature in TX mode with an advanced filter expression.
    [From Build 56.22] [# 528309]
  • The NetScaler Gateway floods the network with acknowledgement packets, sent from its VIP address, when merging the reassembly queue on the NetScaler appliance. The flood of packets causes a firewall outage.
    [From Build 56.22] [# 545133, 550627, 563058, 572273]
  • The NetScaler Gateway floods the network with acknowledgement packets, sent from its VIP address, when merging the reassembly queue on the NetScaler appliance. The flood of packets causes a firewall outage.
    [From Build 57.7] [# 545133, 550627]
  • During the execution of the "nstrace.sh" script (from shell) or the "start nstrace" command (from CLI), when the trace file is rolled over, some packets might not be available in the trace. The number of packets that will be dropped from the trace is directly proportional to the traffic rate.
    [From Build 57.7] [# 480258, 494482, 523853]
  • If an authentication policy is bound to NetScaler system global, authentication of weblog and auditlog services fails.
    [From Build 57.7] [# 498025, 521636, 534432]
  • Data that the NetScaler VPX appliance sends to a TCP peer might be corrupted if the peer has sent a TCP Maximum Segment Size (MSS) value greater than 1460 bytes on a TCP connection that the appliance initiated.
    [From Build 57.7] [# 549904, 503614, 532794, 543864, 548338, 552628]
  • The NetScaler appliance can become unavailable if you perform the following sequence of operations multiple times:
    1. Create a UDP load balancing virtual server (lbvserver).
    2. Configure a syslog audit server that has the same IP address and port as the UDP lbvserver.
    3. Bind the syslog audit policy to system global.
    4. Execute the "set audit syslogPolicy" command.
    5. Execute the "clear ns config" command.
    [From Build 57.7] [# 558143]
  • Enabling the AppFlow feature during a transaction causes the NetScaler appliance to fail.
    [From Build 57.7] [# 547739, 527797, 531101]
  • In a cluster or HA setup, when you perform an operation that adds a new file (create/import SSL/APPFW), the files is synchronized to the other nodes (non-CCO nodes in a cluster or the secondary appliance in an HA setup). This synchronization either happens either periodically or when manually executed. If an operation that uses this file is executed before the file is synchronized, the operation fails, because the required file is not available.
    For example, if you import a certificate file, and then execute the "show cert key" command immediately, the command fails.
    This issue is fixed by synchronizing the files across all the nodes automatically, after they are added.
    [From Build 57.7] [# 535162, 288743, 389394, 470729, 562724]
  • If the NetScaler appliance receives a Websocket upgrade request, and an HTTP-body based policy is bound globally or to a virtual server, the appliance does not forward the request to server until a TCP FIN flag is received from the client.
    [From Build 57.7] [# 536576, 549318]
  • NetScaler appliance may fail when trying to re-use the probe connection on wildcard vserver or service due to incorrect maximum segment size value learned from server.
    [From Build 58.11] [# 567413, 568270]
  • While handling PLAIN acknowledgement packets in a TCP VIP path, the NetScaler appliance drops FINACK packets.
    [From Build 58.11] [# 572046, 577192]
  • Launching of applications or desktops through a NetScaler appliance can fail, if the appliance is deployed in a multi-hop topology where the first hop performs load balancing and points to the second hop which performs gateway ICAProxy functionality.
    [From Build 58.11] [# 560747]
  • The NetScaler appliance can become unavailable if you perform the following sequence of operations multiple times:
    1. Create a UDP load balancing virtual server (lbvserver).
    2. Configure a syslog audit server that has the same IP address and port as the UDP lbvserver.
    3. Bind the syslog audit policy to system global.
    4. Execute the "set audit syslogPolicy" command.
    5. Execute the "clear ns config" command.
    [From Build 58.11] [# 558143]
  • NTP Version Update
    In NetScaler release 11, the NTP version has been updated from 4.2.6p3 to 4.2.8p2.
