此篇文章罗列了所有Netscaler可能出现的问题,大家可以按CTRL+F进行搜索需要的。
A list containing the majority of Citrix ADC (formerly NetScaler ADC) support articles collated to make this page a one stop place for you to search for and find information regarding any issues you have with the product and its related dependencies.
The page is updated daily with new support articles and information. Articles will change from time and if information here is outdated or incorrect please let me know using the comments. Links may also expire or change so if you find broken links, please again let me know. For each issue, known product versions affected are recorded however that does not mean product versions that aren’t listed are not affected.
There is a search box that you can use if looking for a specific fault. For example if you have an error code or error message, use that to perform a search. You can also use your browsers search feature which will perform a search against the whole page based on the words you enter.
NetScaler / Citrix ADC:
Brief Description of Issue | Brief Description of Fix | Applicable Product Versions Affected (if known) | Link to supplemental Support Article(s) |
---|---|---|---|
In the Persistency Table, you can only see one backend server connection mapped to the source client however when running command “show ns connection table” you can see connections from the source client to multiple backend servers. | Upgrade to 11.1.54.14. | https://support.citrix.com/article/CTX227016 | |
When more than one interface is in the same vLAN, you observe MAC moves and MAC conflicts between the NICs. | Move the affected NICs in to different VLANs or else aggregate the interfaces in to a link aggregated channel. | https://support.citrix.com/article/CTX224626 | |
When editing a document through the local machine you receive error “Cannot open a file, incorrect syntax or file path”. | A WireShark trace shows that the client was sending a request to a server not configured on any of the Content Switching policies. Once the server was mapped to a Load Balanced Virtual Server the document was editable through the local machine. | https://support.citrix.com/article/CTX226892 | |
Content Switching Virtual Server sends traffic to the wrong Load Balancing Virtual Server, resulting in users receiving 404 HTTP responses. | Enable “Drop Invalid HTTP Headers” on NetScaler. When the Content Switch receives HTTP invalid/corrupt header next packets from the same source IP the client may be redirected to an incorrect destination. | https://support.citrix.com/article/CTX226724 | |
When trying to add a new node to a cluster, you receive rrror “Invalid interface name/number”. | Make sure you are not using an incorrect backplane interface ID number. | https://support.citrix.com/article/CTX220432 | |
When connecting to RDP via NetScaler Clientless VPN bookmarks, the RDP window terminates with error “An internal error has occured” and the NetScaler resets the backend connection with reset code 9952. | This is caused by a domain mismatch in the LDAP Profile. The SSO Name attribute should be set to “SamAccountName”. | https://support.citrix.com/article/CTX226709 | |
In a High Availability setup, an unusually large spike in the number of persistent connections may result in under performance of the Secure Socket Funneling channel between the primary and secondary node. This under performance can eventually lead to session build up on the primary node and cause persistence to fail. Users are then sent to backend servers based on the Load Balancing method. | This is a known issue and will be resolved from NetScaler versions 12.0.53.x, 11.1.56.x and 11.0.70.x. As a workaround you can enable Nagle’s Algorithm and disable Window Scaling on the “nstcp_internal_apps” TCP profile. | https://support.citrix.com/article/CTX226583 | |
You are unable to bind multiple services to a Load Balancing Virtual Servr at the same time using the GUI. | Upgrade to NetScaler version 11.1.53.x. | NetScaler 11.1.51.x and 11.1.52.x. | https://support.citrix.com/article/CTX226582 |
The NetScaler Gateway Plugin interrupts DHCP requests that should be sent through the physical interface. Instead these requests are sent through the VPN tunnel. | This is a known issue. For Windows devices, the issue is fixed in 11.1 and 11.0.67.x. For MAC, a fix should be coming as part of the “High Sierra” MAC plugin update. | https://support.citrix.com/article/CTX226379 | |
Applications launched through NetScaler fail with no specific error. The loading dialog box appears and then dissapears. There is no issue with launches internally via StoreFront direct. | NetScaler tried to resolve the VDAs FQDN over UDP and the DNS response is received with a truncated bit. NetScaler should initiate a DNS query over TCP for the same FQDN but does not. This issue is being worked on by Citrix. As a workaround you can either add the VDA FQDN as a DNS A record directly on NetScaler or else reduce the size of the DNS response so that it can be accomodated in 512 bytes. | https://support.citrix.com/article/CTX226338 | |
When using EDT/DTLS via NetScaler, application launch fails with “Unknown client error 1110”. | If the DTLS packet happens to be fragmented, the DTLS stack incorrectly drops this fragmented packet which resutls in an application launch failure. TCP works fine. The fix for this issue will be available in NetScaler 11.1.55.10 and 12.0.53.x. | NetScaler Gateway 11.1 and 12.0. | https://support.citrix.com/article/CTX226014 |
NetScaler MPX 59xx/89xx models running 10.5.63.46 or 11.0.70.112 firmware versions may experience SSL failures. | Upgrade to 10.5.63.47 or 11.0.70.114. | NetScaler 11.5.63.46 and 11.0.70.112. | https://support.citrix.com/article/CTX225817 |
When Use Source IP is enabled on NetScaler, the ACK packet sent to the client after a RESET contains the wrong source IP. The IP sent is of the backend server instead of the VIP. | The entire communication works fine apart from the last packet due to it being a stray packet. This is expected behaviour. | https://support.citrix.com/article/CTX226119 | |
After upgrading NetScaler 11.1.54.x to 12.0.41.1 or 51.x you lose configuration settings set in SSL Profiles. | Secure implementation of session tickets is supported only in release 11.1.54.x. Configuration loss will occur if you upgrade from this build to any of the newer builds. There are workarounds and considerations outlines in the CTX article. | NetScaler 11.1.54.x. | https://support.citrix.com/article/CTX226077 |
If a custom theme is applied to NetScaler Gateway 11.1.50.10, the text for password field is not displayed. | NetScaler 11.1.50.10. | ||
When a RfWebUI based portal theme is used on NetScaler Gateway, Responder Policies are not supported. | NetScaler 12.0.51.24. | ||
An RfWebUI theme is not supported when used on an AAA Virtual Server configured with classic authentication policies. | |||
You receive error “1012: The NetScaler Gateway Plug-in could not start. For more information, see the connection log.(15) or (18)”. The log viewer also displays an “NDIS driver not installed” error. | Reinstall or repair the NetScaler Gateway Plug-in. If the plug-in cannot be reinstalled, use the NetScaler Gateway client removal tool. | https://support.citrix.com/article/CTX122969 | |
INAT is not allowing non-legitamate TCP traffic after the idle timeout is reached whereas RNAT does. | This is as design and is expected. | https://support.citrix.com/article/CTX225771 | |
On SDX SVM version 11.1.53.11 an issue exists were the /var directory on HDD is fills up due to increasingly large log files. | Upgrade to 11.1.53.13 which contains the fix. | NetScaler SDX 11.1.53.11. | https://support.citrix.com/article/CTX225753 |
Multiple issues exist in SDX 11.1.53.11 such as the root filesystem on XenServer running out of disk space which results in SSL chips failing, VPX appliances failing and logons to the SVM failing. | Upgrade to NetScaler SDX 11.1.53.13. | NetScaler SDX 11.1.53.11. | |
NetScaler SDX 11.1.53.11 reports 0 SSL chips detected. | This can be caused by a bug in the current firmware version which causes log files to grow and fill up the /var directory. Upgrade to NetScaler SDX 11.1.54.x. | NetScaler SDX 11.1.53.11. | https://support.citrix.com/article/CTX223787 |
NetScaler VPX running on VMware intermittently loses connection after upgrading to NetScaler 12.0.41.x or 11.1.54.x. For example, connectivity is lost after taking a snapshot of the VPX, or during a backup. | This is a known issue and will be fixed in NetScaler 12.0.51.x, 11.1.55.x and 11.0.71.x. As a workaround, replace all E1000 interfaces with VNXNET3. Make sure the MAC address stays the same to avoid re-licensing. | NetScaler 12.0.41.x and 11.1.54.x. | https://support.citrix.com/article/CTX224576 |
You witness the NetScaler console display message “xx packets dropped due to licensed throughput rate being reached”. | Purchase a higher throughput license. | https://support.citrix.com/article/CTX225182 | |
If no SSL chip is assigned to VPX running on SDX, Client Certificate Authentication fails. | If no SSL chip is assigned to the VPX, the appliance advertises SHA256 and RSA during the client certificate request message. If the client has a lower Encryption and Hashing algorithm, the client sends an empty payload to NetScaler. You must use a SHA256 and RSA certificate. | https://support.citrix.com/article/CTX221635 | |
When a user disconnects/closes an existing RDP session, the user upon reconnecting is not sent to the same backend RDP server. | Disable “Use IP Address Redirection” within the Remote Desktop Session Host server settings. NetScaler only supports IP based tokens. | https://support.citrix.com/article/CTX225499 | |
Desktops launch internally but externally through NetScaler they do not. | Add the NetScaler Gateway URL to the Trusted Sites zone. | https://support.citrix.com/article/CTX220146 | |
When the maxAAAUsers parameter is UNSET on a VPN Virtual Server, NetScaler Gateway does not update the value to the previously set value. Due to this, the number of users allowed on a VPN Virtual Server cannot be increased by applying an UNSET operation. | Upgrade to NetScaler 11.0.57.x and 10.5.59.x. | https://support.citrix.com/article/CTX201436 | |
SMTP monitor probes fail with message “Socket is already connected”. These errors are found in nsumond.log. | Change the Response Timeout value to a higher one within the STMP monitors configuration. Also fix the timeout issue at the backend SMTP server. | https://support.citrix.com/article/CTX225357 | |
Whilst HTTP/2 is enabled on a Virtual Server, connections to the Virtual Server instead use HTTP/1.1. | Make sure that TLS 1.2 is enabled on the Virtual Server and ECC Curves are bound. Also make sure that the HTTP Profile bound to the Virtual Server has HTTP/2 selected. | StoreFront 3.8. | https://support.citrix.com/article/CTX225300 |
When authenticating to NetScaler SVM you receive message “System maintenance in progress. Please try after some time”. | As a workaround you could restart the SVM processes however this issue could be due to lack of space in the /var directory. It could also be due to memory leaks in code which are now fixed in build 10.5.59.x. | NetScaler 10.5. | https://support.citrix.com/article/CTX225243 |
The built-in classic Cache Redirection policies do not work as expected for HTTPS traffic. | This is a known issue and has been fixed in NetScaler 11.0.68.x, 11.1.48.x and 12.0.x builds. | NetScaler 11.0.64.34. | https://support.citrix.com/article/CTX222545 |
You are unable to download PDF or DOC files due to error “Network Error” in Chrome or “Unable to read the source file” in Firefox. | Enable “Drop extra data from server” within the HTTP profile that is used on the Load Balancing Virtual Server. | https://support.citrix.com/article/CTX225151 | |
When adding an interface to an existing Link Aggregated Channel you receive message “Channel LA/1 is already assigned to 7 instances”. | You cannot attach more than 7 interfaces to a single LA channel. To overcome this, create an additional channel. | https://support.citrix.com/article/CTX225148 | |
When upgrading or installing a new version of the NetScaler VPN plug-in you may receive error “The older version of NetScaler Gateway Plug-in cannot be removed”. | Try running the NetScaler Gateway Client Removal Tool and/or the Microsoft Removal Tool. | https://support.citrix.com/article/CTX225098 | |
SSO is failing on internal applications after an upgrade from NetScaler 11.1.49.16 to 11.1.52.13. WireShark trace confirms that the Authorization HTTP header is missing in the packet sent by NetScaler to backend server. | Create a Traffic Policy and bind it to the NetScaler Gateway Virtual Server. | https://support.citrix.com/article/CTX225084 | |
A Load Balancing Virtual Server configured with an IPv6 address is not reachable and nsconmsg shows error “noroute”. | Check the default IPv6 route on NetScaler, it is likely incorrect. | https://support.citrix.com/article/CTX225025 | |
Restransmission (TRO) timeouts cause network latency on SSL connections through NetScaler. Symptoms include a delay of over 1 minute seen when connecting to HTTPS resources through NetScaler, faster network performance bypassing NetScaler and many TCP Zero Window events from the SNIP to backend servers observed in an Nstrace. | This is a known issue and is fixed in NetScaler 10.5.61.x and 11.0.64.34. | https://support.citrix.com/article/CTX205656 | |
SSL handshake failing after Client Hello for CBC_SHA384 ciphers. | Make sure that the certificates installed on backend servers are SHA256 and not SHA384 or SHA512. Alternatively upgrade to NetScaler 12.0, or 11.1.54.14 and above. | ||
Ns.log is unable to generate logs. | Verify is a syslog server is configured on NetScaler. The configured server should contain the logs. By default, NetScaler points to itself for ns.log. Also make sure that a syslog server is selected under Auditing -> Change Auditing Syslog Settings. | https://support.citrix.com/article/CTX225046 | |
NetScaler encounters e1k semaphore issues which results in pitboss killing NetScaler Packet Engines. | This issue is fixed in NetScaler 11.1.54.10 and 12.0.x. | https://support.citrix.com/article/CTX224950 | |
After switching off Client Choices, users are still asked to make a selection. | This was an issue with Internet Explorer Enterprise Mode. | ||
Your internal proxy server may see the client IP from Android devices whereas it sees the SNIP for iOS devices as expected. | Traffic from Android contains the “X-Forwarded-For” header containing the Android client IP address. iOS traffic does not contain this header. To satisfy proxy requirements you can create a rewrite rule to remove the “X-Forwarded-For” header. | https://support.citrix.com/article/CTX224648 | |
