Release Notes for Build 135.18 of NetScaler 10.1 Release

September 25, 2017 | Release notes version: 1.0

Note

Build 135.18 replaces Build 135.12.
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the NetScaler release 10.1 Build 135.18. See Release history.

Notes

  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
  • The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous NetScaler 10.1 releases.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.

Fixed Issues

The issues that are addressed in Build 135.18.

Networking

  • Higher TTL Value for DHCP Requests
    Time to Live (TTL) value in IP packets carrying DHCP requests from a NetScaler appliance to a DHCP server has been increased from 16 to 225. A higher TTL value is useful in cases where the DHCP server is several hops away from the NetScaler appliance.
    [# 676323]

Known Issues

The issues that exist in Build 135.18.

AAA-TM

  • Forms-based single sign-on does not work if the form is customized to include Javascript.
    [# 565740]
  • The rule (expression) in an AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.
    [# 332831]
  • In NetScaler 9.3 and previous versions, the NetScaler ADC used a SNIP address as the source IP address for authentication requests unless the administrator configured a static route to a different interface. In NetScaler 10.1 and subsequent versions, the ADC uses the NSIP address as the source for authentication requests even when a static route points to a different interface.
    To force the ADC to use a SNIP (not the NSIP) as the source IP address in version 10.1 or later, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication.
    [# 457817]
  • The NetScaler implementation of Kerberos does not fully implement the ktutil functionality. While this does not affect Kerberos authentication, it restricts some administrative tasks, such as the ability to merge keytab files.
    [# 551091]
  • In rare scenarios, when the NetScaler appliance is configured with forms-based SSO, the response cookie from an OWA 2013 server is not greater than 70 bytes. The length check on the cookie value in the success rule configured in the Forms SSO action on the NetScaler appliance must therefore be updated with an appropriate value.
    [# 676450]

AppFlow

  • Service states for the service groups cannot be updated. As a result, client requests are dropped.
    [# 658990]
  • The timestamps in AppFlow records are not in NTP format.
    [# 525568]
  • If a NetScaler high-availability failover occurs when ICA AppFlow is enabled, the session reliability feature will now restore the session. This capability is currently disabled by default and configurable via CLI. The CLI command to enable/disable the feature is
    set ica parameter EnableSRonHAFailover YES/NO
    [# 456218, 438710, 547601, 620411]
  • ICA parsing uses a lot of memory, so the NetScaler appliance reaches its memory limit with a lower than expected number of connections.
    [# 459458]

Application Firewall

  • A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.
    [# 427798]
  • The application firewall has memory limitations on the size of a WSDL that can be imported into the NetScaler appliance. The import operation might fail if the size of the WSDL file exceeds the allocated memory.
    [# 349504]
  • If the server sends less data than the amount specified in the Content-length header, the NetScaler application firewall might send a 9845 response and reset the connection.
    [# 506653]
  • If the user sends a request that contains the string "Javascript" without a non-alphanumeric delimiter, the Cross-Site Scripting check does not block the request. This is expected behavior. Without a delimiter, the keyword "Javascript" cannot trigger code execution and therefore poses no threat to the protected web application.
    [# 457926, 506333]
  • The auto-update operation restores the default SQL/XSS patterns in the signatures. If the user edits a signature to remove any of the SQL/XSS patterns, the removed patterns might reappear in the signature when it is auto-updated.
    [# 455652]
  • If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
    [# 489691]
  • When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.
    [# 283780]

Cluster

  • In a cluster setup, the "show ns trace" command displays the trace only of the cluster configuration coordinator node. It does not show the trace of the other cluster nodes.
    [# 568518]

Command Line Interface

  • The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.
    [# 512526, 527066, 545578, 631658, 635938, 643466, 652771, 667794]

Configuration Utility

  • If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.
    Workaround: Use the arrow keys on the keyboard to scroll the screen.
    [# 389328]
  • If, when using the configuration utility to configure a NetScaler ADC, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
    [# 374437]
  • In a high availability setup, if you run the "add ssl certkey" command on the primary node, and the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, the configuration utility does not display an error message.
    [# 459703]
  • If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.
    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
    [# 388534]

GSLB

  • A NetScaler appliance does not allow creation of a GSLB service entity if the entity's IP address and port number match those of an existing load balancing virtual server or service entity but the service type does not match.
    [# 578930]
  • In all releases of 10.0 and 10.1, the "show server" output does not include IP address and state information for GSLB services.
    This feature works in all builds of the 9.3 and 10.5 releases.
    [# 499523]
  • GSLB force sync fails if the following conditions are met:
    * The same load balancing (LB) monitor is bound to a GSLB service and to other LB entities.
    * The server IP address already exists for a non-GSLB entity on the slave node (an entity with same server IP address but a different server name) and the master node tries to synchronize the configuration.
    [# 530638, 506432, 652849]

High Availability

  • When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.
    To avoid this issue, use the following steps when upgrading the HA nodes:
    1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.
    2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.
    3. Force failover to make the upgraded node the primary node.
    4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.
    5. Reenable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.
    6. Save the configurations.
    Note: Before upgrading, synchronize files between the HA nodes by using the "sync ha files all" command.
    [# 471294]

Load Balancing

  • If a NetScaler appliance sending a DNSSEC negative response over UDP is not able to include the required records (for example, SOA, NSECs, and RRSIG records) in the Authority section, the appliance might send a truncated response in the wrong packet format.
    [# 540965]
  • If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.
    [# 464952]

NITRO API

  • The session timeout value that is set for a particular user (using the "add/set system user -timeout <value>" command) is not used as the session timeout value for that user when logged on to a NITRO session in NetScaler 10.1 builds. The session timeout value for NITRO API can be specified at login time, otherwise a default value of 30 minutes is taken as the session timeout value.
    Note: In NetScaler 10.5 builds, the user session timeout value is by default used as the NITRO API session timeout value for that user.
    [# 513938, 525094]
  • For external users that require a challenge and response, authentication through NITRO does not work.
    [# 558715]

NetScaler CLI

  • When you use the Net::SSH::Perl library to connect to the NetScaler appliance, and run a command with an argument that has an @ character, an error message reports that the argument does not exist.
    For example, an error message appears if you use the @ character in the tacacsSecret parameter of the following command:
    > set authentication tacacsAction TACACS-0101 -tacacsSecret Sl4make5f0rd@enc5
    Workaround: Use one of the following alternate approaches:
    - If you use the Net::SSH::Perl library, include double quotes around the command when calling $ssh->cmd().
    - Use the Net::Telnet library.
    - Use the Net::SSH::Expect library.
    [# 346066]
  • The "alias" command prepends an extraneous quote character. As a result, the command does not work as expected.
    [# 531114]

NetScaler GUI

  • The Upgrade Wizard sometimes does not display a message when the appliance is rebooting. However, the NetScaler appliance reboots and the upgrade is successful.
    [# 557379, 585649, 609615, 617161, 646039]
  • When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
    [# 414422]
  • If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.
    Workaround: Manually refresh the tabs.
    [# 469755]
  • On the Reporting tab of the NetScaler GUI, if you have chosen to use the time zone settings of the NetScaler ADC, the System Overview graph does not reflect the time zone set on the NetScaler ADC. The values in the graph are for the GMT time zone.
    [# 485314]
  • If you use a Chrome browser to access the NetScaler graphical user interface (GUI), the browser might display the Page Unresponsive error message.
    Workaround:
    If you are using a Windows computer, do the following:
    1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.
    2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor
    For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --disable-hang-monitor" http://www.google.com
    3. Close all instances of the Chrome browser, and restart the Chrome browser.
    If you are using a Mac computer, do the following:
    1. Open the terminal.
    2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:
    open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor
    [# 400073, 401262]

NetScaler Gateway

  • If group extraction authentication policies are configured and the Authentication subsystem is unexpectedly restarted, the group extraction policies are not sent to the Authentication subsystem. Therefore, the group extraction policies are not evaluated during authentication attempts.
    [# 456724, 606332]
  • During logon, the client authenticates, but the kernel module does not compile.
    Cause and solution: The Linux NSGClient expects the Linux kernel headers to be installed. Install the Linux headers manually before installing NSGClient, by running the following command:
    apt-get install linux-headers-`uname -r`
    [# 545810]
  • If an intranet IP address is configured, and users log on by using clientless access, open SharePoint 2007, and then try to open a folder with Windows Explorer, a blank page appears.
    [# 376303, 394800]
  • Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
    [# 398693]
  • The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
    [# 400050]
  • On nCore appliances, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
    [# 373991]
  • Java Plug-in: An intranet application fails to connect if the NetScaler Gateway VIP is running on a non-default port.
    [# 399405]
  • The core terminates in SAML because of a reference to an inaccessible memory location in the certkey structure.
    [# 645906, 652648]
  • If you configure NetScaler Gateway as a high availability pair and a failover occurs from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.
    [# 384998]
  • In a double-hop deployment, if a STA server on the first hop is DOWN, the ns.log file is filled with the SSLVPN message "Sent IPv4 Socks connect reply to client. Connection Refused".
    [# 559879]
  • When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.
    [# 392389]
  • When using TM SAML SSO, the SAML response is sent incorrectly. The NetScaler appliance does not send the correct data within the X509Certificate tags, which results in assertion verification failure.
    [# 586203]
  • If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.
    [# 385318]
  • If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
    [# 346729]
  • The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.
    [# 368229]
  • The URL rewrite label, which is set at the global level, overrides the rewrite label that is set at the virtual server level. The settings in the global level should not override the virtual server level settings.
    [# 444715]
  • If a pre-authentication scan is configured on the NetScaler appliance and users launch the NetScaler Gateway plug-in while a browser is already open, users are intermittently redirected to an "Internal error" page.
    [# 393357]

NetScaler Insight Center

  • If an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)."
    [# 385821]
  • Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to a later build is supported.
    Workaround: To upgrade to build 120.13 or later, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
    [# 424673]
  • The following error message appears when NetScaler Insight Center running on VMware ESX is powered on or off:
    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
    [# 414160]
  • In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates, and it resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
    [# 399626]
  • When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
    [# 386911]
  • The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
    [# 396892]

NetScaler SDX Appliance

  • If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
    [# 434687]
  • If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.
    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
    [# 384909]
  • If an LACP channel is bound to nine or more interfaces and is a member of a tagged VLAN, deleting the channel from a service VM can cause the NetScaler appliance to fail intermittently.
    [# 524320, 630772]

NetScaler VPX Appliance

  • NetScaler VPX cannot be directly imported into Hyper-V on Windows Server 2012 R2 using the "Import Virtual Machine" function of Hyper-V Manager.
    Workaround: Create the VPX instance by using the New > Virtual Machine function and connecting the "Dynamic.vhd" file from the Virtual Hard Disks directory which is present after unzipping the release image.
    Note: The newly created VPX instance MUST be configured with a minimum of 2GB memory and with 2 vcpus; setting the vcpus is done by changing the virtual machine settings after the instance is created, but before booting.
    [# 428107]

Networking

  • For an RNAT connection, the NetScaler appliance drops the first ICMP packet that the server sends to the client.
    [# 543171]
  • In an active-active high availability configuration using the Virtual Router Redundancy Protocol (VRRP), a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
    [# 485260]
  • The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
    [# 399436]
  • In an HA configuration in INC mode running the OSPF routing protocol, the secondary node drops all L3 traffic destined for addresses that were advertised by the secondary node.
    [# 318684]
  • The NetScaler appliance forwards TCP packets to the destination without processing them if they are destined to port 69 and match an RNAT rule.
    [# 670455]
  • The NetScaler ADC might become unresponsive if you run the show route operation during a dynamic route addition or deletion process.
    [# 323127]
  • In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.
    Workaround: Add the following extended ACL on each node of the HA configuration:
    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22
    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:
    On the primary node:
    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
    On the secondary node:
    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
    [# 371613]

Platform

  • If you add an NTP time server by specifying the server name (host name), and the ns.conf file is very large, the result is a race condition in which the NTP daemon (NTPD) is started before host name services are ready.
    Workaround: Do one of the following:
    - Restart the NTP daemon after starting the NetScaler appliance.
    - Add the NTP server by specifying the IP address of the server instead of specifying the host name.
    [# 573306]
  • On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
    [# 385217]
  • Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
    [# 407185]

Policies

  • You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
    [# 390584]
  • While evaluating a default syntax expression for the local time zone, a NetScaler appliance incorrectly applies US daylight saving time (DST) rules in non-US time zones. As a result, the evaluated local time is offset by an hour. For example, the default expression !(SYS.TIME.GE(LOCAL 8h) & SYS.TIME.LE(LOCAL 17h)) returns 'False' if the local time in a US time zone is between 0800 and 1700. In the UK time zone, this expression incorrectly returns 'False' if the local time is between 0700 and 0759 and returns 'True' if the local time is between 1700 and 1759 from 8 Mar 2015 (the start of US DST) to 28 Mar 2015 (the day before the start of UK DST), and also from 25 Oct 2015 (the day after the end of UK DST) to 31 Oct (the day before the end of US DST).
    [# 556230]
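The following Python model is an added illustration of the mismatch described above, not NetScaler code: it derives the UK clock from UTC once with the correct EU rule and once with the US rule that the appliance wrongly applies, then evaluates the expression from the note against both clocks. The rule implementations, the whole-hour reading of GE/LE, and the per-date DST decision (transition hour ignored) are assumptions of this example; the sample instants are constructed.

```python
"""Model of the DST mismatch in issue 556230 (added illustration, not NetScaler code).

Simplifications (assumptions of this example): DST is decided per calendar date,
the exact transition hour is ignored, and the LE/GE comparisons are on whole hours.
"""
from datetime import date, datetime, timedelta


def nth_sunday(year, month, n):
    """Date of the n-th Sunday (n >= 1) of the given month."""
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=7 * (n - 1))


def last_sunday(year, month):
    """Date of the last Sunday of the given month."""
    if month == 12:
        last_day = date(year, 12, 31)
    else:
        last_day = date(year, month + 1, 1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def us_dst_in_effect(d):
    """US rule: second Sunday in March up to (not including) the first Sunday in November."""
    return nth_sunday(d.year, 3, 2) <= d < nth_sunday(d.year, 11, 1)


def uk_dst_in_effect(d):
    """EU/UK rule: last Sunday in March up to (not including) the last Sunday in October."""
    return last_sunday(d.year, 3) <= d < last_sunday(d.year, 10)


def uk_local_time(utc, dst_rule):
    """UK local clock for a naive UTC datetime: GMT, plus one hour while dst_rule says DST is on."""
    return utc + timedelta(hours=1) if dst_rule(utc.date()) else utc


def outside_business_hours(local):
    """!(SYS.TIME.GE(LOCAL 8h) & SYS.TIME.LE(LOCAL 17h)) on whole hours:
    False from 08:00 to 17:59 local, True otherwise."""
    return not (8 <= local.hour <= 17)


def evaluate_expression(utc):
    """Return (correct_result, appliance_result) for the expression at a naive UTC datetime.

    correct_result uses the UK rule; appliance_result reproduces the bug by
    applying the US rule to the UK zone.
    """
    correct = outside_business_hours(uk_local_time(utc, uk_dst_in_effect))
    appliance = outside_business_hours(uk_local_time(utc, us_dst_in_effect))
    return correct, appliance


def evaluate_at(year, month, day, hour, minute=0):
    """Convenience wrapper around evaluate_expression taking plain integers (UTC)."""
    return evaluate_expression(datetime(year, month, day, hour, minute))


def mismatch_days(year):
    """Calendar dates in the year on which the two rules disagree, i.e. the
    dates on which the appliance clock for the UK zone runs one hour ahead."""
    days = []
    d = date(year, 1, 1)
    while d.year == year:
        if us_dst_in_effect(d) != uk_dst_in_effect(d):
            days.append(d)
        d += timedelta(days=1)
    return days


if __name__ == "__main__":
    bad = mismatch_days(2015)
    print(f"2015: rules disagree on {len(bad)} days: {bad[0]}..{bad[20]} and {bad[21]}..{bad[-1]}")
    # Constructed sample instants; on the mismatch dates UTC equals UK local (GMT).
    for utc in (datetime(2015, 3, 15, 7, 30), datetime(2015, 3, 15, 17, 30),
                datetime(2015, 10, 28, 7, 30), datetime(2015, 6, 1, 7, 30)):
        correct, appliance = evaluate_expression(utc)
        print(f"{utc:%Y-%m-%d %H:%M} UTC  correct={correct}  appliance={appliance}")
```

Run it to see that inside the two windows the appliance result is the inverse of the correct one at 07:xx and 17:xx local, while in June (both rules agree) the results match.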
  • After a restart, the NetScaler auto-provision daemon fails to communicate with the configuration engine.
    [# 604823]

Reporting

  • After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.
    [# 368982]

SSL

  • In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.
    For example,
    > show ssl service svc1 -cipherDetails
    ERROR: No such resource [serviceName, svc1]
    [# 402423]
  • If a certificate has a validity of 100 years, Days to Expiration incorrectly appears as 0 in the NetScaler command line interface and the configuration utility.
    [# 509608]

System

  • The NetScaler appliance displays cluster related logs even if it is not in a clustered configuration or does not have a cluster license.
    [# 543429]
  • Connection failover might fail if it is enabled on virtual servers that have the same IP address and port but different listen policies.
    [# 582087, 587620]
  • Virtual servers to which a listen policy is bound accept connections from the first subflow only.
    [# 400861]
  • The virtual IP (VIP) address of a load balancing virtual server cannot be changed if the LB virtual server and the syslog server have the same configuration (IP address, port, service) and use the same server information. In such cases, if the syslog server's IP address is changed, the syslog server uses different server information and does not update the server information used by the LB virtual server. As a result, the LB virtual server displays an error message when you try to change its VIP address.
    [# 522665]
  • If an HTTP WebSocket upgrade connection request contains a Content-Length header field, WebSocket applications malfunction.
    [# 673826]
  • If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
    [# 676599]
  • If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
    [# 331889]
  • With USIP enabled, MPTCP requests do not go through.
    [# 331338]
  • Data might be dropped when a client requests a small window size. When a client sends a small window size (less than 8190 bytes) in its request packet to a NetScaler appliance, the appliance advertises a window size of 8190 bytes to the back-end server. Upon receiving this information, the server sends up to 8190 bytes of data to the appliance, and in turn the appliance, in transparent mode, sends the same amount of data to the client, even if the actual window size is less than the window size advertised by the client. If a device between the appliance and the client checks the window size before accepting the data, that device might drop the data that does not fit in the client's window size.
    Workaround: Enable the end point processing features on the NetScaler appliance, such as TCP Buffering or SSL Offload, so that the appliance controls the complete TCP stack independently.
    [# 622573]
  • MPTCP does not support FTP data connections.
    [# 400819]
  • The updated host name for a NetScaler appliance does not appear on the LCD panel until after the appliance is restarted.
    [# 560854]

Web Interface on NetScaler (WIonNS)

  • On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.
    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
    [# 397150]

XML API

  • The following APIs are not available in version 10.1 or later:
    - bindservicegroup_state2
    - unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.
    [# 363145]

What's New in Previous NetScaler 10.1 Releases

The enhancements and changes that were available in NetScaler 10.1 releases prior to Build 135.18. The build number provided below the issue description indicates the build in which this enhancement or change was provided.

AAA Application Traffic

  • Smart Group Option for LDAP Authentication
    When configuring AAA for LDAP, you can now set the default authentication group attribute explicitly, instead of allowing AAA to set the Group attribute from information that it extracts from credentials. In complex organizations that have multiple domains, smart group support allows a simpler and more foolproof implementation of SSO.
    To configure the smart group option at the command line, type the following command:
    > set aaa ldapParams -defaultAuthenticationGroup <string>
    For <string>, substitute the group identifier that you want to use.
    To configure the smart group option by using the configuration utility, in the Create Authentication Server or Modify Authentication Server dialog box, fill in the Default Authentication Group text box.
    [From Build 112.15] [# 357837]

AAA-TM

  • Extracting Group Credentials from a Third Authentication Server
    When performing two-factor authentication, the AAA feature now supports extraction of the group membership credential from a third authentication server. This function is supported by use of a third authentication chain that is invoked only if the first and second authentication attempts succeed.
    To enable extraction of group membership credentials from a third authentication server, create an LDAP policy with authentication disabled. Then, bind that policy to the authentication virtual server, with the -groupExtraction flag set, as shown below.
    bind authentication vserver <name> [-policy <string> [-priority <positive_integer>] [-groupExtraction]]
    If -groupExtraction is set, the policy is an LDAP policy, and the policy has authentication disabled, then the policy is added to the third authentication chain. Otherwise, the binding will fail.
    For more information, see http://support.citrix.com/proddocs/topic/ns-security-10-1-map/ns-aaa-setup-policies-authntcn-tsk.html.
    [From Build 112.15] [# 308118, 305567]
  • Two-Factor SAML Authentication
    AAA now supports two-factor SAML authentication. When a user requests a resource, AAA checks for SAML policies. If a SAML policy with two-factor authentication is present, AAA redirects the user to the specified third-party authentication server. Once the user has authenticated and obtained a valid assertion, AAA redirects the user to the secondary login page for the resource.
    To enable two-factor SAML authentication, type the following command at the NetScaler command line:
    > add authentication samlAction <name> -samlTwoFactor ON
    For more information, see http://support.citrix.com/proddocs/topic/ns-security-10-1-map/ns-aaa-setup-policies-auth-saml-tsk.html.
    [From Build 112.15] [# 277562]
  • KCD Support for Microsoft SQL Data Stream
    Kerberos Constrained Delegation (KCD) is now supported for the Microsoft SQL server and the MSSQL data stream.
    For more information, see http://support.citrix.com/proddocs/topic/ns-security-10-1-map/ns-aaa-kerberos-kcd-con.html.
    [From Build 112.15] [# 307491, 243724]
  • Cluster Support
    Support for AAA-TM has been added to the NetScaler cluster when operated in spotted VIP mode. AAA-TM authenticates users correctly. AAA-TM commands run correctly at the command line, and the configuration utility displays the AAA-TM node and screens.
    [From Build 112.15] [# 317306]
  • Kerberos SSO
    The AAA-TM Kerberos functionality now supports single sign-on (SSO) with all supported authentication mechanisms. The CAC (Smart Card) and SAML SSO mechanisms are supported in all cases, regardless of the authentication method that the client uses to log onto the NetScaler appliance. The HTTP-Basic, HTTP-Digest, Forms-based, and NTLM (versions 1 and 2) SSO mechanisms are also supported if the client uses either HTTP-Basic or Forms-Based authentication to log onto the NetScaler appliance.
    You can configure Kerberos SSO to work in one of two ways: by impersonation or by delegation. To configure Kerberos SSO by impersonation, you must have the user’s password or client certificate. To configure impersonation using a client certificate, the user must also have a properly-configured version of the Citrix Receiver installed on his or her personal computer. To configure Kerberos SSO by delegation, you must have the delegated user’s credentials in one of the following formats: the user’s password, the keytab configuration that includes an encrypted password, or the client cert and the matching CA certificate.
    To configure Kerberos SSO, first configure your NetScaler appliance to manage traffic to the web application servers that users will access through SSO. Next, configure AAA-TM for your preferred authentication method. Verify that the NetScaler appliance can communicate with your LDAP Active Directory (AD) server and your Kerberos server.
    What you do next depends on whether you want to configure Kerberos SSO by Impersonation or by Delegation. Follow the instructions in the appropriate section below.
    Configuring Kerberos SSO by Impersonation
    To configure Kerberos SSO by Impersonation, enable integrated authentication on each web application server. After you have done this, create and configure the NetScaler KCD account that will impersonate users.
    To create the KCD account for SSO by impersonation with a password
    At the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -realmStr <realm>
    For each variable, substitute the following values:
    * accountname - The KCD account name.
    * realm - The domain assigned to Kerberos SSO.
    Example:
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM
    To create the KCD account for SSO by impersonation with a client certificate
    At the NetScaler command prompt, type the following command:
    add aaa kcdAccount <accountname> -cacert <cacert>
    For each variable, substitute the following values:
    * accountname - The KCD account name.
    * cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdAccount kcdaccount1 -cacert <path to certificate>
    Configuring Kerberos SSO by Delegation
    To configure Kerberos SSO by Delegation, first create an account (the Kerberos Service Account, or KSA) on the AD server for the NetScaler appliance to use as the delegated user. Next, in the KSA account Properties dialog box, Delegation tab, enable the following options: "Trust this user for delegation to specified services only" and "Use any Authentication protocol." Finally, add the HTTP service and any other services that Kerberos SSO will manage to the services list, which is located on the Properties tab beneath the two settings.
    After you configure the NetScaler account on AD, enable integrated authentication on each web application server. Finally, create and configure the NetScaler KCD account that will serve as the delegated user.
    To create the KCD account for SSO by delegation with a password
    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -delegatedUser root -kcdPassword <password> -realmStr <realm>
    For each variable, substitute the following values:
    * accountname - The KCD account name.
    * password - The password for the KCD account.
    * realm - The domain assigned to Kerberos SSO.
    Example (UPN format):
    add aaa kcdaccount kcdaccount1 -delegatedUser root -kcdPassword password1 -realmStr EXAMPLE.COM
    Example (SPN format):
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -kcdPassword password1
    To create the KCD account for SSO by delegation with a keytab file
    First, on the AD server, use the ktpass utility to create the appropriate keytab file. Next, use the file transfer utility of your choice to copy the keytab file from the AD server to the NetScaler appliance, and put it in /nsconfig/krb under the filename kcdvserver.keytab.
    Next, at the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -keytab <keytab>
    Example:
    add aaa kcdaccount kcdaccount1 -keytab kcdvserver.keytab
    Finally, verify that the new KCD account has the proper keytab file and virtual server principal associated with it:
    To verify the KCD account on the NetScaler appliance
    sh kcdAccount <accountname>
    To create the KCD account for SSO by delegation with a client cert
    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -realmStr <realm> -delegatedUser <spnuser> -usercert <cert> -cacert <cacert>
    For each variable, substitute the following values:
    * accountname - The KCD account name.
    * realm - The domain assigned to Kerberos SSO.
    * spnuser - The username in SPN format.
    * usercert - The full path and name of the user client certificate file on the NetScaler appliance.
    * cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdaccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert -cacert /cacerts/cacert
    [From Build 121.10] [# 361257]

AppExpert

  • Support for Additional Public Endpoints
    AppExpert applications and the deployment files created from them now support two or more endpoints. However, when importing an AppExpert template file, if you do not include a deployment file, the AppExpert Template Wizard displays a screen on which you can configure a maximum of two public endpoints: one endpoint of type HTTP and one endpoint of type HTTPS. So, if you want more than two endpoints, you have to configure additional endpoints after you create the application. You can then export the application to obtain a deployment file that contains all the configured endpoints.
    For information about importing an AppExpert template, configuring public endpoints after importing an application, and exporting an AppExpert to a template file, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-1-map/ns-aapexpert-apptemp-get-started-tsk.html.
    [From Build 112.15] [# 259600]
  • Configure a Persistency Group for Application Units
    You can now configure a persistency group for the application units in an AppExpert application. In the context of an AppExpert application, a persistency group is a group of application units that you can treat as a single entity for the purpose of applying common persistence settings. When the application is exported to an application template file, the persistency group settings are included, and they are automatically applied to the application units when you import the AppExpert application.
    For more information about configuring a persistency group for the application units in an AppExpert application, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-1-map/ns-appexpert-apptemp-config-pers-groups-for-app-units-tsk.html.
    [From Build 112.15] [# 243716]
  • Enhanced Target Support for RefineSearch Parameter in Rewrite
    The RefineSearch and Target parameters can now be used together in a single Rewrite action. The following types of search are supported:
    * TCP with regular expressions
    * HTTP with regular expressions
    * HTTP with XPath expressions
    * HTTP body payload expressions
    [From Build 112.15] [# 245438, 243248, 247097]
  • Service and Service Group Configurations Exported to Application Templates
    When you export an AppExpert application, all services and service groups that are part of the application configuration are exported to the deployment file. During import, the appliance compares the deployment file's contents with its own configuration, and manages conflicts in the following way:
    - If a service in the file has the same name and service type as a service on the appliance, the appliance does not import the service. It binds the existing service to all the application units created during import.
    - If a service in the file has the same name as a service on the appliance, but its service type is different, the appliance does not import the service. It displays a message indicating a protocol mismatch.
    - If a service in the file has the IP address and port combination of a service on the appliance, and both services use the same underlying transport protocol (for example, HTTP and SSL services both use TCP), the appliance does not import the service, even if their names are different. It displays a message indicating a port and service type conflict. If the IP address and port combination is same, but the name and underlying transport protocol are different, the appliance imports the service.
    - If a service group in the file has the same name and service type as a service group on the appliance, the appliance does not import the service group. It binds the existing service group to all application units created during import.
    - If a service group in the file has the same name as a service group on the appliance, but its service type is different, the appliance does not import the service group. It displays a message indicating a protocol mismatch.
    If a conflict is detected during import, the appliance ends the import process and rolls back any configuration changes that were made, preserving the configuration that was in place before the template was imported.
    [From Build 112.15] [# 248273]
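    The conflict rules listed above, worked through in code. This is an added example written for these notes, not NetScaler code: the rules are taken from the text, while the service-type-to-transport table (the note only states that HTTP and SSL both use TCP), the data shapes and the sample services are assumptions constructed for the example. It also models the rollback: a failed import leaves the original configuration untouched.

```python
"""Model of the AppExpert deployment-file import rules for services and
service groups, with the all-or-nothing rollback described in the notes."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMED mapping from service type to underlying transport protocol.
# The note only states that HTTP and SSL both ride on TCP.
TRANSPORT = {"HTTP": "TCP", "SSL": "TCP", "TCP": "TCP", "SSL_TCP": "TCP",
             "UDP": "UDP", "DNS": "UDP"}


@dataclass(frozen=True)
class Service:
    name: str
    service_type: str
    ip: str
    port: int


@dataclass(frozen=True)
class ServiceGroup:
    name: str
    service_type: str


def check_service(incoming: Service, existing: Dict[str, Service]) -> Tuple[str, Optional[str]]:
    """Classify one service from the deployment file against the appliance config.

    Returns (decision, detail):
      ("bind_existing", name) - same name and type: reuse the existing service
      ("import", None)        - no conflict, import it
      ("error", message)      - conflict that aborts the whole import
    """
    same_name = existing.get(incoming.name)
    if same_name is not None:
        if same_name.service_type == incoming.service_type:
            return ("bind_existing", same_name.name)
        return ("error", "protocol mismatch: %s is %s on appliance, %s in file"
                % (incoming.name, same_name.service_type, incoming.service_type))
    # Different name: an IP:port collision only counts when both services
    # share the same underlying transport (HTTP vs SSL is a conflict,
    # HTTP vs DNS is not).
    for svc in existing.values():
        if (svc.ip, svc.port) == (incoming.ip, incoming.port) \
                and TRANSPORT[svc.service_type] == TRANSPORT[incoming.service_type]:
            return ("error", "port and service type conflict: %s:%d already used by %s (%s)"
                    % (incoming.ip, incoming.port, svc.name, svc.service_type))
    return ("import", None)


def check_service_group(incoming: ServiceGroup, existing: Dict[str, ServiceGroup]) -> Tuple[str, Optional[str]]:
    """Service groups are matched on name and type only (no IP:port rule)."""
    same_name = existing.get(incoming.name)
    if same_name is None:
        return ("import", None)
    if same_name.service_type == incoming.service_type:
        return ("bind_existing", same_name.name)
    return ("error", "protocol mismatch: group %s is %s on appliance, %s in file"
            % (incoming.name, same_name.service_type, incoming.service_type))


def import_services(file_services: List[Service], appliance: Dict[str, Service]):
    """Apply the rules to every service in the file.

    Returns (ok, config, bindings, errors). On the first conflict the import
    stops and `config` is the untouched pre-import configuration (rollback);
    `bindings` maps each file service name to the appliance service the
    application units end up bound to.
    """
    staged = dict(appliance)          # work on a copy so rollback is free
    bindings: Dict[str, str] = {}
    for svc in file_services:
        decision, detail = check_service(svc, staged)
        if decision == "error":
            return False, appliance, {}, [detail]
        if decision == "bind_existing":
            bindings[svc.name] = detail
        else:
            staged[svc.name] = svc
            bindings[svc.name] = svc.name
    return True, staged, bindings, []


# Constructed sample configuration for the example.
APPLIANCE = {
    "web1": Service("web1", "HTTP", "10.0.0.10", 80),
    "ssl1": Service("ssl1", "SSL", "10.0.0.10", 443),
}

if __name__ == "__main__":
    ok, cfg, bound, errs = import_services(
        [Service("new1", "HTTP", "10.0.0.20", 80), Service("web1", "SSL", "10.0.0.10", 80)],
        APPLIANCE)
    print(ok, sorted(cfg), bound, errs)
```

The check is run against the staged copy rather than the original, so a service imported earlier in the same file can conflict with a later one; the note does not say how the appliance orders this, so treat that part as the example's choice.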
  • AppExpert Template for Microsoft Outlook Web Access
    An AppExpert template has been created to help users configure the application firewall to protect a web server that runs Microsoft Outlook Web Access. The template and associated signatures file provide an appropriate default configuration for the application firewall when protecting OWA. The template is posted on the Citrix Community Web Site, and can be downloaded from within the configuration utility, in the main AppExpert pane, by clicking Download AppExpert Templates.
    To install the downloaded templates, first extract them from the archive to a temporary location on your local computer. The archive contains four files:
    * OWA_Template.xml—The actual template
    * OWA_signatures.xml—The associated signatures
    * OWA_deployment.xml—The deployment file
    * OWA_NS10_what is new.txt—A brief list of changes to the template since the previous version
    After you extract the template archive, in the AppExpert pane click Import AppExpert Template to run the AppExpert wizard, and follow the instructions in the Wizard to install the template and create the OWA configuration.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-10-1/ns-appexpert-con-10.html.
    [From Build 112.15] [# 246845]

AppFlow

  • Configuring SourceIP for AppFlow Traffic
    You can now configure the source IP address (SNIP or MIP address), to be used for AppFlow traffic. When you add an Appflow collector by using the add appflow collector command, you can use the -netprofile option to associate a netprofile to which the source IP address is bound. By default, the Appflow exporter takes NSIP address as the source IP address if you do not specify the -netprofile option.
    > add appflow collector <col_name> -IPAddress <IP_addr> [-netprofile {netprofile_name}]
    [From Build 112.15] [# 288343]
  • Export Multiple Set-cookies in AppFlow Records
    The HTTP response can contain multiple values in the set-cookie header. This enhancement extends support to export all those values in the appflow record instead of just one value as was the case earlier.
    [From Build 112.15] [# 329122]
  • X-Forwarded-For HTTP Header Support
    AppFlow records can now log X-Forwarded-For HTTP header information. You can enable the logging with the "set appflow param -httpXForwardedFor ENABLED" command or by using the configuration utility.
    [From Build 112.15] [# 311033]
  • NetScaler Insight Center appliances now support exporting ICA AppFlow records from NetScaler appliances with enterprise licenses.
    [From Build 119.7] [# 395659]

AppQoE

  • Application-level Quality of Experience (AppQoE) integrates several existing policy-based security features of the NetScaler appliance into a single integrated feature that takes advantage of a new queuing mechanism, fair queuing. Fair queuing manages requests to load-balanced web servers and applications at the virtual server level instead of at the service level, allowing it to handle queuing of all requests to a web site or application as one group before load balancing, instead of as separate streams after load balancing. The integrated features are:
    - HTTP Denial-of-Service Protection (HDOSP)
    - Priority Queuing
    - SureConnect
    By implementing these features at the virtual server level instead of the individual service level, the NetScaler appliance can maintain absolute priority of connections, prevent flushing of connection if a service transitions state, and detect and divert unwanted or lower priority traffic during DDoS attacks or other periods of extremely high load without having to first expend CPU to load balance these unwanted connections and assign them to a service queue.
    For more information about AppQoE and instructions on how to implement it, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-1-map/ns-appqoe-wrapper-con.html.
    [From Build 112.15] [# 379091]

Application Firewall

  • HTML Cross-Site Scripting Check Might Transform Allowed Tags and Attributes
    If an application firewall profile has the HTML cross-site scripting check configured to transform unsafe HTML, in some situations the application firewall might transform all HTML tags, including allowed HTML tags and attributes.
    [From Build 112.15] [# 369529]
  • Application Firewall Improved Diagnostics and Tracking Tools for Troubleshooting
    The application firewall now generates log messages for system resets, packets dropped because of violations of RFC strict checks or malformed request/response header checks, or due to errors within the application firewall itself. These logs provide additional information for troubleshooting.
    [From Build 112.15] [# 248186]
  • Application Firewall Cluster Support
    Support for the application firewall has been added to the NetScaler cluster when operated in single node spotted VIP mode. Application firewall commands run correctly at the command line, and the configuration utility displays the application firewall node and screens. Users should keep in mind that session state sharing between nodes is disabled when using the application firewall on a cluster.
    [From Build 112.15] [# 326635]
  • Application Firewall Learning Support on Cluster
    Support for the application firewall learning feature has been added to the NetScaler cluster. The cluster controller node now aggregates learning data from all nodes in the cluster and stores the learned data in a temporary database file. It then provides the data set to each node in the cluster upon request, enabling the learning feature to operate on the complete set of requests and responses to a protected web server, application, or service.
    [From Build 112.15] [# 327601, 315156, 318640]
  • Application Firewall Performance Improvements
    A number of performance improvements have increased the performance of the application firewall overall by approximately 10%. These improvements include caching of frequently used objects, significant enhancements to processing of HTTP POST bodies, and more efficient Signatures string operations.
    [From Build 112.15] [# 327608, 206010]
  • Application Firewall Scan Tool Integration
    The Citrix NetScaler Application Firewall now supports signatures generated by the IBM AppScan, Trend Microsystems, and WhiteHat vulnerability scanners. You can import WhiteHat WASC 1.0, WASC 2.0, and best practices signatures, IBM AppScan Standard and Enterprise signatures, and Trend Microsystems Vulnerability Scanner (TMVS) signatures into the application firewall. These signatures can either be added to existing signatures objects, or can be used to create new signatures objects. Once imported, the signatures can be used to protect web applications exactly like any other signatures.
    For more information, see http://support.citrix.com/proddocs/topic/ns-security-10-1-map/appfw-signatures-con.html and http://support.citrix.com/proddocs/topic/ns-security-10-1-map/appfw-signatures-updatingcenzic-tsk.html.
    [From Build 112.15] [# 317580]
  • The Citrix NetScaler Application Firewall Signatures feature has received a number of enhancements. The Signatures feature now includes the following new and enhanced functions:
    - Automatic updates: You can configure automatic updates for the default application firewall signatures or any signatures object that you have created from a cloud-based service. This feature is disabled by default. You enable and configure it in the configuration utility Signatures pane by selecting the signatures that you want to update, then choosing Auto-Update Settings in the Action drop-down list. If signature updates are enabled, the NetScaler appliance checks the specified URL for updates at the designated interval, hourly by default. If it finds updated signatures, it downloads and installs them.
    - Manual per-signature updates: You can manually update the default application firewall signatures or any signatures object that you have created by using the command line or the configuration utility. To update signatures from the command line, use the following command: update appfw signatures <name> [-mergeDefault].
    For <name>, substitute the name of signatures object to update. If you want to merge updates with the default signatures, include the -mergeDefault parameter.
    To update signatures by using the configuration utility, in the Signatures pane select the signatures that you want to update, then select Merge from the Action drop-down list. In the Update Signatures Object dialog box, type in the path and name of the signatures update file or use the browse dialog to select it, and then click Update.
    - Signature patterns support for JSON payloads: The signatures feature now matches JSON in HTTP requests. You can create patterns that examine JSON payloads for patterns that might signify a security breach on your protected web server or application.
    - Signature patterns support for HTTP responses: The signatures feature now matches patterns in the HTTP response as well as the request. You can create patterns that examine HTTP response headers and bodies for patterns that might signify a security breach on your protected web server or application.
    The following new patterns apply specifically to responses:
    Credit cards
    Safe objects
    - Per-signature counters: Signature statistics are now maintained on a per-signature basis, allowing you to see exactly how many times a specific signature has matched a request or response.
    For more information about enhanced Signatures features, see http://support.citrix.com/proddocs/topic/ns-security-10-1-map/appfw-signatures-con.html.
    [From Build 112.15] [# 318148]
  • When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.
    To enable MIME/type checking, at the NetScaler command line type the following command:
    bind appfw profile <name> -inspectResContentType <type>
    For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:
    bind appfw profile library -inspectResContentType "text/PDF"
    To disable a MIME/type rule that you have previously enabled, use the unbind command:
    unbind appfw profile <name> -inspectResContentType <type>
    [From Build 119.7] [# 236218, 213852]

Cache Redirection

  • Cache Redirection Changes
    The following changes have been made in the cache redirection feature:
    * The cacheVserver parameter is no longer part of the add cr vserver command. To specify a cache server, you must use the bind cr vserver -lbvserver <string> command.
    In the configuration utility, in the Create Virtual Server (Cache Redirection) and Configure Virtual Server (Cache Redirection) dialog boxes, the Cache Server list has been renamed to Default Cache Server and has been moved from the Advanced tab to the area above the tabs. Additionally, a hit counter has been added next to the list. The hit counter maintains a count of the number of hits received by the cache server.
    * In the Create Virtual Server (Cache Redirection) and Configure Virtual Server (Cache Redirection) dialog boxes, on the Policies tab, when you click the CSW button and then the Insert Policy button, the list that appears in the Policy Name column no longer includes a Default content switching policy.
    [From Build 112.15] [# 319966, 325728, 330010]
  • You can now bind compression and filter policies to a cache redirection virtual server by using the configuration utility.
    [From Build 112.15] [# 330033]

Cloud Integration

  • AutoScale: Automatically Scaling Your Application Fleet in a CloudPlatform Environment
    Issue ID 0311703: In an environment deployed and managed by using Citrix CloudPlatform, automatic scaling of an application fleet can be achieved by using the Citrix NetScaler appliance. CloudPlatform provides a feature called AutoScale, as part of its elastic load balancing feature. A CloudPlatform user can use the AutoScale feature to specify thresholds for various conditions for automatically scaling the application fleet upward and downward. The scale up and scale down conditions can vary from simple use cases, such as a server’s CPU usage, to complex use cases, such as a combination of a server's CPU usage and responsiveness. CloudPlatform, in turn, configures the NetScaler appliance to load balance traffic to the application virtual machines (VMs), monitor application thresholds and performance, and trigger scale up and scale down actions to add or remove VMs from the application fleet.
    For more information about how AutoScale works on the NetScaler appliance, see http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-autoscale-automatic-scaling-in-cloudplatform-env-wrapper-con.html.
    For answers to frequently asked questions, see http://support.citrix.com/proddocs/topic/ns-faq-map-10-1/ns-faq-autoscale-ref.html.
    [From Build 112.15] [# 311703, 326608]

Cluster

  • The NetScaler cluster now supports the rate limiting and action analytics feature.
    [From Build 112.15] [# 341764]
  • The NetScaler cluster now supports configuring of content switching actions.
    [From Build 112.15] [# 317324]
  • Removing a Cluster Node
    You can now remove a cluster node through a single-step procedure. You must log on to the cluster IP address and execute the "rm cluster node" command.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-cluster-remove-node-tsk.html.
    [From Build 112.15] [# 291771]
  • Partially Striped Configurations in a NetScaler Cluster
    You can now define some configurations to be active only on specific cluster nodes. For example, you can define a virtual server to be active on only three nodes of a 5-node cluster. Such a configuration is referred to as partially striped. To define a partially striped configuration, use a node group, which is a set of cluster nodes to which you can bind the following virtual servers (load balancing, content switching, cache redirection, and authentication).
    Note: An entity that is bound to a node group that includes all the cluster nodes is striped across the cluster. Similarly, an entity that is bound to a node group that includes only one node is spotted on that node.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-cluster-node-groups-con.html and http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-cluster-config-node-group-tsk.html.
    [From Build 112.15] [# 335401]
  • The NetScaler cluster now supports spillover based on bandwidth.
    [From Build 112.15] [# 346786]
  • The NetScaler cluster now supports Branch Repeater load balancing.
    [From Build 112.15] [# 283450]
  • Viewing and Clearing Node-Specific Routing Information
    You can now retrieve node-specific routing configurations by specifying the node(s) in the owner-node argument as follows:
    > vtysh
    ns# owner-node 0 1
    ns(node-0 1)# show cluster state
    ns(node-0 1)# exit-owner-node
    Similarly, you can also clear node-specific routing configurations by specifying the node(s) in the owner-node argument as follows:
    > vtysh
    ns# owner-node 0 1
    ns(node-0 1)# clear config
    ns(node-0 1)# exit-owner-node
    [From Build 112.15] [# 309178]
  • The NetScaler cluster now supports the ISIS routing protocol.
    [From Build 112.15] [# 274535]
  • The NetScaler cluster now supports IP-IP Tunneling.
    [From Build 112.15] [# 269113]
  • Configuring priority for the configuration coordinator
    You can now configure the priority for a cluster node to be selected as a configuration coordinator. The node with the highest priority (lowest priority number) is made the configuration coordinator. If the current configuration coordinator goes down, the node with the next lowest priority number takes over as the configuration coordinator. If the priority is not set or if there are multiple nodes with the lowest priority number, the configuration coordinator is selected from one of the available nodes.
    You can set the node priority by using the priority parameter of the add cluster node command.
    [From Build 112.15] [# 359806]

Configuration Utility

  • In addition to the reorganization of the nodes within the navigation tree, some of the nodes are now grouped with the configurations options in the details pane (the pane on the right side of the screen) of the configuration utility. For example, LDNS entries, which were a subnode of GSLB, are now with the global GSLB configuration items in the details pane.
    The following embedded Java views have been moved to the Overview pages:
    - Auto Detected Services Detail View
    - FIPS Detail View
    - Applications Detail View
    - Access Gateway Applications Detail view
    - Template Detail view
    - GSLB LDNS entries Detail View
    - Cache Objects
    [From Build 112.15] [# 381622]
  • Features in the NetScaler configuration utility navigation tree have been reorganized to provide greater logical consistency and ease of navigation. The feature nodes are grouped under the following top-level nodes:
    - System: System and infrastructure features
    - AppExpert: Grouping of all Application, Policies, templates and Layer 7 features
    - Traffic Management: Core traffic management features such as load balancing, GSLB, content switching, cache redirection, SSL, and SSL offload
    - Optimization: Core optimization features such as caching and compression
    - Security: Security oriented features and functionalities
    For more information, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html.
    [From Build 112.15] [# 360658]

Content Switching

  • Global Setting for Using a Proxy Port
    You can now use the NetScaler user interface to configure the Use Proxy Port setting globally.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-advancedsettings-useproxyport-tsk.html.
    [From Build 112.15] [# 302646]
  • The content switching feature now supports dynamic selection of a load balancing virtual server at run time. This feature enables you to analyze the request and direct it to the correct load balancing virtual server accordingly. The target LB virtual server is determined at run time by the expression defined in the action of the content switching policy.
    [From Build 112.15] [# 248750]
  • Rename a Content Switching Policy Label
    You can now rename a content switching policy label, even if the label is already referenced by existing policies. The new name is automatically incorporated into all configurations that include the old name.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-cs-basicconfig-policy-labels-tsk.html.
    [From Build 112.15] [# 312929]

DNS

  • Enabling or Disabling the Recursion Available Flag
    An option Recursion Available is added for the load balancing virtual servers of type DNS and DNS TCP to control the RA (Recursion Available) flag in all the DNS responses from these virtual servers.
    [From Build 119.7] [# 403114, 248936, 269857, 388338]

DNS64

  • The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPv6-only clients, and NAT64 enables communication between the clients and servers.
    For synthesizing an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenation of the DNS64 Prefix (96 bits) and the IPv4 address (32 bits).
    For more information on configuring DNS64, see http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-nw-ipaddrssng-DNS64-intro-con.html.
    [From Build 120.13] [# 318404]
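    The synthesis rule stated above (96-bit DNS64 prefix followed by the 32-bit IPv4 address), carried through in code, together with the inverse step NAT64 relies on. This is an added example and not NetScaler code: the /96 prefix length and the concatenation rule come from the note; the well-known prefix 64:ff9b::/96 is from RFC 6052, the dual-stack behaviour (return native AAAA records when they exist) follows RFC 6147 rather than the note, and the record sets and names are constructed for the example.

```python
"""DNS64 AAAA synthesis and the matching IPv4 extraction used by NAT64."""
import ipaddress
from typing import Dict, List, Optional

# Well-known NAT64 prefix from RFC 6052; any /96 configured on the appliance
# would work the same way.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(dns64_prefix: str, a_record: str) -> str:
    """Return prefix(96 bits) || IPv4(32 bits) as a compressed IPv6 string."""
    net = ipaddress.IPv6Network(dns64_prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("DNS64 prefix must be a /96, got /%d" % net.prefixlen)
    v4 = ipaddress.IPv4Address(a_record)
    # Keep the upper 96 bits of the prefix, put the IPv4 address in the low 32.
    combined = (int(net.network_address) & ~0xFFFFFFFF) | int(v4)
    return str(ipaddress.IPv6Address(combined))


def extract_ipv4(dns64_prefix: str, aaaa: str) -> Optional[str]:
    """Recover the IPv4 address from a synthesized AAAA; None if the address
    is not inside the DNS64 prefix (i.e. it is a native IPv6 address)."""
    net = ipaddress.IPv6Network(dns64_prefix, strict=False)
    addr = ipaddress.IPv6Address(aaaa)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def answer_aaaa_query(dns64_prefix: str, name: str,
                      a_records: Dict[str, List[str]],
                      aaaa_records: Dict[str, List[str]]) -> List[str]:
    """Model of the DNS64 decision for one AAAA query.

    Native AAAA records win; only an IPv4-only name (A records but no AAAA)
    gets synthesized answers; an unknown name gets an empty answer.
    """
    native = aaaa_records.get(name)
    if native:
        return list(native)
    return [synthesize_aaaa(dns64_prefix, a) for a in a_records.get(name, [])]


# Constructed sample zone data for the example (documentation addresses).
A_RECORDS = {"v4only.example.com": ["192.0.2.33", "192.0.2.34"],
             "dual.example.com": ["198.51.100.7"]}
AAAA_RECORDS = {"dual.example.com": ["2001:db8::7"]}

if __name__ == "__main__":
    for name in ("v4only.example.com", "dual.example.com", "nx.example.com"):
        print(name, answer_aaaa_query(WELL_KNOWN_PREFIX, name, A_RECORDS, AAAA_RECORDS))
```

A practical check that falls out of `extract_ipv4`: a synthesized answer must round-trip back to the original A record, and a native AAAA must come back as None, which is how the NAT64 side distinguishes translated from native traffic.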

DataStream

  • Database Profiles
    You can now configure a database profile for virtual servers of type MSSQL and MYSQL. A database profile is a named collection of parameters that is configured once but applied to multiple virtual servers that require those particular parameter settings. After creating a database profile, you bind it to load balancing or content switching virtual servers. You can create as many profiles as you need.
    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-1-map/ns-ac-config-db-profile-tsk.html.
    [From Build 112.15] [# 343179]
  • Transparent Mode for Logging MSSQL Transactions
    You can configure the NetScaler appliance to operate transparently between MSSQL clients and servers, and to only log or analyze details of all client-server transactions. Transparent mode is designed so that the NetScaler appliance only forwards MSSQL requests to the server, and then relays the server's responses to the clients. As the requests and responses pass through the appliance, the appliance logs information gathered from them, as specified by the AppFlow configuration, or collects statistics, as specified by the Action Analytics configuration.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-dbproxy-usecase-log-mssql-transactions-transparent-mode-tsk.html.
    [From Build 112.15] [# 319464]
  • Database Specific Load Balancing of Services
    You can now configure the Citrix NetScaler appliance to retrieve a list of databases that are active on a service and, for a given query, to load balance only the services on which the requested database is available. If the requested database is unavailable on a service, the appliance excludes the service from load balancing decisions until it becomes available. This behavior ensures uninterrupted service to clients.
    For more information about database specific load balancing, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-dbproxy-db-specific-lb-wrapper-con.html.
    [From Build 112.15] [# 358254]
  • Support for Microsoft SQL Server 2012
    The Citrix NetScaler appliance now supports Microsoft SQL Server 2012. To load balance SQL 2012 database servers, you must set the Server Version (mssqlServerVersion) parameter to 2012 on each of the load balancing and content switching virtual servers in the configuration.
    If you have configured availability groups for read-only routing, the appliance can handle the redirect packets with which the primary database server responds to clients who declare read-only application intent in their connection properties. However, when deployed to manage traffic associated with an availability group, the NetScaler appliance provides additional benefits. With the help of content switching policies, the appliance can differentiate between connections in which the ApplicationIntent connection property is set to ReadWrite and those in which the property is set to ReadOnly. A content switching virtual server can then forward all ReadWrite requests to a load balancing virtual server to which you have bound the primary database instance, and all ReadOnly requests to a load balancing virtual server to which you have bound the secondary database servers.
    In this configuration, ReadOnly requests are load balanced across all the secondary servers (unlike configurations involving a redirect response, in which only one secondary server is selected for serving ReadOnly requests). In this way, the appliance can optimally utilize all of the secondary database servers while eliminating redirect traffic from your network.
    [From Build 112.15] [# 354723]
  • Caching Stored Procedures and SQL Queries
    If connection multiplexing is disabled in a database profile, stored procedures and SQL batch queries are not cached, despite caching being enabled for the profile. With this enhancement, you can enable caching, if connection multiplexing is disabled, by setting the new "enableCachingConMuxOFF" parameter in the profile.
    At the command prompt, type:
    add dbProfile <name> -conMultiplex DISABLED -enableCachingConMuxOFF ENABLED
    or
    set dbProfile <name> -enableCachingConMuxOFF ENABLED
    In the configuration utility, select "Enable caching when connection multiplexing OFF".
    [From Build 126.12] [# 453973]

Global Server Load Balancing

  • View Site Persistence Cookies for GSLB Services
    If site persistence is configured for GSLB services, and the services are bound to a GSLB virtual server, the NetScaler appliance generates a site persistence cookie for each service. Unlike in earlier NetScaler releases, the NetScaler user interface now displays the site persistence cookies that the appliance generates.
    To view site persistence cookies by using the NetScaler command line
    At the NetScaler command prompt, type:
    show gslb vserver <name>
    To view site persistence cookies by using the NetScaler configuration utility
    1. In the navigation pane, expand GSLB, and then click Virtual Servers.
    2. In the details pane, select the virtual server for whose services you want to view site persistence cookies, and then click Open.
    3. In the Configure GSLB Virtual Server dialog box, on the Services tab, select the service whose site persistence cookie you want to view.
    The site persistence cookie is displayed below the table of services.
    [From Build 112.15] [# 242446]

Load Balancing

  • Diameter Expression Support
    Expressions to retrieve AVPs from a Diameter request or response are now available. You can use these expressions for configuring the token load balancing method and for rule-based persistency.
    The expressions are of the form DIAMETER.REQ.AVP(<avpcode>). For example, to retrieve the Auth-Application-Id AVP (AVP code 258), you can use the expression: DIAMETER.REQ.AVP(258).
    Some important AVPs have aliases. For example, the Auth-Application-Id AVP has the alias AUTH_APPLICATION_ID, so the expression to retrieve the Auth-Application-Id by using the alias is: DIAMETER.REQ.AUTH_APPLICATION_ID.
    [From Build 112.15] [# 318377]
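    The AVP retrieval that DIAMETER.REQ.AVP(258) performs, worked as an added Python example (not NetScaler code): it validates the RFC 6733 message header, walks the 4-byte-padded AVP list and returns the first AVP with a given code, which is the value the token load balancing method or a rule-based persistence rule would key on. The Credit-Control-Request, hostnames and user name it parses are constructed sample data.

```python
import struct

DIAMETER_HEADER_LEN = 20     # RFC 6733 message header
AVP_FLAG_VENDOR = 0x80       # V bit: a 4-byte Vendor-ID follows the AVP length
AVP_FLAG_MANDATORY = 0x40    # M bit
AUTH_APPLICATION_ID = 258    # AVP code aliased as AUTH_APPLICATION_ID on the appliance


def parse_header(msg: bytes) -> dict:
    """Validate and decode the 20-byte Diameter header."""
    if len(msg) < DIAMETER_HEADER_LEN:
        raise ValueError("message shorter than Diameter header")
    version = msg[0]
    length = int.from_bytes(msg[1:4], "big")
    if version != 1 or length != len(msg):
        raise ValueError("bad version or message length does not match data")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    return {
        "request": bool(msg[4] & 0x80),
        "command_code": int.from_bytes(msg[5:8], "big"),
        "application_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def iter_avps(msg: bytes):
    """Yield (code, flags, vendor_id, data) for each top-level AVP, honouring padding."""
    pos, end = DIAMETER_HEADER_LEN, len(msg)
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(msg[pos:pos + 4], "big")
        flags = msg[pos + 4]
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        hdr_len, vendor_id = 8, None
        if flags & AVP_FLAG_VENDOR:
            hdr_len = 12
            if end - pos < 12:
                raise ValueError("truncated vendor-specific AVP header")
            vendor_id = int.from_bytes(msg[pos + 8:pos + 12], "big")
        if length < hdr_len or pos + length > end:
            raise ValueError("AVP length out of bounds")
        yield code, flags, vendor_id, msg[pos + hdr_len:pos + length]
        pos += length + (-length % 4)   # AVPs are padded to a 4-byte boundary


def avp_bytes(msg: bytes, code: int):
    """First AVP with the given code (what DIAMETER.REQ.AVP(<code>) selects), or None."""
    parse_header(msg)
    for avp_code, _flags, _vendor, data in iter_avps(msg):
        if avp_code == code:
            return data
    return None


def avp_u32(msg: bytes, code: int):
    """Decode an Unsigned32 AVP such as Auth-Application-Id."""
    data = avp_bytes(msg, code)
    if data is None:
        return None
    if len(data) != 4:
        raise ValueError("AVP %d is not Unsigned32" % code)
    return int.from_bytes(data, "big")


# Helpers to construct a sample request offline (constructed data, not captured traffic).
def build_avp(code, data, flags=AVP_FLAG_MANDATORY, vendor_id=None):
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
    hdr_len = 12 if vendor_id is not None else 8
    length = hdr_len + len(data)
    out = code.to_bytes(4, "big") + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += vendor_id.to_bytes(4, "big")
    return out + data + b"\x00" * (-length % 4)


def build_request(command_code, application_id, avps, hop_by_hop=1, end_to_end=1):
    body = b"".join(avps)
    length = DIAMETER_HEADER_LEN + len(body)
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([0x80])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)


# Constructed Credit-Control-Request (command 272, application 4); hostnames are made up.
SAMPLE_CCR = build_request(272, 4, [
    build_avp(263, b"ns.example.test;1;1"),                   # Session-Id
    build_avp(264, b"ns.example.test"),                       # Origin-Host
    build_avp(AUTH_APPLICATION_ID, (4).to_bytes(4, "big")),   # Auth-Application-Id = 4
    build_avp(1, b"alice"),                                   # User-Name
])

if __name__ == "__main__":
    print(parse_header(SAMPLE_CCR))
    print("Auth-Application-Id:", avp_u32(SAMPLE_CCR, 258))
```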
  • Rate Statistics for Services Bound to a Load Balancing Virtual Server
    The stat lb vserver command and the Monitoring page for a load balancing virtual server now display the hit rate (Hits/s), request rate (Req/s), and response rate (Rsp/s) for bound services.
    [From Build 112.15] [# 275029]
  • Automatic State Transition Based on Percentage Health of Bound Services
    You can now configure a load balancing virtual server to automatically transition from the UP state to the DOWN state if the percentage of active services falls below a configured threshold. For example, if you bind 10 services to a load balancing virtual server and configure a threshold of 50% for that virtual server, it transitions from UP to DOWN if six or more services are DOWN. When the percentage health rises above the threshold value, the virtual server returns to the UP state. You can also enable an SNMP alarm called ENTITY-STATE if you want the NetScaler appliance to notify you when the percentage health of bound services causes a virtual server to change state.
    For instructions, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-advancedsettings-auto-state-transition-svc-health-tsk.html.
    [From Build 112.15] [# 361659]
  • Stateless Connection Failover Supported for IPv6
    You can now bind an IPv6 service to a load balancing virtual server with connection failover set to stateless.
    [From Build 112.15] [# 276300]
  • Configure Spillover Based on NetScaler Policies
    In earlier NetScaler releases, you could configure spillover only by specifying one of the following spillover methods along with a spillover threshold: CONNECTION, DYNAMICCONNECTION, BANDWIDTH, and HEALTH. Also, if a backup virtual server is not available when spillover occurs, the NetScaler appliance responds to clients with a TCP reset.
    In this release, you can also use a NetScaler rule of your choice to specify the conditions that must be met for spillover to occur. You specify the rule in a spillover policy. Configuring a spillover rule lets you configure the NetScaler appliance for a wider range of spillover scenarios. For example, you can configure spillover on the basis of the virtual server's response time, or on the basis of the load on the virtual server.
    [From Build 112.15] [# 257226]
  • Monitor for Citrix StoreFront Stores
    You can now configure a user monitor for a Citrix StoreFront store.
    For more information about monitoring a StoreFront store, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-monitors-builtin-ctx-storefront-stores-tsk.html.
    [From Build 112.15] [# 366050]
  • Ability to Specify a Name for a Persistence Cookie
    Unlike in earlier releases, for load balancing virtual servers and load balancing persistency groups for which the COOKIEINSERT persistence type is configured, you can specify a name for the persistency cookie. You specify a name for the persistency cookie by setting the cookieName parameter. If you configure the COOKIEINSERT persistence type, but you do not specify the cookieName parameter, the NetScaler appliance inserts a cookie of the form <NSC_XXXX>= <serviceIP> <servicePort>, where <NSC_XXXX> is the virtual-server ID that is derived from the virtual server's name, <serviceIP> is the hexadecimal value of the IP address of the service, and <servicePort> is the hexadecimal value of the port of the service.
    [From Build 112.15] [# 289773, 232227, 289772, 302494]
  • Counters for the Number of Active and Inactive Bound Services
    Issue ID 0275028: The stat lb vserver and stat gslb vserver commands, and the Monitoring pages for load balancing and global server load balancing virtual servers, now display a count of the number of bound services that are UP and DOWN. The counters are called actSvcs (total active services) and inactSvcs (total inactive services), respectively.
    [From Build 112.15] [# 275028]
  • View the Global Spillover Count by Using SNMP
    You can use the totSpilloverCount SNMP counter to retrieve a count of the number of times spillover has occurred on various load balancing and content switching virtual servers after the NetScaler appliance was last restarted. The SNMP OID is 1.3.6.1.4.1.5951.4.1.3.5.6.
    [From Build 112.15] [# 229026]
  • Support for Clearing a Specific Persistence Session
    Issue ID 0258312: You can specify a persistence parameter in the "clear lb persistentSessions" command to clear the persistence session associated with only that parameter. Following is the command synopsis for clearing the session associated with a specific persistence parameter:
    clear lb persistentSessions [<vServer> [-persistenceParam <string>]]
    where
    persistenceParam is the persistence parameter whose session you want to clear.
    For more information about clearing a specific persistence session, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-persistence-clearing-tsk.html.
    [From Build 112.15] [# 258312]
  • Ability to Configure VLAN Transparency
    You can now configure a load balancing virtual server to retain the client's VLAN identifier in packets that are to be forwarded to servers. The virtual server must be a wildcard virtual server of type ANY, and must be functioning in MAC mode.
    For instructions, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-advancedsettings-retain-vlan-tsk.html.
    [From Build 112.15] [# 361552]
  • Offload DNSSEC Operations to the NetScaler Appliance
    For DNS zones for which your DNS servers are authoritative, you can offload DNSSEC operations to the NetScaler appliance. When a DNS server sends a response, the appliance signs the response on the fly before relaying it to the client. The appliance also caches the signed response. Apart from reducing the load on the DNS servers, offloading DNSSEC operations to the appliance gives you the following benefits:
    -> You can sign records that the DNS servers generate programmatically. Such records cannot be signed by routine zone signing operations performed on the DNS servers.
    -> You can serve signed responses to clients even if you have not implemented DNSSEC on your servers.
    [From Build 112.15] [# 249691]
  • Support for Overriding Persistence for Overloaded Services
    When a service is overloaded or is otherwise unavailable, service to clients is degraded. To work around this situation, you might have to configure the NetScaler appliance to temporarily forward to other services the requests that would otherwise be included in the persistence session associated with the overloaded service. In other words, you might have to override the persistence setting configured for the load balancing virtual server until the service returns to a state in which it can accept requests. You can achieve this by binding a load monitor to the virtual server and setting the skippersistency parameter for the virtual server.
    For more information about overriding persistence for overloaded services, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-persistence-override-pers-overloaded-server-tsk.html.
    [From Build 112.15] [# 258313]
  • Increase in the Maximum Number of Persistence Sessions
    The maximum number of persistence sessions per core on an nCore NetScaler appliance has been raised from 150,000 to 1,000,000 (1 million). The maximum number of persistence sessions that can coexist on an nCore NetScaler appliance is equal to the product of the number of cores and the per-core limit. For example, if the appliance has 6 CPU cores, the maximum number of persistence sessions that can coexist on the appliance is 6,000,000 (6 * 1000000).
    For information about how to configure a limit for the number of persistence sessions that can coexist on the NetScaler appliance, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-persistence-config-limit-number-persist-sessions-tsk.html.
    [From Build 112.15] [# 328498]
  • Monitor for Accounting Information Delivery from a RADIUS Server
    You can now configure a monitor called a RADIUS accounting monitor to determine whether the RADIUS server used for Authentication, Authorization, and Accounting (AAA) is delivering accounting information as expected.
    For more information about monitoring accounting information delivery from a RADIUS server, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-lb-monitors-builtin-radius-accnting-tsk.html.
    [From Build 112.15] [# 348828]
  • Dynamic Load Balancing of Repeater Appliances
    You can now configure the NetScaler appliance for dynamic load balancing of Repeater appliances, by using the Dynamic Load Balancing wizard for Citrix Branch Repeater. In the wizard, you specify the datacenter Repeater IP addresses and the datacenter server subnets to which the NetScaler appliance or instance must forward the branch-office traffic. The wizard creates the required configuration.
    [From Build 112.15] [# 333238]
  • Options for Branch IP Address in the Load Balancing wizard for Citrix Branch Repeater
    In the Static Load Balancing wizard for Citrix Branch Repeater, when specifying a branch whose traffic is to be accelerated, you can specify either the primary IP address or the accelerated pair A (apA) IP address of a Branch Repeater appliance.
    [From Build 112.15] [# 275289]
  • NetScaler and XenMobile Solution for Enterprise Mobility
    Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.
    Use the XenMobile MDM Setup wizard on the NetScaler configuration utility to configure the following two deployment scenarios:
    * Load balance XenMobile Device Managers (MDM servers): In this scenario, the NetScaler appliance sits between the client and the XenMobile MDM servers to load balance encrypted data from mobile devices to the XDM servers.
    * Load balance MS Exchange servers with email filtering: In this scenario, the NetScaler appliance sits between the client and the XNC and CAS servers. All requests from the client devices go to the NetScaler appliance, which then communicates with the XNC to retrieve information about the device. Based on the response from the XNC, the NetScaler either forwards the request from a whitelisted device to the backend server, or drops the connection from a blacklisted device.
    [From Build 118.7] [# 365382]
  • Oracle Monitor Support
    You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. This monitor supports the following data types:
    ORACLE_BINARY_DOUBLE = 101,
    ORACLE_BINARY_FLOAT = 100,
    ORACLE_CHAR = 96,
    ORACLE_DATE = 12,
    ORACLE_INTERVALDS = 183,
    ORACLE_INTERVALYM = 182,
    ORACLE_NUMBER1 = 2,
    ORACLE_NUMBER2 = 6,
    ORACLE_NVARCHAR2 = 1,
    ORACLE_TIMESTAMP = 180,
    ORACLE_TIMESTAMP_WITH_LOCAL_TIME_ZONE = 231,
    ORACLE_TIMESTAMP_WITH_TIME_ZONE = 181
    You can configure the monitor by using the NetScaler command line or the configuration utility. To create or configure an Oracle-ECV monitor at the NetScaler command line, type the appropriate command:
    add lb monitor <monitorName> oracle-ecv [ parameters... ]
    set lb monitor <monitorName> oracle-ecv [ parameters... ]
    To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management => Load Balancing => Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.
    The new expressions that support the Oracle-ECV monitor are as follows:
    ORACLE.RES.ATLEAST_ROWS_COUNT(n)
    Determines whether the query response contains at least the specified number of rows.
    ORACLE.RES.ROW(i).NUM_ELEM(j).eq(n)
    Determines whether the value located at the specified row and column is equal to the specified number. You can substitute other valid numeric operations for "eq".
    ORACLE.RES.ROW(i).IS_NULL_ELEM(j)
    Determines whether the value located at the specified row and column is NULL.
    ORACLE.RES.ROW(i).TEXT_ELEM(j).eq("pattern")
    Determines whether the value located at the specified row and column matches the specified pattern. You can substitute other valid text operations for "eq".
    [From Build 118.7] [# 364085]
  • Setting Up NetScaler for XenApp/XenDesktop
    NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.
    [From Build 120.13] [# 345912]
  • You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.
    [From Build 121.10] [# 406355]

Load Balancing and AAA-TM

  • Native Windows Authentication (Kerberos) for MSSQL Monitors
    Microsoft SQL monitors on the NetScaler appliance now support the Kerberos authentication protocol, and can therefore monitor load-balanced application servers in a Kerberos 5 environment that employs Kerberos Protocol Transition (KPT) and Kerberos Constrained Delegation (KCD).
    [From Build 112.15] [# 329542]

Monitors

  • Starting with release 10.1 build 122.17, the script files for user monitors are in a new location.
    If you upgrade an MPX appliance or a VPX virtual appliance to release 10.1 build 122.17 or later, the changes are as follows:
    - A new directory named conflicts is created in /nsconfig/monitors/ and all the built-in scripts of the previous builds are moved to this directory.
    - All new built-in scripts are available in the /netscaler/monitors/ directory. All custom scripts are available in the /nsconfig/monitors/ directory.
    - You must save a new custom script in the /nsconfig/monitors/ directory.
    - After the upgrade is completed, if a custom script is created and saved in the /nsconfig/monitors/ directory, with the same name as that of a built-in script, the script in the /netscaler/monitors/ directory takes priority. That is, the custom script does not run.
    If you provision a virtual appliance with release 10.1 build 122.17 or later, the changes are as follows:
    - All built-in scripts are available in the /netscaler/monitors/ directory.
    - The /nsconfig/monitors/ directory is empty.
    - If you create a new custom script, you must save it in the /nsconfig/monitors/ directory.
    [From Build 122.17] [# 447105]
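    As an added example (not NetScaler code), a Python audit that applies the script precedence described above: it lists custom scripts in /nsconfig/monitors/ that a same-named built-in in /netscaler/monitors/ shadows, and classifies each USER monitor found in ns.conf text by which script will actually run after the upgrade. The monitor definitions, script names and directory tree it checks are constructed sample data; only the -scriptName parameter is parsed and the other monitor parameters in the sample lines are assumed.

```python
import re
import tempfile
from pathlib import Path

BUILTIN_DIR = Path("/netscaler/monitors")   # built-in scripts, take priority on name clash
CUSTOM_DIR = Path("/nsconfig/monitors")     # custom scripts belong here
# Matches 'add lb monitor <name> USER ... -scriptName <script> ...'; other parameters ignored.
USER_MONITOR_RE = re.compile(r"^add lb monitor (\S+) USER\b.*?-scriptName (\S+)")


def script_names(directory) -> set:
    """Names of regular files in a monitor script directory (empty if it does not exist)."""
    directory = Path(directory)
    if not directory.is_dir():
        return set()
    return {p.name for p in directory.iterdir() if p.is_file()}


def shadowed_custom_scripts(custom_dir=CUSTOM_DIR, builtin_dir=BUILTIN_DIR) -> set:
    """Custom scripts that never run because a built-in script has the same name."""
    return script_names(custom_dir) & script_names(builtin_dir)


def user_monitors(config_text: str) -> dict:
    """Map monitor name -> scriptName for every USER monitor in ns.conf text."""
    result = {}
    for line in config_text.splitlines():
        match = USER_MONITOR_RE.match(line.strip())
        if match:
            result[match.group(1)] = match.group(2)
    return result


def audit_monitors(config_text, custom_dir=CUSTOM_DIR, builtin_dir=BUILTIN_DIR) -> dict:
    """Classify each USER monitor by the script the appliance will actually execute."""
    custom, builtin = script_names(custom_dir), script_names(builtin_dir)
    report = {}
    for monitor, script in user_monitors(config_text).items():
        if script in builtin and script in custom:
            report[monitor] = "shadowed"   # custom copy is silently ignored
        elif script in builtin:
            report[monitor] = "builtin"
        elif script in custom:
            report[monitor] = "custom"
        else:
            report[monitor] = "missing"    # script not found in either directory
    return report


# Constructed ns.conf excerpt; monitor names, script names and parameters are made up.
SAMPLE_CONFIG = """\
add lb monitor mon_ftp USER -scriptName nsftp.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013
add lb monitor mon_app USER -scriptName check_app.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013
add lb monitor mon_old USER -scriptName legacy_check.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013
add lb monitor mon_http HTTP -respCode 200
"""


def make_sample_tree(root):
    """Build a constructed post-upgrade layout under root; returns (custom_dir, builtin_dir)."""
    builtin = Path(root) / "netscaler" / "monitors"
    custom = Path(root) / "nsconfig" / "monitors"
    conflicts = custom / "conflicts"            # old built-ins are moved here on upgrade
    for directory in (builtin, custom, conflicts):
        directory.mkdir(parents=True, exist_ok=True)
    (builtin / "nsftp.pl").write_text("# built-in script\n")
    (custom / "nsftp.pl").write_text("# customised copy with the same name: shadowed\n")
    (custom / "check_app.pl").write_text("# custom script\n")
    (conflicts / "nssmtp.pl").write_text("# pre-upgrade built-in, not on the search path\n")
    return custom, builtin


def run_demo():
    """Run the audit against the constructed tree; returns (shadowed names, report)."""
    with tempfile.TemporaryDirectory() as tmp:
        custom, builtin = make_sample_tree(tmp)
        return shadowed_custom_scripts(custom, builtin), audit_monitors(SAMPLE_CONFIG, custom, builtin)


if __name__ == "__main__":
    shadowed, report = run_demo()
    print("shadowed custom scripts:", sorted(shadowed))
    for monitor, status in report.items():
        print(monitor, status)
```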

NITRO API

  • Unlicensed Feature Handling
    NITRO operations are now restricted to the features that are licensed on the NetScaler appliance.
    [From Build 112.15] [# 328055]
  • You can now view the virtual servers to which a specified service is bound. The REST URL for this is http://<nsip>/nitro/v1/config/svcbindings/svcname.
    [From Build 112.15] [# 257279]
  • Log Support
    All NITRO operations are now logged in the /var/nitro/nitro.log file on the appliance.
    [From Build 112.15] [# 328051]

NetScaler Gateway

  • Plug-in Icon Decoupling from Citrix Receiver
    The desktop client plug-in icons can now be configured to operate independently of native Citrix Receiver clients. Settings that manage Receiver integration with the NetScaler Gateway plug-ins can be configured globally and within session policies.
    [From Build 129.22] [# 406312]

NetScaler Insight Center

  • The HTML Injection feature is now available for Web Insight data collection on platinum licenses of NetScaler 10.0 appliances and on all licenses of NetScaler 10.1 appliances.
    [From Build 118.7] [# 392732]
  • On the Dashboard > HDX Insight > Users > <user name> page, the application and gateway reports display the active applications by default.
    [From Build 118.7] [# 388409]
  • NetScaler Insight Center supports clearing AppFlow configurations from a virtual server.
    [From Build 118.7] [# 341904, 375905, 383246]
  • NetScaler Insight Center supports sending syslog messages to an external syslog server.
    [From Build 118.7] [# 381072]
  • HDX Insight reports now include details about Client Side NS Latency, Server Side NS Latency and Host Delay.
    [From Build 119.7] [# 400867]
  • NetScaler Insight Center now saves the following:
    Granular data: Time to purge
    7 sec data: 6 min
    5 min data: 65 min
    Hourly data: 25 hrs
    Daily data: 8 days
    Weekly data: 5 weeks
    [From Build 121.10] [# 404805]
  • HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.
    [From Build 122.17] [# 392016]
  • All the metrics except bandwidth and hits display the average values.
    [From Build 122.17] [# 409634]
  • HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP.
    [From Build 122.17] [# 398322]
  • The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.
    [From Build 122.17] [# 418196]
    In this release, you can select which columns to show in the tables of the NetScaler Insight Center graphical user interface (GUI) and rearrange them. The changes can also be made persistent, so that they are applied when the same user logs in the next time.
    [From Build 122.17] [# 423207]
  • HDX Insight reports now include details about CloudBridge in an ICA session path.
    [From Build 123.11] [# 432702, 430583]
  • You can now configure the ICA session timeout value for inactive sessions on the configuration tab of the NetScaler Insight Center.
    For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-ica-session-timeout-tsk.html
    [From Build 123.11] [# 431957]

NetScaler SDX Appliance

  • Configuring VLANs on Management Interfaces
    You can now configure a VLAN on the management interfaces, 0/1 and 0/2, while provisioning a NetScaler instance.
    [From Build 112.15] [# 318609]
  • Support for SNMPv3 Queries on the NetScaler SDX Appliance
    Simple Network Management Protocol Version 3 (SNMPv3) queries are now supported on the NetScaler SDX appliance. SNMPv3 enhances the basic architecture of SNMPv1 and SNMPv2 to incorporate administration and security capabilities, such as authentication, access control, data integrity check, data origin verification, message timeliness check, and data confidentiality.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-1-map/sdx-ag-manage-mon-appliance-config-snmp-v3-con.html.
    [From Build 112.15] [# 328392]
  • Support of Regular Expressions for Search Text Fields
    The Search text fields on the pagination views of the Management Service utility now support regular expressions.
    [From Build 112.15] [# 309358, 312469]
  • Changing the Hostname of the Appliance
    You can now change the hostname of the Management Service. On the Configuration tab, navigate to System > System Settings > Change Hostname, and enter a new hostname.
    [From Build 112.15] [# 323534]
  • Password Management on the NetScaler SDX Appliance
    If you log on to a NetScaler VPX instance and change the password for access to the instance, instead of changing the password from the Management Service, connectivity from the Management Service to the instance is lost. With this release, you can restore connectivity by creating a new profile from the Management Service, assigning it the same password that you specified on the NetScaler VPX instance, and then binding the new profile to the NetScaler VPX instance.
    [From Build 112.15] [# 318968]
  • Support for System Notifications
    You can now configure Syslog, mail, and SMS notifications on the SDX appliance.
    [From Build 112.15] [# 291016]
  • Restrict a VLAN to a Specific Virtual Interface
    The NetScaler SDX appliance administrator can enforce specific 802.1Q VLANs on the virtual interfaces associated with NetScaler instances. This capability is especially helpful in restricting the usage of 802.1Q VLANs by the instance administrators. If two instances belonging to two different companies are hosted on an SDX appliance, you can restrict the two companies from using the same VLAN ID, so that one company does not see the other company's traffic. If an instance administrator, while provisioning or modifying a VPX instance, tries to assign an interface to an 802.1Q VLAN, a validation is performed to verify that the VLAN ID specified is part of the allowed list.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-1-map/sdx-ag-prov-ns-instances-restrict-vlans-to-vfs-tsk.html.
    [From Build 112.15] [# 323926]
  • Audit Templates for NetScaler Instances
    You can create an audit template by copying the commands from an existing configuration file. You can later use this template to find any changes in the configuration of an instance and take corrective action if required.
    [From Build 112.15] [# 322404]
  • Simplification of NetScaler SDX Licensing Process
    The process of allocating your licenses has been greatly simplified. The new licensing framework allows you to focus on getting maximum value from Citrix products.
    In the Management Service configuration utility (GUI), you can use your hardware serial number (HSN) or your license activation code (LAC) to allocate your licenses. Alternatively, if a license is already present on your local computer, you can upload it to the appliance.
    [From Build 112.15] [# 323681, 331160]
  • Display the Mapping of virtual interfaces on the VPX instance to the physical interfaces on the NetScaler SDX Appliance
    If you log on to the NetScaler virtual instance, the configuration utility and the command line interface display the mapping of the virtual interfaces on the instance to the physical interfaces on the appliance.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-1-map/sdx-ag-interface-naming-tsk.html.
    [From Build 112.15] [# 261346, 335910]
  • Cluster of NetScaler Instances Provisioned on NetScaler SDX Appliances
    You can now create a cluster of NetScaler instances that are provisioned on the NetScaler SDX appliance. The instances can be available on the same SDX appliance or on any SDX appliance within the same subnet.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-1-map/sdx-setup-cluster-tsk.html.
    [From Build 112.15] [# 317258, 286049, 345509]
  • Retrieving Tech Support tar file of Instances from Management Service Utility
    You can now generate a support tar archive for instances running on the SDX appliance through the Management Service utility.
    [From Build 112.15] [# 240391]
  • MAC-Address Assignment by System Administrator
    If, while you are provisioning a NetScaler instance on an SDX appliance, XenServer internally assigns a MAC address to a virtual interface associated with that instance, the same MAC address might be assigned to a virtual interface associated with another instance on the same appliance or on another appliance. To prevent assignment of duplicate MAC addresses, you can enforce unique MAC addresses.
    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-1-map/sdx-ag-config-svm-assign-mac-addr-to-interface-tsk.html.
    [From Build 112.15] [# 325507]
  • Provisioning Third-Party Instances on a NetScaler SDX Appliance
    You can now provision the following third-party virtual machines (instances):
    BlueCat DNS/DHCP Server—Provides a DNS, DHCP, and IP Address Management software solution for enterprises.
    [From Build 118.7] [# 349549]
  • Provisioning Third-Party Instances on a NetScaler SDX Appliance
    You can now provision the following third-party virtual machines (instances):
    * SECUREMATRIX(R) GSB—Provides a highly secure password system that eliminates the need to carry any token devices.
    * Websense(R) Protector—Allows enterprises to deploy a data loss prevention (DLP) solution to protect sensitive enterprise information.
    [From Build 118.7] [# 329072]
  • Upgrading the XenServer Software
    You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.
    [From Build 118.7] [# 322368]
  • Configure Link Aggregation from the Management Service
    You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.
    [From Build 118.7] [# 257892]
  • Upgrade Progress
    When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.
    [From Build 120.13] [# 346988]
  • Multi-interface Support for BlueCat DNS/DHCP Server Virtual Machines
    The Management Service now supports explicitly assigning interfaces for high availability and service, in addition to the management interface, for BlueCat DNS/DHCP Server virtual machines.
    [From Build 122.17] [# 413839]
  • 22040/22060/22080/22100/22120 Platform
    The SDX 22040/22060/22080/22100/22120 platform now supports NetScaler release 10.1 build 122.x.
    For more information, see Citrix NetScaler SDX 22040, SDX 22060, SDX 22080, SDX 22100, and SDX 22120.
    [From Build 122.17] [# 353415]
    When the system sends an e-mail notification, the sender field contains the host name along with the IP address.
    [From Build 129.22] [# 464856]
    You no longer need a separate license file to set up a cluster on an SDX appliance. Clustering support is provided with a valid SDX platform license.
    [From Build 129.22] [# 492668]

NetScaler VPX Appliance

  • Support for NetScaler VPX Virtual Appliance on XenServer 6.2
    The NetScaler VPX virtual appliance now supports XenServer version 6.2 only on a non-SDX appliance. On the NetScaler SDX appliance, only the XenServer versions available for download on www.citrix.com under NetScaler downloads are supported. XenServer 6.1.1 is the latest supported version on the NetScaler SDX appliance.
    [From Build 122.17] [# 439509]
  • NetScaler VPX Setup for the Linux KVM Platform
    The Citrix NetScaler VPX can now be hosted on a Kernel-based Virtual Machine (KVM). NetScaler VPX runs as a virtual appliance on a Linux-KVM server. You can set up the NetScaler VPX on this platform either through the graphical Virtual Machine Manager (virt-manager) application or the virsh program.
    The host Linux operating system must be installed on suitable hardware by using virtualization tools such as the KVM module and QEMU. The number of virtual machines (VMs) that can be deployed on the hypervisor depends on the application requirements and the chosen hardware. After you provision a NetScaler virtual appliance, you can add additional interfaces.
    For more information, see Installing NetScaler Virtual Appliances on Linux-KVM Platform.
    [From Build 123.11] [# 344349]

Networking

  • Block Fragmented Packets
    You can now configure the NetScaler appliance to drop any fragmented packets that it receives.
    This feature can be useful in the following cases:
    * To prevent security attacks based on fragmented packets
    * To accommodate a use case requiring that the NetScaler appliance accept no fragmented packets
    To block any fragmented packet, enable the Dropipfragments (Drop IP Fragments) option in one of the following ways:
    * On the NetScaler command line, by running the set L3 param command.
    * In the configuration utility, by using the Configure Layer 3 Parameters dialog box (Network > Settings > Configure Layer 3 Parameters).
    [From Build 112.15] [# 299298]
  • IPv6 Protocol Compliance
    The appliance accepts all the ICMPv6 fragments of an ICMPv6 echo request that is destined to one of the NetScaler owned IPv6 addresses. The appliance also sends out all the ICMPv6 fragments of the corresponding ICMPv6 echo response.
    [From Build 112.15] [# 286580]
  • Block Non-IP Packets
    You can configure the NetScaler appliance to drop any non-IP related packet that it receives. For example, you can drop ARP packets. This feature can be useful in the following cases:
    - To prevent security attacks based on non-IP traffic
    - To prevent very heavy non-IP traffic from affecting the performance of the appliance
    To block non-IP traffic, set the fwmode (Network firewall mode) parameter to FULL in one of the following ways:
    - On the NetScaler command line, by running the set ns config command.
    - In the configuration utility, by using the Configure Network firewall mode settings dialog box (System > Settings > Change Network firewall mode).
    [From Build 112.15] [# 329548]
  • Controlling the L2 Conn Behavior of Load Balancing Virtual Servers
    The set l4 parameter command has a new parameter, l2connMethod, for specifying the MAC address, channel number, and VLAN ID attributes for the L2 Conn option behavior in a virtual server.
    [From Build 112.15] [# 339846, 332695]
  • TFTP Support
    The NetScaler appliance now supports communication between a client and a Trivial File Transfer Protocol (TFTP) server.
    TFTP is a simple form of file transfer protocol and is based on the UDP protocol. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on the NetScaler appliance is compliant with RFC 1350. A server listens on port 69 for any TFTP request.
    The following features are supported:
    Load balancing of TFTP servers—The NetScaler appliance can now load balance TFTP servers.
    INAT processing compliant to TFTP—When a request packet, with port 69 as the destination, received by the NetScaler appliance matches an INAT rule with TFTP option enabled, the appliance processes the request and the corresponding response as compliant with the TFTP protocol.
    RNAT processing compliant to TFTP—When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on the NetScaler appliance, the appliance's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol.
    [From Build 112.15] [# 250958, 244142, 258928]
  • Configure Traffic Domains
    Traffic domains are a way to segment network traffic for different applications. You can use traffic domains to create multiple isolated environments within a NetScaler appliance. An application belonging to a specific traffic domain communicates with entities and processes traffic within that domain. The traffic belonging to one traffic domain cannot cross the boundary of another traffic domain.
    The main benefits of using traffic domains on the NetScaler appliance are the following:
    * Use of duplicate IP addresses in a Network—Traffic domains allow you to assign the same IP address or network address to multiple devices on a network, or to multiple entities on a NetScaler appliance, as long as each of the duplicate addresses belongs to a different traffic domain.
    * Use of Duplicate entities on the NetScaler appliance—Traffic domains allow you to use duplicate NetScaler feature entities on the appliance. You can create entities with the same settings as long as each entity is assigned to a separate traffic domain.
    * Multitenancy—Using traffic domains, you can provide hosting services for multiple customers by isolating each customer’s type of application traffic within a defined address space on the network.
    [From Build 112.15] [# 319241, 318309]
  • IPv6 Protocol Compliance
    The NetScaler appliance in L3 mode can now send out periodic Router Advertisement (RA) messages from its advertising interfaces. The appliance also sends RA messages in response to valid solicitation messages. The outgoing RA messages sent by the NetScaler appliance are compliant with RFC 4861, Neighbor Discovery for IP version 6 (IPv6). The NetScaler appliance can also send redirect messages to inform an originating host of a better router for reaching a specific destination.
    [From Build 112.15] [# 286578]
  • Powering off an Interface
    Now, when you disable an interface or an LA channel, the NetScaler appliance powers off the interface or interfaces of the LA channel and sends a link-down message to the peer device to notify that the interface(s) are disabled.
    [From Build 112.15] [# 338863]
  • Clearing all Dynamic Routing Configurations
    You can now clear, at once, all the dynamic routing configurations that you created by using the VTYSH shell.
    To clear all the dynamic routing configurations, run the clear config command in the Exec mode of the VTYSH shell. After clearing the configuration, you must run the write command in the VTYSH shell to save the changes.
    [From Build 112.15] [# 285913]
  • ACL Action in the ACL Log Messages
    Each ACL log entry now includes a field that displays the action set for the ACL. This field tells you whether the packet that hit the ACL was passed on to the NetScaler appliance or was dropped.
    The field takes one of the following values:
    - ALLOW: The packet matches the conditions specified in the ACL and is passed on to the NetScaler appliance.
    - DENY: The packet matches the conditions specified in the ACL and is dropped.
    Following are two sample log entries:
    19) 01/23/2013:18:48:53 GMT Informational 0-PPE-0 : ACL ACL_PKT_LOG 212 0 : Source 10.102.56.26
    --> Destination 10.102.56.40 - Protocol ICMP -Type 8 - Code 0 -TimeStamp 92612208(ms) - Hitcount 5 -
    Hit Rule ACL1 - Action ALLOW - Data 08 00 51 ac 7e 73 00 5c 19 c4 ff 50 19 6c 0a 00 08 09 0a 0b 0c 0d 0e
    0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
    32 33 34 35 36 37
    20) 01/23/2013:18:48:58 GMT Informational 0-PPE-0 : ACL ACL_PKT_LOG 213 0 : Source 10.102.56.99
    --> Destination 10.102.56.45 - Protocol ICMP -Type 8 - Code 0 -TimeStamp 92617209(ms) - Hitcount 6 -
    Hit Rule ACL2 - Action DENY - Data 08 00 c6 a6 7e 73 00 61 1e c4 ff 50 9f 6c 0a 00 08 09 0a 0b 0c 0d 0e
    0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
    32 33 34 35 36 37
    [From Build 112.15] [# 290631]
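    A parser for the ACL_PKT_LOG format shown above, run over the two sample entries (an added example, not Citrix code): it re-joins the wrapped lines, extracts the new Action field and sums the dropped-packet hit counts per source, which is the view a detection pipeline would chart or alert on.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two wrapped entries quoted in the release note.
SAMPLE_LOG = """\
19) 01/23/2013:18:48:53 GMT Informational 0-PPE-0 : ACL ACL_PKT_LOG 212 0 : Source 10.102.56.26
--> Destination 10.102.56.40 - Protocol ICMP -Type 8 - Code 0 -TimeStamp 92612208(ms) - Hitcount 5 -
Hit Rule ACL1 - Action ALLOW - Data 08 00 51 ac 7e 73 00 5c 19 c4 ff 50 19 6c 0a 00 08 09 0a 0b 0c 0d 0e
0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
32 33 34 35 36 37
20) 01/23/2013:18:48:58 GMT Informational 0-PPE-0 : ACL ACL_PKT_LOG 213 0 : Source 10.102.56.99
--> Destination 10.102.56.45 - Protocol ICMP -Type 8 - Code 0 -TimeStamp 92617209(ms) - Hitcount 6 -
Hit Rule ACL2 - Action DENY - Data 08 00 c6 a6 7e 73 00 61 1e c4 ff 50 9f 6c 0a 00 08 09 0a 0b 0c 0d 0e
0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
32 33 34 35 36 37
"""

# A new entry starts with an optional "NN) " index followed by the date-time stamp;
# any other line is a continuation of an entry that was wrapped for display.
_ENTRY_START = re.compile(r"^(?:\d+\)\s+)?(?=\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2} )")

# Field layout of one re-joined entry. Type/Code and Data are treated as optional
# (an assumption) so that entries for other protocols or without a capture still parse.
_FIELDS = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2} \w+) \w+ \S+ : ACL ACL_PKT_LOG "
    r"(?P<seq>\d+) \d+ : Source (?P<src>\S+) --> Destination (?P<dst>\S+)"
    r" - Protocol (?P<proto>\S+)(?: -Type (?P<type>\d+) - Code (?P<code>\d+))?"
    r" -TimeStamp \d+\(ms\) - Hitcount (?P<hits>\d+) - Hit Rule (?P<rule>\S+)"
    r" - Action (?P<action>ALLOW|DENY)(?: - Data (?P<data>[0-9a-fA-F ]+))?$"
)


@dataclass(frozen=True)
class AclHit:
    timestamp: str
    sequence: int
    source: str
    destination: str
    protocol: str
    hitcount: int
    rule: str
    action: str    # ALLOW or DENY, the field this release adds
    data: bytes    # captured packet bytes; for ICMP they start at the ICMP header


def join_wrapped(text: str) -> List[str]:
    """Re-join entries that were wrapped across several lines."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = _ENTRY_START.match(line)
        if start:
            entries.append(line[start.end():])
        elif entries:
            entries[-1] += " " + line
    return entries


def parse_entry(entry: str) -> Optional[AclHit]:
    """Parse one re-joined entry; returns None for lines that are not ACL_PKT_LOG records."""
    m = _FIELDS.match(entry)
    if not m:
        return None
    return AclHit(
        timestamp=m["ts"], sequence=int(m["seq"]), source=m["src"],
        destination=m["dst"], protocol=m["proto"], hitcount=int(m["hits"]),
        rule=m["rule"], action=m["action"], data=bytes.fromhex(m["data"] or ""),
    )


def parse_acl_log(text: str) -> List[AclHit]:
    return [h for h in map(parse_entry, join_wrapped(text)) if h is not None]


def action_counts(hits: List[AclHit]) -> Dict[Tuple[str, str], int]:
    """Number of log entries per (rule, action) pair."""
    return dict(Counter((h.rule, h.action) for h in hits))


def denied_hits_by_source(hits: List[AclHit]) -> Dict[str, int]:
    """Sum of Hitcount over DENY entries per source address: each DENY entry
    stands for packets the ACL dropped, so this is what an analyst would watch."""
    totals: Dict[str, int] = {}
    for h in hits:
        if h.action == "DENY":
            totals[h.source] = totals.get(h.source, 0) + h.hitcount
    return totals


if __name__ == "__main__":
    for hit in parse_acl_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.rule} {hit.action} {hit.source} -> {hit.destination} "
              f"{hit.protocol} hits={hit.hitcount} captured={len(hit.data)} bytes")
    print(denied_hits_by_source(parse_acl_log(SAMPLE_LOG)))
```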
  • Configure Stateless NAT46 Translation
    The stateless NAT46 feature enables the communication between IPv4 and IPv6 networks, by way of IPv4 to IPv6 packet translation and vice versa, without maintaining any session information on the NetScaler appliance.
    A stateless NAT46 configuration on the NetScaler appliance has the following components:
    * IPv4-IPv6 INAT entry. An entry defining a 1:1 relationship between a public IPv4 address and an IPv6 address. In other words, a public IPv4 address on the appliance listens to connection requests on behalf of an IPv6 server.
    * NAT46 IPv6 prefix. A global IPv6 prefix of length 96 bits (128-32=96) configured on the appliance. During IPv4 packet to IPv6 packet translation, the appliance sets the source IP address of the translated IPv6 packet to a concatenation of the NAT46 IPv6 prefix [96 bits] and the IPv4 source address [32 bits] that was received in the request packet.
    [From Build 112.15] [# 284926]
  • IPv6 Protocol Compliance
    You can configure multiple link-local addresses as type SNIP6. A link-local SNIP6 address can be bound to only one VLAN, and a VLAN can have only one link-local SNIP6 address. Because NetScaler owned IP addresses are of type floating, the link-local SNIP6 address bound to a VLAN is associated with all the interfaces bound to the VLAN. Any Neighbor Discovery for IPv6 (ND6) traffic going out of the interface is sourced as the link-local address associated with the interface, as specified by RFC 4861.
    [From Build 112.15] [# 286577]
  • Stateful NAT64 Translation
    The stateful NAT64 feature enables communication between IPv4 clients and IPv6 servers through IPv6 to IPv4 packet translation, and vice versa, while maintaining session information on the NetScaler appliance.
    A stateful NAT64 configuration on the NetScaler appliance has the following components:
    * NAT64 rule: An entry consisting of an ACL6 rule and a netprofile, which consists of a pool of NetScaler owned SNIPs.
    * NAT64 IPv6 Prefix: A global IPv6 prefix of length 96 bits (128-32=96) configured on the appliance.
    When an IPv6 request packet received by the NetScaler appliance matches an ACL6 defined in a NAT64 rule and the destination IP of the packet matches the NAT64 IPv6 prefix, the NetScaler appliance considers the IPv6 packet for translation.
    The appliance translates this IPv6 packet to an IPv4 packet with a source IP address matching one of the IP addresses in the netprofile defined in the NAT64 rule, and a destination IP address consisting of the last 32 bits of the destination IPv6 address of the IPv6 request packet. The NetScaler appliance creates a session and forwards the packet to the IPv4 server. Subsequent responses from the IPv4 server and requests from the IPv6 client are translated accordingly by the appliance for the duration of the session.
    [From Build 112.15] [# 316933]
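    An address-level model of the stateless NAT46 and stateful NAT64 translations described in the two items above (an added example, not NetScaler code): the same /96 prefix concatenation serves both, but NAT46 recovers the IPv4 client from the packet itself whereas NAT64 must consult the session it created. The prefix (64:ff9b::/96, the RFC 6052 well-known prefix, used here only as a plausible /96), the INAT entry, the ACL6 source network and the SNIP pool are constructed sample values, and ports are not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Optional, Tuple

SAMPLE_PREFIX = IPv6Network("64:ff9b::/96")   # constructed sample NAT46/NAT64 prefix


@dataclass(frozen=True)
class Packet:
    src: str   # source IP address, as text
    dst: str   # destination IP address, as text


def embed_ipv4(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """Concatenate the IPv6 prefix [96 bits] and an IPv4 address [32 bits]."""
    if prefix.prefixlen != 96:
        raise ValueError("prefix length must be 96 bits (128-32=96)")
    return IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    """Return the last 32 bits of an IPv6 address that lies within the prefix."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not within {prefix}")
    return IPv4Address(int(v6) & 0xFFFF_FFFF)


class StatelessNat46:
    """IPv4-IPv6 INAT entries: each public IPv4 address fronts one IPv6 server. No sessions."""

    def __init__(self, prefix: IPv6Network, inat: Dict[str, str]) -> None:
        self.prefix = prefix
        self.v4_to_server = {IPv4Address(k): IPv6Address(v) for k, v in inat.items()}
        self.server_to_v4 = {v: k for k, v in self.v4_to_server.items()}

    def translate_request(self, pkt: Packet) -> Optional[Packet]:
        """IPv4 client -> IPv6 server. None when no INAT entry matches the destination."""
        server = self.v4_to_server.get(IPv4Address(pkt.dst))
        if server is None:
            return None
        return Packet(str(embed_ipv4(self.prefix, IPv4Address(pkt.src))), str(server))

    def translate_response(self, pkt: Packet) -> Optional[Packet]:
        """IPv6 server -> IPv4 client. The client address is recovered from the packet alone."""
        public_v4 = self.server_to_v4.get(IPv6Address(pkt.src))
        dst6 = IPv6Address(pkt.dst)
        if public_v4 is None or dst6 not in self.prefix:
            return None
        return Packet(str(public_v4), str(extract_ipv4(self.prefix, dst6)))


class StatefulNat64:
    """NAT64 rule = ACL6 (modelled as a permitted source network) + netprofile SNIP pool."""

    def __init__(self, prefix: IPv6Network, acl6_src: IPv6Network, snip_pool: List[str]) -> None:
        self.prefix = prefix
        self.acl6_src = acl6_src
        self.snip_pool = [IPv4Address(s) for s in snip_pool]
        self._next = 0
        # (SNIP, IPv4 server) -> IPv6 client; created on the first translated request
        self.sessions: Dict[Tuple[IPv4Address, IPv4Address], IPv6Address] = {}

    def translate_request(self, pkt: Packet) -> Optional[Packet]:
        """IPv6 client -> IPv4 server; considered only if ACL6 matches and dst is in the prefix."""
        src6, dst6 = IPv6Address(pkt.src), IPv6Address(pkt.dst)
        if src6 not in self.acl6_src or dst6 not in self.prefix:
            return None
        server_v4 = extract_ipv4(self.prefix, dst6)
        snip = self.snip_pool[self._next % len(self.snip_pool)]
        self._next += 1
        self.sessions[(snip, server_v4)] = src6
        return Packet(str(snip), str(server_v4))

    def translate_response(self, pkt: Packet) -> Optional[Packet]:
        """IPv4 server -> IPv6 client; dropped if no session exists for this SNIP/server pair."""
        server_v4, snip = IPv4Address(pkt.src), IPv4Address(pkt.dst)
        client6 = self.sessions.get((snip, server_v4))
        if client6 is None:
            return None
        return Packet(str(embed_ipv4(self.prefix, server_v4)), str(client6))


def run_demo() -> Dict[str, Optional[Packet]]:
    """One request/response exchange through each translator, on constructed addresses."""
    nat46 = StatelessNat46(SAMPLE_PREFIX, {"198.51.100.1": "2001:db8::50"})
    nat64 = StatefulNat64(SAMPLE_PREFIX, IPv6Network("2001:db8:1::/64"), ["10.0.0.5"])
    out = {
        "nat46_req": nat46.translate_request(Packet("192.0.2.10", "198.51.100.1")),
        "nat46_resp": nat46.translate_response(Packet("2001:db8::50", "64:ff9b::c000:20a")),
        "nat64_early": nat64.translate_response(Packet("198.51.100.1", "10.0.0.5")),  # no session yet
        "nat64_req": nat64.translate_request(Packet("2001:db8:1::7", "64:ff9b::c633:6401")),
    }
    out["nat64_resp"] = nat64.translate_response(Packet("198.51.100.1", "10.0.0.5"))
    out["nat64_acl_miss"] = nat64.translate_request(Packet("2001:db8:2::7", "64:ff9b::c633:6401"))
    return out


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:15} {pkt}")
```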
  • Set Interval for Generating ACL Log Messages
    You can now set the interval at which a log message is to be generated by the NetScaler appliance for a particular flow that matches an extended ACL configured on the appliance.
    To set the interval, set the AclLogTime (ACL Log Time) parameter in one of the following ways:
    * On the NetScaler command line, by running the set L3 param command.
    * In the configuration utility, by using the Configure Layer 3 Parameters dialog box (Network > Settings > Configure Layer 3 Parameters).
    [From Build 112.15] [# 301716]
  • The "show lacp" command does not display the lacp configurations. This issue is observed only in a cluster setup.
    [From Build 112.15] [# 288450, 290635, 324248]
  • Configuring Link Redundancy by using LACP channels
    Link Redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel, where one of the sub channels is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum throughput threshold, one of the standby sub channels takes over and becomes active.
    The NetScaler appliance forms a sub channel from the links that are part of the LACP channel and are connected to a particular device. For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interfaces are connected to device A and the other two interfaces are connected to device B, the NetScaler appliance logically creates two sub channels: one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.
    The lrMinThroughput parameter is introduced for configuring link redundancy for a LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel. When the throughput of the active sub channel falls below lrMinThroughput, link failover occurs and one of the standby sub channels becomes active.
    For example, set channel la/1 -lrMinThroughput 2000
    Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.
    Note: In an HA configuration, if you want to configure throughput-based HA failover (throughput parameter) and link redundancy (lrMinThroughput parameter) on a LACP channel, you must set the throughput parameter to a value less than or equal to the lrMinThroughput parameter.
    For example, set channel la/1 -throughput 2000 -lrMinThroughput 2000
    HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value, even when the total throughput of the LACP channel does not meet the throughput parameter value.
    HA failover occurs only when none of the sub channels of the LACP channel meets the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.
    For more information, see http://edocssand.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-lr-lacp-tsk.html.
    [From Build 120.13] [# 346763]
  • Now, the NetScaler appliance sends all ARP replies from the first interface (lexicographical order) of an LA channel.
    [From Build 129.22] [# 486632]

Platform

  • The MPX 22040/22060/22080/22100/22120 platform now supports NetScaler release 9.3 build 65.x.
    [From Build 121.10] [# 311561]
  • NetScaler MPX appliances now support Cisco QSFP+ cables (part number L45593-D178-C30).
    [From Build 122.17] [# 427155]
  • Increased Throughput on the NetScaler MPX 5650 Appliance
    The MPX 5650 appliance now delivers a throughput of 5Gbps.
    [From Build 123.11] [# 428131, 432315]
  • New NetScaler MPX Appliances
    Release 10.1-122.x supports the new MPX 8005 and MPX 8015 appliances.
    [From Build 123.11] [# 421834, 428128]
  • Previously, if an LCD hardware failure was detected on a NetScaler MPX appliance, the appliance restarted. With this enhancement, the LCD application exits gracefully without restarting the appliance.
    [From Build 123.11] [# 430690]
  • New NetScaler SDX Appliance
    Release 10.1-122.x supports the new SDX 8015 appliance.
    [From Build 123.11] [# 429429, 432915]
  • Support for ECDHE Ciphers
    The Citrix NetScaler MPX 11515/11520/11530/11540/11542 appliances support the ECDHE cipher group. On the SDX 11515/11520/11530/11540/11542 appliances, the cipher group is supported only if an SSL chip is assigned to a VPX instance. This group contains the following ciphers:
    - TLS1-ECDHE-RSA-RC4-SHA
    - TLS1-ECDHE-RSA-DES-CBC3-SHA
    - TLS1-ECDHE-RSA-AES128-SHA
    - TLS1-ECDHE-RSA-AES256-SHA
    The following ECC curves are supported:
    - P_256
    - P_384
    - P_224
    - P_521
    Note: ECC curves 224 and 521 are not supported with TLS1.2 protocol.
    [From Build 124.13] [# 453765]
  • The 10G ixgbe (ix) driver on the NetScaler appliance now supports the following Active Optical Cables (AOCs):
    - Finisar FCBG110SD1C03
    - Avago AFBR-7CAR03Z
    [From Build 125.9] [# 419237]
  • The SDX 24100/24150 and MPX 24100/24150 platforms are now supported in this release.
    [From Build 129.22] [# 487831]
  • The MPX 25100T and MPX 25160T platforms are now supported in this release. For more information about these platforms, see http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10-con/ns-hardware-platforms-con/ns-hardware-25100T-25160T-ref.html.
    [From Build 132.8] [# 486703, 495591, 552218]

Policies

  • LDAP Referral Support
    AAA now supports LDAP referrals. If this feature is enabled, and the NetScaler appliance receives an LDAP_REFERRAL response to a request, AAA follows the referral to the Active Directory (AD) server named in the referral and performs the update on that server. First, AAA looks up the referral server in DNS and connects to that server. If the referral policy requires SSL/TLS, it connects via SSL/TLS. It then binds to the new server with the binddn credentials that it used with the previous server, and performs the operation that generated the referral. This feature is transparent to the user.
    LDAP referral support is disabled by default, and must be explicitly enabled for each ldapAction. This feature cannot be turned on globally. The system administrator must also make sure that the AD server accepts the same binddn credentials that are used with the referring (GC) server.
    To enable LDAP referrals, type the following commands at the NetScaler command line:
    set authentication ldapAction <name> -followReferrals ON
    set authentication ldapAction <name> -maxLDAPReferrals <integer>
    For <integer>, substitute the maximum level of referrals. By default, one referral level is allowed.
    For more information, see http://support.citrix.com/proddocs/topic/ns-security-10-1-map/ns-aaa-setup-policies-auth-ldap-tsk.html.
    [From Build 112.15] [# 327591]
  • HTTP Callouts
    HTTP callout responses can now be cached for a specified time duration.
    [From Build 112.15] [# 233253, 241059]
  • HTTP Callouts
    HTTP callouts now support IPv6 addresses.
    [From Build 112.15] [# 215794]
  • HTTP callouts can now generate HTTPS requests. When configuring the HTTP callout, you must set the "scheme" parameter of the "set policy httpCallout" command.
    [From Build 112.15] [# 317392]
  • Support for Hashing Text Strings
    You can now hash text strings by using the following algorithms: MD2, MD4, MD5, SHA1, SHA224, SHA256, SHA384, and SHA512. The method provided for this purpose is DIGEST(algorithm), and it can be used on text strings. For example, to hash the body of an HTTP request by using the MD5 algorithm, the expression is: HTTP.REQ.BODY(1000).DIGEST(MD5)
    [From Build 112.15] [# 236496, 246627]
  • TCP Level Expressions
    You can now get the smoothed round trip time and the bandwidth of TCP connections for the client and server by using the following expressions:
    * CLIENT.TCP.SMOOTHRTT
    * CLIENT.TCP.BANDWIDTH
    * SERVER.TCP.SMOOTHRTT
    * SERVER.TCP.BANDWIDTH
    [From Build 112.15] [# 236816]
  • You can now specify an expression that produces a body of the HTTP callout. The expression must be specified in the -bodyExpr parameter of the "set httpCallout" command. A "Content-Length" header is automatically added with an appropriate value indicating that the request message contains a body. You can use the "unset httpCallout" command with the -bodyExpr parameter when you do not want to use the body expression for the HTTP callout.
    [From Build 112.15] [# 340586]
  • Get Information of RPC Request
    You can now get information about an RPC request by using the following expressions:
    * MSSQL.REQ.RPC.BODY—Returns the body of the SQL request as a string in the form of parameters represented as "a=b" clauses separated by commas, where "a" is the RPC parameter name and "b" is its value.
    * MSSQL.REQ.RPC.BODY(n)—Returns part of the body of the SQL request as a string in the form of parameters represented as "a=b" clauses separated by commas, where "a" is the RPC parameter name and "b" is its value. Parameters are returned from only the first “n” bytes of the request, skipping the SQL header. Only complete name-value pairs are returned.
    Both expressions return text data, on which any text operation can be performed.
    [From Build 112.15] [# 320216]
  • You can now get the ethertype by using an advanced policy expression.
    Examples:
    - CLIENT.ETHER.ETHERTYPE.EQ(IPv4)
    - SERVER.ETHER.ETHERTYPE.EQ(IPv6)
    [From Build 129.22] [# 388879]

SNMP

  • The following SNMP counters for IPv6 are added in the SNMP group nsIp6StatsGroup:
    - ipv6TotRxPkts: IPv6 packets received
    - ipv6TotTxPkts: IPv6 packets transmitted
    - ipv6TotRxBytes: IPv6 bytes received
    - ipv6TotTxBytes: IPv6 bytes transmitted
    - ipv6FragTotRxPkts: IPv6 fragments received
    - ipv6FragRxPkts: IPv6 fragments received
    - ipv6FragTotPktsForward: IPv6 fragments bridged
    - ipv6FragTotPktsProcessNoReass: IPv6 fragments processed without reassembly
    - ipv6ErrHdr: IPv6 packets with header errors
    - ipv6LandAttack: Land-attack packets received
    - ipv6FragZeroLenPkt: Packets received with a fragment length of 0 bytes
    - ipv6TotIcmpFragPkts: ICMPv6 fragmented packets
    - ipv6TotLookupDone: IPv6 neighbor lookups
    - ipv6TotLookupFailed: IPv6 neighbor lookups that failed
    - ipv6TotStaticRoutes: IPv6 static routes
    - ipv6TotDynamicRoutes: IPv6 dynamic routes
    - ipv6TotNeigborDiscovered: IPv6 neighbors discovered
    - ipv6TotIpv6To4Conversions: IPv6 to IPv4 conversions
    - ipv6TotIpv4To6Conversions: IPv4 to IPv6 conversions
    - ipv6TotTcpConnection: IPv6 TCP connections
    - ipv6TotNonTcpConnection: IPv6 non-TCP connections
    [From Build 112.15] [# 339095]
  • The owner node for the SNMP engine can be set in a cluster. Use the ownerNode parameter of the set SNMP engineID command.
    [From Build 112.15] [# 356223]
  • A new SNMP OID, vsvrEstablishedConn (1.3.6.1.4.1.5951.4.1.3.1.1.71) is available for current client connections in the ESTABLISHED state at the vserver level.
    [From Build 126.12] [# 418044]

SSL

  • Support for TLS1.1 and TLS 1.2
    The SSL virtual server on the NetScaler appliance supports clients that use the TLS1.1 and TLS1.2 protocols. These protocols help prevent Browser Exploit Against SSL/TLS (BEAST) attacks.
    For more information about this protocol, see https://tools.ietf.org/html/rfc5246.
    The following ciphers support the TLS1.1 and TLS1.2 protocol:
    - SSL3-RC4-MD5
    - SSL3-RC4-SHA
    - SSL3-DES-CBC3-SHA
    - TLS1-AES-256-CBC-SHA
    - TLS1-AES-128-CBC-SHA
    - SSL3-EDH-RSA-DES-CBC3-SHA
    - TLS1-DHE-RSA-AES-256-CBC-SHA
    - TLS1-DHE-RSA-AES-128-CBC-SHA
    The following ciphers support the TLSv1.1 protocol:
    - SSL3-DES-CBC-SHA
    - SSL3-EDH-RSA-DES-CBC-SHA
    - SSL3-ADH-RC4-MD5
    - SSL3-ADH-DES-CBC-SHA
    - SSL3-ADH-DES-CBC3-SHA
    - TLS1-ADH-AES-128-CBC-SHA
    - TLS1-ADH-AES-256-CBC-SHA
    [From Build 112.15] [# 271648, 205184, 258052, 258328, 262506, 315852]
  • Configuring SSL Close-notify at the Entity Level
    Although the global sendCloseNotify parameter must be set to YES if any entity is to send an SSL close-notify, an entity no longer has to inherit this setting from the global settings. You can set the sendCloseNotify parameter at the entity (virtual server, service, or service group) level. This enhancement provides the flexibility to set this parameter for one entity and unset it for another entity. However, make sure that you set this parameter at the global level. Otherwise, the setting at the entity level does not apply.
    [From Build 112.15] [# 257122]
  • Support for SPDY in SSL
    The NPN extension is now supported on the NetScaler appliance.
    [From Build 112.15] [# 284270, 329666, 329672]
  • Add a Certificate Bundle
    You can load a certificate bundle containing one server certificate, up to nine intermediate certificates, and optionally, a server key. Separate steps for loading and linking the certificates are no longer required.
    [From Build 112.15] [# 236585, 277630]
  • Certificate Expiry Monitoring
    The certificate expiry monitoring option is now enabled by default, and the default expiry notification period is set to 30 days.
    [From Build 112.15] [# 351522]
  • Restrict the Root CA’s distinguished names (DN) sent by the NetScaler Appliance
    As part of the SSL handshake, in the Certificate Request message during client authentication, the server lists the distinguished names (DNs) of all the certificate authorities (CAs) bound to the server from which it will accept a client certificate. If you do not want the DN of a specific CA certificate to be sent to the SSL client, set the skipCA flag. This setting indicates that the particular CA certificate's distinguished name should not be sent to the SSL client.
    [From Build 112.15] [# 262041]
  • Low Encryption Licenses for Russia
    A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.
    [From Build 118.7] [# 349674, 379439]
  • As part of the SSL handshake with the server, the NetScaler appliance now sends a Client Hello message on the basis of the version (for example SSLv3 or TLS1.0) that is configured on the appliance. Earlier, it sent an SSLv2 compliant Client Hello message to the server.
    [From Build 123.11] [# 378806, 204465, 406907]
  • Setting the Limit for Disabled SSL Chips
    You can now set a limit to the number of disabled SSL chips after which the appliance restarts. At the command prompt, type:
    set ssl parameter -cryptodevDisableLimit <positive_integer>
    A chip is marked disabled after the third failed reinitialization attempt.
    [From Build 125.9] [# 376153]
  • An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.
    [From Build 125.9] [# 455821]
  • Display HSM Model Number
    The output of the "show fips" command now displays the HSM model number as shown below. This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty.
    > sh fips
    FIPS HSM Info:
    HSM Label : NetScaler FIPS
    Initialization : FIPS-140-2 Level-2
    HSM Serial Number : 2.1G1037-IC000253
    HSM State : 2
    HSM Model : NITROX XL CN1620-NFBE
    Hardware Version : 2.0-G
    Firmware Version : 1.1
    Firmware Release Date : Jun04,2010
    Max FIPS Key Memory : 3996
    Free FIPS Key Memory : 3994
    Total SRAM Memory : 467348
    Free SRAM Memory : 62580
    Total Crypto Cores : 3
    Enabled Crypto Cores : 3
    Done
    [From Build 129.22] [# 385499]
  • On all the NetScaler MPX platforms, DH cryptographic operation is now offloaded to the hardware, reducing the load on the CPU. If your deployment uses DH crypto operations heavily, you will notice a performance improvement.
    [From Build 131.11] [# 490273, 378182, 404081]

Statistics

  • Clearing Statistical Counters
    You can now clear the counters that are displayed by the configuration utility's Dashboard and by stat commands in the NetScaler command-line interface. Clearing a counter resets it to zero, from which point it is incremented as the appliance processes traffic. You can clear the counters regardless of whether the NetScaler appliance is currently processing traffic. The ability to clear counters enables you to observe them over a specific period of time and troubleshoot the configuration.
    [From Build 112.15] [# 241836, 189957, 192898, 228298]

Support for ECDHE Ciphers

  • The Citrix NetScaler MPX 22040/22060/22080/22100/22120 appliances now support the ECDHE cipher group. This group contains the following ciphers:
    - TLS1-ECDHE-RSA-RC4-SHA
    - TLS1-ECDHE-RSA-DES-CBC3-SHA
    - TLS1-ECDHE-RSA-AES128-SHA
    - TLS1-ECDHE-RSA-AES256-SHA
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported:
    - P_256
    - P_384
    - P_224
    - P_521
    By default all four curves are bound to an SSL virtual server.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-ecdhe-ciphers-tsk.html
    [From Build 121.10] [# 329257, 198673, 401256]

System

  • Enabling CallHome Feature while Upgrading the NetScaler Appliance
    While upgrading the NetScaler appliance from an older release to release 10.1 or later, the NetScaler appliance prompts you to enable the CallHome feature in one of the following cases:
    - The CallHome feature is not supported in the older release.
    - The CallHome feature is disabled in the older release.
    [From Build 112.15] [# 311617]
  • Send Buffer Support for TCP Profiles
    You can now set the window that is advertised to the server by using the sendBuffsize parameter of the "set ns tcpProfile" command.
    [From Build 112.15] [# 315625]
  • User Name and Password Length Extended to 127 Characters
    User names and passwords on the NetScaler appliance can now be up to 127 characters in length. They can consist of upper-case and lower-case letters, digits, and the hyphen and underscore characters.
    [From Build 112.15] [# 325421]
  • Public Key Authentication for Non-nsroot Users
    All NetScaler users can now access the NetScaler appliance by using public key authentication in SSH.
    [From Build 112.15] [# 209190, 235961, 291483]
  • New Parameters for Web Interface Site
    The following parameters are added for a web interface site:
    For the add wi site command:
    - welcomeMessage. Localized welcome message that appears on the welcome area of the login screen.
    - footerText. Localized text that appears in the footer area of all pages.
    - loginSysMessage. Localized text that appears at the bottom of the main content area of the login screen.
    - appWelcomeMessage. Localized text that appears at the top of the main content area of the applications screen.
    - preLoginButton. Localized text that appears as the name of the pre-login message confirmation button.
    - preLoginMessage. Localized text that appears on the pre-login message page.
    - preLoginTitle. Localized text that appears as the title of the pre-login message page.
    - showSearch. Enables the Search option on XenApp websites.
    - showRefresh. Provides the Refresh button on the applications screen.
    - wiUserInterfaceModes. Appearance of the login screen.
    ---- Simple - Only the login fields for the selected authentication method are displayed.
    ---- Advanced - Displays the navigation bar, which provides access to the prelogin messages and preferences screens.
    - userInterfaceLayouts. Specifies whether or not to use the compact user interface.
    - domainSelection. Domain names listed on the login screen for explicit authentication.
    For the bind wi site command:
    - farmName. Name for the logical representation of a XenApp or XenDesktop farm to be bound to the Web Interface site.
    - groups. Active Directory groups that are permitted to enumerate resources from server farms. Including a setting for this parameter activates the user roaming feature. A maximum of 512 user groups can be specified for each farm defined with the Farm<n> parameter. The groups must be comma separated.
    - recoveryFarm. The bound farm is set as a recovery farm.
    [From Build 112.15] [# 317793]
  • SNMP statistics can be cleared by using the clearstats parameter of the stat snmp command.
    [From Build 112.15] [# 362132]
  • SPDY Support
    NetScaler appliances can now support SPDY. You have to enable SPDY in an HTTP profile and bind the profile to a virtual server. When SPDY is enabled, the virtual server functions as a SPDY gateway and converts SPDY requests from the clients into HTTP requests that it sends to the servers. It also converts the HTTP responses from the servers to SPDY responses that it sends to the clients. The servers do not have to support SPDY. You can enable SPDY in an HTTP profile by using the set ns httpProfile <name> -SPDY ENABLED command or by using the configuration utility.
    Note: SSL is required for SPDY protocol to function.
    [From Build 112.15] [# 329671]
  • PHP Version Upgraded from 5.3.10 to 5.3.17
    The PHP version has been upgraded from 5.3.10 to 5.3.17 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
    [From Build 112.15] [# 333572]
  • Multipath TCP Support
    NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.
    For more information, see TCP Configurations.
    [From Build 119.7] [# 320221, 307024]
  • Custom HTTP Headers Support using Web Server Logging
    The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to two HTTP request header names and two HTTP response header names.
    [From Build 119.7] [# 329710]
  • Call Home Proxy Mode Support
    Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.
    [From Build 119.7] [# 311623]
  • Backing Up and Restoring a NetScaler Appliance
    You can now back up the NetScaler appliance at any time and then use the backup to restore the same appliance to that state.
    For more information, see Backing Up and Restoring the NetScaler Appliance.
    [From Build 119.7] [# 367021]
  • New Subnet Mask Field for the SNIP Address in the First-time Setup Wizard
    The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.
    [From Build 120.13] [# 413542]
  • Before reusing a server connection in the reuse pool, the NetScaler appliance checks the connection's idletimeout and reusepool values, and closes the connection if either value is exceeded. The appliance also checks the reuse pool for idle connections, and closes them, more frequently than specified by the zombie timer interval.
    [From Build 122.17] [# 365828, 365731]

Fixed Issues in Previous NetScaler 10.1 Releases

The issues that were addressed in NetScaler 10.1 releases prior to Build 135.18. The build number provided below the issue description indicates the build in which this issue was addressed.

AAA-TM

  • On a NetScaler appliance with AAA enabled and Kerberos Constrained Delegation single sign-on configured, after several single sign-on requests are successfully authenticated, the virtual server's Kerberos principal can unexpectedly become blank. When this happens, subsequent authentication requests fail.
    [From Build 118.7] [# 387076, 390083]
  • When Kerberos Constrained Delegation is configured with a content switching virtual server, the NetScaler appliance might hang or crash. The cause is a GET request with multiple authorization headers. (Only one authorization header is expected.)
    [From Build 118.7] [# 372362, 381621, 401539]
  • During authentication, when AAA generated a URL redirect, it rewrote the query portions of URLs that contained Base64 strings into base 8 ASCII string equivalents instead of transmitting the original strings. This caused some redirects to fail, and introduced security issues into other redirects. This behavior has been changed, and AAA now transmits the unmodified query to the user. Be aware that the new behavior might cause issues with some protected web applications.
    [From Build 118.7] [# 390037, 242875, 246109, 247244, 358370]
  • When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.
    [From Build 119.7] [# 387049]
  • When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.
    [From Build 120.13] [# 401000]
  • On a NetScaler ADC that has AAA-TM enabled and Kerberos authentication configured, when you direct traffic through the ADC to a Microsoft SQL server, an error causes the ADC to restart.
    [From Build 123.11] [# 436493]
  • When AAA-TM is configured to use SAML authentication, the redirect URL that the SAML virtual server returns appends the string "%00", a text-based form of the null value, to the original redirect URL. Most browsers handle the appended string properly, but newer Apple iOS and some Apple MacOS browsers fail to load the web page because of this string.
    [From Build 124.13] [# 441755]
  • RFC822 Name-based Certificate Authentication
    AAA-TM now supports the use of RFC822 name-based (SAN) client certificates to authenticate users. SAN client certificates work in exactly the same way as other client certificates. To configure the NetScaler ADC to use SAN client certificate authentication, follow the client certificate authentication instructions in the AAA-TM documentation.
    [From Build 125.9] [# 453125]
  • When the NetScaler ADC is configured to use AAA with SAML authentication, and it receives a response from the IDP, it reformats the response in standard SAML format. (This process is sometimes called "canonicalizing" the response.) The ADC might not reformat SAML <samlp:response> namespace prefix tags correctly, because it expects <saml:assertion> format. In that case, digest verification fails.
    To work around this issue, you must remove the namespace prefixes definition, as described on the following web page:
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6226%2Fconfig%2Freference%2FCustomPropsKess.html
    [From Build 125.9] [# 435529, 448986, 456574]
  • AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.
    [From Build 127.10] [# 317157]
  • AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.
    [From Build 128.8] [# 317157]
  • The Authorization header received from the client with the user credentials for 401-based authentication for KCD was intentionally corrupted by the NetScaler ADC as "Ahoutrization" before forwarding it to the backend. To avoid the risk of the user-supplied credentials being recovered with a simple base64 decode, the ADC now removes the incoming Authorization header containing user credentials, and inserts a new Authorization header with a Kerberos token before sending the payload to the backend application.
    [From Build 129.22] [# 478374]
  • In forms-based single sign-on (SSO), if the designated response size is 0, the NetScaler ADC does not search for the complete response, as it normally would for responses with sizes above 0. It therefore fails to find the login form, and forms-based SSO authentication fails.
    [From Build 129.22] [# 493308]
  • The NetScaler ADC no longer sets the NSC_TMAA session cookie during a secure load balancing virtual server session.
    [From Build 129.22] [# 474918, 502915]
  • When AAA is configured to authenticate users to a Microsoft Sharepoint 2013 server by using NTLM, the user might be prompted to retype his or her credentials even though the user entered those credentials correctly. After the user retypes the credentials, he or she is logged on successfully. The issue is that initially the NetScaler ADC sends an incorrect domain to Sharepoint.
    [From Build 129.22] [# 476885]
  • If the host name in an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error.
    [From Build 129.22] [# 488015]
  • If a user name or password consists of UTF8 characters, basic authentication fails on the NetScaler ADC. With this fix, the ADC now passes the encoding type in the 401 challenge so that the incoming data is accurately encoded.
    [From Build 130.13] [# 507386]
  • The NetScaler ADC does not handle an authentication request if the incoming base64-decoded Kerberos ticket is larger than 10 kilobytes. This fix increases the buffer-size limit to accommodate tickets of up to 65 kilobytes.
    [From Build 130.13] [# 505809, 507692]
  • The NetScaler ADC no longer sets the NSC_TMAA session cookie during a secure load balancing virtual server session.
    [From Build 130.13] [# 474918, 502915]
  • In an AAA-TM setup that has 401 authentication enabled on the load balancing virtual server, the NetScaler appliance can, in some cases, go down if it receives a malformed authorization header.
    [From Build 131.11] [# 530792]
  • The NetScaler appliance can fail if the logout of the AAA-TM session is initiated through a traffic policy. The configuration that can lead to this is of the form:
    > add tm trafficAction testAction1 -InitiateLogout ON
    > add tm trafficPolicy testPolicy1 <rule> testAction1
    [From Build 131.11] [# 527651]
  • The NetScaler appliance sometimes sends a 401 error message to a client that sent a valid authorization header.
    [From Build 132.8] [# 532675]
  • With LDAP authentication, users can experience authentication failures even when they provide valid credentials. This issue occurs when the authentication subsystem is low on memory after a large number of invalid authentication attempts.
    [From Build 133.9] [# 534280]
  • The "show aaa session" command causes a high level of CPU usage when executed with the "-username" or "-group" option.
    [From Build 134.9] [# 577778, 595104, 595185]
  • The NetScaler appliance intermittently fails if a user accesses a very long URL without proper AAA context.
    [From Build 135.08] [# 598837, 623059, 625462, 626084, 627787]

AAA-TM/Content Switching

  • When you configure a content switching rule that is evaluated before the user authenticates with AAA-TM, and the rule is supposed to redirect users to a specific virtual server on the basis of the user name, the rule fails.
    [From Build 118.7] [# 397673]

Acceleration

  • The classic-policy expression used by the default acceleration policy fails to identify an Internet Explorer browser whose signature does not comply with the IE user-agent string standards.
    [From Build 133.9] [# 535130]

Action Analytics

  • The NetScaler crashes due to an issue in hash calculation and comparison of the action analytics records. The crash is observed when the NetScaler receives URLs that differ only in case.
    Examples:
    http://10.217.6.239/TesT/
    http://10.217.6.239/TEST/
    http://10.217.6.239/TEsT/
    http://10.217.6.239/TeST/
    Note (after the fix):
    Stream analytics record creation is case sensitive. For example, WWW.GOOGLE.COM and www.google.com result in two separate records.
    If this is not desired, convert the stream selector results to one case. Example:
    add stream selector sel1 HTTP.REQ.hostname.to_lower
    [From Build 130.13] [# 406457]

AppFlow

  • If you enable AppFlow from a NetScaler Insight Center virtual appliance while traffic is flowing through a monitored NetScaler appliance, NetScaler Insight Center disables and then re-enables the AppFlow feature for every virtual server on the NetScaler appliance. Doing that while traffic is flowing through the appliance leaves a pointer out of sync. As a result, the appliance does not respond properly.
    [From Build 118.7] [# 388650, 393917, 396149, 398276, 409840]
  • A newly added HTTP header prevents parsing of the HTTP request.
    [From Build 121.10] [# 418296]
  • A Nitro call used by NetScaler Insight Center to fetch the license information from a NetScaler appliance affects the performance of the appliance.
    [From Build 122.17] [# 430591]
  • The NetScaler fails to respond if AppFlow logging is disabled on a VPN virtual server when ICA traffic flows through the NetScaler.
    [From Build 123.11] [# 430960, 470262]
  • If HTML Injection is enabled, the NetScaler ADC injects JavaScript into the response to obtain client-side page-load time and client-side page-render time details. The JavaScript triggers a special request that is intended only for the NetScaler ADC, but the NetScaler ADC creates an additional request by forwarding the request to the server.
    [From Build 126.12] [# 441332, 357422, 401672]
  • If a browser executes the JavaScript that is inserted into the response of the main page, it sends a special request intended for the NetScaler ADC. AppFlow records for this request must not be generated. While handling this behavior, the logic in one part of the code assumes that the AppFlow records must not be sent, but another part of the code assumes that the records must be sent. As a result, the NetScaler ADC fails to respond.
    [From Build 128.8] [# 478480, 480535, 495201]
  • If you have enabled AppFlow for ICA on a NetScaler ADC, the ADC crashes while processing CGP packets.
    [From Build 129.22] [# 523088]
  • If you enable AppFlow for ICA on a NetScaler ADC, the NetScaler ADC might fail under certain conditions while parsing the ICA frames.
    [From Build 129.22] [# 512321, 519402]
  • NetScaler ADC might fail if you disable AppFlow or clear the AppFlow actions and policies when ICA traffic flows through the NetScaler ADC.
    [From Build 129.22] [# 487686, 502208, 516910]
  • The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command longer than 2048 bytes.
    [From Build 129.22] [# 504990, 508918]
  • The HTML Injection JavaScript is incorrectly inserted into one of the JavaScript responses sent by the server, causing the page to fail to load.
    [From Build 131.11] [# 472971]
  • If you have enabled AppFlow for ICA on a NetScaler ADC, the ADC fails while processing Common Gateway Protocol (CGP) packets.
    [From Build 131.11] [# 523088]
  • AppFlow should not export the records for internal connections, like the Kernel RPC. When it attempts to export records for such an internal connection, it leads to AppFlow failure.
    [From Build 132.8] [# 547892, 531101]
  • The NetScaler appliance might fail if, while AppFlow for ICA is enabled, a network glitch disrupts the Citrix Receiver connection and Receiver attempts to reconnect.
    [From Build 133.9] [# 531017, 532712, 542000, 544421, 547598, 547984, 548297, 548749, 548771, 549044, 549370, 549511, 567534, 578548]
  • When routes are updated after an AppFlow collector is added, the NetScaler appliance sends ARP requests for the AppFlow collector IP address, even when the collector is reachable only through a router.
    [From Build 134.9] [# 574420]
  • The NetScaler appliance might become unresponsive if a request generated by a client is corrupted after execution of the client-side measurement script. This issue can occur if you enable the client side measurement option for an AppFlow action.
    [From Build 134.9] [# 601915, 601924, 607217]

Application Firewall

  • Application Firewall Signatures
    You can now configure the JSON content types for your application firewall in the "Manage JSON Content Types" dialog box in the global settings. The dialog box is nearly identical to the "Manage XML Content Types" dialog box.
    [From Build 118.7] [# 384103]
  • Application Firewall Signatures
    To improve performance, when the application firewall processes buffer overflow signatures it does not evaluate PCRE expressions unless the minLength parameter is set.
    [From Build 118.7] [# 376437, 365941]
  • Application Firewall Signatures
    If you configure an application firewall profile but do not bind any signatures to it, the NetScaler appliance becomes unresponsive or fails if a user sends a request with a JSON body to a web site protected by that profile.
    [From Build 118.7] [# 390804, 393588]
  • The application firewall now supports sessionless cookie proxying on NetScaler cluster configurations that do not use the spotted VIP feature.
    [From Build 118.7] [# 351544]
  • The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not JavaScript-compliant and can cause issues with JavaScript-enhanced forms.
    [From Build 119.7] [# 403027]
  • Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
    [From Build 120.13] [# 303060]
  • If the NetScaler appliance sends a large amount of input data to the application firewall in a short time, the appliance can become unresponsive or fail. The appliance now sends input data in batches limited to sizes that do not cause this problem.
    [From Build 121.10] [# 416714]
  • On a NetScaler appliance with both the application firewall and integrated caching enabled, a memory leak might occur. To work around this issue, disable integrated caching.
    [From Build 122.17] [# 391317, 423289]
  • On a NetScaler appliance with the application firewall enabled and configured, if a protected web site contains a multipart web form, a memory leak causes a small amount of memory to be consumed and not released each time the application firewall processes the web form. Repeated processing of requests and responses can gradually consume available memory.
    [From Build 122.17] [# 422919, 423289]
  • On a NetScaler appliance with the application firewall enabled, web forms submitted with URL-encoded double-byte character (Chinese, Japanese, or Korean) inputs might generate a Form Field consistency check violation. The reason is that the application firewall counts bytes instead of characters when validating web form input, causing some double-byte input to exceed the form field maxlength attribute.
    [From Build 122.17] [# 422639, 239207]
  • The application firewall blocks XML requests that have empty bodies (zero content length), which causes autodiscover and other features that use such requests to fail. To work around this issue, you can disable the XML Format, XML Message Validation, XML Denial of Service, and Web Services Interoperability (WSI) security checks.
    [From Build 123.11] [# 432276]
  • The application firewall currently miscalculates memory limits on 12 GB, 2 vCPU NetScaler appliances. For example, when the appliance has 2 GB of memory available, the application firewall shows only 600 MB of available memory.
    [From Build 123.11] [# 427857]
  • By default, the application firewall's SQL injection signature patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters. To work around this issue, add the percent and underscore characters to each signatures object as SQL special characters.
    [From Build 123.11] [# 407347]
  • On a NetScaler MPX5500 appliance that has the application firewall enabled, and has logging enabled for at least one signature or security check, when that logging action is triggered the appliance might hang or crash.
    [From Build 123.11] [# 423861, 436918]
  • If memory utilization is high on a NetScaler appliance that has the application firewall enabled and configured, URL redirect might fail, causing the appliance to crash. To work around this issue, reduce memory utilization by reducing session timeouts and disabling memory-intensive filtering rules.
    [From Build 123.11] [# 427717]
  • When using CVPN or the application firewall credit card or safe object security checks, memory issues might cause the NetScaler ADC to become unresponsive or restart.
    [From Build 123.11] [# 448961, 449223, 449851, 450070]
  • If you use the single sign-on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or restart.
    [From Build 123.11] [# 446304, 443080, 444746, 444810, 447206, 448814, 449393, 449396, 451162, 451860, 452078, 452427, 453146, 454416]
  • On a NetScaler ADC HA pair configured to use the Citrix VPN, single sign-on, and the Application Firewall, a memory page issue might cause the primary ADC to reboot, failing over to the secondary ADC.
    [From Build 124.13] [# 445552, 367086, 444810, 450052, 453111, 453165]
  • On a NetScaler appliance or VPX that has the application firewall enabled and at least one profile that has the Safe Object security check enabled, the application firewall might generate an extremely large buffer file while checking responses for objects. The oversized buffer might cause performance problems or, in extreme cases, hang the system. To work around this issue, disable the Safe Object check.
    [From Build 124.13] [# 444471]
  • If you use the single sign-on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or restart.
    [From Build 124.13] [# 446304, 443080, 444746, 444810, 447206, 448814, 449393, 449396, 451162, 451860, 452078, 452427, 453146, 454416]
  • Apple iPhone and iPad users are unable to watch MP4 videos on web sites that are protected by the application firewall when either the form field consistency check or the credit card check is enabled, even if blocking is not enabled. The problem is specific to Apple iOS. Google Android smartphone or tablet users are able to watch MP4 content.
    To work around this issue, add the following expression to the policy that invokes the application firewall:
    "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT"
    For example, to exempt URLs that contain the string ".mp4" from the policy pol_media.example.com, which calls the profile prfl_media.example.com, you would type the following command:
    > add appfw policy pol_media.example.com "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT" prfl_media.example.com
    [From Build 124.13] [# 405434, 412329]
  • Web Form Processing Issue Causes ADC to Become Unresponsive
    On a NetScaler ADC that has the application firewall enabled and the Form Field Consistency check or Field Formats check enabled, a memory leak might cause the ADC to become unresponsive, requiring a manual restart. The underlying issue is a failure to process certain types of web form content properly. Appliances or VPX instances that have limited CPU and memory are especially likely to experience this issue.
    To work around this issue, disable entity decoding. You can disable this feature by logging onto the NetScaler command line and, at the prompt, typing the following command:
    set appfw settings -entityDecoding off
    [From Build 125.9] [# 436100]
  • Response-side Check Issue with Lotus Notes Webmail
    On a NetScaler ADC that has the application firewall enabled and an XML or Web 2.0 profile configured, if a response-side check (such as the Credit Card or Safe Object check) is enabled along with at least one XML-based check, Lotus Notes webmail does not load correctly. Specifically, the frame that should contain the user's inbox is blank.
    [From Build 125.9] [# 448610]
  • Web-Based Content Not Loaded Correctly when XML Checks are Enabled
    On a NetScaler ADC that has the application firewall enabled and an XML or Web 2.0 profile configured, if any XML security checks are enabled, certain web content does not load correctly. To work around this issue, create a separate profile that has the application firewall disabled. Then, create an application firewall policy that assigns that profile to those web pages that are affected by this issue.
    [From Build 125.9] [# 450939]
  • If you use the single sign-on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or restart.
    [From Build 125.9] [# 446304, 443080, 444746, 444810, 447206, 448814, 449393, 449396, 451162, 451860, 452078, 452427, 453146, 454416]
  • Viewing Large PDF Files in Google Chrome Browser
    On a NetScaler ADC that has the application firewall enabled, when a Google Chrome user opens a large PDF file on a protected web server, the ADC might become unresponsive. The same file, if downloaded with Internet Explorer or Mozilla Firefox, causes no problems. The cause is a loop in a backup queue.
    [From Build 125.9] [# 452846, 438094, 453768, 456263, 459327, 461608, 464502]
  • Memory Caching Issue
    On a NetScaler ADC that has the application firewall enabled, and that has either limited available memory or a small memory cache configured, a memory page issue might cause the ADC to become unresponsive or reboot.
    [From Build 125.9] [# 453111]
  • When using CVPN or the application firewall credit card or safe object security checks, memory issues might cause the NetScaler ADC to become unresponsive or restart.
    [From Build 125.9] [# 448961, 449223, 449851, 450070]
  • High Level of Out of Memory Errors
    On a NetScaler ADC with limited CPU and memory, if the application firewall is enabled, out-of-memory errors might accumulate in the NetScaler log, causing rapid rotation of logfiles. To work around this issue, lower the session timeout from the default 900 seconds to 360 seconds or lower.
    [From Build 125.9] [# 428852]
  • On a NetScaler ADC HA pair configured to use the Citrix VPN, single sign-on, and the Application Firewall, a memory page issue might cause the primary ADC to reboot, failing over to the secondary ADC.
    [From Build 125.9] [# 445552, 367086, 444810, 450052, 453111, 453165]
  • After automatic update of the application firewall signature rules, custom signature rules with versions lower than the current signatures are automatically disabled.
    [From Build 126.12] [# 457454]
  • If an attacker includes an SQL special character that is not followed by an SQL keyword in web form data filtered by the application firewall, the application firewall does not block the request because it classifies a special character that does not include a keyword as a false positive.
    [From Build 126.12] [# 443207, 355620]
  • By default, the application firewall's SQL injection signature patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters. To work around this issue, add the percent and underscore characters to each signatures object as SQL special characters.
    [From Build 126.12] [# 407347]
  • A user with a web proxy that allows the user to modify the HTTP header can on rare occasions bypass certain security checks when sending content that would normally be blocked. For example, a user might bypass the HTML and XML SQL injection checks when sending an SQL special symbol to a protected web application, as long as the special symbol is not combined with an SQL command. A user might also be able to send a modified cookie by intercepting and including all cookies that the application firewall sent to the user, including the NetScaler cookie. Finally, the user might be able to use a web form to upload a script and save that script as a different file type.
    It does not appear that this technique can be used to cause an actual security breach.
    [From Build 126.12] [# 424879]
  • NetScaler ADCs that are configured as an HA pair with the application firewall enabled might become unresponsive or reboot when the application firewall is processing a large web form.
    [From Build 127.10] [# 455284]
  • A NetScaler ADC that is configured as an HA pair, and that has the application firewall feature enabled, might experience repeated failovers from the primary to the secondary node when processing HTML traffic with large tag attribute values.
    [From Build 127.10] [# 456650, 313950]
  • Any application firewall profile that has either the "AlwaysExceptFirstRequest" or the "AlwaysExceptStartURLs" option enabled cannot be viewed in the configuration utility. These options are available from the command line only. When upgrading to either the current 10.1 maintenance release or the 10.5 beta release of the NetScaler operating system from any previous release, any profile which had the "always" option enabled has that option changed to "AlwaysExceptStartURLs." Profiles that have the "if_present" or "OFF" options enabled are not affected.
    [From Build 127.10] [# 472094]
  • If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.
    [From Build 129.22] [# 464641]
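    The following is an added example, not NetScaler code, showing the Content-Type handling that two application firewall entries in this section describe: a multipart Content-Type that carries extra parameters such as charset (the entry above) must still be recognized as a form with its boundary extracted, and a request with no Content-Type header is analyzed as a form only when the profile's default request content type is a form type (the last entry in this section). All function names are assumptions.

```python
"""Content-Type handling for a form-inspecting front end (added example).

Not NetScaler code; function names are assumptions. It models:
  * a multipart Content-Type with extra parameters (charset) still being a form,
  * form analysis when Content-Type is absent only if the profile default is a
    form type, and
  * leaving the framing headers of a non-form request untouched so a chunked
    body is still announced as chunked to the back end.
"""
from typing import Dict, Optional, Tuple

# Only these media types are subject to form analysis.
FORM_MEDIA_TYPES = {"multipart/form-data", "application/x-www-form-urlencoded"}


def parse_content_type(value: Optional[str]) -> Tuple[Optional[str], Dict[str, str]]:
    """Split 'type/subtype; name=value; name="quoted"' into (media_type, params).

    The media type and parameter names are case-insensitive and are lower-cased;
    parameter values keep their case because a multipart boundary is case-sensitive.
    Simplification: a quoted value that itself contains ';' is not supported.
    """
    if value is None:
        return None, {}
    fields = [f.strip() for f in value.split(";")]
    media_type = fields[0].lower() or None
    params: Dict[str, str] = {}
    for field in fields[1:]:
        if "=" not in field:
            continue  # tolerate a stray fragment instead of rejecting the request
        name, _, raw = field.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        params[name.strip().lower()] = raw
    return media_type, params


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def classify_request(headers: Dict[str, str],
                     profile_default_content_type: Optional[str] = None) -> Dict[str, object]:
    """Decide whether the request body is analyzed as a form.

    An explicit Content-Type header always wins; the profile default is used only
    when the header is absent. 'malformed' is set only for a multipart form with
    no boundary, the one case that genuinely cannot be parsed.
    """
    header_value = _lookup(headers, "Content-Type")
    effective = header_value if header_value is not None else profile_default_content_type
    media_type, params = parse_content_type(effective)
    is_form = media_type in FORM_MEDIA_TYPES
    boundary = params.get("boundary") if media_type == "multipart/form-data" else None
    malformed = media_type == "multipart/form-data" and not boundary
    return {"is_form": is_form, "media_type": media_type,
            "boundary": boundary, "malformed": malformed}


def forward_headers(headers: Dict[str, str], is_form: bool,
                    buffered_body_len: int) -> Dict[str, str]:
    """Headers to send to the back end.

    Only a request that was actually buffered and inspected as a form is
    re-framed (Transfer-Encoding dropped, Content-Length set to the buffered
    size). Any other request keeps its original framing headers.
    """
    out = dict(headers)
    if not is_form:
        return out
    for key in list(out):
        if key.lower() in ("transfer-encoding", "content-length"):
            del out[key]
    out["Content-Length"] = str(buffered_body_len)
    return out


if __name__ == "__main__":
    # Constructed sample requests (header dicts only).
    multipart = {"Content-Type": 'multipart/form-data; charset=UTF-8; boundary="----WebKitFormBoundaryXyz"'}
    chunked_no_ct = {"Host": "app.example", "Transfer-Encoding": "chunked"}
    print(classify_request(multipart))
    print(classify_request(chunked_no_ct))
    print(classify_request(chunked_no_ct, "application/x-www-form-urlencoded"))
    print(forward_headers(chunked_no_ct, False, 0))
```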
  • If you use the configuration utility to make changes to the HTML Cross-Site Scripting check, Allowed/Denied patterns, the application firewall becomes unresponsive after the first POST request it receives after you save your changes. (The Allowed/Denied patterns are accessed through the Modify Signature dialog box.) If you use the command line to make the same changes, no problems occur.
    [From Build 129.22] [# 459031, 463351]
  • If you update default signatures on the primary NetScaler ADC in an HA pair, you cannot sync the updated signatures to the secondary ADC.
    [From Build 129.22] [# 486231]
  • The application firewall parses multipart forms correctly according to the appropriate RFC.
    [From Build 129.22] [# 479840, 472476, 482042]
  • The NetScaler application firewall “Click to Rule” functionality is not working in the 51.x and the 52.x builds of release 10.5. With this fix, the user can successfully select the pertinent log message in the syslog viewer and deploy it as a relaxation rule.
    [From Build 129.22] [# 503856]
  • The SQL wildcard characters (%, _, ^, []) were accidentally removed from the Citrix application firewall default signature object. This breaks the SQL wildcard functionality when the default signature file and its clones are used. This fix restores the wildcard characters in the default signature file. The application firewall detects them and flags the SQL Injection check violations.
    [From Build 129.22] [# 513952]
  • The NetScaler Application Firewall default signature object now has rules that can be enabled to protect against the Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169), which could allow arbitrary code execution.
    [From Build 130.13] [# 505272, 505039]
  • The NetScaler ADC might fail if a transaction is aborted before the application firewall completes processing the request.
    [From Build 130.13] [# 481899]
  • If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. With this fix, if CSRF or Field Consistency checks are enabled, the URLs in the hrefs are added to the URL Closure table even if startURL Closure is not enabled.
    [From Build 130.13] [# 488369]
  • When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.
    [From Build 130.13] [# 472476, 418036]
  • If a NetScaler ADC receives a request for an object that it cached before the application firewall configuration was modified to add any advanced security check protection, the ADC responds with HTTP Error 503 for subsequent requests to access this cached object, because the object does not contain the expected application firewall metadata. With this fix, the existing cached objects without the required metadata are considered stale and are flushed. The request is served from the origin server and the cache is updated with refreshed data.
    [From Build 130.13] [# 473322, 466491]
  • The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "Not Set".
    [From Build 130.13] [# 443673]
  • If the NetScaler application firewall receives a request with a percent-encoded space character, such as "login%20name" for a form field named "login name", the deployed learned rule containing the encoded character (%20) fails to work as a relaxation rule. The security check violation is still triggered. Note that the browser converts the space to a "+" character. For such a request, the corresponding learned rule with "login+name" for "login name" works as expected when deployed as a startURL relaxation rule.
    [From Build 130.13] [# 315183]
  • If CEF logging is turned on, only the format of application firewall log messages is expected to change, but the format of other logs is also affected, causing problems with their display. With this fix, turning on application firewall CEF logging does not modify the format or display of other logs.
    [From Build 130.13] [# 476206]
  • The application firewall PCI-DSS report does not contain information about the "SQLInjectionCheckSQLWildChars" parameter.
    [From Build 130.13] [# 423150]
  • The external syslog servers are not able to properly display the audit-log messages from the NetScaler application firewall, because the messages are longer than expected. With this fix, the messages are the correct length.
    [From Build 131.11] [# 528170]
  • After an upgrade from a 9.3 build, the user interfaces display inaccurate information about classic policy bindings and inheritance. With this fix, both the configuration utility and the command line interface display the information accurately.
    [From Build 131.11] [# 511480]
  • A 64 bit memory leak in the application firewall module might lead to cache misses. The memory leak occurs when the cache is turned on and any of the advanced application firewall security checks are enabled. The application firewall memory leak is now fixed, and the fix resolves the interoperability issue with the cache module.
    [From Build 132.8] [# 549466]
  • The response for an XML GET request might be truncated if, in addition to any of the XML checks, the creditcard or safeobject checks are enabled for the application firewall profile.
    [From Build 132.8] [# 539777]
  • The Perl script that parses and merges the application firewall signatures during an update operation can cause Perl to crash on the NetScaler ADC. The crash files reduce the amount of space available on the hard drive.
    [From Build 132.8] [# 543372]
  • When any form protection check is enabled and the default request content-type parameter of the application firewall profile is not configured, an incoming request without a content-type header is treated as a form, even if it is not a form. The transfer-encoding header gets deleted, and a content-length header gets added, but the request is forwarded to the server as a chunked request. The server is unable to process the chunked data and determines it to be a bad request. With this fix, the form analysis is carried out only when "multipart/form-data" or "application/x-www-form-urlencoded" content type is either specified in the request or set as the default request content type in the profile that is applied when the content-type is not specified in the request.
    [From Build 132.8] [# 559348]
  • Enabling the NetScaler application firewall XML Format check might block the contents of a response when the user accesses an embedded link in some applications. The response might be truncated even when the XML format check is deployed in a non-block mode.
    [From Build 132.8] [# 528902, 558724]
  • The NetScaler ADC might fail if a request attempts to access an uninitialized variable for an application firewall protected resource. This might be seen when the path ends with "/..".
    [From Build 132.8] [# 517750, 530793]
  • While a signature is being bound to an application firewall profile, the NetScaler appliance might fail if it is under memory pressure.
    [From Build 132.8] [# 559060]
  • When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.
    For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
    > update appfw signatures "*Default Signatures"
    > update appfw signatures "custom_signatures"
    > update appfw signatures "custom_signatures_2"
    [From Build 133.9] [# 399596]
  • The Citrix application firewall silently resets the connection when it receives a malformed or invalid request. With this fix, the application firewall logs such events.
    [From Build 133.9] [# 577742]
  • During an application firewall security check inspection, a compressed response from the server might trigger a violation if the XML format check is enabled. With this fix, the Accept-Encoding request header is removed when the XML protections are enabled. If content compression is enabled on the server, the XML check inspection is bypassed when the server sends a compressed response.
    [From Build 133.9] [# 580273]
  • If, when processing a form for response-side security check inspection, the application firewall resets a connection, the partially parsed form is not freed. The result is a memory leak. With this fix, the memory allocated to the partially parsed forms is freed when a connection is reset.
    [From Build 133.9] [# 572637, 581520]
  • If a large number of long standing sessions expire and are freed during application firewall processing, a tight-loop condition might occur, causing the NetScaler appliance to fail.
    [From Build 133.9] [# 550657]
  • The application firewall might experience a transient low-memory condition during a traffic surge if advanced security check protections (such as Form Field consistency, CSRF, form tagging and so on, which require rewriting the HTML forms in the response) are enabled for the profiles. This might result in a memory leak, and memory allocation failures might occur even after the traffic surge subsides.
    [From Build 134.9] [# 598776, 597952]
  • URL Transformation, SSL VPN, and CVPN features leverage the application firewall processing engine and enforce the content-length check of the built-in dummy application firewall profile. For some transactions, this check truncates the processed data.
    [From Build 134.9] [# 532338, 526029, 539487]

Cache Redirection

  • The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.
    [From Build 119.7] [# 401148, 408856, 441788]
  • An invalid HTTP request received on a cache redirection virtual server configured on the NetScaler ADC is sent to the cache server. This results in errors and degraded performance.
    With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.
    [From Build 129.22] [# 497866, 502366]
  • Applying multiple ACL rules causes excessive consumption of CPU cycles. As a result, the NetScaler ADC might become unresponsive.
    [From Build 130.13] [# 502366, 505091, 514785]
  • An invalid HTTP request received on a cache redirection virtual server configured on the NetScaler ADC is sent to the cache server. This results in errors and degraded performance.
    With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.
    [From Build 130.13] [# 497866, 502366]
  • The NetScaler ADC fails if the cache redirection virtual server and the httpport parameter point to the same service. For example, the following configuration causes the ADC to fail:
    > set ns param -httpport 80
    > add cr vserver cr1 http * 80
    > set cr vserver cr1 -listenpolicy "client.ip.src.eq(1.1.1.1)"
    [From Build 131.11] [# 509690]
  • In a fully transparent CR deployment, if a client sends two HTTP GET requests on the same connection, the first connection to the cache is closed when the second GET request is received. This happens because a specific flag is set to open a new connection, which forwards the second GET request to the cache. Since the first connection for the same 4-tuple is still open, the NetScaler appliance sends a reset.
    Fix: Do not set the flag to initiate a connection for the second GET request, because the previous connection already exists.
    [From Build 132.8] [# 541395]

Cache Redirection/NetScaler Gateway

  • When performing DNS resolution, the NetScaler appliance fails because of an ASYNC block if the appliance is configured as a forward proxy for cache redirection or if it tries to access a CVPN resource.
    [From Build 130.13] [# 486578, 491485, 502030, 519399]

Citrix NetScaler 1000V

  • NetScaler-VSB supporting 9 virtual NICs comes up with 7 virtual NICs. This happens when there is an existing NetScaler-VSB (pre 10.5-52.x) on Nexus1110x that supports 7 virtual NICs.
    [From Build 129.22] [# 499050]
  • NetScaler-VSB supporting 9 virtual NICs comes up with 7 virtual NICs. This happens when there is an existing NetScaler-VSB (pre 10.5-52.x) on Nexus1110x that supports 7 virtual NICs.
    [From Build 130.13] [# 499050]

CloudBridge Connector

  • The Internet Key Exchange Daemon (IKED) might fail after the NetScaler ADC is restarted.
    [From Build 128.8] [# 460193, 444265, 451886, 474654]
  • Traffic latency might be greater than 100 milliseconds in a CloudBridge connector tunnel between two NetScaler appliances.
    [From Build 129.22] [# 498541]
  • Memory leaks might occur on NetScaler ADCs connected to a CloudBridge Connector tunnel when one of the ADCs sends monitor probes, through the tunnel, to a service that is bound to an HTTP or SSH load balancing virtual server.
    [From Build 129.22] [# 512191, 513775]
  • When the state of a CloudBridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.
    [From Build 130.13] [# 440781]

Cluster

  • A newly added node cannot synchronize the cluster configuration, because it cannot establish a connection to the cluster configuration coordinator. This issue might arise if the configuration coordinator rpcNode password on the new node is not the same as that on the configuration coordinator.
    [From Build 118.7] [# 370814]
  • In some cases, the MSR routes remain in the DOWN state because probing ownership is incorrectly distributed across the cluster. MSR in a cluster requires spotted SNIPs, and probing ownership must remain with the local node alone.
    [From Build 126.12] [# 455148]
  • When upgrading a cluster node to NetScaler 10.5, from any build of NetScaler 10.1, make sure that the "syncookie" parameter is disabled on the TCP profiles. Otherwise, there can be disruption in traffic flow.
    [From Build 129.22] [# 480071, 483171]
  • From NetScaler 10.5 Build 52.x, the cluster feature is licensed with the Platinum and Enterprise licenses. In earlier releases, the cluster feature was licensed by a separate cluster license file.
    Note:
    - If you have configured a cluster in an earlier build, the cluster will work with the separate cluster license file. No changes are required.
    - When you configure a new cluster in Build 52.x and then downgrade to an earlier build, the cluster will not work as it now expects the separate cluster license file.
    [From Build 130.13] [# 486259]
  • NetScaler cluster nodes may send a large number of ARP requests if a large number of ARP entries are learned over a cluster LA interface.
    [From Build 132.8] [# 519327, 542633]
  • Important! Every NetScaler command is internally assigned a unique ID.
    For some commands, such as 'add cs policy' and 'add server', the unique ID generated on the cluster configuration coordinator (CCO) already exists for another command of the same type on a non-CCO node. Therefore, the command execution on the non-CCO node fails.
    [From Build 134.9] [# 614718, 615459]
  • In a cluster setup, a command that is executed on the cluster configuration coordinator is propagated to the other cluster nodes. Therefore, a command that takes a long time to complete (such as "save ns config"), can take a little extra time to complete on all the cluster nodes. During this time, if you execute another command on the cluster (through another session), that command will fail because the previous command is not yet complete.
    [From Build 134.9] [# 551607, 495270, 562651]

Command Line Interface

  • The "show ns runningConfig" command displays the current time instead of the time at which the configuration was last modified.
    [From Build 121.10] [# 379234]
  • After a user logs on to a NetScaler appliance through the CLI, the "set cli mode -disabledFeatureAction NONE" command is automatically executed, and the following error message appears:
    ERROR: Not authorized to execute this command.
    [From Build 122.17] [# 420596]
  • A policy bound to a vpn vserver with "-type RESPONSE" gets lost after a reboot. That is, it is no longer bound after a reboot.
    [From Build 125.9] [# 441505]
  • When you run the "show techsupport" command to generate a tar of system configuration data, in certain scenarios the NetScaler ADC might fail to collect certain large files.
    [From Build 126.12] [# 436772]
  • The rbaOnResponse system parameter fails to work after you upgrade NetScaler ADC nCore or nCore VPX from version 9.3 to 10.x.
    [From Build 129.22] [# 480639]
  • NetScaler ADC fails to run commands that have arguments accepting string values that start with a hyphen (-).
    For example, NetScaler ADC fails to run the following command, because the expected value of the -uat argument is a string that begins with a hyphen:
    bind policy patset ps_adi_any_robots_deny -uat -index 1
    [From Build 131.11] [# 508618, 508815]
  • NetScaler ADC fails to run commands that have arguments accepting string values that start with a hyphen (-).
    For example, NetScaler ADC fails to run the following command, because the expected value of the -uat argument is a string that begins with a hyphen:
    bind policy patset ps_adi_any_robots_deny -uat -index 1
    [From Build 132.8] [# 508618, 508815]

Compression

  • The output of the "show cmp parameter" command incorrectly displays the label as "Disable External Cache" instead of "Enable External Cache".
    [From Build 126.12] [# 456734]

Configuration Utility

  • On NetScaler appliances that run the cluster OS, user-defined control policies are not listed in the control flow and therefore do not appear in the Policy Manager. After these policies are bound to Global or an appropriate bind point, they are listed in the data flow.
    [From Build 118.7] [# 387554]
  • You cannot configure a GSLB service for which a server is not configured on the NetScaler appliance. The configuration utility displays the message "Server must be specified".
    [From Build 118.7] [# 360163]
  • When search results do not fit onto one page, duplicate records might appear on the second and subsequent pages.
    [From Build 118.7] [# 369900, 252063]
  • If you use the configuration utility to view a Responder action, the Responder Actions page is reloaded.
    [From Build 118.7] [# 369583]
  • The pagination count on the page listing SSL policies that can be bound does not display the correct values.
    [From Build 119.7] [# 372535]
  • When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.
    [From Build 120.13] [# 361970, 387024, 397473, 400307]
  • When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.
    [From Build 121.10] [# 361970, 387024, 397473, 400307]
  • When using the "Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop" wizard, if you configure XenDesktop and later edit the "Xen Farm" settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when accessing the Web Interface site through Receivers.
    [From Build 121.10] [# 413087]
  • When using the "Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop" wizard, the compression feature is not enabled on the appliance and for the service groups.
    [From Build 121.10] [# 409605]
  • When editing the "Xen Farm" settings in the "Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop" wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.
    [From Build 121.10] [# 414760]
  • The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
    [From Build 121.10] [# 414807]
  • ICA connections cannot be accessed through the graphical user interface.
    [From Build 121.10] [# 420349, 414333, 430665]
  • When you click the "Edit" link to update the configurations specified in the "Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop" wizard, an error is displayed when you try to apply the optimization settings.
    [From Build 121.10] [# 414361]
  • The NetScaler configuration utility is not compatible with JRE version 7.45.
    [From Build 122.17] [# 426594, 426069, 426185, 453470]
  • When you use the configuration utility to add a new NetScaler IP address or subnet mask, the qwerty keyboard does not allow you to enter a value greater than 249 for the last octet.
    [From Build 122.17] [# 431045]
  • When you navigate to "System > Diagnostics" and, under "Utilities", click "TraceRoute" and "Run", the utility uses the default value for Packet Length (44) and displays the error message: Packet length must be greater than 47.
    [From Build 122.17] [# 430094]
  • If a SureConnect policy is bound to a virtual server and you upgrade the NetScaler appliance to version 10.1, build 120.13, the policy is not displayed when you navigate to "Traffic Management > Virtual Servers > <virtual server name>".
    [From Build 122.17] [# 429652]
  • A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:
    - show ns runningConfig
    - save ns config
    [From Build 123.11] [# 405303]
  • When using the "Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop" wizard for the first time, if you cancel the operation, the configurations that you created are not cleared and you cannot access the wizard again.
    [From Build 123.11] [# 414431]
  • In a cluster setup, globally bound DNS policies are listed multiple times in the "Bind/Unbind DNS Policy(s) to Global" dialog box.
    [From Build 123.11] [# 323213, 388012]
  • The comparison between the source IP address of the incoming packets and the configured NetScaler host-name address is unsuccessful because of an endian mismatch.
    [From Build 123.11] [# 382199, 462580, 463712]
  • When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
    [From Build 123.11] [# 414422]
  • In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.
    [From Build 123.11] [# 438216]
  • If you navigate to "Traffic Management > Load Balancing > Virtual Servers" and click "SSL Settings" under the "SSL Parameter" tab on the "Create Virtual Server" dialog box, the "Enable Cipher Redirect" check box is enabled by default.
    [From Build 123.11] [# 419409]
  • If the Surge Protection feature is not licensed, you cannot use the configuration utility to modify the global system settings (System > Settings).
    [From Build 124.13] [# 439603]
  • A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:
    - show ns runningConfig
    - save ns config
    [From Build 124.13] [# 405303]
  • If you use the configuration utility to create a NetScaler-owned IP address, and provide the OSPF LSA Type1 area value, the Type1 area value is not displayed when you click on the created IP address to view or edit the details.
    [From Build 125.9] [# 443850]
  • After you set the SSO Domain (single sign-on domain) value, the value is not displayed on the configuration utility when you navigate to Security > AAA Application Traffic > Settings > Change Global Settings.
    [From Build 125.9] [# 446549]
  • If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
    [From Build 125.9] [# 447077, 460857]
  • The configuration utility includes an option to enable Net Profile when you create a StoreFront monitor, but that option should not be enabled for a StoreFront monitor.
    [From Build 125.9] [# 449229]
  • The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.
    [From Build 126.12] [# 448851]
  • If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
    [From Build 126.12] [# 447077, 460857]
  • On a NetScaler SDX graphical user interface, an nsroot user cannot change the passwords of other configured user accounts.
    [From Build 126.12] [# 460413]
  • In the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings creates an error condition.
    [From Build 127.10] [# 403766]
  • The Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard displays a distorted view of the published resources when you apply the application firewall settings in the Security section.
    [From Build 127.10] [# 409057]
  • On MPX and VPX NetScaler appliances, you can edit ifalias from the graphical user interface. On a cluster of VPX instances, you can edit ifalias only from the command line interface, not from the graphical user interface.
    [From Build 127.10] [# 446373]
  • The configuration utility might display the following error message when you create a monitor by navigating to Traffic Management > Load balancing > Monitors and click Add:
    Error creating view. Model must not be null
    [From Build 127.10] [# 473832, 474471, 490291]
  • The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.
    [From Build 127.10] [# 448851]
  • If you bind a load balancing monitor to a load balancing service, the Configure Service dialog box displays an incorrect value for response time on the Monitor tab.
    [From Build 129.22] [# 488748]
  • If you bind a content switching policy to a content switching virtual server, an incorrect value appears in the Configure Virtual Server (Content Switching) dialog box. The error is on the CSW tab, in the Hits column under Policies.
    [From Build 129.22] [# 475653]
  • The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128.
    [From Build 129.22] [# 490142]
  • The NetScaler Application Delivery Controller (ADC) and NetScaler Gateway are vulnerable to the arbitrary code execution in a SOAP interface, as described at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7140.
    With this fix, the ADC and NetScaler Gateway do not allow a remote attacker to execute arbitrary code.
    [From Build 129.22] [# 483340]
  • If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a "No such resource" error message appears, even if the rename operation is successful.
    [From Build 129.22] [# 374304, 377460]
  • A NetScaler ADC displays a Java error if you access it by using an sshd connection.
    [From Build 129.22] [# 451546]
  • If you have created more than eight interfaces, the Reporting tab in the configuration utility displays only eight interfaces to be monitored.
    [From Build 130.13] [# 494804]
  • If you have assigned an SSL chip to a VPX instance provisioned on an SDX appliance, you cannot enable or disable TLS1.1 and TLS1.2 protocol support on a virtual server by using the configuration utility.
    [From Build 130.13] [# 496957]
  • The configuration utility does not display SSL policies if you navigate to Traffic Management > SSL > Policies to create a policy.
    [From Build 130.13] [# 489884]
  • The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128.
    [From Build 130.13] [# 490142]
  • If you create a GSLB service by using a server name with alphanumeric characters, the server name does not get converted to a server IP address, and the server IP address value is null. As a result, GSLB synchronization fails.
    [From Build 130.13] [# 501644, 505641, 509379]
  • If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
    [From Build 130.13] [# 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361]
  • If a connection from a client to a NetScaler ADC is closed without the client logging out, the session created for that connection remains active until the configured timeout period lapses. If this occurs frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
    [From Build 130.13] [# 511565]
  • If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
    [From Build 131.11] [# 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361]
  • If you configure a command policy for a system user (System > User Administration > Users > <username> > Edit > Insert) by using the NetScaler configuration utility, the check boxes do not function as expected on the Command Policies screen.
    [From Build 131.11] [# 522654]
  • Although the default value of the sslv2redirect parameter is “Disabled,” the configuration utility incorrectly shows this value as “Enabled” for a new SSL virtual server.
    [From Build 131.11] [# 529177]
  • The NetScaler configuration utility displays the following error message if a user with no shell access logs on to the NetScaler appliance: "Not authorized to execute this command".
    [From Build 131.11] [# 524143]
  • When you use the configuration utility to create a certificate, an error message appears even if the validity period specified is within the acceptable range.
    [From Build 131.11] [# 420736, 536924]
  • The NetScaler configuration utility displays the following error message if a user with no shell access logs on to the NetScaler appliance: "Not authorized to execute this command".
    [From Build 131.11] [# 522511, 517993]
  • The statistics of service group members do not appear correctly in the configuration utility.
    [From Build 131.11] [# 521579, 508630, 519918, 521983]
  • Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the Target Load Balancing Virtual Server list in the "Create Content Switching Action" dialog box (Content Switching > Actions > Add).
    [From Build 131.11] [# 353015]
  • If you specify the service type as DNS and select the DNS64 and ByPassAAA check boxes, and later navigate to some other service type (for example HTTP), the checkboxes are grayed out because they do not apply to an HTTP service but are not cleared. That is, DNS64 and ByPassAAA are disabled but not set to the default value.
    [From Build 132.8] [# 538163]
  • NetScaler authentication fails if you use special characters such as & or ; in the password.
    [From Build 132.8] [# 542557, 542644, 544420, 547508]
  • Java Runtime Environment (JRE) does not work on Internet Explorer version 10.
    [From Build 132.8] [# 482135]
  • The system backup and restore functionality is not available on the Cisco NetScaler GUI.
    [From Build 133.9] [# 553373]
  • If you specify the service type as DNS and select the DNS64 and ByPassAAA check boxes, and later navigate to some other service type (for example HTTP), the checkboxes are grayed out, because they do not apply to (for example) an HTTP service, but they are not cleared. That is, DNS64 and ByPassAAA are disabled but not set to the default value.
    [From Build 133.9] [# 538163]

Configuration utility

  • If a user with read-only permissions opens a monitor (Configuration > Traffic Management > Load Balancing > Monitors), the configuration utility displays the 'Not authorized to execute this command' error message.
    [From Build 130.13] [# 512427]

Content Switching

  • If a content switching virtual server with a large number of existing connections is removed, flushing all the PCBs takes time. If any traffic destined for the virtual server is received during this time, the appliance fails.
    [From Build 122.17] [# 394856, 353736]
  • Rebinding a content switching policy to a content switching virtual server might result in memory corruption, which might cause the NetScaler appliance to fail.
    [From Build 123.11] [# 432272, 409948, 467208]
  • In a cluster environment, if you run the bind cs vserver command with the argument type, the NetScaler appliance incorrectly reports a difference between the running configuration and the saved configuration.
    [From Build 123.11] [# 411116]
  • You must bind only a load balancing (LB) virtual server as the default or target LB virtual server to a content switching (CS) virtual server. Global server load balancing (GSLB), cache redirection (CR), virtual private network (VPN), and CS virtual servers must not be bound to a CS virtual server as the default or target virtual server.
    [From Build 125.9] [# 449261, 451077]
  • The NetScaler appliance fails in the following scenario:
    1. Create a content switching virtual server (CS1) and bind a policy (P1) to it.
    2. Rename the virtual server (CS1) to CS2.
    3. Create another content switching virtual server named CS1 and bind P1 to the new CS1.
    4. Send traffic to virtual server CS1.
    [From Build 125.9] [# 428991]
  • If an HTTP content switching virtual server is bound to an SSL virtual server that has a backup SSL virtual server, the following error message appears:
    ERROR: The backup vserver of the target vserver is not compatible with the CS vserver.
    [From Build 125.9] [# 445561]
  • The output of the "stat cs vserver –fullValues" command now displays the number of requests per second. In earlier builds, the output displayed the total number of requests.
    [From Build 127.10] [# 460259]
  • If an invalid HTTP request that spans multiple TCP segments is sent to a content switching virtual server, the NetScaler ADC might skip the load balancing decision and initiate a connection from the SNIP address to the content switching virtual server. This can cause the ADC to fail.
    To prevent this problem, the ADC closes the client connection when this situation arises.
    [From Build 130.13] [# 501856]
  • If you perform the following sequence of actions, the second command fails when the restart process runs the commands, because that process adds the gotopriorityexpression to the second binding:
    1. Bind a policy to a content switching virtual server and specify a gotopriorityexpression.
    2. Bind a filter or compression policy to another content switching virtual server without specifying a gotopriorityexpression.
    3. Save the configuration and restart the appliance.
    [From Build 131.11] [# 523636, 532832, 533690]

DNS

  • The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, might become unresponsive whenever it receives a truncated UDP DNS response from a name server.
    [From Build 120.13] [# 401451, 406480, 409029]
  • The NetScaler appliance caches a partial response in the following two conditions:
    1. When the response contains more resource records for the same domain than the documented limit. In this case, the NetScaler appliance caches the response up to the maximum limit.
    2. When the response contains invalid RDATA, for example, 0.0.0.0 in an address record (A record). In this case, the NetScaler appliance caches the resource records up to the invalid resource record.
    In these conditions, when the NetScaler appliance received a query for the same domain, it replied with a partial response. Going forward, the NetScaler appliance does not cache a partial response; in these conditions, the queries are directed to the back-end server.
    [From Build 123.11] [# 385524]
  • In a DNS rewrite policy, CLIENT.IP.SRC.MATCHES_LOCATION is an invalid expression for a DNS response. The NetScaler appliance does not recognize this expression and therefore might crash.
    [From Build 123.11] [# 426093, 452776]
  • The NetScaler appliance might fail in the following set of circumstances:
    * On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
    * The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
    [From Build 124.13] [# 376662]
  • Statistics do not appear correctly for a DNS load balancing virtual server.
    [From Build 128.8] [# 462862]
  • CNAME Record Caching
    When deployed in proxy mode, the NetScaler ADC does not always send a query for an address record to the back-end server. This happens when a partial CNAME chain that answers the query is present in the cache. Under some conditions, the ADC caches the partial CNAME chain and serves the query from the cache.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html
    [From Build 128.8] [# 422509]
  • If a server sends a NODATA response that has CNAME record in the answer section and no records in the authoritative and additional sections, the response is marked for CNAME caching on the NetScaler ADC, because it is incorrectly assumed to be a referral response. As a result, the ADC sends a blank response to subsequent queries, of any query type, for the canonical name.
    [From Build 129.22] [# 477552]
  • When a NetScaler ADC is deployed as a DNS server with caching enabled, and "flush dns proxyRecords" is used when the ADC is serving a large volume of traffic and has a large number of records in its cache, the ADC might fail.
    [From Build 129.22] [# 484069]
  • The DNS cache entries are not flushed if the DNS caching feature has been disabled for approximately 250 days.
    [From Build 129.22] [# 471707]
  • If the number of records in a DNS response for a domain exceeds the NetScaler ADC limit, or if one of the records in the response contains invalid data, the NetScaler ADC does not cache the response. As a result, DNS resolution using NetScaler nameserver entities fails.
    [From Build 130.13] [# 437529]
  • Non-standard query packets are altered before they are forwarded to back-end servers, which causes the server to respond with a "FORMAT error" message.
    [From Build 133.9] [# 559064]
  • If a NetScaler appliance in DNS resolver mode is configured to resolve queries with suffixes, the appliance fails if there is no address record for the NS record associated with one of the suffixes.
    [From Build 134.9] [# 605861]
  • If, while a DNS-TCP client request is in surge queue, the NetScaler appliance receives a FIN from the client and responds with a FIN or ACK before the queued request is forwarded to the backend server, the appliance might fail.
    [From Build 134.9] [# 581723]
  • If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.
    [From Build 134.9] [# 382478]
  • If, while resolving a domain name in DNS resolver mode, the NetScaler appliance does not receive a response from the first name server, it tries to resolve the domain name with the other name servers. During this process, if the address record for the associated NS record is not present, the NetScaler appliance fails.
    [From Build 134.9] [# 609967, 617204]

DataStream

  • If a MySQL client sends a query larger than 16 MB, the query is split into multiple MySQL packets. Only the first MySQL packet in a query is forwarded to the server, and the remaining packets are accumulated on the appliance. After some time, the window size is reduced to zero and the client cannot send any more packets to the appliance.
    [From Build 123.11] [# 433383]
  • A pluggable authentication request causes the handshake to fail. A NetScaler ADC does not support pluggable authentication requests. The flags that indicate pluggable authentication requests are now ignored and the request is processed.
    [From Build 124.13] [# 441162]
  • NTLM authentication is now supported on all Windows clients.
    [From Build 126.12] [# 451036]
  • Support for SQL Server High-Availability (HA) Group Deployment
    The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.
    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html
    [From Build 127.10] [# 415485]
  • If a service group is used to load balance MSSQL servers that require Kerberos Constrained Delegation, the NetScaler ADC fails to use the proper service port to fetch tickets.
    [From Build 129.22] [# 479472, 501750]
  • If you use SQL server driver for SQL Server 2000 SP1, the databases are not enumerated for Kerberos authentication on the NetScaler ADC, because the ADC does not process the SSPI packet correctly.
    [From Build 130.13] [# 507709]
  • A NetScaler client becomes unresponsive if:
    1. The NetScaler appliance receives the complete response to the client's query from the server.
    2. At the same time, the client sends an attention packet to the appliance.
    The client becomes unresponsive because the appliance closes the server-side connection but does not send the client a response to the attention packet.
    [From Build 134.9] [# 560401]

Documentation

  • The PDF format of NetScaler product documentation is no longer packaged with the NetScaler MPX, VPX, and SDX software. NetScaler product documentation is available in HTML format on the eDocs product library web site. You can generate a PDF for any topic from eDocs.
    To access NetScaler documentation on eDocs, see http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.
    [From Build 118.7] [# 395277]
  • The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.
    See http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html for information about the new node structure.
    [From Build 122.17] [# 370607]

GSLB

  • On a NetScaler appliance that has both a monitor and a GSLB view bound to a GSLB service, occasionally the view binding is not visible from the command line and is not saved in ns.conf, even though the GSLB service is properly configured and UP.
    [From Build 118.7] [# 394328, 406300]
  • In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the "add locationFile" command, the command is not synchronized to the remote location.
    [From Build 119.7] [# 385305]
  • When a GSLB virtual server is configured with RTT or static proximity as the load balancing method, or with SOURCEIPHASH as the persistence type, the NetScaler appliance might reboot because of invalid memory access.
    This issue is observed on the MPX 7500 appliance.
    [From Build 121.10] [# 421837]
  • If a configuration has a large number of GSLB services and the add location file command is used to add the location database, some of the services might not be assigned a location from the database.
    [From Build 121.10] [# 408374]
  • On a NetScaler appliance that has GSLB configured, if you remove custom location entries from the GSLB database, the appliance crashes.
    [From Build 123.11] [# 413367]
  • You can add a GSLB site IP address with a Traffic Domain setting, but this configuration is not supported, and the NetScaler fails. With this fix, you cannot add a GSLB site IP address with a Traffic Domain setting.
    [From Build 124.13] [# 434660]
  • GSLB static proximity stops working if you remove the custom records after the database idle timeout expires. If you have not removed the custom records, static proximity starts working again when a new connection request is made.
    [From Build 127.10] [# 465500]
  • In rare cases, high management-CPU usage occurs and a large number of error messages appear in the log file. As a result, queries to the location database might fail, and the backup load balancing method is used for site load balancing.
    [From Build 129.22] [# 453144, 455417]
  • If you change the GSLB configuration while the GSLB feature is disabled, the NetScaler ADC might process some stale messages when you enable the feature. As a result, the ADC might dump core and restart.
    [From Build 130.13] [# 485811]
  • If you force synchronization of the GSLB configuration, the non-default settings on the RPC node are lost. As a result, the GSLB auto-sync functionality is lost.
    [From Build 131.11] [# 497412]
  • A NetScaler appliance in a GSLB configuration might fail if the public IP address of a GSLB service is different on two GSLB sites and, on one of the sites, the public IP address for that service is the address of a load balancing virtual server.
    [From Build 131.11] [# 505932]
  • The NetScaler ADC fails if a VPN session action, a WI home page, or DBS services are configured with a domain name that at the same time is managed by a GSLB virtual server configured with static proximity or RTT load balancing methods.
    [From Build 131.11] [# 433094, 469937, 517974]
  • The show gslb service command now displays the following values related to the GSLB service:
    -Last State Change
    -Time since last state change
    -Client and Server idle timeout
    [From Build 131.11] [# 498854]
  • If the length of the domain name bound to a GSLB virtual server exceeds 31 characters, the domain name is displayed as HASHED STRING during an SNMP MIB Walk operation.
    [From Build 131.11] [# 511878]
  • All GSLB features except DNS views, auto sync, and static proximity are supported for IPv6.
    [From Build 131.11] [# 519589]
  • If the disablePrimaryOnDown parameter is configured on the primary GSLB virtual server, the primary GSLB virtual server remains in the DISABLED state even after its health state is UP. The backup GSLB virtual server continues to serve the traffic until HA failover, or until you manually enable the primary GSLB virtual server.
    [From Build 131.11] [# 517961]
  • If a spillover policy is bound to a GSLB virtual server of type UDP, the show ns runningConfig command does not display the policy binding. The policy binding functions properly, but the configuration might be lost if a failover occurs or if the appliance is restarted.
    [From Build 132.8] [# 528060]
  • Loading a new location file that has a coordinate outside the correct range (-90 to +90 latitude or -180 to +180 longitude) can cause the appliance to fail.
    Recommendation: After loading any location file, use the "show locationparameters" command to get a summary of the coordinates loaded and any parsing errors. The specific problems are reported in /var/log/ns.log.
    [From Build 133.9] [# 550294]
  • Configuring a hash based backup load balancing method on a GSLB virtual server might cause the NetScaler ADC to fail if traffic triggers the backup method.
    [From Build 134.9] [# 496676, 593298, 601363]
  • A GSLB virtual server configured with dynamic proximity as the load balancing method fails.
    [From Build 134.9] [# 578969]
  • If you have configured the canonical name as the GSLB domain on the NetScaler appliance, and the back-end server returns a CNAME record without the requested record, the NetScaler appliance replaces the TTL value of the GSLB domain with the TTL value of the CNAME record.
    [From Build 134.9] [# 582925]

Graphical User Interface

  • A user session is not terminated if the user logs out of NetScaler ADC by using the configuration utility. The session is terminated only after the session timeout is complete.
    [From Build 130.13] [# 513132]
  • If you enable NTP synchronization on a NetScaler ADC, the ntpd service binds to port 3010. The binding causes resource conflicts, because the port was reserved for the nsnetsvc service.
    [From Build 130.13] [# 502309, 503357]
  • On a NetScaler SDX appliance or NetScaler VPX instance, if you use the graphical user interface (GUI) to modify the high availability (HA) monitoring or any other property, the GUI displays the Operation not Permitted error message.
    [From Build 130.13] [# 495067]

High Availability

  • In a high availability configuration, on a connection to an FTP virtual server with the stateful connection failover option enabled, if the FTP control connection is closed before the passive mode FTP data connection is opened, the secondary node might become unresponsive.
    [From Build 121.10] [# 357841, 408502]
  • The synchronization of files in an HA setup stops working after the nsinternal user is disabled.
    [From Build 122.17] [# 420089, 409307, 425486]
  • On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.
    [From Build 124.13] [# 416573]
  • In an HA setup, even though the source IP address is not explicitly set to *, the output of the "show ns rpcNode" command shows the source IP address as *. Therefore, when HA failover happens for the second time, the LB persistence session information is not propagated to the secondary node. This means that the information is not available when a forced failover is performed on the new primary node.
    The fix ensures that the NetScaler IP (NSIP) address of the local box is always set as the source IP address in a HA setup.
    [From Build 129.22] [# 469857]
  • In a high availability configuration, if the diff ns config command includes the -ignoreDeviceSpecific parameter, the command fails and does not display the difference in configurations between the two nodes.
    [From Build 131.11] [# 524146, 526699]
  • If the link between the primary and secondary appliance is very slow and there are a large number (millions) of sessions to be synchronized (because of, for example, load balancing persistence), the primary appliance quickly consumes all the NetScaler memory available for buffering. The lack of buffer space for other subsystems can result in various disruptions, such as failover.
    [From Build 131.11] [# 519085, 525203, 533671, 534616, 537991, 539518, 541525]
  • In a high availability configuration, with failSafe mode enabled on the secondary node, the node might briefly become primary when restarted.
    [From Build 132.8] [# 534795]
  • In a high availability configuration, if a NetScaler packet processing engine (NSPPE) fails on the primary node, both the nodes might go into a warm reboot loop.
    [From Build 132.8] [# 479666, 507519, 541503]
  • After an HA configuration is stabilized from a "split brain" condition (both nodes primary), connections are not immediately synchronized between the current primary and the current secondary node. This latency might result in an HA failover.
    [From Build 132.8] [# 537496]
  • When there is an HA issue, the synchronization of persistence sessions between the primary and secondary appliances can fail. As a result, some of the persistence sessions might not be replicated on the secondary appliance.
    [From Build 134.9] [# 580703, 579037, 595104, 595491, 595506, 596002, 596215, 599250, 599396, 604164, 605112, 608450, 608485, 610589, 618785, 624928, 632295]
  • The HA traffic between the HA pair is abnormally high. This issue is caused by a loop that repeatedly tries to push the same sessions to the secondary appliance after failover.
    [From Build 134.9] [# 560640, 566710, 576012, 576096, 579037, 582354, 590730]

ICA AppFlow

  • The NetScaler appliance fails while processing ICA traffic if you have disabled AppFlow logging on the VPN virtual server (set vpn vserver -appflowlog disable).
    [From Build 122.17] [# 417274]
  • During an ICA handshake, the version-length value that the Mac Receiver sends in UNICODE format is parsed incorrectly.
    [From Build 123.11] [# 432039]
  • When NetScaler Gateway is deployed in a double hop setup, the NetScaler fails while processing the packets.
    [From Build 123.11] [# 429280, 449953, 463668]
  • On the NetScaler Insight Center dashboard, the source IP address displayed in the application launch records is incorrect.
    [From Build 123.11] [# 397109]
  • The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
    [From Build 123.11] [# 430696]
  • The NetScaler Insight Center dashboard displays incorrect Init Program and Client Version values for MAC or HTML receivers on different platforms.
    [From Build 123.11] [# 433180]
  • The HDX Insight console displays unnecessary ICA user-session information and console messages.
    [From Build 123.11] [# 433511]
  • The NetScaler ADC might fail if the EUEM channel data that is part of the ICA traffic flow is split across multiple frames in such a way that the first frame contains only 1 byte.
    [From Build 125.9] [# 445959, 451775]
  • With some WYSE clients, the NetScaler ADC fails while processing ICA connections if the ICA frame is fragmented across several CGP frames (more than three frames).
    [From Build 125.9] [# 445550]
  • The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
    [From Build 125.9] [# 430696]
  • When AppFlow is enabled, Multi-Stream ICA connections do not work if an AppFlow policy is bound to a VPN virtual server and AppFlow logging is enabled on the VPN virtual server.
    [From Build 128.8] [# 458122]

Integrated Caching

  • Once the memory limit for a content group is reached, the memory of the resulting object flush is not handled properly. As a result, no objects are stored after the content group's memory limit is reached.
    [From Build 123.11] [# 434877, 436298, 451148]
  • The NetScaler appliance fails to respond when it receives multiple byte-range requests for the same objects at almost the same time and the starting range of the byte-range is greater than 1 MB.
    [From Build 125.9] [# 427598, 446526, 447867]
  • When refreshing a cache object for a conditional GET to an expired object, the memory is deducted two times but is returned only once when the cache cell goes away. This causes the memory that is used for a content group to slowly increase and finally reach the maximum memory that a content group can use. The NetScaler appliance is therefore unable to cache objects for that content group.
    [From Build 125.9] [# 436298]
  • While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.
    [From Build 127.10] [# 466452, 469584, 469588, 470925]
  • The output of the "stat cache -d" command displays an incorrect value for the utilized memory parameter.
    [From Build 128.8] [# 427479, 463589, 482725, 502413]
  • While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.
    [From Build 128.8] [# 466452, 469584, 469588, 470925]
  • With integrated caching enabled, the NetScaler appliance can crash when the evaluation of a callout 'result expression' (configured with the resultExpr parameter) results in an UNDEF condition.
    [From Build 129.22] [# 488145]

Load Balancing

  • When you add a new server to an existing service group, the services in the group might be designated as DOWN even though monitoring probes succeed. To enable the services, unset the virtual server spillover method. They are then correctly designated as UP.
    [From Build 118.7] [# 391273, 370416]
  • Occasionally, when you create a new load balancing virtual server in the configuration utility, a series of error messages appears. The messages indicate that the load balancing feature is not licensed, and you are unable to create the virtual server.
    [From Build 118.7] [# 387253]
  • If a virtual server is UP because its services are in the Transition Out-Of-Service (TROFS) state, clients receive no response, because requests are queued at the virtual server rather than at the services. Instead, a 503 response or an RST must be issued to the client.
    [From Build 119.7] [# 383402]
  • If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.
    [From Build 119.7] [# 351870, 399978]
  • In an interactive voice response (IVR) setup, the option selected by a user is not communicated to the server because the RTSP packet is corrupted. As a result, the user is repeatedly asked to select an option from the same list.
    [From Build 120.13] [# 390545]
  • If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 direct server return (DSR) deployment, the destip address and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. As a result, performance temporarily decreases. The same behavior occurs if you delete a service.
    [From Build 120.13] [# 409028]
  • Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.
    [From Build 120.13] [# 398327]
  • Oracle database monitor fills the console window with DONE and DEEP_FLD_LEN messages.
    This issue is observed on the MPX 9500 appliance.
    [From Build 121.10] [# 417101]
  • If a diameter packet is received by a diameter load balancing virtual server on which persistency is enabled, and that packet contains multiple full requests and a partial request, the NetScaler fails to recognize the partial request and sends it to the server. The result is an invalid packet being sent to the server, and the NetScaler sends a 5xxx message to the client.
    [From Build 121.10] [# 410711]
  • If you run a custom health monitoring script that does not require an argument, the NetScaler appliance sends an incorrect timeout to the script. As a result, the script continues to run for longer than expected. After some time, the maximum limit for the number of scripts allowed on the appliance is reached and new scripts cannot be run.
    [From Build 121.10] [# 409055]
  • In some cases, if you configure a domain-based IPv6 service on the NetScaler appliance, the appliance might become unresponsive.
    [From Build 122.17] [# 399446, 416718]
  • If a NetScaler appliance responds to a DNSSEC-enabled request from its cache, and this response is immediately followed by a response from the server to an earlier query that could not be addressed from the NetScaler cache, the appliance drops the response from the server instead of forwarding it. However, the memory associated with the response packet is not freed. As more such requests are received, the memory on the appliance is gradually exhausted.
    [From Build 122.17] [# 412530]
  • In a high availability setup, after you upgrade the secondary node and make it the new primary, the process of file synchronization from the new secondary (old primary) node to the new primary node overwrites some of the updated data on the new primary. Specifically, the new monitoring scripts delivered as part of the upgrade on the new primary node are overwritten. As a result, the monitoring scripts might fail.
    [From Build 122.17] [# 417630]
  • The stat servicegroup command incorrectly displays the svrttfb (server-time-to-first-byte) value as zero.
    [From Build 122.17] [# 424780]
  • If the first octet of the IP address of a service has a value of 6 (6.x.x.x), and the service is bound to a virtual server that is configured for persistence, the NetScaler appliance fails when it tries to direct a request to that service.
    [From Build 122.17] [# 393613, 427971, 456281]
  • If you have configured a DNS auto-scaling service group and run the "show server <server name>" command to display the details of the server bound to this service group, the following incorrect entries appear:
    - an extra entity with an IP address 0.0.0.0
    - mode as POLICY
    - state as DOWN.
    [From Build 123.11] [# 398274, 397588, 425221, 434329]
  • If you create a service of type SSL_BRIDGE and enable client IP address (CIP) on the service, the NetScaler appliance inserts an HTTP header with the client’s IP address as its value. In an SSL_BRIDGE topology, you must not insert a header. With this fix, the appliance throws a warning and removes the CIP option for an SSL_BRIDGE service while saving the configuration.
    [From Build 123.11] [# 438169]
  • If you configure persistence on a virtual server that is configured for link load balancing, the NetScaler appliance might fail.
    [From Build 123.11] [# 392542, 418698, 431925]
  • If you use NITRO to display the details of the load balancing monitors configured on a NetScaler appliance, the output for non-HTTP type monitors incorrectly displays a response code, user name, and password. These attributes are not applicable to non-HTTP type monitors.
    [From Build 123.11] [# 410365]
  • The NetScaler appliance might fail while processing an NX domain message if you have configured an autoscaling service group on the appliance.
    [From Build 123.11] [# 402996, 405475, 407313]
  • If you have configured an autoscaling service group on the NetScaler appliance, the states of some of these services are not updated, because command numbers are not updated. For example, a service state might appear as UP although the monitor has marked it as DOWN.
    [From Build 123.11] [# 422821, 405467]
  • The NetScaler appliance fails under the following sequence of events:
    1. An IPv6 domain based service and an IPv6 address based service are configured on the appliance.
    2. Both the services are bound to a load balancing virtual server.
    3. The domain based service is UP when the address based service enters the UP state.
    [From Build 123.11] [# 429445]
  • If you bind a content switching (CS) policy to a CS virtual server, specify a load balancing (LB) virtual server as the target virtual server, and then view the LB virtual server details in the configuration utility, the CS virtual server bindings incorrectly appear in the cache redirection virtual server section. However, if you use the command line to view the details of the virtual server (show lb vserver), the details appear in the correct section.
    [From Build 123.11] [# 406467]
  • If you have added a backup virtual server on release 9.x, the configuration is lost after you upgrade to release 10.1.
    [From Build 124.13] [# 440406]
  • If you add a new service group, the SOAP API query for the "show servicegroup" command might fail.
    [From Build 124.13] [# 429538, 441186]
  • If you configure an HTTP_ECV monitor with a response string, and the response arrives in multiple packets, the NetScaler appliance might not parse the response correctly. As a result, a monitoring probe to the appliance fails and services are marked DOWN.
    [From Build 124.13] [# 433324]
  • If you rename an autoscaling service group, the NetScaler appliance might fail.
    [From Build 124.13] [# 421411]
  • If a NetScaler appliance receives a request for which a session does not already exist, the appliance creates a session and designates one of the packet engines (PEs) as the session owner. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE (for example, PE1). If such a request arrives at another PE (for example PE2), that PE (PE2) gets the information from the owner PE (PE1). Now, the cached session is present in PE2 and the owned session is present in PE1. Because of a timing issue, the information in PE1 is cleared before the cached entry in PE2. As a result, different session entries are created for the same client on PE1 and PE2 and source IP persistence might not work correctly.
    [From Build 124.13] [# 420827, 434537]
  • In a high availability setup, if an autoscaling service group with more than 4000 members is removed, failover occurs.
    [From Build 124.13] [# 407493]
  • If Edge mode is disabled, the state of the name-based service group member appears as UNKNOWN, even though the server represented by the service group member is reachable.
    [From Build 124.13] [# 417872, 438960, 465030]
  • The configuration for the NetScaler Web 2.0 Push feature is not saved in the configuration (ns.conf) file. As a result, if you run the "show running config" command, the push configuration is not shown.
    [From Build 125.9] [# 451670]
  • In direct server return mode, the NetScaler ADC does not send a RST flag to the client after the idle timeout has expired.
    [From Build 125.9] [# 452648]
  • Support for Fallback to NTLM Authentication
    Currently AAA supports Kerberos authentication only with Datastream Windows Authentication. AAA does not support fallback to NTLM if Kerberos authentication fails.
    [From Build 125.9] [# 382693]
  • Using Canonical FQDN when Constructing Server SPN
    When performing Kerberos authentication or authorization, instead of accepting the hostname that the user provided in the request, AAA-TM now performs a DNS lookup on the hostname IP, and uses the canonical FQDN for that IP when constructing a server SPN.
    [From Build 125.9] [# 441290]
  • If you add a server with a name that contains an IP address and a string, and then use that server to add a service, the error message “service already exists” appears.
    [From Build 126.12] [# 434925]
  • In NetScaler deployments where a load balancing virtual server is deployed behind another virtual server, the count of the number of request bytes is inadvertently doubled.
    [From Build 126.12] [# 369369, 252157, 438593]
  • When the primary virtual IP address is down and no backup is configured, spillover persistence fails to decrement the session allocation counter. This leads the NetScaler appliance to believe that sessions are alive and therefore reject new client requests.
    [From Build 126.12] [# 454497]
  • If you bind policies in one of the following orders of priority, and then run the "show running config" or the "save config" command, the command runs repeatedly:
    * Syslog, nslog, syslog
    * Nslog, syslog, nslog
    [From Build 126.12] [# 441973, 442098]
  • If a user tries to use a long URL (more than 1024 bytes) to access a protected resource for the first time (that is, without a valid cookie), the NetScaler ADC returns a 500 error.
    [From Build 126.12] [# 456632]
  • In a deployment with multiple MAC-mode virtual servers, some changes in the configuration can result in a MAC-mode virtual server failing to serve traffic. Changes that can cause the problem include:
    - Disabling and enabling the interface through which the MAC of a service is learnt.
    - Removing virtual servers or clearing their configurations.
    - Changes caused by high availability failovers.
    [From Build 127.10] [# 471938]
  • The NetScaler ADC does not set the mandatory flag in a Route-Record AVP. As a result, some diameter implementations might reject the AVP.
    [From Build 127.10] [# 475980]
  • The NetScaler ADC fails if requests requiring IP fragmentation are forwarded to a virtual server that is configured for sessionless load balancing in IP mode.
    [From Build 128.8] [# 478949]
  • If you have configured the RADIUS PI expression CLIENT.UDP.RADIUS.ATTR_TYPE(<avp code>) for content switching, rule-based persistency, or the token load balancing method, and you typecast the result of this expression to an integer or IP address by using the expression TYPECAST_NUM_AT / TYPECAST_IP_ADDRESS_AT, the typecast operation fails.
    [From Build 129.22] [# 482113]
  • If a client connection is in the CLOSE_WAIT state, the NetScaler ADC does not send PUSH notifications to the client. However, it reports success to the PUSH server.
    [From Build 129.22] [# 489197]
  • You can now bind loopback members (for example 127.0.0.1) to service groups. Previously, you could bind loopback members to services only.
    [From Build 130.13] [# 504209]
  • A very slow memory leak occurs on the secondary node in a high availability pair if all of the following conditions are met:
    a) The configuration is large (approximately 4MB).
    b) The configuration includes a large number of "bind lb group" commands.
    c) Configuration changes very frequently, resulting in frequent synchronization.
    [From Build 130.13] [# 457639]
  • In a high availability setup, a failover might disconnect active connections even though stateful connection failover is enabled on the virtual servers.
    [From Build 130.13] [# 489400]
  • If a load balancing virtual server on which persistence is configured is bound to a load balancing group that has no persistence setting, the NetScaler ADC does not change the virtual server’s persistence setting. As a result, when traffic arrives at the virtual server, it tries to create a persistence session, but that session fails and the number of sessions increases.
    [From Build 130.13] [# 497470]
  • If a semantically incorrect command is entered while a domain based service is being resolved to a NetScaler-owned IP address, the NetScaler ADC displays the state of the service incorrectly.
    [From Build 130.13] [# 502338]
  • The NetScaler ADC might fail after you rename a server that is bound to a service group. This problem does not occur if you assign a name to a server that was identified by its IP address.
    [From Build 131.11] [# 443027]
  • The SIP monitor probe has an invalid character in the VIA header. As a result, the probe fails and an incorrect service state might appear.
    [From Build 131.11] [# 519644]
  • The NetScaler ADC might fail if a high idle timeout value is set on a TFTP load balancing virtual server and the ADC runs out of memory.
    [From Build 131.11] [# 505543]
  • If your spillover policy contains the ACTIVETRANSACTIONS or the SURGECOUNT expression (for example, <expression>.ACTIVETRANSACTIONS.GT(<N>)), traffic might spill over to the virtual server bound to this policy even though the current value of the counter has not reached N. This is because these two expressions use an arbitrary number for comparison.
    For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:
    SYS.VSERVER("A").ACTIVETRANSACTIONS.GT(10) -action spillover
    [From Build 131.11] [# 516615]
  • Unsetting one of the load balancing virtual server parameters, such as redirect URL, backup virtual server, push virtual server, or authentication profile, incorrectly unsets the appflowLog parameter.
    [From Build 132.8] [# 523239]
  • If you configure cookie persistence and custom cookie on a virtual server, and later change the name or IP address of the virtual server, persistence is not honored.
    [From Build 133.9] [# 524079, 559022]
  • If an SSL monitor is bound to a domain-based service that is configured with non-default SSL settings, the monitor might not show the service as UP.
    [From Build 133.9] [# 575171, 576012]
  • In a high availability setup, if custom cookie persistence is configured on a virtual server, part of the secondary node's configuration might not be synchronized with the primary after a failover occurs.
    [From Build 133.9] [# 552799, 552607]
  • If the "Invalid argument error" message appears intermittently in nsmund.log, treat it as a false positive. The error appears because a scenario was not handled correctly. However, if this message appears in the log every time a particular script runs, there is an issue with the arguments that are passed to the script.
    [From Build 133.9] [# 568719]
  • In a RADIUS load balancing setup, if Use Source IP (USIP) is configured on the RADIUS services, the server side connections are not reused, and requests are dropped.
    [From Build 133.9] [# 574120, 534888]
  • If the load balancing (LB) feature is not licensed, and you try to enable an LB virtual server, an error message appears.
    [From Build 133.9] [# 466094, 534755]
  • In a RADIUS load balancing setup, requests might be dropped because the memory for the session entries is not freed until the idle timeout expires even though the transaction completed earlier.
    [From Build 133.9] [# 573155]
  • In a load balancing group configuration, the "sh run" command sometimes runs in a loop, which exponentially increases the size of the temporary configuration file. As a result, saving the configuration and synchronizing the nodes in a high availability setup might fail.
    [From Build 134.9] [# 587812, 598499, 601918]
  • The appliance fails if non-reachable autoscale entities that are part of a service group later become reachable and, in the interim, the service group name has changed.
    [From Build 134.9] [# 583647]
  • In certain cases, if the name of an FTP virtual server is greater than 32 characters, the virtual server lookup fails and the request is not served.
    [From Build 134.9] [# 566644]

Load Balancing/AAA-TM

  • A NetScaler appliance that has AAA-TM configured for authentication with a RADIUS Server might intermittently generate "HTTP/1.1 Internal Server Error 6" error messages.
    [From Build 118.7] [# 391105, 457607]
  • If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.
    [From Build 119.7] [# 402472, 397716, 403737, 404942, 465004, 474112]
  • On a NetScaler SDX with AAA and SAML enabled and configured, occasionally the NetScaler appliance crashes and generates a core dump during SAML authentication.
    [From Build 122.17] [# 426421, 431795, 436267]
  • On a NetScaler appliance with AAA enabled and configured, a user whose account is bound to over 100 groups might be unable to execute NetScaler commands at the command line despite having the appropriate permissions to do so. To work around this issue, do not bind a single user account to more than 99 groups.
    [From Build 122.17] [# 431206]
  • On a NetScaler appliance that has the load balancing and AAA-TM features enabled, and that protects an application that uses 401 Basic authentication, if a client authenticates with a browser that does not support cookies, the appliance might experience repeated crashes or (for HA setups) repeated failovers. The cause is that the appliance does not receive the expected traffic management cookie, fails to reconnect to the existing session, and instead creates a new session each time the client connects to a protected resource. If a large number of authentication requests is sent within a short period of time, the abandoned sessions do not expire quickly enough and can therefore consume available memory.
    [From Build 123.11] [# 431917]
  • On a NetScaler appliance that has the load balancing and AAA-TM features enabled, a request that contains an extraneous space in the URL might cause the appliance to crash. This issue occurs only with unauthenticated connections; the appliance processes the same request correctly over authenticated connections.
    [From Build 123.11] [# 437407]

Load Balancing/DNS

  • If two NetScaler appliances in a high-availability configuration have TCPB mode enabled globally, and you create a DNS TCP service, the service might be successfully created on the primary NetScaler appliance but fail on the secondary appliance.
    [From Build 118.7] [# 376173]

Load Balancing/MSSQL

  • On a NetScaler appliance or VPX virtual appliance that is configured for load balancing in an environment that includes a Microsoft SQL server database, if a client sends a large number of long queries to the MSSQL database, the appliance might become unresponsive or fail.
    [From Build 119.7] [# 401118]

Load Balancing/Responder

  • On a NetScaler MPX15000 appliance that has the load balancing and responder features enabled, and has a load balancing policy that includes both the SYS.CHECK_LIMIT and HTTP.REQ.BODY statements, a complex cascade of events might cause the appliance to restart repeatedly. To work around this issue, you can either rewrite the configuration to separate the SYS.CHECK_LIMIT and HTTP.REQ.BODY statements into two separate policies, or operate the NetScaler appliance on a single core.
    [From Build 124.13] [# 432790]

MPTCP

  • Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.
    [From Build 120.13] [# 399708]
  • The NetScaler appliance does not respond when using client IP insertion with MPTCP.
    [From Build 120.13] [# 400888]
  • The NetScaler appliance might not respond when TCP buffering and MPTCP are both enabled.
    [From Build 120.13] [# 399938]
  • MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.
    [From Build 120.13] [# 401105]
  • While using MPTCP, the NetScaler appliance cannot adequately handle overlapping data sequence maps.
    [From Build 121.10] [# 412833]
  • The NetScaler appliance must not send MPTCP control signals such as DATA_FIN or FAST_CLOSE when the NetScaler has already sent a subflow FIN.
    [From Build 121.10] [# 414182]
  • MPTCP does not support IPv6 addresses.
    [From Build 121.10] [# 401793]
  • The NetScaler appliance does not acknowledge the subflow FIN when it arrives together with the MPTCP DATA_FIN.
    [From Build 121.10] [# 409426]
  • While using MPTCP, the NetScaler appliance crashes when trying to free an already freed TCP session.
    [From Build 121.10] [# 419184]
  • Virtual servers to which a listen policy is bound accept connections from the first subflow only.
    [From Build 122.17] [# 400861]
  • MPTCP does not support FTP data connections.
    [From Build 122.17] [# 400819]
  • Multiple spillover persistence sessions are created for a single MPTCP transaction.
    [From Build 122.17] [# 400875]
  • With USIP enabled, MPTCP requests do not go through.
    [From Build 122.17] [# 331338]

Monitoring

  • If you bind monitors to services, and then bind a DoS or SureConnect policy to one of those services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the "show ns runningConfig" command before restarting the appliance, the monitor binding information does not appear.
    [From Build 120.13] [# 406391]
  • A monitor of type CITRIX-WI-EXTENDED fails if the script name and site path arguments are not explicitly set.
    [From Build 121.10] [# 383812]
  • If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
    [From Build 123.11] [# 369946]
  • Transparent monitors are now combined with the functionality of an ARP monitor. This avoids the need to bind a separate monitor to incorporate reachability as part of the health status. Without an ARP monitor, UP services could not transition to DOWN when the next hop failed.
    [From Build 124.13] [# 301570]

NITRO API

  • For a service that is bound to a service group, NITRO cannot obtain the state of the service monitor.
    [From Build 123.11] [# 424553, 302231, 386570]
  • When importing an AppExpert template that has back end services configured, the NetScaler ADC reports a protocol mismatch error even if other service parameters (service name, IP address and port) are not the same.
    [From Build 125.9] [# 444986]
  • When AppFlow is enabled on a NetScaler appliance, the following query, which requests console messages from the nsconmsg tool, results in an httpd core dump because of a large buffer length.
    http://<NSIP>/nitro/v1/config/clioutput?args=command:"shell+nsconmsg+%2DK+%2Fvar%2Fnslog%2Fnewnslog+%2Dd+consmsg"
    [From Build 130.13] [# 507594]
  • Viewing the Statistics of Services and Service Groups that are Bound to a Load Balancing Virtual Server
    You can now view the statistics of services and service groups that are bound to a load balancing virtual server by using the following URL:
    http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>?statbindings=yes
    You cannot view these details by using the "http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>" URL which only gives the statistics of the load balancing virtual server.
    [From Build 133.9] [# 241950, 244603, 523907, 534804, 538057]

NetScaler Appliance

  • Different languages use different keyboard layouts, causing problems with using special characters through the LOM console. With this fix, the LOM console supports additional keyboard layouts and keyboard control tools.
    To change the keyboard layout, in the console, navigate to options > preferences and select a language.
    [From Build 134.9] [# 583263, 601405]

NetScaler GUI

  • If you remove a node by using the CLIP address, the following error message appears, but the node is successfully removed:
    "Unable to delete cluster instance from <IP address>. Reason: Unable to complete Cluster Instance delete request."
    You can ignore this message.
    [From Build 135.08] [# 630788]
  • A large configuration file puts a heavy load on the management CPU. The resulting delay in displaying the output of the "show ns runningconfig" command might exceed the timeout value.
    [From Build 135.08] [# 475830, 449234, 643926]

NetScaler Gateway

  • On a NetScaler appliance that has AAA configured with SSL certificate set to "optional" and at least one authentication policy, when Android users attempt to authenticate, the Android Receiver client generates the following error: "invalid server certificate". This error is caused by improper cookie handling by the Android Receiver client.
    [From Build 121.10] [# 418200]
  • Devices running Windows cannot connect if the NetScaler Gateway virtual server is configured with either TLS 1.1 or TLS 1.2 or both.
    [From Build 125.9] [# 445485]
  • If proxy settings are configured on the user device and the NetScaler Gateway URL is in the proxy bypass list, users cannot establish a VPN connection with the NetScaler Gateway Plug-in for Windows.
    [From Build 127.10] [# 456179, 462881, 466862]
  • If users connect to a domain-based server by using clientless access, NetScaler Gateway fails occasionally.
    [From Build 127.10] [# 412237]
  • When users log on, preauthentication might not synchronize between processes. When this occurs, NetScaler Gateway fails.
    [From Build 127.10] [# 440623]
  • If you configure the Green Bubble theme and if users do not meet the domain requirements when changing their passwords, users do not receive an error message. Instead, the logon page appears. With this fix, the error message appears to users.
    [From Build 127.10] [# 474027]
  • If a configuration change occurs while that configuration is being referenced by the processing engine, NetScaler Gateway fails.
    [From Build 127.10] [# 460997, 477547]
  • If you disable authentication on NetScaler Gateway, endpoint analysis scan can occasionally be bypassed.
    [From Build 128.8] [# 470059]
  • When users log on with clientless access and then open the Access Interface, the order of files that appear in Personal File Shares differs from the order of files on the file share server.
    [From Build 128.8] [# 461225]
  • When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.
    [From Build 128.8] [# 461279]
  • On a multi-core appliance, if session propagation to one core fails, NetScaler Gateway fails.
    [From Build 128.8] [# 485042]
  • If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.
    [From Build 128.8] [# 374296]
  • If you bind SAML and LDAP authentication policies to the virtual server for two-factor authentication, then after authenticating with SAML, which is the primary authentication type, the LDAP user name is populated automatically. If the first logon attempt to LDAP fails, user names are case-sensitive and must be entered again exactly as they appear after SAML authentication. For example, if the user name is populated as JohnDoe@xyzz.com and the user types johndoe@xyzz.com during the subsequent attempt, logon fails.
    [From Build 128.8] [# 463871]
  • Attempts to connect to NetScaler Gateway from a Windows-based computer fail with error 1008 when Transport Layer Security (TLS) block ciphers are configured and TLS 1.2 is enabled on NetScaler Gateway.
    [From Build 128.8] [# 468145, 473867]
  • If the Domain Name Server (DNS) configuration is not available, users receive an "Internal error 500" message after successfully logging on to NetScaler Gateway.
    [From Build 128.8] [# 464956, 470873, 471478, 474012]
  • If user names that contain a period (.) share a common prefix before the period, NetScaler Gateway creates cache files based on that prefix. When this occurs, tickets for one user are sent to a different user.
    [From Build 129.22] [# 494463]
  • Upgrading to Maintenance Build 122.11 changes the rewrite policy for HTTP.REQ.USER.NAME. This change retrieves the single sign-on name attribute instead of the server logon name.
    [From Build 129.22] [# 495610]
  • When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, Netscaler Gateway can fail.
    [From Build 129.22] [# 488182, 489345, 493939]
  • When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, Netscaler Gateway can fail.
    [From Build 129.22] [# 484431, 488182]
  • In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.
    [From Build 129.22] [# 481889, 486176, 501408]
  • If you configure endpoint analysis policies, if the session times out and users do not close the web browser, they cannot log on again.
    [From Build 129.22] [# 459149]
  • In a high availability deployment, when users log on with SAML authentication, the secondary appliance fails over.
    [From Build 129.22] [# 490075, 485042]
  • If you configure SAML authentication with signed SAML assertions, if the user connection disconnects before the SAML response is normalized, NetScaler Gateway fails.
    [From Build 129.22] [# 489609]
  • If the authentication server is extremely slow to respond (for example, 15-30 seconds or more), users can experience delays in logging on successfully, even when the number of simultaneous connections is low.
    [From Build 129.22] [# 489343]
  • If the maximum number of users is set to a number greater than 5 on a NetScaler Gateway virtual server, if you remove the Universal license, the virtual server configuration is also removed.
    [From Build 129.22] [# 447452, 486009]
  • If users connect to a web resource over Secure Browse and a proxy server resides behind NetScaler Gateway, single sign-on fails. Single sign-on is successful to either the web resource or the proxy server, but not both at the same time.
    [From Build 129.22] [# 470013, 480556]
  • If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.
    [From Build 129.22] [# 484245]
  • The endpoint analysis scan fails when users log on by using Internet Explorer 11.
    [From Build 129.22] [# 417481, 423915, 496637]
  • When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.
    [From Build 129.22] [# 461279, 491220]
  • When ActiveSync clients connect to NetScaler Gateway with "Basic authorization", Gateway fails if credentials in the basic authorization header are invalid.
    ActiveSync clients are supported only with AAA-TM servers on Netscaler.
    Note: This fix was provided in Build 120.x of NetScaler 10.1. However, it missed being included in the release notes of that build.
    [From Build 130.13] [# 405138, 405517, 408689, 424539, 429017, 429477, 431645]
  • Responder or URL transform policies that are bound to the Content Switching virtual server are not applied to connection requests that come through NetScaler Gateway.
    [From Build 130.13] [# 495867]
  • When users log on with the NetScaler Gateway Plug-in for Windows, attempts to access internal network resources fail from Windows Metro applications, such as Internet Explorer Metro Mode. This occurs when you configure address pools (intranet IP addresses).
    [From Build 130.13] [# 505029]
  • If users connect with the NetScaler Gateway Plug-in for Windows and then attempt to receive a call through a softphone, the call fails.
    [From Build 130.13] [# 498679]
  • When pre-authentication is configured on nCore systems, or when the session timeout elapses, NetScaler Gateway might fail while cleaning up the session.
    [From Build 130.13] [# 528011, 527990]
  • When users log on with the NetScaler Gateway Plug-in, if the user's TCP connection closes while the connection to the internal network through NetScaler Gateway is still in progress, the appliance might fail.
    [From Build 130.13] [# 500207, 508831]
  • NetScaler Gateway might fail on nCore systems if Endpoint Analysis is configured or if the configured session timeout elapses.
    [From Build 130.13] [# 527990]
  • When the Endpoint Analysis is configured, the users are redirected to index.html. Otherwise, a session is created for any arbitrary URL if the authentication is disabled on the NetScaler Gateway.
    [From Build 130.13] [# 516257]
  • On nCore systems, when pre-authentication policies are configured or when an admin session timeout elapses, a core dump may occur when the NetScaler Gateway cleans up the session.
    [From Build 130.13] [# 523321, 534178]
  • When users connect from a web browser and enter their SAML credentials, NetScaler Gateway fails. This occurs when you configure pre-authentication policies and two-factor authentication policies with SAML and LDAP with SAML as the primary authentication type and having a higher priority.
    [From Build 130.13] [# 506689]
  • When a user connects to a multi-core NetScaler Gateway that runs out of memory during inter-core communication, NetScaler Gateway fails.
    [From Build 130.13] [# 513385]
  • In a double-hop DMZ deployment, if the Receiver connection closes and the connection to XenApp or XenDesktop is in progress, the appliance might fail.
    [From Build 130.13] [# 508831]
  • If ICA proxy is set to On and you configure authorization policies, when users attempt to connect, NetScaler Gateway modifies the host header to the FQDN of the Web Interface or StoreFront server. When this occurs, user logon fails with the message "Error: Not a priviledged user."
    [From Build 130.13] [# 501369, 500311]
  • If users do not have administrative rights, the Endpoint Analysis Plug-in installation fails.
    [From Build 130.13] [# 506686]
  • On MPX appliances, there can be a delay in delivering UDP packets from the server to the client in full tunnel mode.
    [From Build 131.11] [# 503811]
  • The NetScaler Gateway appliance fails during the device certificate check if AppController is configured on the virtual server.
    [From Build 131.11] [# 511805, 532549]
  • The NetScaler GUI blocks the creation of a Session Action with a "forced time out" value greater than 255 (that is, in the range 256 - 65535). The acceptable range for the "forced time-out" property was increased to 65535 in the back end, but the GUI does not reflect this change.
    [From Build 131.11] [# 535530]
  • When a user logs on with the NetScaler Gateway Plug-in, if a Domain Name System (DNS) suffix is configured on the user device, resolution fails. This occurs if a DNS server is not configured and all of the following are configured on the NetScaler Gateway appliance:
    - Authoritative DNS
    - DNS address record configured with the host name only
    - DNS Suffix
    [From Build 131.11] [# 459311]
  • In a high-availability (HA) configuration, the secondary appliance might fail occasionally because of a duplicate attempt to free an AAA context.
    [From Build 131.11] [# 531956, 538937]
  • If the NetScaler Gateway virtual server is behind a proxy server and its fully qualified domain name (FQDN) is not resolvable by the local DNS server, endpoint analysis fails and a "failed sending epaq" error message appears.
    [From Build 131.11] [# 522700, 531535]
  • Remote users who use the Windows full client/plugin to access Netscaler Gateway can encounter an issue if the Internet Explorer browser has "Automatic Configuration Script" settings configured for Proxy, and the automatic configuration script file is unreachable from the user device at the time of Gateway session establishment. In this scenario, the Windows plugin incorrectly connects to the Proxy server configured in the Manual Settings and fails to establish the session. The expected correct behavior in this situation would be to bypass the proxy and connect to NetScaler Gateway directly.
    Users are affected only if:
    1. They use Windows full client for establishing the gateway session
    AND
    2. They have both Automatic Configuration script and Manual configuration for Proxy in their Internet Explorer settings
    AND
    3. The configured Automatic Proxy script file happens to be unreachable from the user's device (for example the Automatic Proxy script file address is an internal address and not reachable remotely).
    [From Build 131.11] [# 531520]
  • On nCore systems, when pre-authentication policies are configured or when an admin session times out, a core dump might occur when the NetScaler Gateway appliance cleans up the session.
    [From Build 131.11] [# 523321, 534178]
  • If AAA sessions with no associated VPN virtual servers exist on the secondary NetScaler appliance after a failover, the secondary appliance can fail during session synchronization from the primary.
    [From Build 131.11] [# 529205]
  • Java Runtime Environment (JRE) version 7, update 51 or later, displays a security warning when NetScaler Gateway for Java is launched. In some cases, JRE blocks the launch.
    [From Build 131.11] [# 491076, 535339]
  • If a user installs Microsoft Security Bulletin MS14-080 (KB3025390) for Internet Explorer 11, then uses the IE 11 browser to log on to a NetScaler Gateway virtual IP with endpoint analysis, either as pre-authentication or post-authentication check, the endpoint analysis fails and a Download or Skip Check button appears in the browser.
    [From Build 131.11] [# 527757]
  • If preauthorization is configured on a NetScaler Gateway nCore appliance, the system might fail while cleaning up after an interrupted session. Even if preauthorization is not configured, the system can fail while cleaning up after a session timeout.
    [From Build 131.11] [# 528011, 527990]
  • To fix this issue, the cache policy is no longer bound through the XA/XD wizard. Builds that include this fix do not bind the cache policy during the configuration flow.
    However, if the appliance is upgraded from an older build in which the cache policy is already bound, the binding persists, and the policy must be removed manually.
    [From Build 132.8] [# 545422, 550597]
  • The NetScaler GUI blocks the creation of a Session Action with a "forced time out" value greater than 255 (that is, in the range 256 - 65535). The acceptable range for the "forced time-out" property was increased to 65535 in the back end, but the GUI does not reflect this change.
    [From Build 132.8] [# 535530]
  • Memory usage increases gradually by about 1-2% every week. The customer started observing this issue after upgrading to 10.1 Build 126.12nc. Based on this observation, a memory leak in the MEM_SSLVPN module is suspected.
    [From Build 132.8] [# 512356]
  • The NetScaler appliance crashes under the following conditions:
    - An external service is added with the same IP address as wihome
    - There are existing AAA sessions
    - The IP address of this external service is changed and later removed
    The crash happens when a user logs on and launches an app. The HTTP request, which must be forwarded to Web Interface or StoreFront, accesses the stale server information, which results in the crash.
    [From Build 132.8] [# 529296, 540736]
  • After the VPN tunnel is established, external websites fail to load intermittently under the following conditions:
    - The enable_vpn_dnstruncate_fix nsapimgr flag is set on the NetScaler appliance.
    - The DNS servers on the NetScaler appliance are configured to send a negative DNS response for external DNS queries.
    - Split DNS is set to BOTH.
    [From Build 132.8] [# 524028]
  • If the HTTP CONNECT request is received on the existing connection to a NetScaler Gateway virtual server for a non-owner core before the session is fully authenticated and established, the NetScaler Gateway may fail.
    [From Build 132.8] [# 534326]
  • If AAA sessions with no associated VPN virtual servers exist on a secondary NetScaler appliance after failover, the secondary appliance can fail during session sync from the primary.
    [From Build 132.8] [# 529205]
  • Applications that use UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) on Mac OS X Yosemite (10.10) such as the ones using audio or video streaming, may be unreliable.
    [From Build 132.8] [# 515013, 512064, 538446]
  • OS X Yosemite users connecting to VPX NetScaler Gateway will not be able to access internal UDP or ICMP resources. This would not occur with the MPX NetScaler appliance.
    [From Build 132.8] [# 538446]
  • If the Authorization Group field (in NetScaler Gateway > Global Settings > Change global settings) is left empty, the NetScaler appliance throws the "String too short" error.
    [From Build 132.8] [# 538804]
  • The rba module crashes when rba users send incorrect remote addr data. Sanity checks for remote addrlen have been added to prevent the failure.
    [From Build 132.8] [# 539286]
  • The NetScaler Gateway EPA and VPN plug-ins are not triggered in the latest Chrome browser. Chrome shows a download prompt even after the plug-in is installed.
    [From Build 133.9] [# 570493]
  • In a double-hop deployment, the STA server status on hop 1 does not go down when double hop is disabled on hop 2, and users can still launch ICA apps.
    [From Build 133.9] [# 539743]
  • Applicable only for Mac VPN clients
    Chrome is phasing out NPAPI support. From Chrome version 42+ all NPAPI plugins will appear as if they are not installed. This will affect all existing customers. Affected customers will see a download prompt even though the VPN plugin is installed.
    [From Build 133.9] [# 572447, 574353, 575609]
  • NetScaler Gateway now supports Windows 10.
    [From Build 133.9] [# 579428]
  • Internet access fails intermittently when connecting to a NetScaler Gateway with Split Tunnel On using a Windows machine.
    [From Build 133.9] [# 572709]
  • The RSA Pin change fails if RSA radius servers are load-balanced with the RADIUS type protocol service. The workaround is to change the load-balance protocol service type to UDP or ANY.
    [From Build 133.9] [# 534888, 528950, 542189]
  • The NetScaler appliance experienced a system error due to a memory corruption issue.
    [From Build 134.9] [# 587825]
  • A NetScaler Gateway NSPPE crash happened under the following conditions:
    * wihome is configured with FQDN
    * wihome is removed immediately even before the DNS response for the same comes back
    [From Build 134.9] [# 542560, 566864]
  • Single sign on (SSO) for the NavUI file share view does not honor the ssocredential configuration on the authentication action, and instead sends only the username from the authentication session. If a domain is configured to accept something other than the session username, SSO will fail. This fix makes NavUI file share properly honor the ssocredential setting and send what the administrator has configured.
    [From Build 134.9] [# 607507]
  • After upgrading NetScaler Gateway MPX 9700 FIPS using 10.1-118.7 firmware, the Web interface is slow to render.
    [From Build 134.9] [# 502615]
  • Applications using more than 128 simultaneous connections over VPN fail on Windows machines.
    [From Build 134.9] [# 596994, 567389]

NetScaler Insight Center

  • The HDX Insight node appears even when all NetScaler appliances have only standard licenses. The node must be visible only when a minimum of one appliance has an enterprise or platinum license.
    [From Build 118.7] [# 391336]
  • Web Insight
    In the Dashboard tab, in some instances, the breadcrumb navigation does not display any text for labels.
    [From Build 118.7] [# 390581]
  • HDX Insight
    If you uncheck the ICA check-box and save, you will see Appflow enabled but no reports or data will show.
    [From Build 118.7] [# 388453]
  • HDX Insight
    The graph is not plotted for user applications. This issue is observed on navigating to "Dashboard > HDX Insight > Users > <username> > <SessionID> > Applications > More" button.
    [From Build 118.7] [# 386543]
  • NetScaler Insight Center appliance fails to respond.
    [From Build 118.7] [# 377737, 369685]
  • HDX Insight
    The graph is incorrectly plotted for user applications. This issue is observed on navigating to "Dashboard > HDX Insight > Users > <username> > <sessionID> > Applications > More > <application name>".
    [From Build 118.7] [# 385895]
  • Load balancing, content switching, or VPN applications that have space characters in the name cannot be enabled.
    [From Build 118.7] [# 392515]
  • HDX Insight
    You cannot enable Appflow on a VPN application for which you have specified an expression from the drop-down list.
    [From Build 118.7] [# 391477]
  • HDX Insight
    The introduction displayed when you log in to a new NetScaler Insight Center appliance provides only Web Insight information. It does not provide information related to HDX Insight.
    [From Build 118.7] [# 387257]
  • Web Insight
    The "Page analysis" button is misplaced and not functional on the Dashboard > Web Insight > URL page.
    [From Build 118.7] [# 378652]
  • Web Insight
    In Configuration > Inventory > Application List page, the value of number of applications displayed and total number of applications can be incorrect.
    [From Build 118.7] [# 378044]
  • HDX Insight
    In the Dashboard > HDX Insight > Applications page, the "Total Session Launch count" displays an incorrect number of sessions launched.
    [From Build 118.7] [# 381522]
  • HDX Insight
    The text that is displayed on clicking the orange icon besides a metric does not accurately describe the licensing issue.
    [From Build 118.7] [# 388093]
  • During an ICA session, the NetScaler appliance fails to respond when it accesses an invalid memory location.
    [From Build 119.7] [# 405177]
  • During an ICA session, the NetScaler appliance fails to respond due to a NULL pointer access.
    [From Build 119.7] [# 403134, 403195, 404097, 405013, 408650]
  • The load time and render time metrics are not displayed for standard or enterprise licenses of NetScaler appliances.
    [From Build 119.7] [# 400900]
  • The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.
    [From Build 119.7] [# 400545]
  • The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
    [From Build 119.7] [# 400665, 405611]
  • You cannot add to the inventory an IP address that contains the number 255 in any octet.
    [From Build 119.7] [# 332854]
  • For an Active session, data is sent to the AppFlow collector even if the policy rule is changed to FALSE when the session is active.
    [From Build 120.13] [# 369664]
  • If the memory usage on the NetScaler Insight Center appliance reaches the maximum limit, the appliance fails to respond to further memory-allocation requests by other modules and becomes unresponsive.
    [From Build 120.13] [# 402458]
  • HDX Insight does not support XenApp versions earlier than 6.5.
    [From Build 120.13] [# 414844]
  • During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.
    [From Build 120.13] [# 408495, 410708]
  • NetScaler appliance may fail to respond when AppFlow is enabled on the NetScaler Insight Center and the user tries to access the XenApp/XenDesktop farm.
    [From Build 120.13] [# 413016]
  • In certain situations, the NetScaler appliance incorrectly interprets the compression buffer size negotiation between the client and the server, and enabling Appflow on the ICA connection causes the appliance to fail when the connection is used to launch an application or desktop. This problem most commonly occurs when a CloudBridge appliance or any WAN optimization device is placed between the client and the NetScaler appliance.
    [From Build 120.13] [# 402959, 413016, 413657, 414382, 419571]
  • On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
    [From Build 120.13] [# 397236]
  • On the "Dashboard > Users" page, the ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in updating the values.
    [From Build 120.13] [# 405818]
  • If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
    [From Build 120.13] [# 402727, 406388]
  • The Active App count in the left pane of the User Details page is not updated instantly.
    [From Build 120.13] [# 395022]
  • In a mixed XenApp/XenDesktop server farm, if the XenApp and XenDesktop versions are older than 6.5 and 5.0 respectively, the applications fail to launch because the NetScaler appliance incorrectly parses the ICA packets.
    [From Build 120.13] [# 411107]
  • In some situations, the NetScaler appliance fails after parsing ICA traffic incorrectly.
    [From Build 120.13] [# 413657]
  • If a CloudBridge appliance is placed between the client and a NetScaler appliance, and AppFlow is enabled for ICA traffic, the XenApp/XenDesktop applications fail to launch and the NetScaler appliance fails.
    [From Build 120.13] [# 415812]
  • The NetScaler appliance might fail if AppFlow is enabled and the user tries to access a XenApp/XenDesktop farm under certain network conditions that result in split data packets.
    [From Build 121.10] [# 414137, 410495]
  • In some cases, NetScaler Insight Center reports incorrect values for XenApp launch count.
    [From Build 121.10] [# 416889]
  • When you enable HDX Insight on a VPN server and try to launch an application from the XenApp server, the NetScaler appliance might fail as it copies the data to an invalid memory location.
    [From Build 121.10] [# 423840, 426203]
  • If the values for certain metrics are zero, the graphs display these values incorrectly.
    [From Build 122.17] [# 403665]
  • The "Total App Launch Count" is not displayed when you navigate to "Dashboard > HDX Insight > Gateways" and display the summary for a particular user.
    [From Build 122.17] [# 394613]
  • On the "Dashboard > HDX Insight > Users" page, the report for a specific user does not display data for the Total Application Launch count.
    [From Build 122.17] [# 398844]
  • Even when AppFlow is disabled for a virtual server, you can still clear the configurations on the NetScaler Insight Center by selecting "Clear AppFlow Configurations" from the "Action" list.
    [From Build 122.17] [# 399329]
  • In certain scenarios, if data sent from the XenApp server to the client receiver is delayed because of network congestion or increased network latency, the client re-transmits the ICA magic string, which causes the NetScaler Gateway to fail. This failure happens because the NetScaler Gateway was not expecting two packets containing the magic string.
    [From Build 123.11] [# 439088]
  • In certain scenarios, if data sent from the XenApp server to the client receiver is delayed because of network congestion or increased network latency, the client re-transmits the ICA magic string, which causes the NetScaler Gateway to fail. This failure happens because the NetScaler Gateway was not expecting two packets containing the magic string.
    [From Build 123.11] [# 437475, 441040, 454436, 456445, 459454, 459455, 465311]
  • The HDX Insight dashboard displays the host delay as server-side NetScaler delay.
    [From Build 123.11] [# 439992]
  • On the dashboard, the table that appears when you navigate to "HDX Insight > Gateways" might display a blank desktop name.
    [From Build 123.11] [# 424610]
  • If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.
    [From Build 123.11] [# 417415, 421148]
  • The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
    [From Build 123.11] [# 412129]
  • NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
    [From Build 123.11] [# 405849]
  • After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.
    [From Build 123.11] [# 405936]
  • On the "Dashboard > HDX Insight > Users" page, the line-graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
    [From Build 123.11] [# 397258]
  • If you move columns and refresh the page, the column ordering is sometimes reset to default.
    [From Build 124.13] [# 414155]
  • On the dashboard, the table that appears when you navigate to "HDX Insight > Gateways" might display a blank desktop name.
    [From Build 124.13] [# 424610]
  • The HDX Insight dashboard displays the host delay as server-side NetScaler delay.
    [From Build 124.13] [# 439992]
  • After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.
    [From Build 124.13] [# 346171, 333555]
  • On the Dashboard > Web Insight > Applications page, the report for a specific application does not display the client type and client version details.
    [From Build 126.12] [# 456449]
  • The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
    [From Build 126.12] [# 409885]
  • If a NetScaler ADC is deployed in transparent mode for HDX Insight, Citrix Receiver fails to launch the applications or desktops if use source IP (USIP) is enabled and use subnet IP (USNIP) is disabled.
    [From Build 126.12] [# 451609]
  • On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the "HTML Injection" box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
    [From Build 126.12] [# 401514]
  • If a NetScaler ADC is deployed in transparent mode for HDX Insight, Citrix Receiver fails to launch the applications or desktops if the appflow policy is not bound to a global bind point.
    [From Build 126.12] [# 452989]
  • On the dashboard, HDX Insight reports do not display the active sessions and also displays an incorrect value for session launch count.
    [From Build 126.12] [# 453764]
  • On the dashboard, when you navigate to Web Insight > Devices > (device record) and click HTTP Request Methods, HTTP Response Status, Operating Systems, or User Agents, and then from the breadcrumb navigation click Application in the respective drop-down list, the graph does not display any details.
    [From Build 127.10] [# 450474]
  • A memory corruption issue causes a NetScaler ADC with AppFlow for ICA enabled to fail.
    [From Build 128.8] [# 459668]
  • If you enable and then disable AppFlow on a NetScaler ADC, the ADC fails while sending the ICA AppFlow records.
    [From Build 128.8] [# 474159, 475853]
  • If you enable AppFlow for ICA traffic on a NetScaler ADC, the NetScaler ADC might fail because of an internal memory re-use and dependency issue.
    [From Build 128.8] [# 482748]
  • A NetScaler ADC fails when it receives ICA traffic from the Metro Receiver client.
    [From Build 129.22] [# 475981, 477602, 482413, 485138]
  • A NetScaler ADC fails when it receives ICA traffic from the Metro Receiver client.
    [From Build 129.22] [# 482413, 492160]
  • If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.
    [From Build 129.22] [# 486792]
  • The NetScaler ADC might fail if you enable AppFlow for ICA and access XenApp or XenDesktop through the Windows Receiver client.
    [From Build 130.13] [# 490680]
  • The NetScaler ADCs being monitored by NetScaler Insight Center might fail if, while ICA sessions are active, you enable AppFlow for ICA and then either clear the configuration or disable and re-enable AppFlow on NetScaler Insight Center.
    [From Build 130.13] [# 505985, 507879, 507882]
  • You cannot install an SSL certificate on a NetScaler Insight Center virtual appliance.
    [From Build 131.11] [# 541712]
  • The /var/mps/system_health directory is not created for Insight Center. As a result, the techsupport files are not created for Insight Center.
    [From Build 132.8] [# 494666]
  • You cannot install an SSL certificate on a NetScaler Insight Center virtual appliance.
    [From Build 132.8] [# 541712]
  • NetScaler appliance fails because of incorrect handling of HDX Insight's internal data structures. This may happen when HDX Insight skips parsing ICA data in certain error scenarios.
    [From Build 133.9] [# 551081, 580514, 589856]
  • NetScaler appliance fails because of incorrect handling of HDX Insight's internal data structures. This may happen when HDX Insight skips parsing ICA data in certain error scenarios.
    [From Build 133.9] [# 559043, 553185, 585888, 588152]
  • If you enable the Appflow feature, the NetScaler appliance might become unresponsive while processing ICA connections.
    [From Build 134.9] [# 584795]
  • If the AppFlow feature is enabled when Receiver for HTML5 1.6 is used to launch ICA applications and desktops, the NetScaler appliance might become unresponsive while processing ICA connections.
    [From Build 134.9] [# 596264, 605347]

NetScaler SDX Appliance

  • If the /var/mps/policy/mps_policy_backup.xml file is empty or corrupted, the appliance performs a core dump and the Management Service user interface is blank.
    [From Build 118.7] [# 385037]
  • If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.
    [From Build 119.7] [# 400409]
  • If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.
    [From Build 119.7] [# 400607]
  • If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the "VLAN Settings" page of NetScaler instance "Modify NetScaler Wizard".
    [From Build 120.13] [# 399972]
  • If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
    [From Build 120.13] [# 400502]
  • The SVM restore operation for NetScaler instances fails because the SVM shuts down NetScaler instances that are still being provisioned.
    [From Build 120.13] [# 405921]
  • SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.
    [From Build 120.13] [# 405115]
  • After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.
    [From Build 120.13] [# 410416, 444395]
  • When you display the running configuration of a NetScaler instance in the Service Management interface, double quotation marks (") are replaced with the HTML entity (&quot;).
    [From Build 121.10] [# 413123]
  • If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start after provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.
    [From Build 122.17] [# 424588]
  • If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.
    [From Build 122.17] [# 400651]
  • The SNMP responses do not conform to RFC 4001.
    [From Build 122.17] [# 420630]
  • The format of the APPFW CSRF TAG syslog message is not in the expected format. As a result, Command Center displays incorrect values, under AppFirewall Recent Logs, in some fields for this type of AppFirewall syslog message.
    [From Build 122.17] [# 414851]
  • Descriptors in the NetScaler SDX SNMP MIB file include underscore characters, which are invalid. Only alphanumeric characters are supported.
    [From Build 123.11] [# 430097]
  • Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.
    [From Build 123.11] [# 430449]
  • A NetScaler SDX appliance intermittently stops processing traffic on interfaces that are part of an LACP link aggregation interface that is transmitting a small amount of traffic.
    [From Build 123.11] [# 434738, 446641]
  • When viewing the built-in or custom reports on the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: NO DATA TO CHART.
    [From Build 123.11] [# 262505, 408110]
  • Deletion of a management channel from the Management Service might not always succeed.
    [From Build 123.11] [# 433054]
  • If you create an LACP channel with more than 8 member interfaces, or a static channel with more than 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".
    [From Build 123.11] [# 424630]
  • If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.
    [From Build 123.11] [# 431243]
  • If you apply a license after modifying the SVM host name, the license application might fail.
    [From Build 123.11] [# 431463]
  • After you create, modify or delete an LACP channel, one of the member interfaces might temporarily stop transmitting. The NetScaler instance might intermittently show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).
    [From Build 124.13] [# 370574, 431840, 442436]
  • If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
    [From Build 124.13] [# 399630]
  • If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
    [From Build 124.13] [# 396252]
  • On a NetScaler SDX appliance running Management Service version 10.1, build 119.7, manually initiated backup operations fail, and a User name missing error message appears.
    [From Build 125.9] [# 445598]
  • When you click on a NetScaler IP address in the SVM GUI, the NetScaler configuration utility opens without prompting for logon credentials. Log on is done through single sign on (SSO).
    [From Build 125.9] [# 456884]
  • If the administrative password for the Management Service contains an ampersand character (&), communication between Management Service and XenServer is affected, and errors occur during provisioning or modification of the instances.
    [From Build 125.9] [# 447773]
  • On NetScaler SDX appliance, the NetScaler instances do not start when the total number of interfaces and SSL cores is more than 26.
    [From Build 125.9] [# 446985]
  • The Management Service showed an incorrect alert for the power supply status, with the message "One of the two power supplies is not working."
    [From Build 126.12] [# 460376, 457317]
  • The local storage partition was configured as sda3 instead of sda4 in the disk configuration file for NSSDX-22000 and NSSDX-22000T systems. Installing the supplemental pack 100014 along with the latest release resolves the error in disk configuration file.
    [From Build 126.12] [# 455601]
  • If you are using the NetScaler SDX 8015/8400/8600 10G platform, no interfaces are shown in the interface list when an LACP channel is being created.
    [From Build 126.12] [# 460329]
  • If an appliance inventory is in progress while a channel is being created, the channel might be created on the VPX instance but not be visible from the SVM.
    [From Build 126.12] [# 449247]
  • When you click on a NetScaler IP address in the SVM GUI, the NetScaler configuration utility opens without prompting for logon credentials. Log on is done through single sign on (SSO).
    [From Build 126.12] [# 456884]
  • If an interface other than 0/1 and 0/2 is used for management on a VPX instance, and that interface is later made part of a channel created from the SVM, the channel is not pushed to that VPX instance, and manual steps are required to add it.
    A user can delete such a channel (made from data interfaces and used for VPX management) from the SVM, which leaves the VPX instance in an unmanageable state.
    [From Build 127.10] [# 456703]
  • Configuring an incorrect DNS IP address slowed internal communication between the Management Service and XenServer. With the current release, DNS lookup is ignored for internal communication.
    [From Build 127.10] [# 475099]
  • Management Service gives an error when an SDX administrator tries to bind a management channel while provisioning or modifying a NetScaler instance.
    [From Build 128.8] [# 463820, 480347]
  • If a management channel modify request is sent through NITRO and a data interface is included in the member interface list, the request succeeds and leaves the management channel in an inconsistent state.
    [From Build 128.8] [# 481835]
  • The backup of an SDX appliance was failing with an error "username missing". The root cause for this was that the migration from 9.3.x was failing because of duplicate database entries. Going forward, the Management Service will remove the duplicate database entries resulting in a successful migration.
    [From Build 128.8] [# 480054]
  • The NSIP modify action from the Management Service results in inconsistent state if the "Save Config" command from the Management Service to VPX takes a long time to respond. This happens because the connection might time-out. The issue has been fixed by increasing the time-out values.
    [From Build 128.8] [# 480581]
  • When an LACP channel is created, the interface MAC address is altered, and the new MAC address persists even after the unbind operation.
    [From Build 128.8] [# 482122]
  • Under the following conditions:
    1. A VLAN is present on XenServer on the management interfaces (normally ETH0 and ETH1 on most platforms),
    2. A management channel created from the Management Service is present on the SDX appliance, and
    3. A VPX instance is using this management channel,
    if the management channel is deleted from the Management Service, the VPX instance might still show the VLAN on its management interfaces after the deletion.
    [From Build 128.8] [# 482603]
  • A set operation on a channel might cause the channel MAC address to become zero on a VPX instance running on an SDX appliance.
    [From Build 128.8] [# 483430]
  • If a VPX instance is using interface A, and a channel is created on the Management Service using interface A and interface B, the channel should also be added to the VPX instance. However, if interface B is already shared to its maximum limit, that is, no free VFs are left on interface B, the channel is not added to the VPX instance.
    [From Build 128.8] [# 436286]
  • If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.
    [From Build 129.22] [# 432899, 435206]
  • In case of shared management of CPU in SDX, licenses fail to load on start-up sometimes if the management CPU is overloaded.
    [From Build 129.22] [# 473681]
  • After you unbind an interface from a channel, the interface drops packets sent to the individual interface.
    [From Build 129.22] [# 484194]
  • If the backup file contains more NetScaler instances than the applied license allows, restoring a single NetScaler instance fails with the error message "License does not allow more than x NetScaler instance".
    [From Build 129.22] [# 498440]
  • The installation of supplemental pack 100015 fails on NetScaler SDX 8200 10G appliances.
    [From Build 130.13] [# 502975]
  • Enhancement: 'lspci -vvvxxx' output is now logged to the SDX log at boot time. logrotate is used to keep the log data from the last 3 boots.
    [From Build 130.13] [# 507009]
  • In SDX NetScaler cluster, SDX management VLAN modifications are not allowed through cluster IP.
    [From Build 130.13] [# 469680]
  • On NetScaler SDX 8000 appliances, the Service Virtual Machine (SVM) might not detect the disk correctly, in which case it marks the status of the disk as down in system health monitoring. However, the provisioning of NetScaler VPX instances works as expected. This issue occurs in the following releases:
    - NetScaler 10.1 Build 129.11 or earlier
    - NetScaler 10.5 Build 52.11 or earlier
    [From Build 130.13] [# 488794, 497445, 504308]
  • In Management Service, the Tagall setting configured for channels under Management VLAN settings is not available on VPXs.
    [From Build 130.13] [# 506128]
  • The management interface of an SDX-8000/SDX-8200/SDX-8400 appliance might lose connectivity if the interface is connected to a CAT switch.
    [From Build 130.13] [# 470002, 460650, 484387, 504145, 505053]
  • The restore operation fails when a backup file from a newer version is restored on an older Management Service version.
    [From Build 130.13] [# 502428]
  • The installation of supplemental pack 100015 fails on NSSDX-8200 10G platforms. The root cause of failure is that the install script treats a warning as an error and aborts the installation.
    [From Build 130.13] [# 495614]
  • Some of the NICs might become unusable and might not be visible in the Management Service on SDX220XX and SDX241XX platforms running XenServer 6.1 Supplemental Pack 100016A.
    [From Build 131.11] [# 536844]
  • When a NetScaler VLAN with the tagged option for channels is selected, the native VLAN also gets tagged inside the NetScaler VPX instance for the channel.
    [From Build 131.11] [# 512624]
  • The NetScaler SDX appliance fails if it receives SNMP requests before system initialization.
    [From Build 131.11] [# 525871]
  • If a new SSL certificate that requires a key is installed without the key, access to the Management Service GUI is lost.
    [From Build 131.11] [# 440208]
  • When you provision the maximum possible number of VPX instances simultaneously from the Management Service, XenServer does not immediately report the correct amount of available memory, because there is a lag in reclaiming the memory. For this reason, you might get a "Not enough memory available" error even though the memory is available.
    [From Build 132.8] [# 525616]
  • Upgrading XenServer on a NetScaler SDX appliance to Revision 1 of XenServer 6.1 causes a loss of information about memory and CPU settings assigned to the control domain. As a result, a subsequent attempt to upgrade to XenServer 6.5 fails.
    [From Build 133.9] [# 578680]
  • On an SDX appliance, the Management Service might lose connectivity. The issue is seen only with a Management Service that has been in the UP state for many days (at least 277 days).
    [From Build 133.9] [# 444854, 487984, 496194, 506802, 547064, 547571, 549842]
  • If you have created channels on NetScaler SDX Appliance, the Management Service statistics process, svm_stat, may fail in some cases.
    [From Build 133.9] [# 570006]
  • On an SDX appliance, if a NetScaler instance is provisioned with more than 3.5 GB memory, the state of the interfaces might continuously change between UP and DOWN (flap) when the instance processes traffic.
    [From Build 134.9] [# 541222, 548301, 626380]
  • If there is an unclean shutdown (such as a system crash) of a VPX instance that has an additional virtual disk (40G), the additional disk (/dev/ad1) does not mount in /var/crash, so cores are not available after the failure.
    [From Build 134.9] [# 534767]

NetScaler VPX Appliance

  • In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might occur in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2
    [From Build 126.12] [# 326388]

Networking

  • For an IPv6 load balancing virtual server that belongs to a traffic domain, and for which the persistence is set as cookieinsert, the NetScaler appliance does not insert the correct cookie in its response.
    [From Build 118.7] [# 359348]
  • The Network Visualizer does not display the bound IP addresses of a configured VLAN.
    [From Build 119.7] [# 366321]
  • With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.
    [From Build 119.7] [# 402068]
  • The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.
    [From Build 119.7] [# 402123]
  • If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance might mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.
    [From Build 120.13] [# 404861]
  • When IP fragments are received on a load balancing virtual server on which the client timeout parameter is set to zero, the NetScaler appliance might dump core and then restart.
    [From Build 120.13] [# 405190]
  • The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.
    [From Build 120.13] [# 402123]
  • When the conditions specified in an ACL rule include the != operator, the NetScaler appliance might not properly filter packets based on the ACL rule.
    [From Build 120.13] [# 401303]
  • The NetScaler appliance might restart if it receives a duplicate IPv6 fragment within a very short time after receiving the original fragment.
    [From Build 121.10] [# 404849]
  • After unbinding a netprofile from a NetScaler Gateway virtual server, the netprofile cannot be removed from the NetScaler appliance.
    [From Build 122.17] [# 416941]
  • If you have configured a TFTP load balancing virtual server with persistency option enabled, the NetScaler appliance might become unresponsive when the virtual server receives some traffic.
    [From Build 123.11] [# 428819, 436289, 439158]
  • If you have configured an extended ACL without specifying the optional parameter "source IP address", high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
    [From Build 123.11] [# 424243, 430158, 438766]
  • If you have configured more than ten ICMP extended ACLs, high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
    [From Build 123.11] [# 408693]
  • The NetScaler appliance might become unresponsive when traffic from a TFTP server matches a RNAT rule configured on the appliance.
    [From Build 123.11] [# 431652, 454475]
  • When you reset a member interface of a LACP channel, Tx stalls might increment continuously.
    [From Build 123.11] [# 435697]
  • For a load balancing configuration in which an IPv6 virtual server is used to load balance IPv6 servers, if the NetScaler appliance processes the client's final ACK of the TCP handshake and the first data packets in the same IO cycle, the appliance might not forward the data packets to the server, causing the connection to fail.
    [From Build 124.13] [# 423856]
  • In a High Availability configuration, if you set the maxFlips, maxFlipTime, or syncvlan parameter of the set HA node command, the NetScaler ADC adds a duplicate entry of the add HA node command to the running configuration.
    [From Build 125.9] [# 449175]
  • On a NetScaler ADC configured for link load balancing with RNAT, access to external sites fails intermittently.
    [From Build 125.9] [# 448738, 453558]
  • In a high availability configuration in INC mode, net profile and IPset commands propagate to the secondary node.
    [From Build 126.12] [# 452434]
  • In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.x from build 122.17, 123.11, or 124.13.
    [From Build 126.12] [# 469033, 467726]
  • The NetScaler ADC might not remove the session information of an FTP connection from its memory while closing the connection. When the NetScaler ADC allocates the same memory block for a connection related to a UDP DNS service, the NetScaler ADC becomes unresponsive.
    [From Build 127.10] [# 448316]
  • If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.
    [From Build 127.10] [# 477507]
  • In a high availability (HA) configuration, the secondary node might forward BOOTP and DHCP related traffic using a configured VMAC address instead of the interface's MAC address.
    [From Build 127.10] [# 457119]
  • In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.x from build 122.17, 123.11, or 124.13.
    [From Build 127.10] [# 469033, 467726]
  • RNAT configuration might be lost in a NetScaler ADC after you restart it.
    [From Build 127.10] [# 475466, 475462, 486447]
  • The NetScaler appliance might consume excessive CPU cycles when processing ACL rules.
    [From Build 127.10] [# 438557]
  • The default speed for an LACP channel is set to NONE instead of AUTO.
    [From Build 128.8] [# 414407, 485512]
  • If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.
    [From Build 128.8] [# 477507]
  • On a NetScaler ADC, ND6 entries might get stuck in the INCOMPLETE state because of a synchronization mismatch among different internal modules. As a result, the NetScaler fails to serve traffic for that IPv6 address.
    [From Build 129.22] [# 480100, 483728]
  • The LACP channels of a NetScaler ADC might take around 7 minutes to become functional (UP state) after the NetScaler is restarted.
    [From Build 129.22] [# 475622]
  • In a high availability configuration, run-time information such as service states and load balancing persistence sessions might not propagate to the secondary.
    [From Build 129.22] [# 441062]
  • With more than 1000 IP tunnels configured on a NetScaler ADC, the internal data structure for these IP tunnels might not be updated for some events. This changes the status of these IP tunnels to the DOWN state.
    [From Build 129.22] [# 491473]
  • The NetScaler ADC drops IPv4 packets related to the following protocols:
    - IPv6 encapsulation (41)
    - Fragment Header for IPv6 (44)
    - ICMP for IPv6 (58)
    [From Build 129.22] [# 490190]
  • For a link load balancing with RNAT configuration, the NetScaler ADC might use an incorrect subnet IP (SNIP) address to communicate to the external devices.
    [From Build 129.22] [# 480621, 478048]
  • In a transparent cache redirection deployment, when a request is destined to a MAC address (say MAC-A) and the response for the request is sent from another MAC address (say MAC-B), the NetScaler ADC sends further requests to MAC-B. If MAC-B stops handling the requests, the session might get hung.
    [From Build 129.22] [# 460246]
  • The CPU usage might be approximately 10% higher in NetScaler 10.5 version as compared to NetScaler 9.3 version.
    [From Build 129.22] [# 432192]
  • In a CloudBridge connector tunnel, IKED packets might get routed back to the same NetScaler ADC instead of the peer tunnel end point.
    [From Build 129.22] [# 494875, 498447]
  • The NetScaler ADC might use a large number of CPU cycles when it receives a burst of GRE traffic that meets the following criteria:
    - The NetScaler ADC is not the GRE end point for this traffic.
    - The NetScaler ADC creates NAT session information for this traffic.
    [From Build 129.22] [# 480573]
  • For a link load balancing with RNAT configuration in which persistence is enabled for the virtual server, the NetScaler ADC might become unresponsive when the virtual server receives traffic.
    [From Build 129.22] [# 471651, 479882, 485831, 493232]
  • The NetScaler ADC might fail to evaluate listen policies containing a source or destination IPv6 address/subnet for certain IPv6 addresses.
    [From Build 129.22] [# 496564]
  • In a high availability (HA) configuration, VMAC configuration might be lost when continuous HA failover happens.
    [From Build 129.22] [# 477402]
  • If you disable the TCP Proxy parameter while creating a Reverse Network Address Translation (RNAT) rule on a multi-core NetScaler ADC, the NAT operation fails.
    [From Build 130.13] [# 508631, 509453]
  • The NetScaler ADC might become unresponsive when ICMP error packets match a forwarding session rule.
    [From Build 130.13] [# 502213, 512248]
  • The NetScaler ADC might not update its bridge and ARP tables with the information received from GARP messages.
    [From Build 130.13] [# 497277]
  • With MAC based forwarding (MBF) enabled, the NetScaler ADC does not update Layer 2 information such as MAC address, interface ID, and VLAN ID, for a dynamic service even when the associated router is inactive. As a result, the router drops the packets destined to the IP address specified by the dynamic service.
    [From Build 130.13] [# 490341]
  • Old or stale OSPF LSAs might exist after a warm restart, or a restart after a power failure, resulting in a triple flip.
    [From Build 130.13] [# 441005]
  • For a load balancing server configured on a non-default traffic domain, modifying the IP address of the server also changes the name of the server.
    [From Build 130.13] [# 496237]
  • An Access Control List (ACL) rule specifying the TCP protocol and the Established option might not get evaluated if another ACL rule with a higher priority also specifies TCP.
    [From Build 130.13] [# 510173]
  • In a high availability (HA) configuration, ACL rules that are configured to block SSH related packets also block HA file synchronization that internally uses the SSH protocol.
    [From Build 131.11] [# 438901]
  • If you bind an interface with a unit number greater than 31 to a VLAN that is used as a Sync VLAN in an HA configuration, the Sync VLAN stops working.
    [From Build 131.11] [# 507345]
  • In an active-active configuration, services bound to the backup VIP addresses do not send monitor probes to the associated servers.
    [From Build 131.11] [# 355965, 485260]
  • Upon receiving Generic Routing Encapsulation (GRE) packets as IP fragments on a virtual server with protocol ANY, the NetScaler ADC fails and restarts. This occurs only when you do not explicitly configure a GRE tunnel on the NetScaler ADC.
    [From Build 131.11] [# 522538]
  • An ACL6 rule might not get evaluated for a series of TCP packets.
    [From Build 131.11] [# 528554]
  • In an active-active configuration with the sendToMaster parameter enabled, the backup nodes might not forward packets to the master node.
    [From Build 132.8] [# 554336]
  • Blocking Traffic on Internal Ports
    The NetScaler appliance does not block traffic that matches an ACL rule if the traffic is destined to the appliance's NSIP address, or one of its SNIP addresses, and a port in the 3008-3011 range.
    This behavior is now specified by the default setting of the new Implicit ACL Allow (implicitACLAllow) parameter (of the L3 param command). You can disable this parameter if you want to block traffic to ports in the 3008-3011 range. An appliance in a high availability configuration makes an exception for its partner (primary or secondary) node. It does not block traffic from that node.
    To disable or enable this parameter by using the command line interface
    At the command prompt, type:
    > set l3param -implicitACLAllow [ENABLED|DISABLED]
    Note: The parameter implicitACLAllow is enabled by default.
    Example
    > set l3param -implicitACLAllow DISABLED
    Done
    [From Build 132.8] [# 529317]
  • An active FTP connection might get reset for no apparent reason, regardless of the state of the random source port.
    [From Build 132.8] [# 507908]
  • A PBR6 rule might not get evaluated if you set the operator option to NEQ (!=) for source and destination IPv6 addresses.
    [From Build 133.9] [# 575906]
  • An attempt to access the configuration utility might fail if the logon address is an IPv6 address.
    [From Build 133.9] [# 553588]
  • If you have configured an INAT rule in which the private IP address is set to a virtual IP address, the rule is removed after you restart the NetScaler appliance.
    [From Build 133.9] [# 556632]
  • TFTP monitor probes might fail with the error “Probe Timed out.”
    [From Build 133.9] [# 578663]
  • If the IPv6 routes change, the IPv6-IPv6 tunnel's encapsulation IP addresses are not obtained from the latest route information. As a result, the tunnels use old encapsulation IP addresses to encapsulate packets.
    [From Build 133.9] [# 564252]
  • Both appliances in a NetScaler HA setup might become unresponsive or fail if you modify or remove two or more ACL/ACL6 rules on the primary node and then force synchronization on the secondary node without applying the ACLs on the primary node.
    [From Build 133.9] [# 576810, 545920, 575433]
  • An ACL6 rule might not get evaluated if you set the operator option to NEQ (!=) for source and destination IPv6 addresses.
    [From Build 133.9] [# 573516]
  • For extended ACL rules that are associated in NAT configurations (for example, RNAT rules, Large Scale NAT configurations), the configuration utility displays the TCP established parameter as enabled for these ACL rules.
    [From Build 134.9] [# 597458]
  • For a sessionless virtual server configuration, the NetScaler appliance might forward packets for an incoming connection without changing their source MAC address with the MAC address of one of its interfaces. As a result, the connection fails.
    [From Build 134.9] [# 603477, 583499]
  • On a NetScaler appliance, connections might get reset between routing processes. As a result, the dynamic routes are occasionally deleted and added back.
    [From Build 134.9] [# 599306]
  • If an IPv6 virtual server with persistency enabled is removed from a traffic domain, the traffic domain information for the existing persistency sessions is lost, and the NetScaler appliance hosting the virtual server becomes unresponsive.
    [From Build 134.9] [# 608558]
  • For backend TCP connections, a NetScaler appliance might allocate the subnet IP address and port of an active connection to a new connection. As a result, the new TCP connection fails.
    [From Build 134.9] [# 613454]
  • The NetScaler appliance does not retain the entire 64 bit ID of IPv6 fragments of a session. As a result, the session might fail.
    [From Build 134.9] [# 614042]
  • If a connection matches a RNAT rule, the NetScaler appliance probes for the existence of the destination server before processing the connection based on the RNAT rule. The connection that is used for probing is sometimes left idle on the appliance and a new connection is opened once the client connection is successfully established. This probe connection stays idle for the configured idle timeout (2.5 hours) thus holding up resources on the server.
    Now, these probe connections are flushed within a minute if they remain idle.
    [From Build 134.9] [# 588694, 588551]
  • In a high availability configuration, when the connection between primary and secondary goes down and comes up again, the secondary node receives HA INIT request from the primary node and it terminates all BGP connections.
    [From Build 134.9] [# 588509]
  • An active FTP connection might get reset for no apparent reason, regardless of the state of the random source port.
    [From Build 134.9] [# 507908, 609496, 611357, 615638]
  • If you configure a PBR rule for the ICMP protocol, and the "forwardicmpfragments" L3 parameter is enabled, the NetScaler appliance might become unresponsive.
    [From Build 134.9] [# 575476]

Platform

  • The NetScaler hardware might sometimes report incorrect values for system health counters. The health counters are read over the SMBus, which is prone to reporting wrong or zero values.
    [From Build 118.7] [# 373125]
  • In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
    [From Build 118.7] [# 360223, 363330, 368513, 374726, 376201, 383863, 385560, 387301, 388487, 392958, 396159, 417578, 426783, 456228]
  • The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the "set ns hostname" command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.
    [From Build 120.13] [# 409202]
  • NetScaler does not display the correct daylight savings time for Israel.
    [From Build 123.11] [# 428562]
  • On the MPX 22040/22060/22080/22100/22120 appliance, if the 10G ports are not populated, the appliance takes about 20 minutes to finish the restart process.
    [From Build 123.11] [# 432687]
  • With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:
    - Release 10.1 starting build 112.15 or later
    - Release 10 build 74 or later
    - Release 9.3 build 62.4 or later
    - Release 9.3.e build 59.5003.e or later
    [From Build 123.11] [# 410251]
  • If you try to form a cluster of MPX 22040, MPX 22060, MPX 22080, MPX 22100, and MPX 22120 appliances, the appliance on which you issue the "join cluster" command performs a core dump and restarts. As a result, that appliance is not added to the cluster.
    [From Build 124.13] [# 435200]
  • The MPX 11515/11520/11530/11540/11542 platform now supports NetScaler release 9.3 build 65.x.
    [From Build 124.13] [# 395280]
  • The MPX 22040/22060/22080/22100/22120 platform now supports NetScaler release 9.3 build 65.x.
    [From Build 128.8] [# 311561]
  • For NetScaler platforms that have Small Form-factor Pluggable (SFP) transceivers, with part number FTLF8519P3BNL, the bootup log files show that the SFPs are unsupported, even though they are functioning properly. This issue occurs in the following releases:
    - NetScaler 9.3 Build 67.5 or earlier
    - NetScaler 10.1 Build 129.11 or earlier
    - NetScaler 10.5 Build 52.11 or earlier
    [From Build 129.22] [# 501834]
  • NetScaler supports Multi-PE for Hyper-V.
    [From Build 130.13] [# 484123]
  • On a NetScaler ADC that has a Small Form-factor Pluggable (SFP) interface with part number FTLF8519P2BNL, disabling this interface might not disable the interface of the peer device.
    [From Build 130.13] [# 487169]
  • NetScaler VPX instances running on Xen Server might consume a high percentage of CPU cycles while processing 1G traffic.
    [From Build 130.13] [# 498929]
  • On NetScaler MPX 22040/22060/22080/22100/22120 and ByteMobile T1200 appliances, SNMP based alarms are supported only for the first two power supplies.
    [From Build 131.11] [# 525360]
  • The user interfaces (command line and configuration utility) of a NetScaler instance running on an SDX appliance do not display the actual state of the management ports.
    [From Build 131.11] [# 251216, 302381]
  • NetScaler VPX instances running on VMware ESXi lose network connectivity when you apply either of the following patches:
    - ESXi550-201410401-BG
    - ESXi510-201410401-BG
    [From Build 131.11] [# 510673, 517241, 538267]
  • If you have a cluster setup of NetScaler MPX 8005/8015/8200/8400/8600/8800 appliances, time synchronization among the cluster nodes might fail.
    [From Build 133.9] [# 356564, 566811]
  • The MPX 25100T and MPX 25160T platforms are now supported in this release. For more information about these platforms, see http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10-con/ns-hardware-platforms-con/ns-hardware-25100T-25160T-ref.html.
    [From Build 133.9] [# 486703, 495591, 552218]
  • The MPX 25100T and MPX 25160T platforms are now supported in this release. For more information about these platforms, see http://docs.citrix.com/en-us/netscaler/10-1/ns-gen-hardware-wrapper-10-con/ns-hardware-platforms-con/ns-hardware-25100T-25160T-ref.html.
    [From Build 134.9] [# 486703, 495591, 552218]
  • Support for New Hardware Platforms
    The T1120 and T1300-40G platforms with NIC firmware 4.53 are now supported.
    Note: T1300-40G platform with NIC firmware 4.26 is backward compatible.
    [From Build 135.08] [# 593888]

Policies

  • If an HTTP callout is configured with a virtual server that has a wildcard port, the NetScaler appliance fails to respond the first time the callout is triggered.
    [From Build 119.7] [# 391238]
  • When a filter policy is globally bound to a NetScaler, application firewall or compression or authorization policies that are bound to a content switching virtual server are not saved in the running configuration. However, these bindings are displayed when you run the "show cs vserver" command.
    [From Build 122.17] [# 410624]
  • After upgrading to NetScaler 10.1, policies that were globally bound to the NetScaler are also being bound at a virtual server level.
    [From Build 122.17] [# 429232]
  • The NetScaler appliance might fail to respond if a policy of the form HTTP.REQ.BODY(n).AFTER_STR(target-string) has a large value for "n" (for example, 40000) and the appliance receives large requests in combination with requests that have no content length.
    [From Build 123.11] [# 417071, 423206]
  • The NetScaler appliance may fail to respond if it does not have sufficient memory during the execution of an XML_DECRYPT function in a policy expression.
    [From Build 124.13] [# 414552, 429079]
  • A memory leak in the XML_DECRYPT() policy function can consume all NetScaler memory, making it unavailable for other operations.
    [From Build 124.13] [# 442807]
  • Error messages displayed during policy binding are shown as hexadecimal code instead of the corresponding warning message.
    [From Build 125.9] [# 430148]
  • After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
    [From Build 129.22] [# 425465]
  • Using the "SYS.CHECK_LIMIT" expression in conjunction with any boolean expression can cause the NetScaler to crash.
    [From Build 129.22] [# 493045]
  • The maximum value of the RelayState attribute that can be sent with the assertion that NetScaler sends is increased to 512 bytes. This applies to cases where the administrator configures a traffic policy to send assertion to a relying party.
    [From Build 129.22] [# 473721]
  • Rewrite policy bindings to virtual servers can be lost when you upgrade the NetScaler firmware to version 10.1.128.11. If the rewrite policy is bound to a load balancing virtual server, the policy bindings are not displayed as part of the server configuration, but they are saved when the user saves the configuration. If the rewrite policy is bound to a content switching virtual server, the policy bindings are lost when the user saves the configuration.
    [From Build 130.13] [# 508510, 513724, 517150, 518535, 519945]
  • The NetScaler appliance can crash or the data can get corrupted when the URL (or other string) satisfies the following criteria:
    - Length is more than 1300 bytes (800 bytes for HTML_XML_SAFE).
    - Has at least one unsafe character.
    - A significant initial part of the string does not need encoding (or some smaller initial part of the string does not need encoding and there are lots of characters needing encoding)
    - One of the following functions is used on the string in the expression:
    * HTTP_URL_SAFE - unsafe characters are not allowed. Safe characters are: a-z, A-Z, 0-9, "-", "_", ".", "!", "~", "*", "'", "(", ")", ";", ":", "@", "?", "=", "$", "%", "&", "+", ",", "/".
    * HTTP_HEADER_SAFE - new line ('\n') characters are unsafe.
    * HTML_XML_SAFE - unsafe characters are '<', '>' and '&'.
    * APPEND_QUERY_PARAMETER - same as HTTP_URL_SAFE
    [From Build 130.13] [# 506761, 519776]
  • If packet tracing is configured with a default-syntax expression, non-TCP traffic is being processed, and a rewrite action is applied to an HTTP chunked message, the rewritten data might be incorrect or the NetScaler appliance might crash.
    [From Build 134.9] [# 598465]
  • Under certain conditions, a NetScaler appliance does not insert an X-Forwarded-For field in the HTTP header for HTTP CONNECT requests that are forwarded to the server.
    [From Build 134.9] [# 605089]
  • Some IP based expressions might not work for IP addresses whose first octet is 128 or greater (128.x.x.x - 254.x.x.x).
    The following expressions are not impacted:
    - EQ, IN_SUBNET, IS_IPV6, GET1, GET2, GET3, GET4, MATCHES, MATCHES_LOCATION, APPEND, TYPECAST_TEXT_T, TYPECAST_IPv6_ADDRESS_AT
    The following expressions do not work:
    - GT, GE, LT, LE, BETWEEN, NE, ADD, SUB, MUL, DIV, MOD, NEG, BITAND, BITOR, BITXOR, BITNEG, LSHIFT, RSHIFT, TYPECAST_TIME_AT, TYPECAST_IP_ADDRESS_AT, TYPECAST_DOUBLE_AT, TYPECAST_UNSIGNED_LONG_AT, WEEKDAY_STRING, WEEKDAY_STRING_SHORT, SIGNED8_STRING, UNSIGNED8_STRING, SIGNED16_STRING, UNSIGNED16_STRING, SIGNED32_STRING
    [From Build 134.9] [# 534244]

Policy

  • The default SSL virtual server configurations are disturbed if HTTP callouts are configured on the NetScaler appliance.
    [From Build 132.8] [# 551626]
  • A NetScaler appliance that has a rewrite policy configured becomes unresponsive if all of the following conditions are met:
    1. The rewrite action type is either "replace" or "insert_after".
    2. The HTTP response does not have the content-length header.
    3. The body of the HTTP response is split into multiple TCP packets with different TCP packets arriving with some time delay. This causes the policy rewrite engine to pause and resume the packet processing.
    4. The string specified in the rewrite action is present in the last packet of the HTTP response.
    [From Build 132.8] [# 554460]

Rewrite

  • Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.
    [From Build 120.13] [# 401455]
  • On a NetScaler appliance with Rewrite enabled and configured, a newly-created Rewrite policy that is bound to a content-switching virtual server might not be saved either in the running configuration or in the saved configuration.
    [From Build 122.17] [# 418252]

SNMP

  • A new SNMP alarm, vridStateChange, indicates the change of the state of a VRID from backup to master in an active-active configuration. The NetScaler appliance in which the state of a VRID changes to master sends a trap message for each VIP address bound to that VRID to the configured SNMP managers, indicating that the NetScaler appliance is currently serving traffic for a particular VIP address bound to that VRID. If no VIP addresses are bound to that VRID, the appliance does not send any trap messages.
    [From Build 118.7] [# 246215]
  • SNMPD fails to respond if it receives a packet with a NULL community string.
    [From Build 121.10] [# 413733, 413871, 421055, 468830]
  • SNMPD fails to respond if it receives a packet with a NULL community string.
    [From Build 122.17] [# 413733, 413871, 421055, 468830]
  • Net-SNMP does not handle the endOfMibView condition properly if the value of max-repetition is set to zero. As a result, memory allocation fails and the SNMP daemon fails to respond.
    [From Build 123.11] [# 435520, 438590]
  • The aggregateBWUseHigh and aggregateBWUseNormal SNMP traps are frequently generated even though the bandwidth is less than the set value for the alarm.
    [From Build 125.9] [# 407594]

SPDY

  • The NetScaler appliance sometimes fails when a TCP connection is closed from a SPDY client while some streams are still active.
    [From Build 122.17] [# 406948, 405903, 429211, 432515]
  • The Next Protocol Negotiation (NPN) TLS extension cannot be explicitly enabled or disabled. It is automatically enabled when SPDY is enabled on an HTTP profile, and disabled when SPDY is disabled.
    [From Build 127.10] [# 460918, 474003]

SSL

  • In some cases, parsing an incorrectly formatted client certificate might take more than a few seconds. The delay can trigger the monitoring logic to terminate the process and restart the appliance.
    [From Build 118.7] [# 392683, 257157, 392686, 392996]
  • In the NetScaler configuration utility, the "FipsKey" parameter does not appear in the "Install certificate" dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.
    [From Build 119.7] [# 400649]
  • An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.
    [From Build 119.7] [# 400084]
  • If an entity is added as part of an interactive SSL certificate operation on the command line and the operation is aborted partway through with CTRL+C, repeating the same operation causes the NetScaler command line to crash.
    [From Build 121.10] [# 408393]
  • If a malformed packet is received from a client, the NetScaler appliance closes the connection and releases the resources used for that connection to the common pool. In some cases, some of these resources are not cleaned before returning to the pool and a bad resource might be reused for a future request. In such cases, the SSL handshake for that future request fails.
    [From Build 122.17] [# 423905, 418100, 430942]
  • If you create a certificate revocation list (CRL), enable refresh, and specify the method as HTTP or LDAP, CRL refresh does not happen.
    [From Build 123.11] [# 434737]
  • If the SSL handshake uses the TLSv1.1 or TLSv1.2 protocol and you have bound an RC4 cipher to the SSL virtual server, downloading a large file might take an unusually long time.
    [From Build 123.11] [# 432375]
  • If a client sends a certain type of malformed message, which can make uninitialized resources available for subsequent handshakes, an SSL handshake that uses one of those resources causes a memory leak.
    [From Build 123.11] [# 431919]
  • If you upgrade to this build, the number of SSL chips for which the status is shown as UP on an MPX 21550 platform with 36 chips is less than the actual number of chips that are UP. This is only a reporting issue.
    [From Build 123.11] [# 235990]
  • On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
    [From Build 124.13] [# 345883]
  • If you add a certificate revocation list (CRL) with refresh enabled, the appliance might perform a core dump and restart.
    [From Build 125.9] [# 436205, 411462, 436185]
  • In a high availability setup, the force ha sync command appends the DEFAULT cipher group to the user-defined ciphers on the virtual server of the secondary node.
    [From Build 126.12] [# 451698, 446674, 452080]
  • On a Nitrox-2 chip based platform, if you bind cipher groups, such as HIGH and AES, to your virtual server, the unsupported ECDHE cipher might also be bound. This cipher does not cause any problems. To remove it, you must unbind the cipher group.
    [From Build 126.12] [# 437018]
  • If you use the configuration utility to configure FIPS appliances in a high availability setup, FIPS keys are not exported or imported between the nodes, because the option to enable secure information management (SIM) is not available.
    [From Build 127.10] [# 459688, 446760]
  • The version displayed in syslog is SSLv2.0 even though the session is negotiated using TLSv1.2.
    [From Build 128.8] [# 474417, 474413]
  • In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.
    [From Build 128.8] [# 414388, 345883, 349858, 428257, 428259]
  • On all the NetScaler MPX platforms, DH cryptographic operation is now offloaded to the hardware, reducing the load on the CPU. If your deployment uses DH crypto operations heavily, you will notice a performance improvement.
    [From Build 129.22] [# 490273, 378182, 404081]
  • If a spike in traffic occurs while the NetScaler ADC is doing a DH-based handshake, some packets might be dropped, because a DH handshake consumes a high number of CPU cycles.
    [From Build 129.22] [# 484525]
  • If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.
    [From Build 130.13] [# 494093, 485932, 492191, 492797, 497321]
  • In a setup with a large number of virtual servers, if only a few virtual servers receive most of the traffic while the other virtual servers are idle, there might be a delay in cleaning up the sessions.
    [From Build 130.13] [# 492087, 510038, 510483]
  • On all NetScaler appliances except MPX 5500 and MPX 5550/5650/5750 appliances, if both the rate of new SSL connections and the percentage of SSL session reuse are high, SSL session buildup causes high usage of memory. If the result is a memory allocation failure, SSL traffic is dropped.
    [From Build 132.8] [# 532136, 525686, 531207, 539902, 547350, 548697, 559753, 561598, 563485, 569063]
  • If you run the "update ssl certkey" command to modify the certificate-key pair that is bound to a service group, a duplicate entry is seen for the same certificate key pair in the running configuration.
    [From Build 132.8] [# 550138, 552436, 552701]
  • In a NetScaler cluster setup, if you add a certificate-key pair with a subject name greater than 64 characters, and later add more certificate-key files, the addition fails with the "No such certificate file exists" error even though the certificate-key pair key file is present on all cluster nodes.
    [From Build 133.9] [# 554917]
  • In some cases, when client authentication is enabled, incorrect data from a client leads to a memory leak on the NetScaler appliance. If a large number of clients send incorrect data, the appliance fails.
    [From Build 133.9] [# 570754]
  • If application data is received during an SSL renegotiation handshake, the appliance sends a RST flag.
    [From Build 133.9] [# 542034]
  • If you have a large number of SSL services (greater than 3000) in the backend, CPU usage increases exponentially and the appliance fails.
    [From Build 134.9] [# 581193]
  • If you bind a secure monitor to a service, such as SSL_BRIDGE, that does not allow SSL configuration, the default settings are used. The default SSL version sent in the SSL handshake record header is SSLv3.
    Contact Citrix support if you want to disable SSLv3 and use the next higher protocol.
    [From Build 134.9] [# 584424]
  • If you downgrade a NetScaler appliance that does not have a license to release 9.3 build 61.66 or earlier, some commands related to the default server certificate might not be saved in the running configuration. As a result, after a restart, secure access (HTTPS) to the appliance fails.
    [From Build 134.9] [# 551603, 559154]
  • 2048-bit Default Certificates on the NetScaler VPX Instance
    You no longer need a license on your VPX instance to generate a 2048-bit default certificate. After upgrading your VPX instance to release 11.0, if you want to replace the old internal default 512-bit certificate, delete all your old certificate-key pairs that have "ns-" as the first three characters, and then restart the instance to automatically generate a 2048-bit default certificate.
    [From Build 134.9] [# 451441, 405363, 458905, 465280, 540467, 547106, 551603, 559154, 584335, 588128]
  • If you have configured optional client-certificate authentication and your policies target client certificate x509 extensions, such as auth keyid, a transaction with a client that doesn't have a certificate might cause the appliance to fail or to use stale values from a previous transaction.
    [From Build 134.9] [# 593091, 632016]
  • An incoming SSL record that spans more than 256 TCP packets and contains TCP header options causes memory corruption in the Cavium command buffer structure. As a result, the NetScaler appliance fails.
    [From Build 134.9] [# 573904, 583295, 590222, 606399]
  • Even though SSL renegotiation is set to deny (that is, denySSLReneg is set to ALL), the server responds with the "server reneg" extension in the initial SSL handshake.
    [From Build 135.09] [# 559082]
  • An SSL handshake fails if a client hello includes an ECC extension but the NetScaler appliance does not support any of the ECDHE ciphers in the cipher list sent by the client. The handshake fails even if the list contains some non-ECDHE ciphers that are supported.
    [From Build 135.10] [# 668239]
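
  Several of the SSL entries above hinge on what a client or server hello carries on the wire: the record-layer version a secure monitor sends (584424), the NPN extension that Chrome sent by default (400084), an ECC extension offered alongside ECDHE ciphers the appliance does not support (668239), and the renegotiation_info extension in the initial handshake (559082). The following Python script is an added example, not NetScaler code: it builds and parses minimal ClientHello and ServerHello records and reports those properties so a capture can be checked against the entries. The cipher suite and extension numbers are IANA values; the supported_suites set passed to assess is an assumed appliance cipher list, and the hello the script builds is constructed sample data.

```python
import struct

# Extension type numbers from the IANA TLS ExtensionType registry; NPN was never
# assigned and used the draft value 13172 (0x3374).
EXT_SUPPORTED_GROUPS = 0x000A      # "elliptic_curves" in RFC 4492
EXT_EC_POINT_FORMATS = 0x000B
EXT_NPN = 0x3374                   # next_protocol_negotiation (draft)
EXT_RENEGOTIATION_INFO = 0xFF01    # RFC 5746

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# A handful of IANA cipher suite IDs, enough to tell ECDHE suites from the rest.
ECDHE_SUITES = {0xC013, 0xC014, 0xC027, 0xC028, 0xC02B, 0xC02C, 0xC02F, 0xC030}


def build_hello(hs_type, version, suites, extensions, record_version=None):
    """Serialise a minimal ClientHello (hs_type 1) or ServerHello (hs_type 2).

    The Random field is all zeros and the session id is empty: constructed
    sample data, not a capture. record_version lets the record-layer version
    differ from the handshake version, as in the secure-monitor entry above.
    """
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    if hs_type == 1:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # suites, null compression
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"            # chosen suite, null compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    rec_ver = version if record_version is None else record_version
    return struct.pack("!BHH", 22, rec_ver, len(handshake)) + handshake


def parse_hello(record):
    """Parse one TLS record holding a ClientHello or ServerHello into a dict."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # skip Random
    pos += 1 + body[pos]              # skip session id
    if hs_type == 1:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]          # skip compression methods
    elif hs_type == 2:
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
        pos += 3                      # chosen suite plus compression method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    extensions = {}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"type": hs_type, "record_version": rec_ver, "version": version,
            "suites": suites, "extensions": extensions}


def assess(hello, supported_suites):
    """Report the properties the SSL entries above hinge on.

    supported_suites is an assumed appliance cipher list (the real list depends
    on the platform and the bound cipher groups).
    """
    exts = hello["extensions"]
    common = [s for s in hello["suites"] if s in supported_suites]
    ecc_ext = EXT_SUPPORTED_GROUPS in exts or EXT_EC_POINT_FORMATS in exts
    return {
        "record_version": VERSION_NAMES.get(hello["record_version"], hex(hello["record_version"])),
        "version": VERSION_NAMES.get(hello["version"], hex(hello["version"])),
        "npn": EXT_NPN in exts,
        "renegotiation_info": EXT_RENEGOTIATION_INFO in exts,
        # The 668239 condition: ECC extension offered, no ECDHE suite in common,
        # but at least one non-ECDHE suite in common that should have been usable.
        "ecc_without_common_ecdhe": (ecc_ext
                                     and not any(s in ECDHE_SUITES for s in common)
                                     and any(s not in ECDHE_SUITES for s in common)),
    }


if __name__ == "__main__":
    # A ClientHello with an SSLv3 record header, a TLSv1.2 body, one ECDHE and two RSA
    # suites, the elliptic_curves extension (secp256r1, secp384r1) and an empty NPN extension.
    hello = build_hello(1, 0x0303, [0xC02F, 0x002F, 0x0035],
                        {EXT_SUPPORTED_GROUPS: b"\x00\x04\x00\x17\x00\x18", EXT_NPN: b""},
                        record_version=0x0300)
    print(assess(parse_hello(hello), {0x002F, 0x0035, 0xC013}))
```

  Feed parse_hello the bytes of the first TLS record of a captured connection (for example, the payload of a monitor probe) to see whether the record header says SSLv3 while the handshake body says TLSv1.2, as the 584424 entry describes, or whether a ServerHello still carries renegotiation_info when denySSLReneg is set to ALL.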

SureConnect

  • SureConnect (SC) should be enabled on one entity. If you enable SC or configure SC policies on a load balancing virtual server, do not enable SC on any of the services or service groups that are bound to this virtual server. Doing so can result in configuration loss during reboot or lead to inconsistent configuration across an HA pair.
    [From Build 132.8] [# 526782]

System

  • When selective acknowledgement (SACK) and partial buffering are enabled on the appliance, acknowledgements with incorrect TCP checksum are forwarded to the server.
    [From Build 118.7] [# 384153]
  • The NetScaler appliance wrongly advertises TCP buffer size to the client side when dynamic windows management is enabled and the service-side buffer size is larger than 40k. This problem occurs when two different TCP profiles are bound to the virtual server (buffer size is 8k) and to the service (buffer size > 40k). It causes failure when the appliance is uploading files.
    [From Build 118.7] [# 392293]
  • If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.
    [From Build 119.7] [# 404094]
  • The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.
    [From Build 119.7] [# 394724, 411601]
  • SNMP returns incorrect values for the "ifOutOctets" and "ifInOctets" counters.
    [From Build 119.7] [# 390257]
  • The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.
    [From Build 119.7] [# 395735, 401437, 406759, 407288]
  • If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
    [From Build 120.13] [# 401111, 375425, 399769, 408267, 408648, 413721, 414273, 424726, 460731]
  • A session is not freed when port allocation fails. The stale session is later matched, and the NetScaler fails when it tries to access linked sessions that are NULL.
    [From Build 120.13] [# 407974, 421716]
  • Stat-command output specified with the "fullValues" parameter is aligned incorrectly.
    [From Build 120.13] [# 391632]
  • When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manager with that name already exists.
    [From Build 120.13] [# 353546]
  • On a NetScaler MPX system, the SNMP count for the appliance's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.
    [From Build 120.13] [# 391754]
  • The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.
    [From Build 120.13] [# 402677, 406353, 408800, 411332, 412960, 426506, 441788]
  • Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.
    [From Build 120.13] [# 407868]
  • If, from a management computer, you run a command that forms a request size of more than 8000 bytes, the NetScaler ADC might not properly buffer this large request. As a result, the ADC terminates the connection to the management computer.
    [From Build 120.13] [# 423610, 436854]
  • The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.
    [From Build 121.10] [# 411613, 414137, 436849, 444308]
  • TCP buffering is bypassed because the calculated 'usable system memory' is less than the configured threshold value.
    [From Build 121.10] [# 405532, 423815, 434383]
  • If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
    [From Build 121.10] [# 375425]
  • If you specify an invalid IPv4 address in a command that can accept either an IPv4 or an IPv6 address, the NetScaler shell exits automatically because of memory corruption.
    [From Build 121.10] [# 415623, 247585, 327131, 384988]
  • In a high availability setup, after a forced failover, the sync operation fails to sync the -establishClientConnection parameter setting.
    [From Build 121.10] [# 216272, 220771]
  • If changes are made in the nsconfig/resolv.conf file, the appliance fails to override the default DNS configurations.
    [From Build 121.10] [# 412681]
  • On a NetScaler appliance, an invalid HTTP range request results in a large amount of memory usage and the following error appears: "ERROR: Communication error with the packet engine."
    [From Build 121.10] [# 401526]
  • When the NetScaler appliance receives invalid Selective Acknowledgment (SACK) blocks from the client, it attempts to send old data that has already been cleared. As a result, the appliance stops responding.
    [From Build 122.17] [# 419553, 423433, 426506, 428155]
  • The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.
    [From Build 122.17] [# 417793, 421214, 421329, 423099]
  • The NetScaler appliance does not forward the complete request to the server if the request requires more than one packet. As a result, the transaction fails.
    [From Build 122.17] [# 420781]
  • The NetScaler appliance intermittently resets TCP connections that originate from the NetScaler FreeBSD shell and are destined for NetScaler-owned IP addresses (for example, a SNIP or VIP address). The resets affect applications such as LDAP.
    [From Build 122.17] [# 430176, 430185]
  • On the "System > Diagnostics" page, when you select "Saved v/s running", the configuration utility displays a difference between the running and saved configurations, even if there is no difference.
    [From Build 123.11] [# 388836, 388830, 388831, 411627, 416264, 430646, 430652]
  • The "stat system -detail" command does not display the number of CPUs.
    [From Build 123.11] [# 382647]
  • When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the "time" parameter is deprecated for these SNMP alarms.
    Note: The same error occurs if you try to set the time for one of these alarms.
    [From Build 123.11] [# 388481, 391618]
  • A signed short integer overflow can occur during packet processing. Subsequent packets are corrupted.
    [From Build 124.13] [# 432728]
  • When Call Home is enabled, duplicate SNMP traps are generated for power supply unit (PSU) failures.
    [From Build 124.13] [# 435796]
  • The NetScaler appliance might fail to respond if an ICMP error causes the packet engine to enter a loop and thereby resulting in a pitboss process failure.
    [From Build 124.13] [# 436798, 438765, 439849, 449803]
  • If large number of small packets are sent through the packet processing pipeline, the packet engine enters a loop and restarts, causing a pitboss failure.
    [From Build 124.13] [# 439579, 442723, 442749]
  • ISIS packets are dropped at the Nexus 1000V distributed virtual switch (DVS), which has no option to enable promiscuous mode. However, this issue is not observed when the virtual machines are connected through the ESX virtual switch with promiscuous mode ON.
    [From Build 124.13] [# 430071]
  • The MPTCP data_ack signal is not sent in the subflow in which the MP_FAIL signal is sent.
    [From Build 124.13] [# 397587]
  • When a client's MPTCP token is invalid in the C2C steered MP_CAPABLE final ACK, the packet is dropped silently without flushing out the RSS filter. This filter is never deleted. If the client reuses the same 4-tuple as the filter, the incoming packet may go into the steering loop between the PEs. This will lead to very high CPU utilization.
    [From Build 125.9] [# 447623]
  • If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
    [From Build 126.12] [# 451285, 441843, 457850]
  • A memory leak in the shell ('/bin/sh') during management CPU profiling by the "nsproflog.sh" script causes swap zone issues.
    [From Build 126.12] [# 462797, 441758, 446780, 455911, 457505, 459435, 468798, 476812, 495481]
  • The state of services for which NATPCB is allocated starts flapping because of NATPCB allocation failure.
    [From Build 126.12] [# 453811, 470299]
  • When web server logging and audit logging are enabled on the NetScaler, the TCP current clients counter goes to negative values and shows a very large value in the stat or the SNMP OID.
    [From Build 126.12] [# 335202, 248103, 341155, 404099]
  • The NetScaler ADC forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The ADC fails to respond while processing these connections.
    [From Build 126.12] [# 432612, 426784, 434780, 468253]
  • The NetScaler ADC might fail during an nstrace operation.
    [From Build 126.12] [# 446300]
  • High CPU usage is observed when evaluating listen policy named expressions on a virtual server that picks up every packet.
    [From Build 126.12] [# 450580]
  • The NetScaler appliance drops a connection if it receives 255 back-to-back old packets (re-transmissions). The limit is configurable and the default value has been increased.
    [From Build 126.12] [# 453108]
  • With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
    [From Build 126.12] [# 396628, 402205]
  • When the NetScaler has application firewall disabled but SSO enabled, and NetScaler memory is low, the unused application firewall memory is not recovered. This leads to an erroneous value for the "ActualInUse" memory counter.
    [From Build 127.10] [# 450054, 450787, 453207, 453481, 459354]
  • The NetScaler system backup tar file does not include the following files:
    - /nsconfig/ns.conf
    - /nsconfig/Zebos.conf
    - /nsconfig/rc.netscaler
    - /nsconfig/snmpd.conf
    - /var/log/wicmd.log
    - /nsconfig/nsbefore.sh
    - /nsconfig/nsafter.sh
    [From Build 127.10] [# 455041, 478635, 484981]
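  Anyone relying on a system backup taken on an affected build will want to verify what the archive actually contains before trusting it for a restore. The following Python function is an added example, not NetScaler code: it lists the regular files in a backup tarball and returns those from the list above that are missing. The archive it is exercised against is constructed in memory with made-up file contents so that it runs offline; real backups are assumed to store paths relative to the root filesystem, with or without a leading "./", which the normalize helper strips before comparing.

```python
import io
import tarfile

# Files that the affected builds omit from the system backup (the list from the entry above),
# written relative to the root filesystem as a tar listing shows them.
REQUIRED_FILES = {
    "nsconfig/ns.conf",
    "nsconfig/Zebos.conf",
    "nsconfig/rc.netscaler",
    "nsconfig/snmpd.conf",
    "var/log/wicmd.log",
    "nsconfig/nsbefore.sh",
    "nsconfig/nsafter.sh",
}


def normalize(name):
    """Strip any leading './' or '/' so member names compare regardless of how the archive was built."""
    while name.startswith("./") or name.startswith("/"):
        name = name[2:] if name.startswith("./") else name[1:]
    return name


def missing_from_backup(archive_bytes, required=REQUIRED_FILES):
    """Return, sorted, the required files that are not present as regular files in the tarball."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        present = {normalize(m.name) for m in tar.getmembers() if m.isfile()}
    return sorted(required - present)


def make_backup(paths):
    """Build a small gzip tarball in memory holding the given paths.

    Constructed sample data for the check above; the contents are placeholders,
    not a real NetScaler backup.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in sorted(paths):
            data = f"# sample content of {path}\n".encode()
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # A backup that, like the affected builds, carries only the SSL directory and nothing from the list.
    partial = make_backup({"nsconfig/ssl/ns-server.cert", "nsconfig/ssl/ns-server.key"})
    print("missing:", missing_from_backup(partial))
```

  To check a real archive, read the backup file into memory and pass its bytes to missing_from_backup; an empty list means every file in the list above is present.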
  • The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.
    [From Build 127.10] [# 478895]
  • If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
    [From Build 127.10] [# 451285, 441843, 457850, 488115]
  • The NetScaler nstrace utility does not filter out all IPv6 packets when a IPv4 only filter is entered.
    [From Build 127.10] [# 450398]
  • The Monupload process monitors the power supply and sends a "show techsupport" bundle as soon as a power failure is observed. This behavior is now modified to upload the bundle only if the power supply does not recover within 1 minute.
    [From Build 128.8] [# 452240]
  • When different TCP profiles are bound to a virtual server and to the services that are bound to that virtual server, and one of the profiles has window scaling as ENABLED and the other has it as DISABLED, NetScaler sometimes considers that window scaling is ENABLED. The expectation in such a case is that NetScaler considers window scaling as DISABLED.
    [From Build 128.8] [# 481442]
  • With USIP mode enabled, when the client FIN comes along with the final ACK for the server response, the NetScaler TCP module does not acknowledge the FIN.
    [From Build 129.22] [# 478356]
  • Changes made to the time zone are not reflected until the NetScaler appliance is warm rebooted.
    [From Build 129.22] [# 471100, 425465, 484159, 484187]
  • The NetScaler intermittently fails to generate traps due to issues in propagating the alarm state to the SNMP daemon.
    [From Build 129.22] [# 490192]
  • SNMP walk shows the operational status of a LA channel as DOWN even when it is in the PARTIAL-UP state.
    [From Build 129.22] [# 477709]
  • A new HTTP profile option "rtspTunnel" allows RTSP over HTTP. The RTSP tunnel is detected by the presence of either one of the following
    - 'Accept: application/x-rtsp-tunnelled' request header
    - 'Content-Type: application/x-rtsp-tunnelled' response header
    Once the tunnel is detected, NetScaler stops HTTP tracking for that TCP connection and lets the RTSP flow go through. The "rtspTunnel" option is disabled by default.
    [From Build 129.22] [# 480219]
  • If you change the IP address of a load balancing virtual server that shares the same server information (IP address, port and service) with an audit server and then clear the configurations, the NetScaler is expected to remove the virtual server, the audit server, and other NetScaler configurations. However, when you now add the virtual server with the original server details, the NetScaler throws an error message that says "resource already exists".
    Note: In a HA setup, this behavior is displayed even when you perform a force sync or a force failover operation.
    [From Build 129.22] [# 484527]
  • When the Call Home feature is disabled before the Call Home enable operation is successful, a second instance of the Call Home process starts to run. This results in high usage of the management CPU.
    [From Build 129.22] [# 498232]
  • When the NetScaler ADC hits congestion with HA or LACP packets, or continuous congestion in a single-PE environment, it cannot recover and packet transmission stops. This is applicable to the management ports on NetScaler SDX appliances and to all ports on NetScaler VPX instances running on XenServer.
    [From Build 130.13] [# 532316, 532045, 533018, 534634, 534671, 537616]
  • The NetScaler appliance can crash when a large HTTP request URL has a space in it and if the request is broken into multiple packets.
    [From Build 130.13] [# 497321, 501856, 502116, 502902, 517374]
  • The nsnetsvc process size increases when the "stat" command is executed.
    [From Build 130.13] [# 418028, 409722, 467187]
  • When an HTTP profile is bound to a virtual server or service, its settings take precedence over those of the global HTTP profile (nshttp_default_profile). However, when connection multiplexing is disabled globally and enabled on the virtual server or service, the global setting is used instead. This issue has now been fixed.
    [From Build 130.13] [# 494013]
  • A NetScaler VPX virtual appliance with multiple packet engines fails if you enable the nstrace feature in TX mode with an advanced filter expression.
    [From Build 131.11] [# 528309]
  • When upgrading the NetScaler software from release 9.3, without a cache license, to release 10.0 or later, with a cache license, you have to apply the cache configuration manually to enable the integrated caching feature.
    [From Build 131.11] [# 451841, 332826, 346327, 361979, 465489, 485864]
  • If the NetScaler appliance uses the HTTP pipeline to parse an HTTP request, and the parsing process fragments the request packet, the appliance might not UNSET the NS_FINAL_DATA flag after receiving a fragment of the packet. In that case, the appliance fails.
    [From Build 131.11] [# 527320, 527211]
  • The NetScaler backup and restore functionality now creates a backup of each of the following configuration files: inetd.conf, ntp.conf, syslog.conf, newsyslog.conf, crontab, host.conf, hosts, ttys, sshd_config, httpd.conf, monitrc, rc.conf, ssh_config, localtime, issue, and issue.net.
    [From Build 131.11] [# 506378]
  • The memory allocation API, malloc, returns a NULL value if it cannot obtain memory for the nscollect utility. If the nscollect utility tries to dereference this NULL pointer, a memory segmentation error results.
    [From Build 131.11] [# 528818, 529425]
  • If you enable the nstrace feature in TX mode with an advanced filter expression, the NetScaler appliance fails.
    [From Build 131.11] [# 494911, 481032, 511763, 528309, 532708, 538507]
  • The NetScaler appliance generates SNMP clear alarm traps for successful cases of haVersionMismatch, haNoHeartbeats, haBadSecState, haSyncFailure, and haPropFailure error events in an HA configuration.
    [From Build 131.11] [# 368832]
  • The save ns config command and the nsnetsvc process fail under low memory conditions.
    [From Build 131.11] [# 488110, 496136]
  • The NetScaler randomly crashes when SPDY is enabled on a NetScaler deployment which has integrated caching or front end optimization enabled. This occurs due to some interaction issues.
    [From Build 131.11] [# 486257]
  • If password based authentication is used to open an SSH session to a NetScaler appliance, the wrong remote IP address is sent to the NetScaler syslog records.
    [From Build 131.11] [# 286861, 301935, 513312, 522183, 541332]
  • A NetScaler ADC processing SPDY traffic on SPDY-enabled virtual servers fails intermittently if an HTTP response body is received with chunked transfer-encoding and the response header is modified by other NetScaler features.
    [From Build 131.11] [# 519004, 528861]
  • If a non-HTTP request is received on an HTTP virtual server, the transaction might fail.
    [From Build 131.11] [# 504910]
  • When the NetScaler ADC encounters congestion with HA or LACP packets, it cannot recover and packet transmission stops. This is applicable to the management ports on NetScaler SDX appliances and to all ports on NetScaler VPX instances running on XenServer.
    [From Build 131.11] [# 532316, 532045, 533018, 534634, 534671, 537616]
  • The ns_monuploadd_err.pl script monitors the health of the NetScaler appliance by looking for errors recorded in the log files. The script decompresses the log files and does not remove the decompressed log files, which therefore consume disk space.
    [From Build 131.11] [# 532042, 447664, 532587, 533164]
  • If you enable SPDY and the SPDY layer accumulates more than 8912 bytes of set-cookie values while processing a server response, a buffer overrun causes the NetScaler appliance to fail.
    [From Build 131.11] [# 524949]
  • Multiple instances of the nstraceaggregator daemon can run at the same time. As a result the NetScaler appliance might fail and corrupt the captured files.
    [From Build 132.8] [# 527119, 522584, 525657]
  • A NetScaler appliance fails if it attempts to apply HTML injection to a server response that does not have a content type header.
    [From Build 132.8] [# 529493]
  • In a cluster setup, if the TCP profile parameter 'sendBuffsize' is unset the NetScaler appliance displays 0 bytes as the buffer size instead of 8190 bytes (default value).
    [From Build 132.8] [# 552654]
  • The output of the "show channel" command includes interfaces that have been unbound from the channel.
    [From Build 132.8] [# 540998]
  • During the execution of the "nstrace.sh" script (from shell) or the "start nstrace" command (from CLI), when the trace file is rolled over, some packets might not be available in the trace. The number of packets that will be dropped from the trace is directly proportional to the traffic rate.
    [From Build 132.8] [# 480258, 494482, 523853]
  • Enabling the AppFlow feature during a transaction causes the NetScaler appliance to fail.
    [From Build 132.8] [# 547739, 527797, 531101]
  • If the NetScaler appliance receives a WebSocket upgrade request, and an HTTP-body based policy is bound globally or to a virtual server, the appliance does not forward the request to the server until a TCP FIN flag is received from the client.
    [From Build 132.8] [# 536576, 549318]
  • NTP Version Update
    In NetScaler release 11, the NTP version has been updated from 4.2.6p3 to 4.2.8p2.
    If you upgrade your NetScaler appliance from any earlier release to release 11, the NTP configuration is automatically upgraded with additional security policies. For more information about configuring an NTP server, see http://docs.citrix.com/en-us/netscaler/11/system/basic-operations/configuring-clock-sychronization.html.
    [From Build 133.9] [# 440375, 440591]
  • If you execute NTP commands, such as enable ntp sync and show ntp status, the NetScaler appliance might become unresponsive because of a memory leak.
    [From Build 133.9] [# 529787, 574866, 581849]
  • If you enable the snmp alarm SERVICEGROUP-MEMBER-MAXCLIENTS, varbinds such as svcGrpMemberName, svcGrpMemberEstablishedConn, alarmHighThreshold, svcGrpMemberFullName, and sysIpAddress might be missing from the alert.
    [From Build 133.9] [# 578673]
  • Failed SNMP requests are not removed properly, so subsequent set requests are retained in the queue. This blocks all SNMP requests and causes high memory usage, and the SNMP module stops responding.
    [From Build 134.9] [# 590289, 584527, 596242]
  • A NetScaler appliance might occasionally fail when a client connects to an HTTP/SSL server and the server sends a 101 (switching protocols) response. The connection is closed before data can be sent or received from the client.
    [From Build 134.9] [# 576561, 587759]
  • Under stressful conditions (too many API requests) the NetScaler appliance is unable to retrieve LCD counters from the back end.
    [From Build 134.9] [# 533156, 599100]
  • Setting 'Request timeout' or 'Request timeout action' in HTTP Profiles can cause the NetScaler to fail in some situations.
    [From Build 134.9] [# 501100]
  • The management CPU usage becomes high if the CPU frequently compresses newnlog files. This fix reduces CPU usage by allowing the appliance to zip only five files per hour.
    [From Build 134.9] [# 454467, 459466, 598709, 598851]
  • The NetScaler appliance fails to respond when the HTML injection feature is enabled.
    [From Build 134.9] [# 542418, 611842]
  • NIC Failures detected during boot up do not prevent a NetScaler appliance from booting up and successfully starting the packet engines. The appliance displays an error message about the missing NICs.
    With this fix, if a NIC failure is detected during boot up, the appliance will not start Packet Engines and display an error message about the missing NICs.
    [From Build 134.9] [# 547260]
  • Because of a bug in the hard disk drive (HDD) monitoring logic, a message in /var/log/messages that matches the "*ad* Device not configured" pattern produces false-positive errors.
    [From Build 134.9] [# 611774, 598774]
  • The warning message "Error =80000004 in nsagg_process_stat_request, closing connection" is displayed when the nscollect module requests counter information from the nsaggregator daemon at every 5-minute interval. The nsaggregator daemon prints the warning in response to a request from the nscollect module for more than 256 counters.
    [From Build 134.9] [# 610809, 577474, 579560, 622553]
  • In a cluster or HA setup, when you perform an operation that adds a new file (create/import SSL/APPFW), the file is synchronized to the other nodes (non-CCO nodes in a cluster or the secondary appliance in an HA setup). This synchronization happens either periodically or when manually executed. If an operation that uses this file is executed before the file is synchronized, the operation fails because the required file is not available.
    For example, if you import a certificate file, and then execute the "show cert key" command immediately, the command fails.
    This issue is fixed by synchronizing the files across all the nodes automatically, after they are added.
    [From Build 134.9] [# 535162, 283661, 288743, 389394, 470729, 562724]
  • In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.
    [From Build 135.08] [# 449234, 457629, 496448]
  • If a 10G interface is disabled, the IfInDiscard counter might increase.
    [From Build 135.08] [# 647082]
  • In a NetScaler appliance, if the Ring Receive buffer is full, the appliance starts to discard data packets at the Network Interface Card (NIC). As a result, the appliance drops packets leading to a probe failure.
    [From Build 135.08] [# 623977, 649735]

User Interface

  • The SNMP counter of type cntr32 has been changed to a gauge counter.
    [From Build 131.11] [# 524080, 448724]
  • In certain cases, an attempt to add or bind a load balancing virtual server, service, or service group can fail if the internal ID assigned to the virtual server, service or service group conflicts with the internal ID of an existing virtual server, service, or service group.
    [From Build 132.8] [# 516162, 358664, 538009, 540912, 542248, 542721, 546566, 549368]
  • The NetScaler appliance serves erroneous cache content if you use the XenApp/XenDesktop wizard's auto-configured cache policies.
    [From Build 132.8] [# 426551, 545422]

WIonNS

  • You can now optionally configure agCallbackURL separately from agURL. The agURL represents the front-end Access Gateway (AG) for the client, whereas the agCallbackURL is used for communication between the Web Interface (WI) and the AG. The agCallbackURL is an optional parameter. Use the following command to configure agCallbackURL:
    add wi site /Citrix/new http://agee.citrix.com http://sta.citrix.com -agCallbackUrl http://callback.citrix.com
    [From Build 131.11] [# 508743]

Web Interface

  • In a high availability setup, if the failover operation is performed twice, a user trying to launch an application is unable to proceed after the AGESSO.jsp page appears. If the domain controller is configured for x number of logon retries, and the user refreshes the page x number of times, the account is locked.
    With this fix, the user is able to launch the application. However, if an application is launched immediately after failover, and the launch takes longer than usual (about 75 seconds), a session error page might appear, in which case the user has to log on again.
    [From Build 126.12] [# 450811]
  • Neither the CLI nor the configuration utility allows a user to configure a pre-login message of more than 255 characters.
    [From Build 126.12] [# 458113]
  • Upgrading a NetScaler ADC from release 10 to release 10.1 deletes a set of customized options of the add wi site command.
    [From Build 126.12] [# 456120]

XML

  • Users who access a Microsoft Sharepoint server through a NetScaler ADC that has the application firewall enabled are unable to open any document type that requires software that is not part of the browser, such as Microsoft Office files.
    [From Build 129.22] [# 450232]

Release history

For details of a specific release, see the corresponding release notes.
  • Build 135.18 (2017-03-01) (Current build) Replaces: 135.12
  • Build 135.11 (2017-03-02)
  • Build 135.10 (2017-03-02)
  • Build 135.09 (2017-03-02)
  • Build 135.08 (2016-10-25)
  • Build 134.9 (2016-04-11)
  • Build 133.9 (2015-09-03)
  • Build 132.8 (2015-06-10)
  • Build 131.11 (2015-03-10) Replaces: 131.7
  • Build 130.13 (2015-02-18) Replaces: 130.11
  • Build 129.22 (2014-12-01)
  • Build 128.8 (2014-10-21)
  • Build 127.10 (2014-10-21)
  • Build 126.12 (2014-05-13)
  • Build 125.9 (2014-04-12)
  • Build 124.13 (2014-02-12)
  • Build 123.11 (2014-03-12) Replaces: 123.9
  • Build 122.17 (2013-11-12) Replaces: 122.11
  • Build 121.10 (2013-10-12)
  • Build 120.13 (2013-09-12)
  • Build 119.7 (2013-07-15)
  • Build 118.7 (2013-06-12)
  • Build 112.15 (2014-07-28)