    If you upgrade your NetScaler appliance from any earlier release to release 11, the NTP configuration is automatically upgraded with additional security policies. For more information about configuring an NTP server, see http://support.citrix.com/proddocs/topic/ns-system-11-map/ns-ac-config-clk-sync-con.html.
    [From Build 58.11] [# 440375, 440591]
  • The NetScaler backup and restore functionality now creates a backup of each of the following configuration files: inetd.conf, ntp.conf, syslog.conf, newsyslog.conf, crontab, host.conf, hosts, ttys, sshd_config, httpd.conf, monitrc, rc.conf, ssh_config, localtime, issue, and issue.net.
    [From Build 58.11] [# 506378]
  • On performing the batch operation on the NetScaler appliance, the commands that are dependent on other commands can be lost from the NetScaler configuration file.
    [From Build 58.11] [# 527887]
  • You can now enable the Call Home feature while upgrading or downgrading the NetScaler software.
    If you are using the command line interface to upgrade or downgrade the NetScaler software, run the installns script with the -L option to enable the Call Home feature.
    To enable the Call Home feature by using the configuration utility, select the Enable Call Home option in the System Upgrade wizard.
    This option is available for the following cases:
    -Upgrading the NetScaler software to a later build within release 11.0.
    -Upgrading the NetScaler software from release 10.5 build 59.x or later to a later build within release 10.5, or to any build within release 11.0.
    -Downgrading the NetScaler software to an earlier build within release 11.0.
    -Downgrading the NetScaler software to release 10.5 build 59.x or later from a later 10.5 build or from release 11.0.
    [From Build 59.13] [# 558066]
  • If you execute NTP commands, such as enable ntp sync and show ntp status, the NetScaler appliance might become unresponsive because of a memory leak.
    [From Build 59.13] [# 529787, 574866, 581849]
  • The NetScaler appliance might become unresponsive if it receives a retransmitted TCP jumbo frame that carries the TCP FIN flag.
    [From Build 59.13] [# 571176]
  • The appliance might fail under the following set of conditions:
    1. A pipelined HTTP request is received that spans multiple TCP segments.
    2. An internal HTTP response generated by NetScaler for the HTTP request in condition 1, is terminated by a TCP segment that has the TCP FIN flag set.
    3. The appliance receives another HTTP request on the same connection.
    [From Build 59.13] [# 587817, 587879, 589416, 594044, 595927, 601915]
  • On rebooting the NetScaler appliance, the timeout is not set to the value specified by the "set ns timeout" command.
    [From Build 59.13] [# 587074]
  • Management CPU usage is high when you use the configuration utility's memory usage diagnostic tool (System > Diagnostics > Memory usage).
    [From Build 59.13] [# 586328]
  • After cleaning up an MPTCP session, the NetScaler appliance might not set the DATA_FIN flag in the TCP header of the data or acknowledgement packet if there is no subflow for sending the data.
    [From Build 59.13] [# 553650]
  • While handling PLAIN acknowledgement packets in a TCP VIP path, the NetScaler appliance drops FINACK packets.
    [From Build 59.13] [# 572046, 577192, 586755]
  • If you enable the snmp alarm SERVICEGROUP-MEMBER-MAXCLIENTS, varbinds such as svcGrpMemberName, svcGrpMemberEstablishedConn, alarmHighThreshold, svcGrpMemberFullName, and sysIpAddress might be missing from the alert.
    [From Build 59.13] [# 578673]
  • For a load balancing configuration, the NetScaler appliance uses the server-side session information instead of the client-side session information for handling a client-side packet. As a result, the NetScaler appliance becomes unresponsive.
    [From Build 60.7] [# 584531, 576932, 597895, 607060]
  • A Netscaler appliance has high memory consumption if Front End Optimization (FEO) feature is enabled.