Newly added DNS host entries are not getting resolves through DNS Virtual Server. | By default, the DNS Virtual Server will cache both positive and negative responses received from the backend server until the DNS cache is updated or flushed. Modify the default DNS profile or create a new one and disable DNS caching. Apply this DNS profile to the DNS Virtual Server. | https://support.citrix.com/article/CTX224573 | |
Running a NetScaler trace results in error “Communication error (RPC-data-size mismatch)”. | The nstraceaggregator process has hung and needs restarted. | https://support.citrix.com/article/CTX224521 | |
When you click to edit an existing classic expression Authentication policy you receive error “Error in retrieving policy. Cannot read property ‘set_data’ or ‘null'” | Classic Authentication policies have been deprecated starting NetScaler 12. Use advanced policies instead. | NetScaler 12.0. | https://support.citrix.com/article/CTX224081 |
When NetScaler communicates with a Kerberos server in order to generate Kerberos tickets, a 15 second delay is noticed which ultimately delays the logon process. | Upgrade to NetScaler 12.0.48.x. As a workaround you can add an IPv6 record on NetScaler which resolves the delay. | NetScaler 11.1. | https://support.citrix.com/article/CTX224353 |
You cannot delete a Pattern Set that contains a semicolon in the pattern. | As a workaround use the CLI and issue an unbind command. | https://support.citrix.com/article/CTX224292 | |
After a reboot of NetScaler any nFactor advanced authentication policy is no longer bound to the AAA Virtual Server. | Upgrade to NetScaler 11.1.53.11 which contains the fix. | https://discussions.citrix.com/topic/385339-nfactor-advanced-policies-no-longer-bound-after-reboot/ | |
Even though “autocomplete=’off'” exists in NetScalers index.html file, users are still prompted by their browser to save user credentials. | This is expected behaviour as several browsers have implemented to ignore the functionality of autocomplete=off. There is a enhancement request currently with the Citrix product team to suppress such prompts. | https://support.citrix.com/article/CTX202371 | |
After an upgrade to NetScaler 11.1.49.16 and when using AES-GCM ciphers users experience random session disconnections. | Upgrade to NetScaler 11.1.53.11. | NetScaler 11.1.49.16. | https://support.citrix.com/article/CTX224246 |
Domain EPA actions for nFactor created in NetScaler 12.0.41.16 are wrong and do not work. The expression can be edited. | This issue will be fixed in NetScaler 12.0.51.x. | http://www.jgspiers.com/nfactor-authentication-with-netscaler-gateway/ | |
Users may receive multiple push notifications and the RADIUS server will send multiple authentication requests to the same user with different RADIUS IDs or OTP tokens. | Upgrade to NetScaler 11.1.41.11. | https://support.citrix.com/article/CTX223878 | |
A NetScaler connection to a backend IIS server which is configured with TLS 1.1/1.2 breaks. Event Viewer on the IIS server shows Event ID 36874 “TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed”. | NetScaler does not send the “Signature Algorithms” extension that IIS expects in the latest versions of IIS that support TLS 1.2. This issue is fixed in NetScaler 11.0.65.35. | https://support.citrix.com/article/CTX205578 | |
Users are unable to access Exchange through NetScaler. When bypassing NetScaler, connections to Exchange can be made. | Outlook over RPC reuses open POST requests which may be blocked by AppFirewall. You must create an AppFirewall bypass policy for RPC traffic. | https://support.citrix.com/article/CTX223698 | |
After a SAML session timeout, if the user logs out of the session an “HTTP 1.1 internal server error 43524” error is displayed within the “/cgi/tmlogout” page rather than receiving a “Session logged out successfully” message. | Upgrade to NetScaler 12.0 which supports SAML IDP logout support for redirect and post bindings. | https://support.citrix.com/article/CTX223616 | |
High Availability pair is not working as expected. | Wrong VLAN tagging was configured on the secondary NetScaler appliance. | https://support.citrix.com/article/CTX209094 | |
AppFirewall does not detect double encoded XSS/cross site scripts. | NetScaler does not detect double encoded cross site scripting by default. You need to write an nsapimgr command to rc.netscaler so that this command is run after each reboot. | https://support.citrix.com/article/CTX221281 | |
NTP sync is failing with error “No association ID’s returned”. | Disable the “Auto-key” setting on the NTP server configuration within NetScaler. Only enable this when the NTP server supports Auto-key. | https://support.citrix.com/article/CTX222999 | |
NetScaler drops traffic when the AppFirewall Session Limit is reached. | Reduce traffic or upgrade NetScaler hardwffare or license if the traic rate is breaching the device limit. As a workaround you could also decrease the session timeout limit on AppFirewall but this may likely place more resource demand on NetScaler. In case of a VPX appliance, each Packet Engine by default can handle 1,00,000 AppFirewall sessions at one time. If you add more CPUs to the VPX appliance, additional Packet Engines will be added to support more AppFirewall sessions. | https://support.citrix.com/article/CTX217549 | |
On a VPX appliance unless provisioned in Amazon Web Services, interfaces are not hot-pluggable. | The appliance must be switched off before you can add a new interface. This excludes appliances deployed on AWS. | ||
When importing a certificate to NetScaler you receive error “Issuer certificate mismatch, or PEM pass phrase requires for this private key”. | This issue can occur when you have exported a Windows certificate and during the export wizard selected “Include all certificates in the certification path if possible”. To overcome this issue, export the certificate again but do not select this option. | https://support.citrix.com/article/CTX226986 | |
After an upgrade to NetScaler 11.1 Windows 7 clients can no longer connect to SSL VPN. They may also see a “Version Upgrade” prompt repeatedly. Other Windows versions such as Windows 8/10 work fine. | From NetScaler 11.1 onwards, the nsload.exe component of the NetScaler Gateway Plug-in is signed by SHA2 which requires Windows 7 clients to install a patch to support it. Upgrade to NetScaler 11.1.49.x and install patch KB3033929 on the Windows 7 clients. | https://support.citrix.com/article/CTX217048 | |
TLS 1.1 and 1.2 on NetScaler causes interruption to downloading/uploading files due to Windows size leak. Symptoms are that you can launch applications but they freeze after 2 minutes, you are unable to download attachments via Outlook Web Access and while downloading/uploading files through a Load Balanced VIP the process stops after some time. | As a workaround you could disable TLS 1.1 and 1.2 on NetScaler Load Balanced Virtual Servers. Upgrade to NetScaler 10.5.60.x, 11.0.64.x and 11.1.x builds. | NetScaler 10.5 to 11.0. | https://support.citrix.com/article/CTX202431 |
When running through the XenApp and XenDesktop Wizard, the “Retrieve Stores” button intermittently fails on the first check. Click the button again and it will work. | Upgrade to NetScaler 11.1.56.15 or 12.0.53.6. | ||
If you log on to SharePoint 2013 through Clientless VPN, you cannot use Internet Explorer to open a Word “.doc” document. | This is a known issue. Use Firefox or Chrome. | NetScaler 11.1.53.11 and still exists in 12.0.53.6 (August 2017). | |
If you log on to SharePoint 2013 through Clientless VPN, you cannot document drag and drop. | Upload the document instead. | NetScaler 11.1.53.11 and still exists in 12.0.53.6 (August 2017). | |
If you log on to SharePoint through Clientless Access, you cannot add a new item to the calendar if using Internet Explorer. | Use Firefox or Chrome. | NetScaler 12.0.41.16. | |
When using Firefox v51 and later, the NetScaler EPA and VPN plugins do not launch. | This is due to Firefox dropping NPAPI plugin support. This has now been resolved in NetScaler 12.0.51.24. | ||
When you update a certificate key pair an error “Cannot allocate memory” is shown. | Reboot NetScaler and make sure ns.conf does not contain the new certificate configuration. Preferably contact Citrix Technical Support for a fix. | NetScaler 11.0 and 11.1. | https://support.citrix.com/article/CTX222699 |
When using ESX 5.5.0 with patch 2456374 you cannot shut down or restart a NetScaler VPX instance from the console. | NetScaler 11.1.53.11. | ||
When you attempt to enable “ICA Only” on a NetScaler Gateway Virtual Server through the Cluster IP (CLIP), you receive error “Changing ‘ICAonly’ parameter is not allowed in Cluster Deployment”. | In a cluster deployment, you can enable ICA Only mode only when creating the NetScaler Gateway Virtual Server and not afterwards. | https://support.citrix.com/article/CTX222465 | |
Changing an expired LDAP password intermittently fails with error “Incorrect credentials. Try again.” | This is a known issue and is targeted for resolution in NetScaler 11.0.71.x, 11.1.55.x and 12.0.53.x builds. An issue was found in one of the functions used to store/dyplicate password strings in a structure used by the authentication module. | NetScaler 11.0 to 12.0. | https://support.citrix.com/article/CTX221846 |
You cannot download files through a Content Switching Virtual Server. Bypassing the Content Switch works fine. | Configure an HTTP Profile on NetScaler with “Drop extra data from server” enabled. Attach this profile to the Content Switch. The backend server is returning several segments for the requested file for download. These segmenets are adding up to a size larger than what is specific in the Content-Length header and so NetScaler drops the traffic with a reset code of 9217. | https://support.citrix.com/article/CTX222480 | |
When executing NetScaler commands, slow output is observed. The console shows lots of “first_nsb seq” messages. | NetScaler was sending the details/output of each command to an external authentication server for authorisation. The authentication server was unreachable hence the long delays between running commands since timeouts were occuring. The external AAA configuration was removed and “RBA on response” was disabled. | https://support.citrix.com/article/CTX214171 | |
With Split Tunnel switched off and a client connected to NetScaler full VPN, a command such as nslookup returns only one backend server IP rather than multiple. This could become an issue if that one IP address became unreachable. | Run nsapimgr commands on NetScaler to override the default DNS behaviour of the appliance. By default, only one IP address is sent unless you tweak the nsapimgr knobs. | https://support.citrix.com/article/CTX200243 | |
You can still ping a VIP even though it is disabled and the Effective State of the Virtual Server is DOWN. | This happens because the IP is still enabled. You need to go in to System -> Network -> IPs, right-click the desired IP and click “Disable”. | https://support.citrix.com/article/CTX222390 | |
When using the Green Bubble theme and Device Certificate Authentication is enabled, after selecting the Device Certificate a “403 Access Forbidden” error is flagged. | 302 Redirects from NetScaler cause the NS_EPAC Cookie to be reset. To fix this, you have to make changed to the file “ctxs.authentication.css” located in /var/netscaler/gui/vpn/css/. | https://support.citrix.com/article/CTX222284 | |
Logos/images are not loading for the maintenance page defined in a Responder Action. The text referred in HTML code displays fine. | You have to convert the image to its base64 encoded equivalent and then refer the base64 encoded URL in the image tag of the HTML code to be used by Responder. | https://support.citrix.com/article/CTX222273 | |
Flushing one member in a Content Group flushes the other members aswell. | Make sure you have defined a memory limit for the Content Group. Having a memory limit of 0/not defined will cause this to happen. | https://support.citrix.com/article/CTX221853 | |
You receive error “Your logon has expired. Please log on again to continue” when accessing StoreFront through NetScaler Gateway. | Verify your StoreFront store is pointing to the correct NetScaler Gateway, select “No VPN tunnel” or “Full VPN tunnel” depending on your requirements and make sure IIS has “Load User Profile” set to “True”. Also make sure you have propagated StoreFront configuration to the remaining Server Group members. | https://support.citrix.com/article/CTX204766 | |
You receive an SSL related error when connecting to NetScaler via Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Android 3.12 or Receiver for Linux 13.6. | These Receiver versions introduced stricter certificate validation checks. This issue was due to a defect in some builds of NetScaler were SSL handshakes fail if a Client Hello message includes an ECC extension that the NetScaler does not support. All NetScaler 11.0, 11.1 and 12.0 builds are safe from this interoperability issue. | NetScaler 10.1, 10.5. | https://support.citrix.com/article/CTX221453 |
After an upgrade to NetScaler 10.5 or above, the Default Route shows as “Null Route” when checked from the GUI but shows as configured via CLI. | This is a GUI bug, although it does not affect network functionality. Upgrade to NetScaler 12.0 which contains the fix. | NetScaler 10.5 to 11.1. | https://support.citrix.com/article/CTX221632 |
High CPU is experienced on NetScaler due to high loopback interface traffic caused by looping DNS packet destined for port 53. | As a workaround, within your LDAP profile(s), use an IP address to define the LDAP server instead of hostname. This has been fixed in NetScaler 11.1.53.13. | NetScaler 11.1. | |
The RDP Proxy feature shows as unlicensed even though you have an Enterprise license. If you have a Platinum license, the feature appears to be licensed as normal. | Upgrade to NetScaler 11.1.48.10. | NetScaler 11.1.47.14. | https://support.citrix.com/article/CTX217582 |
A change in the file structure in NetScaler 10.1.122.17 may cause custom created monitors to dissapear. This may cause services to be marked as DOWN. | This happens because the script files for monitors are now in a new location. | https://support.citrix.com/article/CTX206715 | |
When booting NetScaler after a firmware upgrade an “Unable to load a kernel” error is displayed. | This may be caused by the NetScaler kernel file being missing from /flash. You could try to temporarily boot from the copy of the kernel file that resides in /var and then reinstall the NetScaler firmware. | https://support.citrix.com/article/CTX202541 | |
If you force the nsroot password to be changed on next logon and specify strong password requirements, any password is accepted. | Upgrade to NetScaler 11.1.51.26. | ||