    Work around: To resolve this configuration issue, the customer needs to disable the FEO feature. Otherwise, the customer needs to reboot the Netscaler appliance.
    [From Build 60.7] [# 591928]
  • Management access to the NetScaler appliance can slow down or become unavailable when the traffic domain identifier is not initialized for jumbo frames. However, virtual servers continue to serve traffic.
    [From Build 60.7] [# 583579, 594722]
  • The host name configured for the NetScaler appliance is now displayed on the LCD panel.
    [From Build 60.7] [# 498991, 498994]
  • If the NetScaler appliance receives a data or an acknowledgement packet without the Data Sequence Signal (DSS) option before the MPTCP connection is established, the appliance does not seamlessly fallback to regular TCP.
    [From Build 60.7] [# 588909]
  • The appliance might fail under the following set of conditions:
    1. A pipelined HTTP request is received that spans multiple TCP segments.
    2. An internal HTTP response generated by NetScaler for the HTTP request in condition 1, is terminated by a TCP segment that has the TCP FIN flag set.
    3. The appliance receives another HTTP request on the same connection.
    [From Build 60.7] [# 587817, 587879, 589416, 594044, 595927, 601915]
  • The upgrade wizard in the configuration utility puts the NetScaler software in the /var directory instead of the /var/nsinstall/<build id> directory.
    [From Build 60.7] [# 586721]
  • If a server advertises a maximum segment size (MSS) greater than 1460 bytes, a TCP transaction might not generate a response after passing through the NetScaler appliance.
    [From Build 60.7] [# 584079]
  • The NetScaler appliance might become unresponsive if front end optimization (FEO) is enabled with the SSL and rewrite features.
    [From Build 60.7] [# 583829]
  • Failed SNMP requests were not removed properly, therefore, subsequent set requests were retained in the queue. This lead to all SNMP requests getting blocked and high memory usage, due to which the SNMP module stops responding.
    [From Build 60.7] [# 590289, 584527, 596242]
  • When SPDY Protocol is enabled and SPDY Traffic is received on the NetScaler appliance, the TCP current clients counter goes to negative values and shows a very large value in the stat or the SNMP OID.
    [From Build 60.7] [# 551562, 551786, 568554]
  • When the NetScaler appliance receives MPTCP traffic, the number of established client connections is high, because both MPTCP sessions and subflows are treated as client connections.
    With this fix, the snmp oid of following mibs have changhttp://reno.citrite.net/images/edit-review.png?1427997750ed to:
    mptcpCurSessWithoutSFs: 130
    vsvrCurMptcpSessions: 73
    vsvrCursubflowConn: 74
    [From Build 60.7] [# 583292]
  • The NetScaler appliance fails to respond when the HTML injection feature is enabled.
    [From Build 60.7] [# 542418]
  • When you run multiple instances of nstcpdump.sh command, the system results in bad dump bad dump file format errors.
    [From Build 60.7] [# 584825]
  • Entering the nstcpdump.sh command causes the Management CPU utilization to reach 100 recent.
    [From Build 60.7] [# 513048]
  • Support for MPTCP Version Negotiation
    A client can now establish an MPTCP connection with NetScaler appliance even if the client's and the NetScaler appliance's MPTCP versions does not match. If the MPTCP version of the client is higher than the one supported on the appliance, the client falls back to a lower or equal version. If the appliance supports that version, the MPTCP session continues. Otherwise, the appliance falls back to a normal TCP session.
    [From Build 60.7] [# 529883]
  • A NetScaler appliance might crash if you attempt to start the nstrace instance with advanced filter expression.
    [From Build 60.7] [# 493737, 526095, 598148]
  • In a HA setup, if a domain-based SNMP manager is added on the secondary appliance, the NetScaler appliance stops responding eventually. You must configure the SNMP manager on the primary appliance.
    [From Build 60.7] [# 581355, 593292, 595943]
  • You can now enable the Call Home feature while upgrading or downgrading the NetScaler software.