After disabling TLS 1.1 on NetScaler, Outlook clients cannot connect to Exchange through the Load Balancing Virtual Server. | The NetScaler Load Balanced Virtual Server only listens on TLS 1.2 but the Outlook clients are sending a Client Hello using TLS 1.1. Make sure that the Outlook clients have TLS 1.2 enabled or else enable TLS 1.1 on NetScaler again. | https://support.citrix.com/article/CTX212141 | |
NetScaler Compression policy is not working as expected for JavaScript when AppFirewall is turned on. | Change the “Cache-Control” header to not include “no-transform” directive. There are a few modules in NetScaler such as AppFlow and AppFirewall which need uncompressed responses. For these scenarios, we either delete or corrupt the Accept-Encoding header coming from the client. | https://support.citrix.com/article/CTX220664 | |
AEM-GCM ciphers cause memory leak on VPX appliances. The VIP which has these ciphers bound goes DOWN due to high memory usage. | Upgrade to NetScaler 11.0.68.12 and above or NetScaler 11.1.49.x and above. Whilst waiting to upgrade a workaround involves failing over to a secondary appliance in an HA setup and rebooting the primary appliance to free up the memory leak. | https://support.citrix.com/article/CTX217918 | |
NetScaler is sending a NTLMv2 response in a Type3 message event though it was configured to send NTLMv1 responses. | This happens because the backend server is sending a Negotiate Target Info message in the Negotiate Flag. To fix, disable NTLMv2 on NetScaler using CLI or make sure the backend server does not set Negotiate Target Info in the Negotiate Flag. | https://support.citrix.com/article/CTX221081 | |
High Availability is not working on NetScaler and error message “Secondary node was down and peer device was unknown” is displayed. | All interfaces were set to send tagged traffic and there was no interface to send untagged traffic or native vLAN traffic. This caused issues as heartbeat traffic was unable to route. After creating an Access Port on the switch, untagged traffic could be sent via this port. | https://support.citrix.com/article/CTX217930 | |
Performance issues with NetScaler MPX SSL. | To resolve, create a TCP profile, increase the buffer size and then bind it to the affected Virtual Server. | https://support.citrix.com/article/CTX207005 | |
Single Sign-On to StoreFront fails if the TCP Fast Open option is enabled for the TCP profile of a manually created NetScaler Gateway Virtual Server. | NetScaler 12.0.41.16. | ||
IE7 browser does not display the Gateway Portal if the portal theme is set to Default, X1 or GreenBubble. RfWebUI works. | NetScaler 12.0.41.16. Still exists in NetScaler 12.0.51.24. | ||
After upgrading VMware ESX to 6.0, you get message “VMware Tools: Out of Date” on the VPX virtual machine. | This is because VPX uses a customised version of the VM Tools package which is not upgraded during an ESX upgrade. This will not affect the functionality of the VPX. To use the latest customised VM Tools, upgrade to any released build after 11.0.65.x or any 11.1 builds. | https://support.citrix.com/article/CTX224604 | |
Upgrading NetScaler to 12.0 via GUI fails because “libvpath_if.so” is missing. | Upgrade from CLI or else copy “libvpath_if.so” from any 11.1 builds to the 12.0 build and try to upgrade NetScaler from the GUI again. | https://support.citrix.com/article/CTX224806 | |
EPA scans fail on Windows 10 but the same scan works on Windows 8.1. | The OPSWAT library in NetScaler 10.5 and earlier does not support Windows 10. Upgrade to NetScaler 11.0.64.34 or later. | NetScaler Gateway 10.5. | https://support.citrix.com/article/CTX205106 |
NetScaler services go DOWN for a few seconds and during that time the newnslog shows error “Failure – TCP connection successful, but application timed out”. | What this means is that the server is accepting connections, but not actually serving pages which is likely do to a backend issue on the web servers. | https://support.citrix.com/article/CTX215481 | |
When browsing to any internal or external websites using Secure Web you receive an “HTTP/1.1 Gateway Timeout” error. | This could be due to the NetScaler unable to resolve the hostname via DNS. Make sure that NetScaler is able to resolve the address of internal and external websites. | https://support.citrix.com/article/CTX227220 | |
Citrix Receiver can not be detected when browsing to the NetScaler Gateway portal and using the latest versions of Firefox. | Firefox dropped support for NPAPI plugins which causes this issue. This is now resolved in NetScaler 11.1.55.10 and 12.0.51.24 builds. | ||
After an upgrade to NetScaler 11.1, SSO to ShareFile fails. | Create and bind a Traffic Policy to the NetScaler Gateway Virtual Server which turns off SSO for requests that contain a “Bearer” header. This is only applicable if you want to enable SSO at the NetScaler for ShareFile to override the client’s SSO behaviour. | https://support.citrix.com/article/CTX227271 | |
After an upgrade to NetScaler you can no longer access the management GUI. | Log on to the NetScaler via SSH and check if “VPN UI Theme” is set to “CUSTOM” by running command “show vpn parameters”. If it is, run command “set vpn parameter -UITHEME DEFAULT” and then try to access the GUI, | https://support.citrix.com/article/CTX227345 | |
Users are prompted for authentication while attaching files through Outlook Web Access or SharePoint which is load balanced through NetScaler. | There is a setting that turns off Single Sign-On if the user does not complete sending data in 3 seconds. You can verify this by viewing the “svpn_tot_sso_dnsbq_acc_timer_timedout” counter and running a command in FreeBSD to increase the value as mentioned in the CTX article. | https://support.citrix.com/article/CTX209066 | |
When creating a new SSL Profile in NetScaler via the GUI you receive error “Invalid argument [strictsigdigestcheck]”. | This has been resolved in NetScaler 11.1.55.10. As a workaround, you can use the CLI. | Citrix NetScaler 11.1.54.14. | https://support.citrix.com/article/CTX227448 |
With NetScaler as a SAML IdP, your web browser receives error “Parsing of presented Assertion failed. Please contact your administrator”. In “newnslog” you see events such as “saml_assertion_parse_fail” and “aaa_samlidp_tot_authnreq_fail”. | When an unsigned authentication request is send with “NameIDPolicy”, NetScaler as an IdP fails to parse the incoming request. This is a known issue and has been resolved in NetScaler 12.0.53.6. As a workaround you can configure the SAMP SP to send signed authentication requests. | https://support.citrix.com/article/CTX227514 | |
NetScaler VPN client with AlwaysOn configured keeps trying to connect to VPN even when the machine is on the Intranet. | This is a known issue. To resolve, upgrade to NetScaler 12.0.53.6 or 11.1.56.x. | https://support.citrix.com/article/CTX227102 | |
OCSP Responder does not work if configured in a non-default Traffic Domain. | OCSP is not supported in a non-default Traffic Domain. Move the OCSP Responder onto the default Traffic Domain. | https://support.citrix.com/article/CTX215698 | |
In a cluster, the “HTTP Request” value on a Load Balanced monitor may be different between each node. | This is a bug, upgrade to NetScaler 11.1.55.x. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX227492 |
ns.log may be filled with entries such as “NS_ICA_ERROR: Invalid buffer length file no”. This causes excessive logging on the syslog server and ns.log is filled with the same logs. | Upgrade to NetScaler 12.0.51.24 or 11.1.54.16. Alternatively as a workaround you can disable the logging of type “NOTICE” by running CLI command “set syslogParams -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING INFORMATIONAL”. | https://support.citrix.com/article/CTX225646 | |
Passthrough to StoreFront fails after upgrading NetScaler to 11.0.67.12 with error “Http/1.1 Internal Server Error 43531”. | Add a SNIP in to the same subnet as the non-routable StoreFront VIP address or add a route on NetScaler so that one of the current NetScaler SNIPs can route to the non-routable StoreFront Load Balancing VIP. | Citrix NetScaler 11.0.67.12. | https://support.citrix.com/article/CTX216509 |
EPA scans fail on Windows 10 clients with message “Access Denied. Your device does not meet the requirements for logging on to the secure network”. In Event Viewer on the client machine you see “A fatal error occured while creating a TLS client credential. The internal error state is 10013”. | Disable SSL 3.0 on the client machine. | https://support.citrix.com/article/CTX221593 | |
If NetScaler sends a “Content-Length” header to the backend server(s) with a value of 0 and the servers are not configured to expect such requests, the backend server may reject the request and terminate the connection. This will cause large uploads to fail. | Using “nsapimgr” you can disable the NetScaler’s new functionality on how it handles large post requests. In NetScaler 11.1.54.x and onwards, there is a new feature where NetScaler in the event of a large POST request (such as a large file upload) being received, NetScaler sends an additional POST request with Content Length 0 to the backend server as a mechanism to avoid failure during the large file upload. | Citrix NetScaler 11.1.54.x | https://support.citrix.com/article/CTX225681 |
When connecting to NetScaler Gateway VPN, you receive error “The server met an error. Please try again or contact your administrator”. | Within your Session Profile, change the “Plug-in Type” from “Java” to “Windows/MAC OS X”. | https://support.citrix.com/article/CTX226938 | |
Policy bindings are lost after a reboot even if the running configuration was saved. | Upgrade to NetScaler 10.5.59.11. | Citrix NetScaler 10.5. | https://support.citrix.com/article/CTX214714 |
Citrix Receiver users are unable to enumerate applications and receive a “No applications available” message when using Unified Gateway. When logging on to NetScaler via a web browser, you can access your applications. | Check the Content Switching Policy and remove your storename from the expression if it exists. | https://support.citrix.com/article/CTX215087 | |
Unable to launch applications from NetScaler Gateway using Google Chrome if “Client Selective Trust (CST)” is enabled. | This is a known issue. Follow the steps from the CTX article to configure Google Chrome so that you can access resources via NetScaler Gateway with CST enabled. | Google Chrome. | https://support.citrix.com/article/CTX221662 |
When using RDP Proxy, you receive error “Your computer can’t connect to the remote computer because the Connection Broker couldn’t validate the setting you specified in your RDP file”. | This is because the server you tried to connect to had the “Remote Desktop Session Host” role installed, which RDP Proxy does not support at this time. An enhancement request to support this scenario is with Citrix. | Citrix NetScaler RDP Proxy. | https://support.citrix.com/article/CTX227538 |
Internet Explorer 8 does not display the NetScaler Gateway portal correctly when the portal theme is set to “Default”, “Greenbubble” or “X1”. | This is a known issue and a bug “ID 669942” is currently open. | https://support.citrix.com/article/CTX227539 | |
The “XenApp and XenDesktop Wizard” view on NetScaler Gateway shows “0” under “HDX Session”. | “ICA Only” should be set to “true” under the basic settings of your NetScaler Gateway Virtual Server. | https://support.citrix.com/article/CTX227574 | |
After logging on to NetScaler Gateway users receive a “Not a privileged user” error. | User is being denied by an authorization policy. Check the “Default Authorization Action” and any lower level authorization policies that may apply to the affected user. | https://support.citrix.com/article/CTX227576 | |
Proxy NTLM authentication no longer works after an upgrade to NetScaler 11.0.69.x. | NetScaler in build 11.0.69.x and newer no longer supports the “Proxy-Connection” header. As a workaround, use “nsapimgr” to turn Proxy Connection header support back on. | Citrix NetScaler 11.0.69.x. | https://support.citrix.com/article/CTX227603 |
A clear config crashes NetScaler. | Citrix are working on a fix. | https://support.citrix.com/article/CTX227819 | |
If more than 120-250 users simultaneously attempt to reach intranet resources through NetScaler Gateway, there are sudden connection drops for new and existing users and NetScaler would hang/crash. | This is a known issue and Citrix are working on a resolution. As a workaround, disable compression using CLI command “unbind tunnel global ns_tunnel_cmpall_gzip”. | https://support.citrix.com/article/CTX227924 | |
NetScaler crashes frequently due to number of URLs being written which exceeds fixed size array. | Upgrade to NetScaler 11.1.56.x | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX227943 |
Enterprise or Personal Bookmarks do not appear when using Clientless Access. | Make sure Clientless Access is enabled, your Virtual Server has “ICA Only” set to “false” and the theme being used has “Show Enterprise Websites Section” and/or “Show Personal Websites Section” checked. | ||
After a fresh, non-upgrade install of Mac OS High Sierra, when installing the NetScaler Gateway plugin you receive error “System Extension Blocked” and VPN connections do not work. | Allow the blocked extensions by navigating to “System Preferences -> Security & Privacy”. | Mac OS High Sierra. | https://support.citrix.com/article/CTX228097 |
On an HTTP/SSL Load Balancing Virtual Server, some of the HTTP response to client is stripped if Cookie Persistency is used within a Traffic Domain. | Upgrade to NetScaler 11.0.71.x, 11.1.56.x or 12.0.55.x | https://support.citrix.com/article/CTX228092 | |
When binding an EPA scan policy to a NetScaler Gateway Virtual Server you receive error “Binding invalid policy”. | Make sure ICA only mode is switched off on the Virtual Server as EPA scans require SmartAccess to be enabled. | https://support.citrix.com/article/CTX206431 | |
The VPN plugin does not display the device certificate dropdown. | Either only have one device certificate on the system or else make sure the CN or the DN are in the subject field within the certificate. | https://support.citrix.com/article/CTX228085 | |
When binding two certificates from different issuing CAs, you receive an error if the certificates have the same AIA value. | There is a security check added in build 11.1.55.x onwards. | Citrix NetScaler 11.1.55.x. | https://support.citrix.com/article/CTX228136 |
High Availability synchronisation fails with “-internaluserlogin DISABLED” command. | On both nodes, check directory permissions are correct as explained in the CTX article. | https://support.citrix.com/article/CTX214822 | |
After an upgrade of NetScaler 11.0 to 11.1, MEP is flapping every 5 seconds. | This is caused by AppFlow connection chaining being enabled on only one of the nodes. As a workaround, enable AppFlow connection chaining on the both nodes before upgrading. A permanent fix to this issue is expected in NetScaler 11.1.56.x and 12.0.55.x | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX228192 |
Upon accessing the GUI of a VPX, the appliance freezes. | Increase RAM from 2GB to 4GB as per Citrix recommendation. | https://support.citrix.com/article/CTX228222 | |
ICA sessions may suddenly hang or freeze and nslog shows “NS_ICA_ERROR: Invalid buffer length file no = 1191 line no = 2”. | Upgrade the VPX running on SDX to 11.1.54.121. | Citrix NetScaler SDX 89xx. | https://support.citrix.com/article/CTX228250 |
In a GSLB setup, you notice the Packet Engine CPU at 100% due to a high amount of loopback interface traffic and high “arp_tot_skip” counters. | Upgrade to NetScaler 11.1.52.x or 12.0.51.x. | https://support.citrix.com/article/CTX228267 | |
“Select one of the following options” appears if HSTS is checked in an SSL Profile or on the NetScaler Gateway Virtual Server and RfWebUI is used. This occurs just after authentication and even when “Client Choices” is unchecked. | This is currently with Citrix and will be resolved in an upcoming release. As a workaround, insert the STS header via a Rewrite policy. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX228504 |
Newnslog files are flooded with “nsssf_handler” debug messages. This causes the “var” directory to become full. | This is a known issue. Upgrade to NetScaler 11.1.53.x. | https://support.citrix.com/article/CTX228546 | |
From an Admin Partition, NetScaler sends reply packets to the loopback interface of the default partition. | Upgrade to NetScaler 11.1.56.x. | https://support.citrix.com/article/CTX228612 | |
Upon binding multiple certificates or a wildcard certificate to a single Virtual Server to be used with SNI, Load Balanced web pages return “Page cannot be displayed”. | Check “Server Certificate for SNI” under the Server Certificate Binding to enable SNI. | https://support.citrix.com/article/CTX228036 | |
After enabling IPv6 on NetScaler, the appliance crashes. | Upgrade to NetScaler 11.1.55.13 or 12.0.53.13. | Citrix NetScaler 11.0 and 11.1. | https://support.citrix.com/article/CTX228710 |
In a clustered setup, when renaming an Authentication Virtual Server, eccCurveName bindings do not update to reflect being bound to the new updated AAA name. | This is a known issue and is currently being tracked under bug #689754. | https://support.citrix.com/article/CTX228696 | |
After an upgrade to NetScaler 11.1.49.16, user sessions are randomly disconnected. | Upgrade to NetScaler 11.1.53.x or 12.0.34.x. | Citrix NetScaler 11.1.49.16. | https://support.citrix.com/article/CTX224246 |
When creating an EPA scan within a Session Profile, the fields are displayed with values of 0’s and 1’s. | This is a bug and will be fixed in build 12.0.56.12. Create the expression via CLI as a workaround. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX228767 |
Load Balancing services flapping due to the monitor probes fluctuating. | This issue was experienced with a High Availability pair that had one node on VMware and the other on Hyper-V as a result of an on-going Hypervisor migration. | https://support.citrix.com/article/CTX228764 | |
After installing hotfix “KB3025390” the EPA plugin does not run as expected. | Edit “epa.html” and “postepa.html” using the steps provided in the CTX article. | https://support.citrix.com/article/CTX200357 | |
EPA scans fail occasionally with Safari or Firefox web browsers and display error “3006”. | Install the NetScaler Gateway plug-in on the client machines before EPA scans are performed. | https://support.citrix.com/article/CTX127026 | |
Outlook 2016 shows as disconnected after an upgrade to NetScaler. | Disable “Media Classification” on NetScaler to prevent HTTP buffering occurring on responses to the client. | https://support.citrix.com/article/CTX228620 | |
Monitor probes fail to LDAPS over port TCP 636 due to the renegotiation extension missing from Client Hello. | As a workaround, disable “HSTS” on the backend SSL Profile. Citrix are working on an enhancement request for upcoming releases. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX228865 |
When launching applications or desktops you receive error “Cannot connect to the Citrix XenApp server.Network issues are preventing your connection” or “Unknown client error 0”. | There may be a mismatch between the STAs defined on NetScaler versus those defined on StoreFront. A firewall may be blocking communication or STA server entries may be missing from your NetScaler Gateway Virtual Server. | ||
Adaptive Transport (EDT) does not work through NetScaler Gateway. | Make sure Session Reliability is enabled within the NetScaler Gateway configuration portion of StoreFront. Also make sure DTLS is enabled on your NetScaler Gateway Virtual Server. | ||
After authenticating to NetScaler Gateway, you receive message “There are no apps or desktops available to you at this time”. | Even though the Session Profile looked correct, the “Home Page” under “Client Experience” was mistakenly checked. After unchecking, applications and desktops displayed. | ||
Authentication from an iOS device to NetScaler fails when the password contains the £ character. Android devices do not experience the same. | Upgrade to NetScaler 11.1.56.x or 12.0.56.x. | https://support.citrix.com/article/CTX229089 | |
After logging on to NetScaler Gateway, the page continuously spins rather than going to StoreFront. | This issue does not affect all browsers. This fix will be resolved in future versions of NetScaler. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX229091 |
NetScaler crashes if SSL Proxy is configured and CVPN is used for application access. | This is a known issue and is fixed in NetScaler 11.0.71.12, 11.1.55.7 and 12.0.56.16. | https://support.citrix.com/article/CTX229138 | |
NetScaler appliance crashes due to kernel memory corruption. In the “messages” file within “/var/log” shows “Core dump of pid xxx uid zzz could not be done”. | Upgrade to NetScaler 11.0.71.x, 11.1.51.x or 12.0.24.x. | Citrix NetScaler 11.0, 11.2 and 12.0. | https://support.citrix.com/article/CTX229201 |
On an HA pair, with “Sync State” disabled, memory will spike up to more than 90%. | Enable HA synchronization again, or if it is disabled due to different firmware versions between nodes, update them to be the same. | https://support.citrix.com/article/CTX229369 | |
After a high availability failover, all VIPs in one Admin Partition are no longer reachable. VIPs in the default Admin Partition are reachable. | This was a known issue and has been resolved in NetScaler 11.1.56.x and 12.0.56.x. | https://support.citrix.com/article/CTX229417 | |
OCSP Stapling does not work as NetScaler is unable to send the certificarte revocation status to the user. | As a workaround, follow the steps provided in the CTX article to configure OCSP Responder. | https://support.citrix.com/article/CTX229479 | |
When evaluating a rewrite action via the GUI you get error “Cannot convert undefined or null to object”. | This is a bug now resolved in NetScaler 12.0.53.13. The request was being parsed as text rather than HTML. | https://support.citrix.com/article/CTX229508 | |
After an upgrade to VPX 12, vSphere reports high CPU on NetScaler even though the CPU utilisation is low. | This is expected behaviour in NetScaler 12.0 builds because CPU yielding for the VPX has been disabled. If you want to override this behaviour issue command “set ns vpxparam -cpuyield YES”. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX229555 |
When accessing StoreFront through NetScaler Gateway the page gets stuck at “/cgi/setclient?wica”. | This can happen if USIP (Use Source IP) is enabled. This would result in the source client IP from the internet being used to connect to StoreFront. Disable USIP. | https://support.citrix.com/article/CTX208180 | |
When running a Qualys Security Scan on NetScaler the NetScaler Gateway becomes inaccessible over port HTTPs during the scan. | This is a known issue and will be fixed in upcoming NetScaler 11.1 and 12.0 releases. | https://support.citrix.com/article/CTX229675 | |
You receive error “4009 User Not Found” when authenticating to NetScaler Gateway using User Principal Names, however the samAccountName method works for the same user. | Check the users account in Active Directory, it is likely that the “User logon name” fields are blank under the “Account” tab. | ||
When launching an ICA session from NetScaler Gateway you may receive SSL “Error 58” or SSL “Error 27” depending on which Receiver version you have installed. | This can happen if the have “Client Certificate” authentication enabled for a subset of users but do not redirect ICA sessions through a NetScaler Gateway vServer that has Certificate Authentication unchecked. | ||
When accessing a web based application Load Balanced by NetScaler you intermittently receive “404 Page not found”. NetScaler traces show traffic going to the wrong back-end port or wrong back-end server which does hot host the resources being requested. | This is caused by Connection Multiplexing being enabled on the Load Balanced VIP that uses wildcard Service Groups. Disable Connection Multiplexing in an HTTP Profile bound to the Load Balanced Virtual Server. | https://support.citrix.com/article/CTX229845 | |
VLAN configuration is lost when NetScaler fails over to the second High Availability node. | Compare ns.conf on each appliance for differences. Also check that the Link Aggregation channel configuration is identical on both appliances. | https://support.citrix.com/article/CTX229896 | |
If you have configured a “Respond with HTML Page” Responder Action and the HTML Page name starts with an Upper Case character, there is a problem displaying it in the GUI. The CLI is not affected. | The issue does not occur if the HTML page starts with a lower case character. This is a known issue and will be fixed in a future build. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX229900 |
Endpoint Analysis Scans created using OPSWAT do not work on macOS 10.13 High Sierra. Classic EPA policies do work. | OPSWAT does not seem to support macOS 10.13 at this time. | Apple macOS 10.13 and OPSWAT. | https://support.citrix.com/article/CTX229928 |
When signatures are bound to an App Firewall profile, latency is observed on Virtual Servers due to an increase in NetScaler CPU consumption. | Disable signatures that are generic and receiving a lot of hits, but can be done without. | https://support.citrix.com/article/CTX229989 | |
You receive authentication failures when your password contains the “£” character. | This occurs only on iOS devices when using 401 based authentication and is not experienced using forms based authentication or using any authentication on other devices. Citrix are working on a solution. | Apple iOS. | https://support.citrix.com/article/CTX229089 |
In a double-hop scenario the STA server which is bound to the NetScaler in hope 1 is marked as DOWN. | Upgrade to NetScaler 11.1.56.15 or 12.0.53.13. | https://support.citrix.com/article/CTX230067 | |
After enabling AppFlow NetScaler generates core files. Syslog shows that the NetScaler restarts. | Upgrade to NetScaler 11.1.57.x or 12.0.56.x. | https://support.citrix.com/article/CTX229852 | |
NetScaler may become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives a corrupted request. | Upgrade to NetScaler 11.1.56.15. | ||
When forcing failover in a high availability setup, the secondary node reboots and failover does not occur.. | This happens because the SSL handshake crashes the Packet Engine. Upgrade to the latest NetScaler 11.1 or 12.0 builds. | Citrix NetScaler 11.0. | https://support.citrix.com/article/CTX230126 |
Newnslog files do not compress resulting in “/var” filling up. | Follow the steps included in the CTX article to determine if the “nslog.nextzip” file has a value. | https://support.citrix.com/article/CTX205014 | |
When trying to authenticate to a NetScaler AAA Virtual Server that uses the RfWebUI theme and that has Classic Authentication Policies configured as Primary and Secondary, the authentication process does not complete after providing OTP/token code in the last factor. If the X1 theme is used, the issue does not occur. | This error is due to Classic Authentication Policies not being supported by the RfWebUI theme when used with AAA. Instead, use Advanced Authentication Policies. | https://support.citrix.com/article/CTX230166 | |
After browsing to the NetScaler Gateway login page using Internet Explorer you can enter the username/password but when pressing the “Enter” keyboard key the browser does not send the username and password to NetScaler. You therefore have to manually click the “Log On” button. This does not happen with other browsers. | IE Browser Emulation was the cause of this issue, setting an IE11 browser to act like IE8. Once the “Document mode” is set to “Edge” and the “Browser profile” is set to “Desktop” the enter key should work during logon. | Microsoft Internet Explorer | https://support.citrix.com/article/CTX230208 |
You are unable to see all service group members in reporting when rying to add a counter of type “System Entities Statistics -> Service Group Member -> Entities”. Only the first 100 entries are returned. | This only affects VPX appliances provisioned on SDX. Citrix are working on a solution. | Citrix NetScaler 10.0, 11.0 and 12.0. | https://support.citrix.com/article/CTX230195 |
NetScaler appliance becomes unresponsive and logs contain “Error=80000004 in nsagg_process_stat_request”. | This is a known issue due to the “nscollectmap.xml” file either being missing or corrupted. You should upgrade to the latest version of NetScaler 11.0 to fix. | https://support.citrix.com/article/CTX230294 | |
With NetScaler acting as an IdP to multiple SPs, SAML Assertion works only for one SP. | Multiple SPs cannot be evaluated using “GoTo Expression” when bound via the GUI. Remove the current SAML IdP policies and bind them again using the CLI with a “GoTo Expression” of “NEXT”. | https://support.citrix.com/article/CTX230267 | |
In a High Availability pair certificates on the primary appliance are not synced to the secondary and there is no synchronization errors. | This happens when multiple certificates are installed on the primary node with the same certificate file names. Install the certificates again but with unique names. | https://support.citrix.com/article/CTX230239 | |
When launching an application via NetScaler using Receiver for Windows 4.2 to 4.9 you receive error “SSL Error 47: An unclassified SSL network error has occurred”. | This happens when TLS 1.2 is selected as part of the SSL handshake between client and NetScaler however the NetScaler presents a SHA1 certificate. Instead, bind a SHA256 certificate to NetScaler Gateway. | https://support.citrix.com/article/CTX230233 | |