    If you are using the command line interface to upgrade or downgrade the NetScaler software, run the installns script with the -L option to enable the Call Home feature.
    To enable the Call Home feature by using the configuration utility, select the Enable Call Home option in the System Upgrade wizard.
    This option is available for the following cases:
    -Upgrading the NetScaler software to a later build within release 11.0.
    -Upgrading the NetScaler software from release 10.5 build 59.x or later to a later build within release 10.5, or to any build within release 11.0.
    -Downgrading the NetScaler software to an earlier build within release 11.0.
    -Downgrading the NetScaler software to release 10.5 build 59.x or later from a later 10.5 build or from release 11.0.
    [From Build 60.7] [# 558066]
  • While upgrading the NetScaler appliance from 10.5.53.x to 10.5.54.9 version, the Client-Server Link Mapping check box was unavailable on TCP/IP connections page. The check box is now available in the TCP Connections page.
    [From Build 60.7] [# 551611, 519966]
  • Some events may be logged twice if DEBUG level is enabled for syslog, by using the "set audit syslogParam" command.
    [From Build 61.11] [# 594485]
  • When parsing a host name with no Path component, the URL parsing logic does not search for a question mark (?), so an entire string might be interpreted as the host name. This causes an error when the appliance tries to resolve the DNS name. With this fix, the parsing logic searches for question marks.
    Eg: http://example.com.php?&curuserid=94315577&host=wscdny203.live.changba.com&token=T59d105c1c74042e&localip=221.235.187.75&clientip=80.95.239.1&bless=1&channelsrc=market_%E7%99%BE%E5%BA%A6
    [From Build 61.11] [# 587858]
  • A NetScaler appliance fails when it receives an MP_CAPABLE final acknowledgement in a single packet with the FIN flag set.
    [From Build 61.11] [# 583853, 583855, 588078, 601746, 602955]
  • With the default TCP congestion control, a NetScaler appliance recovering from packet loss reduces the congestion window to half its previous length. With multiple packet loss events, the congestion window becomes small and delays transactions.
    [From Build 61.11] [# 606493, 601655]
  • The tech support bundle that is generated for a NetScaler MPX appliance that has a LOM port, generates a list of LOM sensors and stores this list in the support bundle in the "shell/ipmitool_sensor_list.out" file.
    [From Build 61.11] [# 596315]
  • In a high availability setup with stateful connection failover option enabled on a virtual sever, if a network link that is used for synchronizing connection information between the nodes becomes DOWN.
    Both nodes take a lot a time to reestablish connection information synchronization through the remaining active links, as a result some connection information might not get synchronize to the secondary node.
    [From Build 61.11] [# 590574]
  • Syslog messages generated by user action are logged as error messages instead of informational messages.
    [From Build 61.11] [# 538212]
  • NIC Failures detected during boot up do not prevent a NetScaler appliance from booting up and successfully starting the packet engines. The appliance displays an error message about the missing NICs.
    With this fix, if a NIC failure is detected during boot up, the appliance will not start Packet Engines and display an error message about the missing NICs.
    [From Build 61.11] [# 547260]
  • In certain cases, the NetScaler appliance might not retransmit the lost TCP segments resulting in a transaction failure.
    [From Build 61.11] [# 565938, 560394, 592227, 597160, 607864, 609068]
  • If, when establishing an MPTCP connection, a NetScaler appliance receives a duplicate acknowledgment in the 3-way handshake process, the appliance reverts to a normal TCP connection.
    [From Build 61.11] [# 601372]
  • If, when processing a URL, the parser encounters a tag that has "#"as a source attribute, the URL is considered to be empty as # is a fragment identifier. This leads to corrupted values because we continue processing the empty URL.
    [From Build 61.11] [# 605258]
  • A NetScaler appliance might occasionally fail when a client connects to an HTTP/SSL server and the server sends a 101 (switching protocols) response. The connection is closed before data can be sent or received from the client.