You notice that the NetScaler InUse memory constantly sits above 70%. | This happens due to NETPCBs hanging around and taking up a lot of memory. This issue can be mitigated by command “set rskeytype -rsstype SYMMETRIC”. | https://support.citrix.com/article/CTX230232 | |
NetScaler compacting and sending packets but applications do not work as a result. | Devices in the middle of the route are not accepting the compacted packets NetScaler sends for some reason and must be investigated and configured to accept these packets as per RFC standard. | https://support.citrix.com/article/CTX230438 | |
You cannot connect to a backend web server through NetScaler due to “Fatal alert: handshake failure”. | This is due to the backend server requiring an SNI extension to be present in the “Client Hello” packet from NetScaler. Enable SNI on NetScaler via CLI command “set vpn parameter backendServerSni ENABLED”. | https://support.citrix.com/article/CTX230681 | |
After an upgrade from NetScaler 11.0 to 11.1 when editing an existing VPN Virtual Server through the XA/XD Wizard you only see a spinning circle and StoreFront information is not displayed. | Upgrade to NetScaler 11.1.56.15 which has the fix. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX230600 |
The public IP of a service intermittently appears in the GSLB response for a domain. | This is a known bug. Unbind the Responder policy that uses a Rate Limiting Expression or use DNS Policies instead of Responder. | Citrix NetScaler 11.1 and 12.0. | https://support.citrix.com/article/CTX230599 |
When logging on to StoreFront that has FAS enabled, via NetScaler Gateway, you may receive the following error after logging out “Cannot log on using smart card. Please close your browser to protect your account”. | An enhancement request has been raised as seamless logout from NetScaler Gateway and IdP is not supported at the moment. In the meantime, close your browser window after logoff from StoreFront. | https://support.citrix.com/article/CTX230620 | |
When setting up SAML SSO a web browser reports error “RelayState in SAML authentication request is too big. Please contact your administrator”. | This was due to a hard coded limit in NetScaler which did not allow RelayState to exceed 1024 bytes. Upgrade to NetScaler 11.1.53.11. | Citrix NetScaler 11.0 and 11.1. | https://support.citrix.com/article/CTX225483 |
When logging on to NetScaler Full VPN you receive error “Windows cannot find ‘C:\program’. Make sure you have typed the name correctly, and then try again”. | Upgrade to the latest NetScaler 11.1 or 12.0 release which will contain the fix. | https://support.citrix.com/article/CTX230602 | |
When Split Tunnel is ON external traffic is unreachable. | When Split Tunnel was switched ON the proxy settings in Internet Explorer were being modified after connecting to VPN. Upgrade to NetScaler 10.5.67.10, 11.1.56.15 or 12.0.56.x. | https://support.citrix.com/article/CTX230591 | |
When attempting to open and edit SharePoint documents through Microsoft Word or a web browser via NetScaler you receive error “File could not be found” on MAC and “Unable to open the document” on Windows. | The issue lies with how NetScaler is handing the OPTION request. Follow the CTX article steps to resolve. | https://support.citrix.com/article/CTX230802 | |
Mobile devices cannot sign in to Lync, delivered through NetScaler. | As per Microsoft recommendation you should use protocol “SSL_TCP” on the Lync Load Balanced Virtual Server(s) rather than SSL. | https://support.citrix.com/article/CTX230772 | |
NetScaler crashes and generates a core NSPPE file if a particular sequence of white space and CR-LF characters are sent to an HTTP or SSL virtual server instead of a valid HTTP request. | This is a known issue. Uprade to NetScaler 11.1.56.15. | Citrix NetScaler 11.1.55.13. | https://support.citrix.com/article/CTX230826 |
NetScaler VPX on XenServer encounters service flapping, VIPs going down and interfaces reporting “Hangs” and “Stalls”. | This is a known issue and is fixed in NetScaler 11.1.56.19. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX230832 |
The High Availability status between two VPX nodes is flapping after a VPX configuration restore, even though both nodes are online. | The SDX SVM was missing the XenServer IP hosting the VPXs under “Network Configuration”. | Citrix XenServer. | https://support.citrix.com/article/CTX230963 |
After enabling HSTS (Strict Transport Security) on a VIP clients cannot browse the VIP. | As per RFC 6797, if using HSTS, there are certain requirements for redirecting ports as per the CTX article. | https://support.citrix.com/article/CTX230915 | |
A warm reboot of a VPX hosted on SDX causes SSL chips for that VPX to go down. | Upgrade to NetScaler 11.1.56.x or 12.0.14.x. | https://support.citrix.com/article/CTX230909 | |
When NetScaler is acting as a SAML IdP, the SAML logout response does not contain a “Destination” attribute. This causes SAML SPs to not correctly process the logout response, resulting in logout failure and possibly an error page generated by the SP. | This is a known issue and will be fixed hopefully in a February 2018 release of NetScaler. | https://support.citrix.com/article/CTX230898 | |
You may face an intermittent issue with the NetScaler management CPU spiking to 100% and causing VIPs and LDAP configuration to go down. | This happens when you configure LDAP on NetScaler to use TLS, causing the NetScaler aaad process to consume 100% CPU. Either use PLAINTEXT or else avoid a blocking call from AAAD to LDAPS as explained in the CTX article. | https://support.citrix.com/article/CTX230883 | |
If you have a Login Schema that contains custom labels and credentials, you cannot modify it using the GUI and will receive error “Invalid XML >> null”. | There is an enhancement request to allow you to edit such Login Schema’s. In the meantime, use the CLI or a text editor. | https://support.citrix.com/article/CTX230972 | |
The Primary NetScaler in a High Availability pair is showing the Secondary appliance as UP even though the appliance is DOWN. | This happened due to the “Hello” and “Dead” intervals being incorrectly configured. | https://support.citrix.com/article/CTX231016 | |
Enhanced Authentication Feedback does not work properly during cascade authentication. For example, an error code may display but not any enhanced error reason when authentication fails. | Since a login attempt is evaluated against each authentication policy in this scenario, the end result if authentication fails may not be correct. There is an enhancement request to resolve this, however in the meantime you should find other solutions that avoids using cascade authentication if you need to use Enhance Authentication Feedback. One solution is to convert classic policies to advanced authentication policies. | https://support.citrix.com/article/CTX230677 | |
NetScaler devices reboot intermittently. | Upgrade to the latest 11.0, 11.1 and 12.0 builds. | https://support.citrix.com/article/CTX231086 | |
Certificate based authentication fails after upgrading to NetScaler 12.0. | This is a known issue, due to no “NONCE extension” being sent in the OCSP response. There are workarounds described in the CTX article. | https://support.citrix.com/article/CTX231133 | |
Device Certificate EPA scans fail with “Access Denied”. | You must be a local administrator of the machine in order for this EPA scan to succeed. Alternatively, if you install the NetScaler Gateway plug-in this component can access the certificate store for you. | https://support.citrix.com/article/CTX230397 | |
After upgrading to 11.1.56.19, SSO fails. Backend servers send a bad request response to NetScaler’s POST request. | This is a known issue due to NetScaler corrupting the POST request it sends to the backend server. As a workaround upgrading to NetScaler 12.0.53.22 is recommended. | Citrix NetScaler 11.1.56.19. | https://support.citrix.com/article/CTX231063 |
When you have a custom theme applied to NetScaler Gateway and a DFS authentication policy bound to the Virtual Server, the background image does not load. | This will be resolved in upcoming builds 11.0.72.x, 11.1.57.x, and 12.0.57.x. | Citrix NetScaler 11.0, 11.1 and 12.0. | https://support.citrix.com/article/CTX231154 |
In Azure, heartbeats are getting missed between NetScaler appliances configured for High Availability. | When CPU is not dedicated to NetScalers in Azure, NetScaler yields those CPUs to azure. When NetScaler wants to send heartbeats it cannot as the CPUs are unavailable. This causes failover. Upgrade to NetScaler 12.0.56.20 and run command “set ns vpxparam -cpuyield NO” to prevent CPU yielding. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX231147 |
When AppFirewall policies are bound to a Load Balancing or Content Switching Virtual Server, NetScaler may generate a crash file. | This bug is scheduled to be resolved in Q1 2018 builds. | Citrix NetScaler 10.5, 11.0 and 11.1. | https://support.citrix.com/article/CTX231219 |
You receive a “Operation timed out” error message when making changed to the primary NetScaler VPX. | In this case, the secondary VPX was hung and not accepting propagation commands from the primary VPX. In order to resolve, reboot the secondary appliance. | https://support.citrix.com/article/CTX231210 | |
FTP over TLS via NetScaler SSL VPN fails to connect. | Upgrade to NetScaler 11.1.57.x. | https://support.citrix.com/article/CTX230063 | |
When binding a certificate with SNI, NetScaler becomes unresponsive. A failover may also occur. | Upgrade to NetScaler 12.0.57.x scheduled Q1 2018. | Citrix NetScaler 11.0 and 12.0. | https://support.citrix.com/article/CTX231337 |
After upgrading to NetScaler 12.0, the command “nsconmsg -d current -g pol_hits” does not display policy hits. | Instead use commands “nsconmsg -d current -g _hits” or “nsconmsg -d current -g pcb_hits”. | Citrix NetScaler 12.0. | https://discussions.citrix.com/topic/392135-nsconmsg-d-current-g-pol_hits-not-showing-policy-hits/ |
After an upgrade to NetScaler 12.0, the Password Reveal “eye” symbol option no longer works. | This is by design in version 12.0 of NetScaler. To re-enable this option, modify a CSS file as described in the CTX article. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX231433 |
When you have a certificate that contains an ECC public key, you are unable to use that certificate to authenticate against NetScaler using Client Certificate Authentication. | Replace the bound CA certificate with one that has a matching ECC public key. If the client certificate is ECC the CA certificate bound at NetScaler must also be ECC. | https://support.citrix.com/article/CTX231492 | |
EDT does not work in a double-hop DMZ scenario. | Support for this scenario will be available in the next NetScaler 12.0 release in Q1 2018. | https://support.citrix.com/article/CTX231528 | |
SSO is failing for Form Based Authentication even though aaad.debug shows the authentication as successful. | In your LDAP profile set “ssoNameAttribute” to either “sAMAccountName” or set it to blank so that the username provided by the user is forwarded to the web server and not some other attribute from Active Directory. | https://support.citrix.com/article/CTX231561 | |
Published applications may not be displayed to users that run Receiver for iOS 7.4 or later with Smart Card authentication through NetScaler Gateway v11.1.54.x or 12.x. | This happens as NetScaler does not authenticate users properly when using Smart Card which results in application enumeration not working. Follow the CTX article to run an “nsapimgr” command to resolve. | Citrix NetScaler 11.1.54.x, 12.x. | https://support.citrix.com/article/CTX231643 |
When enrolling for NetScaler OTP authentication, when testing via the Manage OTP portal, you are returned error “Failed to verify OTP”. | This can happen when there is a time difference between NetScaler and the client device (mobile). | https://support.citrix.com/article/CTX231826 | |
After enabling AppFlow you notice that NetScaler restarts. | A fix will be released in NetScaler 12.0.57.x. As a workaround, change the AppFlow transport mode to “Logstream”. | Citrix NetScaler 12.0.56.20. | https://support.citrix.com/article/CTX231934 |
In a cluster setup, cluster synchronisation works fine but configuration synchronisation fails while re-joining a cluster group. After re-joining, all services show as down and no VIPs will be populated when running “sh ip” from the second (non-CCO) node. | This is resolved in NetScaler 12.0.57.x. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX231992 |
When attempting to launch an application you receive error “Cannot connect to the Citrix XenApp server. Network issues are preventing your connection”. | Based on a working and non-working WireShark trace, the non-working trace was sending a SYN-ACK from an incorrect MAC address. This was a cause of NIC teaming on Hyper-V. | Microsoft Hyper-V. | https://support.citrix.com/article/CTX232009 |
NetScaler monitor probes for LDAP return “Failure – Probe time out”. | This can happen in a large AD environment and as a best practice you should reduce the returned values to a smaller number. You can do this by using the “Filter” field under the “Configure Monitor” wizard. | https://support.citrix.com/article/CTX232063 | |
When logging into NetScaler full VPN after a PC restart you receive a connection timeout or interrupted connection. VPN logs may show “Entered critical section ns_SaveConfigFileCS” and “Your NetScaler Gateway session timed-out and you are not connected”. | Upgrade to NetScaler 12.0 which contains the fix. | Citrix NetScaler 11.0. and 11.1. | https://support.citrix.com/article/CTX232119 |
While doing SSO during an application launch, NetScaler crashes. | Upgrade to NetScaler 12.0.56.20. | Citrix NetScaler 12.0. | https://support.citrix.com/article/CTX232175 |
When an HTTP profile with HTTP/2 support is bound to a Virtual Server, connections to this Virtual Server are not making use of HTTP/2. | NetScaler requires ECC ciphers to be bound to the Virtual Server when using HTTP/2. | https://support.citrix.com/article/CTX232246 | |
SNMP cannot retrieve all entities of a Content Switching Virtual Server. If a Content Switching Virtual Server has a default Virtual Server bound to it then details are retrieved. | An enhancement request is currently with Citrix for this behaviour. | https://support.citrix.com/article/CTX232338 | |
When running through the NetScaler Gateway wizard error “Resource already exists” appears. | Delete all resources created by the wizard and try again. If this is a new environment, you can use command “clear ns config basic” to clear out all basic configuration. | https://support.citrix.com/article/CTX230513 | |
When using special characters to authenticate you receive error “Invalid credentials”. | There is a bug in the 11.1.48.x version of NetScaler Gateway plugin. Upgrading to 12.0.53.13 resolved the issue. | https://support.citrix.com/article/CTX232414 | |
When reading the “messages” log file from “var/log” you see continuous “ldap_bind user failed” and “ldap_first_entry returned null user not found” messages. | This is a known issue and resolved in NetScaler 11.1.57.11 or 12.0.56.20. | Citrix NetScaler 11.1 and 12.0. | https://support.citrix.com/article/CTX232381 |
EDT falls back to TCP instead of UDP intermittently. | Upgrade to NetScaler 11.1.57.x or 12.0.56.11 which contains the fix. | https://support.citrix.com/article/CTX232419 | |
Backups taken on an SDX appliance are never transferred to MAS and in the MAS logs you see errors “SCP Command Timed out on ” and “DeviceBackup from failed (Download issue)”. | Verify DNS is configured correctly on SDX to ensure it can resolve the MAS appliance FQDN. | https://support.citrix.com/article/CTX232439 | |
When creating or editing PBR policies or Extended ACL policies via the GUI you receive an “Operation not supported” error. | This is resolved in NetScaler 12.0.57.x. | Citrix NetScaler 12.0.53.13. | https://support.citrix.com/article/CTX232453 |
The RfWebUI portal theme causes Receiver error “Your account cannot be added using the server address. Make sure you entered it correctly. You may need to enter your email address instead”. | A fix for this issue will be released in an upcoming version of NetScaler however the issue is still currently under investigation. Other portal themes do not pose the same problem and this does not affect connections to NetScaler from a web browser. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX232428 |
A Server is detached from Service Group after a failover of NetScaler in a high availability setup. When attempting to re-bind the server you receive error “Resource already exists”. | This is a known issue and resolved in NetScaler 12.0.56.20. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX232533 |
When accessing SharePoint as a CVPN bookmark you receive error “Sorry, something went wrong while accessing SharePoint”. | Follow the steps in the CTX article to define the “SSO Type”, Traffic Policy and so on for use with SharePoint and CVPN. | https://support.citrix.com/article/CTX232586 | |
After NetScaler internally sends a DNS query to a DNS server, a “504 Gateway Timeout” error will be sent by NetScaler if a response to NetScaler for it’s DNS query is greater than 512 bytes. | This is normal behaviour of NetScaler as it drops DNS UDP responses greater than 512 bytes, however Citrix are investigating this as a future product enhancement. | https://support.citrix.com/article/CTX232602 | |
The memory of NetScaler keeps increasing and you see a large amount of current AAA sessions. | This can happen if you have a high Session Timeout value configured for AAA sessions. Lower the Session Timeout value to an interval of 120 minutes for example. | https://support.citrix.com/article/CTX232630 | |
In AWS the secondary NetScaler is unable to sync configuration from the primary and when you run “sync ha node” via CLI you receive error “Sync Failed”. | Network traffic between the same subnets are governed by firewall rules in AWS. You need to allow traffic between the HA synchronisation ports. | Amazon Web Services. | https://support.citrix.com/article/CTX232793 |
Emails sent with attachments through native email clients for Android and iPhone fail. | In this case the ActiveSync Load Balancing Virtual Server was sharing the same Content Switching Virtual Server as other Load Balancing Virtual Servers. Not all Load Balancing Virtual Servers required Client Certificate authentication, but Active Sync did. Create a separate Content Switching Virtual Server to be used for ActiveSync which has Client Certificate authentication set to “Mandatory”. | https://support.citrix.com/article/CTX232812 | |
GSLB wilcard location expressions such as “CLIENT.IP.SRC.MATCHES_LOCATION(“North America.US.*.*.*.*”)” do not get hits. | From NetScaler build 11.1.51.11 onwards you have to manually enable wildcard matches by using CLI command “set locationParameter -matchWildcardtoany YES”. | Citrix NetScaler 11.1.53.11. | https://support.citrix.com/article/CTX232884 |
User is presented with an “HTTP/1.1 Internal Server Error 43550” error when re-authenticating to AAA after a session timeout. | This is a known issue and will be resolved in build 11.1.56.19. Alternatively upgrade to NetScaler 12.0 which is not affected. | Citrix NetScaler 11.1.56.19. | https://support.citrix.com/article/CTX232902 |
System temperature on NetScaler SDX shows “Error”. | The latest SDX devices have been tested between 0C and 85C without any impact. You can use “ipmitool” to modify the threshold value for temperatures if the temperature. | https://support.citrix.com/article/CTX233001 | |
When a NetScaler Gateway is configured for IPv6, communication between NetScaler Gateway and a StoreFront Load Balancing virtual server on the same NetScaler is broken. | Upgrade to the latest 12.0.57.19 build. | https://support.citrix.com/article/CTX233072 | |
ShareFile file uploads are very slow when routing through NetScaler. | Fine tune the TCP options on NetScaler to improve upload times. | https://support.citrix.com/article/CTX233077 | |
When launching a desktop through NetScaler you receive error “Unknown client error 0” or “Unknown client error 1110”. | Windows 10 v1709 was released with enhanced Windows Defender security which now controls Windows Firewall. Make sure you have incoming firewall rules for TCP/UDP 1494/2598. | Microsoft Windows 10 1709. | https://support.citrix.com/article/CTX233143 |
Session Timeouts do not work for Outlook Web Access. | OWA continues to send requests as a manner of polling the server. You may want to identify the patters of the URLs used for monitoring OWA and bind then against a patset as explained in the CTX article. | https://support.citrix.com/article/CTX233146 | |
NetScaler crashes after installing or updating a certificate. | This will be resolved in later versions of 11.1.58.x and 12.0.x. As a workaround, disable AppFlow, perform the certificate installation and then enable AppFlow again. | Citrix NetScaler 11.0, 11.1 and 12.0. | https://support.citrix.com/article/CTX233166 |
After an HA failover, RDP sessions fail to reconnect with error “This computer can’t connect to the remote computer”. | Reconnections will be successful based on the “rdpCookieValidity” period configured on the “rdpClientProfile”. Set the value of “rdpCookieValidity” to something larger so that a timeout does not occur. | https://support.citrix.com/article/CTX233207 | |
NetScaler does not seem to sycnrhonise with configured NTP server. | AutoKey was selected within the NTP configuration, but not required. | ||
When installing an intermediate certificate on NetScaler under “Traffic Management -> SSL -> Certificates -> Server Certificates” you are asked to provide a private key. | Intermediate certificates should be installed under “Traffic Management -> SSL -> Certificates -> CA Certificates”. | Citrix NetScaler 12.0. | |
HTTP monitor probes fail with “Internal error: Resource unavailable to send probe”. | WireShark trace shows that the backend server is sending a connection reset with the TCP window size being set to 0. If there is a firewall between the NetScaler and backend server that has threat protection enabled, it needs to be disabled as this causes the TCP connection to close. | https://support.citrix.com/article/CTX233245 | |
CPU usage for the management CPU displays the wrong values. | This will be resolved in NetScaler 11.1.58.x and above. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX233306 |
When connected to full VPN through NetScaler you cannot access RDP/SMB servers but can access HTTP sites and use telnet. | This is a Layer 7 issue and in this case a Traffic Policy was configured with an expression of “true” and an action to control SSO to HTTP services. This as a result affected non-HTTP traffic. | https://support.citrix.com/article/CTX233260 | |
An unconfigured “UDP-ECV” monitor continues to mark a service as UP even though the backend server is shut down. | This happens because the monitor has not been configured to expect a particular string in the probe response, so assumes the service is in an UP state. Either configure the probe to look for a certain response or configure the service with a second monitor such as a PING monitor. | https://support.citrix.com/article/CTX233267 | |
When logging on to NetScaler you receive error “Operation not permitted – no FIPS card present in the system”. | The message can be safely ignored at the moment and Citrix will fix in an upcoming release. | Citrix NetScaler 12.0. | |
When using SNI on NetScaler DTLS connections for EDT or RealTime Audio over UDP are not established. | SNI is not currently supported with DTLS and must be disabled. | ||
After an upgrade to NetScaler 12.0.57.19 the Session Policy labels are named differently. | This is intentional. | Citrix NetScaler 12.0.57.19. | |
When installing a certificate you see error “The specified certificate is not yet valid”. | Correct the date and time on NetScaler so that the certificate can be verified. | https://support.citrix.com/article/CTX233398 | |
Via the GUI you cannot create a new Cipher Group. | Upgrade to NetScaler 12.0.57.24 or later. | Citrix NetScaler 12.0.57.19. | https://support.citrix.com/article/CTX233408 |
Integrated Caching does not work as expected. | The backend server was sending cacheable content which would only work with the “nocache” default policy. | https://support.citrix.com/article/CTX233412 | |
NetScaler is changing the chunk data and values received from a backend server. This causes the front-end client to fail. | This will be resolved in NetScaler 11.1.59.x. | https://support.citrix.com/article/CTX233426 | |
With Client Certificate and Device Certificate both enabled on NetScaler Gateway, one user connecting shows as anonymous when “show aaa session” is ran. | “Enable Authentication” must be checked on the NetScaler Gateway vServer properties and the Client Certificate authentication profile must have “User Name Field” set to “Subject:CN”. | https://support.citrix.com/article/CTX233491 | |
With only HTTPS access to NetScaler, you have mistakenly unbound the default certificate from the NetScaler IP “nshttps-127.0.0.1-443” internal service. | Log on to NetScaler via PuTTy and run command “bind ssl service nshttps-127.0.0.1-443 -certkeyname ns-server-certificate”. At this stage you will be able to browse the GUI again over HTTPS. | ||
When upgrading a highly available pair from 11.1.56.19 to 11.1.57.11 the secondary appliance crashes continuously. | This is due to a change in the order of the DHT namespace between 11.1.56.19 and 11.1.57.11. It is recommended that you upgrade to 11.1.58.x or any of the 12.0 builds. | Citrix NetScaler 11.1.56.19. | https://support.citrix.com/article/CTX233577 |
When connected to StoreFront internally via native Receiver, after moving to the internet and Always-On VPN connecting via NetScaler, you get error “There was a problem connecting: Store name” when trying to launch an application and refreshing Receiver throws error “Your apps are not available at this time”. | Native Receiver access to an internal/external store via Always-On VPN is not officially supported. The only workaround is to have the internal beacon reachable both internally and externally. | https://support.citrix.com/article/CTX233632 | |
When accessing web sites load balanced through NetScaler multiple times, images and other objects do not load as expected although the first visit works. NetScaler was found to be sending an HTTP 200 OK response on the first visit but subsequent visits causes NetScaler to respond with “HTTP 304 Not Modified” and “TCP-RST”. | In this case the backend web server was sending “null” in the 304 Not Modified response which is not RFC compliant. Edit the HTTP profile and add a Rewrite policy to delete “If-Modified-Since” headers as explained in the CTX article. | https://support.citrix.com/article/CTX233721 | |
Abnormally high traffic is detected on secondary NetScaler through TCP port 3011. | This is expected behaviour due to Stateful Connection failover. | https://support.citrix.com/article/CTX233806 | |
When using Optimal Gateway Routing and launching a session you receive an “Unknown client error 0” error or “Cannot connect to the Citrix XenApp server.Network issues are preventing your connection”.. | In this case authentication was happening on StoreFront rather than NetScaler Gateway, but “icaSessionTimeout” was set to “ON” in NetScaler. Switching it to “OFF” is required as AAA is not being used given that authentication does not happen at the NetScaler Gateway VIP. | https://support.citrix.com/article/CTX233853 | |
When creating a Content Switching policy you receive error “String length exceed maximum”. | The maximum policy length is 1499 characters for a Content Switching policy. You will need to create two policies if the expression length is longer. | https://support.citrix.com/article/CTX233818 | |
After an upgrade to NetScaler 12.0.57.19 AAA authentication fails with “Found extended error code 1245184”.. | This will be resolved in the next release of NetScaler. | Citrix NetScaler 12.0.57.19. | https://support.citrix.com/article/CTX233819 |
LDAP authentication fails consistently for specific users. | Make sure that within the LDAP profile, “Base DN” and “Search Filter” is set appropriately. | https://support.citrix.com/article/CTX233809 | |
When appliances part of a High Availability pair are both configured to send Syslog messages to an external server, only the primary can send them. | This issue will be fixed in NetScaler 11.1.58.x. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX233927 |
User cannot connect to full VPN through NetScaler Gateway. | Allow traffic to ports 3108, 3148, 3168 and 3188 through Windows Firewall. | https://support.citrix.com/article/CTX234018 | |
When unbinding a service from a Service Group in the GUI you receive message “No scuch server”. Unbinding via command line works. | This will be resolved in NetScaler 12.0.58.x. | Citrix NetScaler 11.1 and 12.0. | https://support.citrix.com/article/CTX234015 |
When creating a Session Policy you cannot see the “OPSWAT EPA Editor”. | Use OPSWAT EPA Editor when creating a Session Profile under the “Security Tab” and copy/paste in to the Session Policy Expression box. | Citrix NetScaler 12.0.57.x. | https://support.citrix.com/article/CTX233367 |