    [From Build 61.11] [# 576561, 587759]
  • The NetScaler appliance does not reduce the received Maximum Segment Size (MSS) to accommodate TCP options (such as timestamps). Therefore, the NIC drops such packets.
    [From Build 61.11] [# 593209]
  • A NetScaler appliance becomes unresponsive when passing an HTML response with the HTML tag exceeding 16 characters.
    [From Build 61.11] [# 611723]
  • Under stressful conditions (too many API requests) the NetScaler appliance is unable to retrieve LCD counters from the back end.
    [From Build 61.11] [# 533156, 599100]
  • Commands entered in the NetScaler CLI or GUI might fail because of a shortage of system resources or failure of system socket connections.
    With this fix, the NetScaler appliance attempts to reestablish the socket connections. After the socket connections are established, the appliance runs the failed commands internally.
    [From Build 62.9] [# 615487]
  • The NetScaler appliance might fail if both of the following conditions are met:
    - One or more of the following features are configured on the appliance: cache redirection, content switching, AAA-TM, Clientless VPN, full tunnel VPN, forward proxy.
    - The client connection times out while the DNS name is being resolved using the FQDN of back-end servers.
    [From Build 62.9] [# 608479]
  • Due to a bug in Hard Disk Drive (HDD) monitoring logic, if a message in /var/log/messages matches "*ad* Device not configured" string pattern, it results in producing false positive errors.
    [From Build 62.9] [# 611774, 598774]
  • A high availability pair fails if an HTTP response from a back-end server contains carriage return line feeds (CRLFs) after the HTTP Content Length and at the start of a new packet.
    [From Build 62.9] [# 547267, 623146]
  • In a wildcard virtual server configuration, a NetScaler appliance dynamically identifies an origin service by opening a probe connection. If the origin responds with a jumbo Maximum Segment Size (MSS), the appliance uses the MSS for future connections with the origin. If the jumbo frame support is disabled, it results in transactions failure.
    [From Build 62.9] [# 605873]
  • A warning error message "Error =80000004 in nsagg_process_stat_request, closing connection" displays when a nscollect module requests counter information from a nsagregator daemon at every 5 minute interval. The nsaggregator daemon prints the warning message as response to the request received from nscollect module for more than 256 counters.
    [From Build 62.9] [# 610809, 577474, 579560, 622553]
  • A NetScaler appliance fails if the Front End Optimization (FEO), Application Firewall, and SSL features are all enabled and the appliance encounters an error while parsing an HTML response.
    [From Build 62.9] [# 624327]
  • When a NetScaler appliance is integrated with ESP or VPX devices functioning as E100 devices, it encounters buffer-allocation failure and packet-reception failure.
    [From Build 62.9] [# 604971, 611176]
  • A NetScaler appliance fails when an MPTCP subflow receives an Infinite DSS mapping in a partially retransmitted packet.
    [From Build 62.9] [# 614842, 623426]
  • Client-based virtual machines are unable to access a NetScaler appliance if they are running on the same server (for example, VPX on Linux KVM). However, they are accessible if they are running on different servers.
    [From Build 62.9] [# 613108]
  • The NetScaler appliance might fail if both of the following conditions are met:
    - One or more of the following features are configured on the appliance: cache redirection, content switching, AAA-TM, Clientless VPN, full tunnel VPN, forward proxy.
    - The client connection times out while the DNS name is being resolved using the FQDN of back-end servers.
    [From Build 62.9] [# 543293, 578993, 579965, 593378, 599535, 608479, 614368, 628579, 628763, 634338]
  • A NetScaler appliance fails on a network interface if it receives retransmitted data for which the maximum transmission unit (MTU) is larger than 1500 bytes.
    [From Build 63.8] [# 625776, 624763, 624779, 629314, 630646, 636283, 637479]
  • If, in a Multipath TCP (MPTCP) session with a single subflow, the client in the subflow signals a zero-window condition before the subflow connection times out, the NetScaler appliance uses small-window-protection logic to mark the subflow connection as a small-window attack from the client. The logic checks to determine whether the existing number of small window connections are more than the threshold value (set to 100, by default) and if true, the appliance resets the subflow causing the appliance to fail.
    [From Build 63.8] [# 639081]
  • If a client on an IPV6 connection advertises an MSS value below 1360 (bytes), the NetScaler appliance responds with a MSS value below the (RFC) required minimum value of 1220 (bytes).
    [From Build 63.8] [# 556475]
  • The NetScaler appliance might fail if both of the following conditions are met:
    - One or more of the following features are configured on the appliance: cache redirection, content switching, AAA-TM, Clientless VPN, full tunnel VPN, forward proxy.
    - The client connection times out while the DNS name is being resolved using the FQDN of back-end servers.
    [From Build 63.8] [# 543293, 578993, 579965, 593378, 599535, 608479, 614368, 628579, 628763, 634338]
  • A NetScaler Policy Infrastructure (PI) connection reset code for a non HTTP type virtual server might cause a memory leak.
    [From Build 63.8] [# 626562, 632738, 634610]
  • In a high availability setup, command propagation and configuration synchronization using secure RPC might fail if SSLv3 and TLS1.0 protocols are disabled for SSL internal services.
    [From Build 63.8] [# 613966]
  • The TCP wait queue counter might be incorrect, because the NetScaler appliance does not update the counter properly during persistence probes.
    [From Build 64.9] [# 637919]
  • A NetScaler appliance fails if a TCP/IP session is simultaneously reused for TCP and Multipath TCP (MPTCP) operation and not mutually exclusive with TCP KeepAlive enabled for MPTCP subflows.
    [From Build 64.9] [# 654080]
  • In a NetScaler appliance, if the Ring Receive buffer is full, the appliance starts to discard data packets at the Network Interface Card (NIC). As a result, the appliance drops packets leading to a probe failure.
    [From Build 64.9] [# 623977, 649735]
  • The NetScaler appliance might fail, because of memory corruption, if a policy uses an expression that applies the MATCHES (not MATCHES_LOCATION) function to an IPv4 or IPv6 address and there is an issue in communicating with the DNS server.
    [From Build 64.9] [# 630782, 630436, 631279, 637396, 650939, 650964]
  • A NetScaler appliance might become unresponsive if it has a TCP profile with the TCP keepalive option enabled and is bound to a load balancing virtual server. The cause is an interoperability issue between the TCP keepalive and TCP packet retransmission functionalities.
    [From Build 64.9] [# 619349, 626027]
  • The CPU parameter value on the LCD panel does not match the value reported by the NetScaler CLI or GUI.
    [From Build 64.9] [# 643237]
  • An invalid compressed header in SPDY frames causes a NetScaler appliance to restart.
    [From Build 64.9] [# 637651]
  • The Configd daemon fails if the number of session IDs exceeds the preset limit and existing client sessions are renumbered.
    [From Build 64.9] [# 639380, 657168, 657781]
  • When parsing a host name with no Path component, the URL parsing logic does not search for a question mark (?), so an entire string might be interpreted as the host name. This causes an error when the appliance tries to resolve the DNS name. With this fix, the parsing logic searches for question marks.
    E.g.: http://example.com.php?&curuserid=94315577&host=wscdny203.live.changba.com&token=T59d105c1c74042e&localip=221.235.187.75&clientip=80.95.239.1&bless=1&channelsrc=market_%E7%99%BE%E5%BA%A6
    [From Build 64.9] [# 587858]
  • If an imported responderhtmlpage content ends with an embedded expression or escaped embedded expression and if the responderhtmlpage is specified in the Add Responder Action command, it causes a NetScaler appliance to fail.