When “/var” is full, ns.log (newnslog) stops and does not automatically start when the var partition has been cleaned up. | Upgrade to NetScaler 11.1.57.x or 12.0.51.x as these builds restart the “nslog.sh” process automatically when disk space has been eased. | https://support.citrix.com/article/CTX234151 | |
After setting a value against “Max Login Attempts” and “Failed Login Timeout” you can not reset the value back to “0” in the GUI. | This needs to be done via the CLI and is expected behaviour. Use command “unset vpn vserver vservername.com -maxLoginAttempts” or “unset aaa parameter -maxLoginAttempts” if using AAA. | https://support.citrix.com/article/CTX234177 | |
NetScaler VPX appliances that are running on SDX and have not been configured for external authentication do not appear under “NetScaler -> Instances” when you log on to SDX as an external user by using RADIUS, LDAP or TACAS. This happens after an upgrade from SDX 10.5 or 11.0 to 11.1 or 12.0. | Log on to SDX using nsroot credentials. Navigate to “System -> User Administration -> Group -> Edit”, under “Instances” move the “Available instances” to “Configured instances” and click “OK”. Log on as an external user and confirm you see the appliances. | https://support.citrix.com/article/CTX234229 | |
NetScaler installed on Nutanix AHV gets stuck when it tries to load the kernel and the “/var” partition is missing. | The disk was connected as a SCSI device rather than IDE. | https://discussions.citrix.com/topic/394112-netscaler-gateway-vpx-kvm-acropolis-hypervisor-no-boot | |
You receive message “pluginlist.xml file is tampered, or NetScaler version is older” when using a newer EPA Plugin than NetScaler. | Update “pluginlist.xml” files on NetScaler and add a new plugin-node to the file. | https://support.citrix.com/article/CTX234364 | |
With Split Tunnel off, a user who is connected to an online service using a client application then connects to NetScaler VPN but is still able to use the online service. | Use the “Kill Connections” option within your NetScaler VPN Session Profile. This will terminate pre-existing client connections when a connection to NetScaler VPN is made. | https://support.citrix.com/article/CTX234401 | |
The running and saved configuration may show differences after an upgrade to NetScaler 12.0.57.19. | Upgrade to NetScaler 12.0.57.24 or later. | Citrix NetScaler 12.0.57.19. | https://support.citrix.com/article/CTX234528 |
When creating policy expressions you may receive error “No support to set compound expression value”. | Classic policies are deprecated. | https://support.citrix.com/article/CTX234716 | |
Syslog shows “packets dropped due to licensed throughput rate being reached”. | This occurs when you have hit the bandwidth limit defined by the license that is applied to NetScaler. To resolve upgrade your license. | https://support.citrix.com/article/CTX225182 | |
When adding an expression under a “Rule Pattern”, the expression is added initially but then cannot be seen when you revisit the Rule Pattern, and the “Name” returns to “Any”. | This is a GUI issue and resolved in NetScaler 11.1.58.x. | Citrix NetScaler 11.1.56.19 and 12.0.57.19. | https://support.citrix.com/article/CTX235093 |
Multiple default routes are seen on secondary node, and the primary node only sees one. | If a multiple routes are configured on the secondary node, these are not removed as part of the HA config sync and instead the route from primary is added as part of the config sync. Remove any manually created routes from the secondary node. | https://support.citrix.com/article/CTX234941 | |
After an upgrade to NetScaler 12.0 the management and login pages are down. | The 11.1 version of NetScaler uses PHP5 whereas 12.0 uses PHP7. When an upgrade happens, httpd.conf is picked up from “/nsconfig/” which still has the PHP5 version included in its configuration. Follow the CTX article to edit “httpd.conf” under “/nsconfig/” or delete the file if you do not need any customisation. | https://support.citrix.com/article/CTX234948 | |
External users cannot use Jabber voice while connecting through NetScaler Gateway. | VMXE should be installed on the VDA servers and the client machine which is why a tunnel is required for this traffic. Configure Full VPN or Split Tunnel between the client machine and backend server. | https://support.citrix.com/article/CTX234962 | |
A memory leak exists on NetScaler. | This happens after using SSL Ciphers “TLS1.2-ECDHE-RSA-CHACHA20-POLY1305” and “TLS1.2-DHE-RSA-CHACHA20-POLY1305” ciphers. Remove these from your custom cipher groups. This will be fixed in an upcoming version of NetScaler 12.0 and 12.1. | Citrix NetScaler 12.0.57.19. | https://discussions.citrix.com/topic/394344-netscaler-vpx-125719-memory-leak/ |
Persistent sessions do not get cleared and eventually hit the default limit. | In this case, no certificate was bound to the port 3009 internal service, which is used for secure high availability propagation. Normally the “ns-server-cert” default certificate is bound to this service. If the primary node cannot propagate persistent session information to the secondary appliance, it cannot clear those sessions down. | https://support.citrix.com/article/CTX235248 | |
The status of a STA server using a FQDN for the STA server name remains down. | This is a known issue and fixed in 11.0.70.16 and above, 11.1.55.13 and above or any 12.0 build. | Citrix NetScaler 11.0.66. | https://support.citrix.com/article/CTX235273 |
RADIUS authentication fails when the RADIUS server is pointed to a load balanced VIP. Pointing direct to a single IP works. | Sometimes a PBR configured for the NSIP would be pointing to a next hop gateway and NetScaler does not have a SNIP in the same subnet as the next hop resulting in the traffic possibly never leaving NetScaler. Create a “Net Profile” and use the Subnet IP as the Source IP. Bind the Net Profile to the Load Balancing Virtual Server or service. | https://support.citrix.com/article/CTX235254 | |
You can log on to the CLI of NetScaler but not the GUI. | Remove unnecessary files from the /var directory. Common subdirectories are “/core, /crash, /log, /nslog, /nstrace, /ns-system_backup, /temp/support” | https://support.citrix.com/article/CTX235283 | |
When launching a desktop via NetScaler Gateway you receive error “An unclassified SSL network error occurred. Error 47”. | This can happen when you have Client Authentication set to “Optional” on your NetScaler Gateway or on a SSL Profile, but are not using client certificate authentication. | ||
RADIUS authentication fails with error “Rejecting with error code 4020” and “Skipping as radius server does not support authentication functionality” as recorded in aaad.debug. | In NetScaler, navigate to your RADIUS server and make sure “Authentication” is checked. | https://support.citrix.com/article/CTX235331 | |
When you update a certificate-key pair, a duplicate entry is created and error message “Cannot allocate memory” is displayed. | Upgrade to NetScaler 11.0.71.x, 11.1.55.x or 12.0.51.x. | https://support.citrix.com/article/CTX222699 | |
When connecting to an application through NetScaler Gateway you receive error “Socket operation on non-socket (socket error 10038)”. | Make sure that your computer trusts the entire certificate chain presented by NetScaler. You may have to upload Intermediate and/or Root certificates to NetScaler and link them to your NetScaler Gateway certificate. | ||
When typing within an HDX session, you notice that letters are sometimes multiplied. For example, you could type “a” and the screen returns “aaaaaa”. | This was due to a firewall memory issue. Memory consumption on the firewall was high and every so often large latency spikes would appear and impact packets with as high as 600ms latency. | ||
RPC over HTTPS traffic for Exchange 2016 is not working via NetScaler. Outlook is stuck in a “Connecting” state and asks repeatedly for authentication. | In this case a Responder policy was bound globally to NetScaler to protect against the “ShellShock” vulnerability. This policy needs to inspect 1000 bytes of the HTTP body and in this case the client was sending authentication information in a packet with 104 bytes of data. NetScaler was not forwarding this on to the back-end Exchange servers. Either unbind the policy or create a lower priority Responder policy that matches Outlook RPC traffic and has a GotoExpression of “END” and action of “NOOP” so that the problematic policy is not evaluated. | https://support.citrix.com/article/CTX235592 | |
After upgrading to NetScaler 12.1.48.13 you receive message “Appliance license expired”. | This is a UI issue and you can safely ignore the message. | https://support.citrix.com/article/CTX235679 | |
RADIUS authentication fails and WireShark shows “Access-Challenge(11)” sent from the RADIUS server. | A recreation of the RADIUS server/profile on NetScaler resolved the problem. | ||
Responder policies work for a Cache Redirection virtual server running over HTTP but not HTTPS. | This is a limitation. NetScaler cannot see the request when using HTTPS because client web browsers establish a direct tunnel to the destination server using the “CONNECT” method. | https://support.citrix.com/article/CTX235623 | |
After an upgrade from NetScaler 11.0.66.11 to 12.0.57.24, EPA scans looking to validate MD5 hash values fail. In this case, the EPA scan is looking to validate if the Receiver for Windows version is 4.10 or 4.11. | This is a known issue. Upgrade to NetScaler 11.1.58.13. | https://support.citrix.com/article/CTX235751 | |
You cannot upload a certificate to NetScaler and receive error “No certificates present in the certificate bundle file”. | Citrix NetScaler 12.1. | ||
NetScaler full VPN does not work on Windows 7 after an upgrade of NetScaler from 11.x to 12.x. Windows 10 clients work fine. Windows 7 clients can ping and resolve DNS for internal systems. | Reset the Windows Firewall profiles on the Windows 7 machine. You can also try via registry disabling the creation of the virtual adapter. | https://discussions.citrix.com/topic/395707-vpn-issues-with-windows-7-and-netscaler-plugin-120-build-5724 | |
Files cannot be uploaded to a Windows Server 2012 R2 file server using NetScaler SSL VPN and the file size appears as “0” in WireShark. | Use VPN full tunnel to access the file share instead of accessing the share via the NetScaler portal. | https://support.citrix.com/article/CTX235807 | |
When trying to enable TLS 1.1 or 1.2 you receive error “Enabling TLSv1.1/1.2 is not supported on this entity/platform”. | Update the FIPS firmware to version 2.2 or above which is compatible with TLS 1.1/1.2. | https://support.citrix.com/article/CTX235765 | |
When unbinding a certificate with SNI from an SSL Virtual Server that has active connections, NetScaler crashes. | Upgrade to NetScaler 11.1.57.13, 12.0.57.24 or 12.1.48.13. | https://support.citrix.com/article/CTX231416 | |
When redirected to a SAML IdP you receive message “Target URL not found for redirect after successful login. Please contact your administrator”. | Append “/saml/login” to the Redirect URL. | https://support.citrix.com/article/CTX235851 | |
When logging on to NetScaler Gateway you receive error “No logon methods are available on this platform” after authenticating successfully. | This can happen if you change NetScaler Gateway related settings on StoreFront but do not propagate the changes to the Server Group. | ||
After a reboot of NetScaler the GUI shows the license as “VPX(1)”. | Check the “license.log” file and run “cat license” under the “/nsconfig/license” directory to verify the expiry date. It it likely that you have to renew the license. NetScaler continues to run until a reboot is performed. | https://support.citrix.com/article/CTX233486 | |
NetScaler crashes after upgrading to 11.0.70.16 due to content type header missing. | Upgrade to the latest 11.0 or 11.1 builds. | https://support.citrix.com/article/CTX236114 | |
Two VPN clients connected to NetScaler with different intranet IP addresses cannot ping eachother. | Upgrade to the latest 11.1 or 12.0 releases of NetScaler. | https://support.citrix.com/article/CTX236182 | |
When changing your password at the NetScaler Gateway login page and you enter the same value for “Old Password” and “New Password” you may receive error “Gateway encountered an unexpected condition” and you have to refresh the page. | This issue has been fixed with the release of NetScaler 12.0.58.x. | https://support.citrix.com/article/CTX236184 | |
The hits counter increases for a Virtual Server that is down. | This happens when the vServer is part of a GSLB vServer and GSLB is in an Active/Active setup. | https://support.citrix.com/article/CTX236180 | |
When booting VPX on Nutanix, the appliance gets stuck loading “/boot/defaults/loader.conf”. | NetScaler VPX requires a serial port to power on the VM successfully. By default, the guest VM on AHV does not come with a serial port. | Nutanix AHV. | https://support.citrix.com/article/CTX233303 |
OPSWAT v3 EPA firewall scans for Mac OS 10.13 does not work. | OPSWAT v3 only supports up to Mac OS 10.12. Upgrade to the latest NetScaler 12 build as OPSWAT v4 scans asupport Mac OS 10.13. | https://support.citrix.com/article/CTX235878 | |
EPA scans that are configured under an advanced Session Policy do not trigger. | nFactor needs to be used if using an advanced Session Policy. | https://support.citrix.com/article/CTX236219 | |
Receiver for iOS device can log on to NetScaler Gateway but is not presented with any applications or desktops. | In this case the NetScaler Gateway URL has the www. prefix removed, but the external beacon on StoreFront still references this URL with www. | https://discussions.citrix.com/topic/396879-netscaler-121-4813-upgrade-has-stopped-receiver-for-ios-working/ | |
There are no line breaks or events when going through syslogs. | Per RFC 5424 there are no line breaks or delimiters. | https://support.citrix.com/article/CTX236329 | |
NetScaler SDX single bundle upgrade fails when upgrading from NetScaler 12.0.57.24 to 12.0.58.x or 12.1.48.13. | Disk space reported by XenServer/Dom0 should be equal or lower than 72%. Run the “df /” command to check the amount of disk space used and clear space if necessary. | https://support.citrix.com/article/CTX236339 | |
When the Hyper-V role is installed on a machine, the NetScaler Gateway Plugin connection flaps. | A fix will be available in a future NetScaler 12.1.x.x build. As a workaround, set “EnableAutoUpdate” DWORD to “0x0” under “HKLM\SOFTWARE\Citrix\Secure Access Client”. | https://support.citrix.com/article/CTX235998 | |
Pre-authentication EPA scans fail for Comma Seperated Value Expressions (such as MAC address checks) when the length of the expression is greater than 1024. | This issue is resolved in NetScaler 12.0.59.x and 12.1.49.x releases. | https://support.citrix.com/article/CTX236345 | |