    [From Build 64.9] [# 629091]
  • During a TCP transaction, when the client advertises zero window to a NetScaler appliance, the appliance periodically sends zero window probe to ascertain if the client can open the window so that the NetScaler appliance can send in new data. When sending such a probe, the appliance sends a full maximum segment size (MSS) packet during first probe and from the second probe onwards, sends a 1-byte packet. If the client does not open the window after sending such a probe, but instead sends a TCP Reset or if the connection on the NetScaler appliance gets flushed for other reasons, then it may lead to duplicate buffer free on the appliance that might cause the appliance to fail.
    [From Build 64.9] [# 657742, 657753, 657771, 658352, 658507, 658526, 659842, 659849, 660345, 660812, 660998, 661018, 661266, 661511, 662353, 662493]
  • When a NetScaler appliance sends out full sized persist probe packet that is more than the client advertised window, firewall drops the packet causing the connection to fail.
    [From Build 64.9] [# 576980]
  • If an imported responderhtmlpage content ends with an embedded expression or escaped embedded expression and if the responderhtmlpage is specified in the Add Responder Action command, it causes a NetScaler appliance to fail.
    [From Build 64.9] [# 640075]
  • If a NetScaler appliance has "TCP timestamp" parameter enabled in a TCP profile, some internal configurations and connections fail when the appliance attempts to communicate with the underlying freebsd.
    [From Build 64.9] [# 612251]
  • On a NetScaler VPX appliance provisioned on Microsoft Hyper-V servers, if more than 4 interfaces are assigned to the appliance, the interfaces might get scrambled and appear in a different order in both the NetScaler command line and the NetScaler GUI.
    [From Build 64.9] [# 599122]
  • If, after restarting a NetScaler appliance, you increase the cache memory limit while the front end optimization (FEO) feature is enabled, the appliance fails.
    [From Build 64.9] [# 626082, 628536, 633772, 642939]
  • The HTML-injection feature might cause dropped requests, closed connections, and possible failure of the NetScaler appliance. The HTML-injection feature generates a special request for each embedded object, for sending timestamp-related information to the EdgeSight server. The request URL contains the content type of the object. If the Content-Type field in the request contains a space, it should be percent-encoded, but the HTML-injection feature inserts the space as is. Therefore, by HTTP standards, the request is invalid. If the "drop invalid requests" option is enabled in the applicable HTTP profile, the request is dropped and the connection is closed. Also, if the URL spans multiple packets, the NetScaler appliance fails while processing the next packet after the request is marked invalid.
    [From Build 65.11] [# 626848]
  • The NetScaler command line does not come out of the execution logic and does not display the command prompt when multiple grep with pipe operations are performed.
    [From Build 65.11] [# 667214]
  • The TCP timestamp is now an interoperable parameter for TCP and Multipath TCP (MPTCP) data transmission.
    [From Build 65.11] [# 646496]
  • In an MPTCP connection, a NetScaler appliance sets the TCP PSH flag during retransmission of FastClose and DataFIN packets.
    [From Build 65.11] [# 667765]
  • start nstrace operation fails with the following error message: "one instance is already running".
    [From Build 65.11] [# 668051]
  • In a MPTCP connection, if a client negotiates a Maximum Segment Size (MSS) value of more than 1460 bytes, and the NetScaler appliance receives an ICMP protocol error message after fragmenting and sending a Data Security Standard (DSS) packet, the appliance fails. This happens because of incorrect handling of DSS packets with a segment sizes.
    [From Build 65.11] [# 648275]
  • A NetScaler appliance constantly fails and dumps core memory, filling the Var directory with core files.
    [From Build 65.11] [# 647955]
  • If a FASTCLOSE packet from a NetScaler appliance to a client is lost, the multipath TCP (MPTCP) session does not notify the application about the abrupt connection closure and close the socket. As a result, the appliance does not retransmit the lost packet.
    [From Build 65.11] [# 649968]
  • In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.
    [From Build 65.11] [# 449234, 457629, 496448]
  • NetScaler appliance crashes when a large host-name header is received and AppFlow logging for host-name and domain-name is enabled.
    [From Build 65.11] [# 660075, 664886]
  • By default, a NetScaler appliance ignores the non-standard and obsolete "Proxy-Connection" HTTP header. To change this behavior, use the nsamimgr command to set the proxyConnection parameter to 1. This setting prioritizes the Proxy-Connection header over the Connection header.
    For example, nsapimgr -ys proxyconnection=1
    [From Build 65.11] [# 654560]

User Interface

  • Issue ID 0440208: If a new SSL certificate that requires a key is installed without the key, access to management service GUI is lost.
    [From Build 55.8] [# 440208]
  • SSL
    If you add new ciphers by using the configuration utility, the order in which the configured ciphers are bound is not preserved.
    [From Build 55.8] [# 520088, 524139, 524140]
  • Configuration Utility
    If you create a service on one of the screens that appear while you are configuring a virtual server, you cannot bind the service to the virtual server, because the OK button is not enabled.
    [From Build 55.8] [# 527388]
  • Configuration Utility
    You can bind multiple services at the same time to a virtual server or a service group. However, you cannot unbind multiple services at the same time from a virtual server or from a service group.
    [From Build 55.8] [# 520751]
  • If you use an invalid filter expression when you start the nstrace process, an error message appears, but the NetScaler appliance starts two nstrace aggregator instances.
    [From Build 56.22] [# 536544]
  • The SNMP counter of type cntr32 has been changed to a gauge counter.
    [From Build 56.22] [# 524080, 448724]
  • The NetScaler appliance serves erroneous cache content if you use the XenApp/XenDesktop wizard's auto-configured cache policies.
    [From Build 56.22] [# 426551, 545422]
  • In certain cases, an attempt to add or bind a load balancing virtual server, service, or service group can fail if the internal ID assigned to the virtual server, service or service group conflicts with the internal ID of an existing virtual server, service, or service group.
    [From Build 56.22] [# 516162, 358664, 538009, 540912, 542248, 542721, 546566, 549368]
  • In certain cases, an attempt to add or bind a load balancing virtual server, service, or service group can fail if the internal ID assigned to the virtual server, service or service group conflicts with the internal ID of an existing virtual server, service, or service group.
    [From Build 57.7] [# 516162, 358664, 538009, 540912, 542248, 542721, 546566, 549368]
  • A customer reported that the Configuration Wizard hangs when used to set-up a new XenDesktop portal on the NetScaler Gateway appliance. This behavior seems to be related to the IP address.
    [From Build 59.13] [# 573617]
  • CB management service (SVM) causes failure due to memory leak..
    [From Build 59.13] [# 565742, 573215, 576357]

XML

  • Users who access a Microsoft Sharepoint server through a NetScaler ADC that has the application firewall enabled are unable to open any document type that requires software that is not part of the browser, such as Microsoft Office files.
    [From Build 52.11] [# 450232]

Release history

For details of a specific release, see the corresponding release notes.
  • Build 66.6 (2017-05-16) (Current build)
  • Build 65.11 (2017-01-27)
  • Build 64.9 (2016-10-19)
  • Build 63.8 (2016-06-23)
  • Build 62.9 (2016-04-20)
  • Build 61.11 (2016-02-06)
  • Build 60.7 (2015-11-18)
  • Build 59.13 (2015-09-08) Replaces: 59.11
  • Build 58.11 (2015-07-16)
  • Build 57.7 (2015-05-18)
  • Build 56.22 (2015-03-30) Replaces: 56.21
  • Build 55.8 (2015-02-02)
  • Build 54.9 (2014-12-17)
  • Build 53.9 (2014-11-14)
  • Build 52.11 (2014-11-03)
  • Build 51.10 (2014-11-03)
  • Build 50.10 (2014-10-21)