When upgrading SDX from 12.0 to 12.1 using the “Single Bundle Upgrade (SBU2)”, the version of XenServer may not upgrade. | Use the “df /” command to check if Dom0 disk space Use% is 100%. If so, reboot the SDX and run the SBU again. | https://support.citrix.com/article/CTX236373 | |
Location database imports may take a long time. | Unsorted database files require processing when importing, increasing the import time depending on the number of records. Sort the database by IP address before importing. | https://support.citrix.com/article/CTX236390 | |
NetScaler SDX 8900 running build 11.1.56.19 or earlier encounters TCP probe failures. | WireShark trace shows different PE’s being used to send the probe related packets. This is resolved in NetScaler 11.1.58.13 and later builds. | Citrix NetScaler SDX 8900 running build11.1.56.19. | https://support.citrix.com/article/CTX236411 |
Application slowness is experienced when routing through a NetScaler Load Balancing Virtual Server, routing directly is much faster. | A custom TCP profile was bound to the Load Balancing Virtual Server which had Windows Scaling and SACK enabled, but it was not bound to the Service Group, which limited to speed to backend servers. | https://support.citrix.com/article/CTX236420 | |
Enhanced Authentication Feedback does not work on the RfWebUI portal theme when a non-English language is used. | This is a known issue. | ||
Secure ICA fails through NetScaler when the VDA is running Windows Server 2016/Windows 10 1607 or later. | An additional step is necessary when the VDA is running on Windows Serveer 2016/Windows 10 1607 or later which affects connections from Receiver for Windows 4.6. You have to set the SSL Cipher Suite Order via Group Policy as per Citrix documentation for secure TLS (link in CTX article). | Microsoft Windows 10 1607 and Microsoft Windows Server 2016 or later. | https://support.citrix.com/article/CTX236472 |
When the POST body limit is set to more than 2GB under AppFirewall Profile settings, AppFirewall drops the POST request received from client and sends a TCP Zero Window. | This issue is fixed in NetScaler 12.0.58.x. | https://support.citrix.com/article/CTX236467 | |
The “show audit messages” command outputs nothing however opening “ns.log” does show logs. | This fix is targeted in NetScaler 12.0.59.x. As a workaround change any syslog action “Log Facility” to “LOCAL0”. | https://support.citrix.com/article/CTX236507 | |
NetScaler cannot connect to a backend web service which only accepts ECDHE type ciphers. | The Service Group on NetScaler did not have any of the ECC Curves bound to it, which resulted in NetScaler not offering any ECDHE ciphers during the initial handshake. | ||
High packet CPU usage is caused by ICMP traffic on loopback IP address 127.0.0.2. Running command “nsconmsg -K newnslog -d current -s disptime=1 -g nic_tot_rx_packets | more” confirms a high amount of loopback packets. | This issue is seen when the configured name server returns a server failure response and the packet is looped into NetScaler. A fix will be included in NetScaler builds 11.1.59.x, 12.0.59.x and 12.1.49.x due to be released Q3 2018. Alternatively you can run command “set ns rateControl -tcpThreshold 233 -icmpThreshold 100”. | https://support.citrix.com/article/CTX236572 | |
NetScaler upgrade stalls when run from the GUI. | Upgrade to NetScaler 11.1.59, 12.0.58 or 12.1.47 or later using CLI and after that future upgrades via GUI should work. | https://support.citrix.com/article/CTX236770 | |
You cannot use a database when the NetScaler Load Balancing Virtual Server protocol is set to “MYSQL”. It works when the protocol is set to “ANY”. | MySQL 5.7 is not yet supported by NetScaler. As a workaround use TCP or ANY against your Virtual Server. | https://support.citrix.com/article/CTX233460 | |
After a VPN tunnel is established, the machine’s connection goes down and the VPN plugin screen shows “Gateway is not reachable”. | Windows Connection Manager could be disconnecting low speed connections that the VPN gateway relies on, or when connecting from a non-domain network WCM blocks the connection. | https://support.citrix.com/article/CTX236853 | |
VPX shows “Out of Service” if the firmware version if 12.0.58.x or later and the SDX version is less than 12.0.58.x. | This is a known issue. Upgrade the SDX to any version above 12.0.58.x. | https://support.citrix.com/article/CTX237009 | |
In a GSLB query response, clients receive all GSLB service IPs even though most of them are down. | This is caused by a configuration issue. | https://support.citrix.com/article/CTX237165 | |
When using RDP Proxy with SSO disabled, you notice that it is possible to edit the RDP connection and enable clipboard, client drives and so on even though they are disabled in the RDP Proxy Client Profile. | This is expected behaviour, you have to turn SSO on to enforce restriction of the clipboard etc. | ||
When a client sends 1 byte of HTTP data, NetScaler sends a RESET to the client with RESET code “win=213280”. | This fault is due to NetScaler considering a 1 byte HTTP packet as bad data. This issue is resolved in NetScaler 11.1.59 or 12.0.59 and above builds. | Citrix NetScaler 11.1. | https://support.citrix.com/article/CTX237318 |
When using SAML and after authenticating with an IdP and being passed to NetScaler, you receive error message “Malformed Assertion sent to NetScalerl Please contact your administrator”. | Check the logs on the IdP side for any indication as to why this error message is appearing. This error normally means that the IdP does not trust the NetScaler provided certificate bound to your SAML policy. | https://support.citrix.com/article/CTX237335 | |
When taking a trace with “Capture SSL Master Keys” selected, the “nstrace.sslkeys” file contains blank keys. | Upgrade to 11.1.59.x, 12.0.58.x or 12.1.46.x and above. | https://support.citrix.com/article/CTX237392 | |
SDX SVM shows interface as up but the interface remains down in VPX. | Upgrade to 11.1.59.x, 12.0.58.x, 12.1.49.x or higher. | https://support.citrix.com/article/CTX237458 | |
After upgrading from Windows 7 to Windows 10, the NetScaler Gateway VPN plugin may fail with error “Unable to manage network component. The condition can be transient. If it persists, it maybe because you’re a member of the Network Configuration Operators group on this computer. Members of this group cannot install network filter driver”. | You are recommended to upgrade to version 12.0.57.24 and above of the plugin when running Windows 10. | https://support.citrix.com/article/CTX237512 | |
After enabling USIP, the client IP is used to validate tickets with the STA server. After disabling USIP the same behaviour occurs. | Reboot NetScaler or re-configure the NetScaler Gateway Virtual Server with STA servers. | https://support.citrix.com/article/CTX237527 | |
When two different NetScaler appliances use the same SAML IdP and you browse to the first, authenticate with the IdP then browse to the second, an error “SAML Assertion seems to have been resent. Please contact your administrator” is thrown after visiting the second appliance URL. The original SAML assertion is being sent to the second load balancer automatically. | Upgrade to NetScaler 11.1.49.x. | https://support.citrix.com/article/CTX237556 | |
Medical devices are unable to send large data to a database which is load balanced by NetScaler. | Chaneg the MTU on NetScaler interface to accept jumbo frames using command “set interface -mtu 9000”. | https://support.citrix.com/article/CTX237579 | |
When configuring a Load Balancing Virtual Server you receive message “Address already in use” even though the IP is not currently used on the appliance. | This can be caused by a URL in a Session Policy resolving to the same IP, an A record created on NetScaler pointing to the same IP, or an external DNS record pointing to the same IP. NetScaler will avoid this IP being used, unless cleaned up, to avoid a duplicate IP on the network. | Citrix NetScaler 12.1. | https://support.citrix.com/article/CTX237834 |
When setting “CRL Auto Refresh” to update once per day, the setting may change to 2 days on the GUI automatically. | Upgrade to NetScaler 12.1.50.x. | Citrix NetScaler 12.1.48.13. | https://support.citrix.com/article/CTX237845 |
Client certificate authentication does not work and you receive error “No active policy while trying to fallback from certificate failure”. | An upgrade to NetScaler 12.0.57.24 resolved the issue. | Citrix NetScaler 12.0.57.19. | |
After a firmware upgrade to 12.0.58.15, NetScaler crashes constantly. | Upgrade to NetScaler 12.0.58.18 or 12.1.49.23. | Citrix NetScaler 12.0.58.15. | https://support.citrix.com/article/CTX237873 |
After configuring NetScaler for external authentication for management, you log on to the NetScaler GUI using domain credentials but receive error “Not authorized to execute this command”. This can occur even if you have been assigned “superuser” permissions. | The “Group Attribute” and “Sub Attribute Name” fields on the LDAP policy which is used for external authentication should be complete with values “memberOf” and “cn” respectively. | ||
When NetScaler is operating in a cluster, you see duplicate DNS records via the GUI, but the CLI command “show dns addrec” shows the records separately for all nodes in the cluster. | This is not an issue, but an enhancement request has been raised so that the GUI can show the records per each NetScaler node in the cluster. | https://support.citrix.com/article/CTX134123 | |
When logging off from an AlwaysON VPN session, proxy settings are removed from Internet Explorer. | This issue will be fixed in a future release of Citrix Gateway. Workarounds are available via the CTX article. | https://support.citrix.com/article/CTX238183 | |
Load balancing does not work if the protocol of the virtual server is set to HTTP. If set to “TCP” or “ANY”, it works. | Integrated Caching was enabled, but the caching memory was either exhausted or not configured correctly. | https://support.citrix.com/article/CTX238197 | |
You cannot RDP to a Windows Server 2012 R2 machine using RDP Proxy with SSO enabled. If SSO is turned off, RDP works. | The policy “Require use of specific security layer for remote (RDP) connections” was set higher than RDP Proxy with SSO could handle. Setting to “Negotiate” resolved the issue. | https://support.citrix.com/article/CTX238413 | |
You cannot download the IP reputation database. | Make sure NetScaler can connect to “amazonaws.com”. | https://support.citrix.com/article/CTX238534 | |
When an EPA scan is running, on the EPA plugin UI, the Gateway Server URL has “undefined” appended to the end of the URL. | This will be fixed in ADC 12.1.50.x | Citrix ADC 12.1.49.23 | https://discussions.citrix.com/topic/398678-epa-plugin-appending-undefined-to-gateway-server/ |
After connecting to VPN via the Citrix Gateway plugin for Mac 3.4.1, DNS resolution fails whilst accessing internal resources from a Safari browser. | Citrix Gateway plugin for Mac 3.4.1 will not capture IPv6 DNS queries. Upgrade to version 4.2.3. | Citrix Gateway plugin for Mac 3.4.1. | https://support.citrix.com/article/CTX238807 |
When connecting to a backend resource via Citrix Gateway, you may receive error “HTTP/1.1 504 Gateway Timeout”. | This can be caused by Citrix Gateway/ADC being unable to perform DNS resolution, an incorrect or missing SNIP, or services on Citrix ADC being marked as DOWN. | https://support.citrix.com/article/CTX238687 | |
Large file downlaods through Citrix ADC fail and WireShark traces should many “TCP zero window” entries. | Tune the TCP profile in use on Citrix ADC as explained in the CTX article. | https://support.citrix.com/article/CTX238612 | |
Interfaces on Citrix ADC flap and cause HA failovers. | Upgrade to Citrix ADC 12.0.59.3. | Citrix ADC 11.1.56.19. | https://support.citrix.com/article/CTX238578 |
When adding a RADIUS secret via the GUI, it does not appear to save as the field appears blank when revisited. | Upgrade to Citrix ADC 12.0.59.8 or 12.1.50.28. | https://support.citrix.com/article/CTX238857 | |
When attempting to change the SDX management IP address, you receive error “Configuration Failed: The operation could not be performed because a redo log is enabled on the Pool”. | Follow the steps posted by Raman in the attached Citrix Discussions URL. | https://discussions.citrix.com/topic/399002-sdx-redo-log-cannot-change-mgmt-ip/ | |
When issuing the “show ntp status command” you are returned “No association ID” on a secondary NetScaler appliance. | In this scenario NTP was configured whilst the secondary appliance was offline, so the commands were not propagated. Even when the secondary appliance comes online and the NTP configuration is synchronised to the appliance, you have to manually restart the NTP Daemon to get the NTP status from the secondary appliance. This is a current limitation of NetScaler, and will be fixed in future versions. | https://support.citrix.com/article/CTX239095 | |
Blinking orange light appears on an SDX appliance beside one of the SSD drive slots. The SVM shows the drive and RAID configuration is operating fine. | The “Locate” option was enabled on the SVM for one of the physical drives, which caused the blinking light. | https://support.citrix.com/article/CTX239180 | |
When using SAML with Citrix Gateway and Microsoft as the IdP, logging off Citrix Gateway redirects the user’s browser to the IdP logoff URL, but Citrix Gateway still displays an active session for the user. | This will be resolved in an upcoming Gateway firmware release. | https://support.citrix.com/article/CTX239178 | |
SSL related functions stop working on MPX 59xx or 89xx models. This also affects VPX appliances running on an SDX 89xx. | This issue occurs due to the SSL card becoming unresponsive. It is fixed in firmware versions 11.1.59.10, 12.0.59.8 and 21.1. | https://support.citrix.com/article/CTX239212 | |
Firefox 62 and Google Chrome 70 report an SSL handshake failure to an extranet site after an upgrade of Citrix ADC to 12.1.49.23. | Disabling TLS 1.3 resolved the problem. | https://discussions.citrix.com/topic/399415-browser-handshake-failure/ | |
After an upgrade or HA failover, Service Group configuration may be missing, such as missing servers. | Upgrade to Citrix ADC 12.1.58.x or later. | https://support.citrix.com/article/CTX239381 | |
With Exchange 2016 load balanced by NetScaler, lots of RST or RST, ACK packets are witnessed between the VIP and client. | Citrix are investigating this issue. Changing the Load Balanced Virtual Server protocol from SSL to TCP has resolved the issue. | https://discussions.citrix.com/topic/399402-load-balancing-exchange-get-thousands-rst-packets/ | |
On an SDX, the SVM GUI may be unavailble, VPX appliances may have an “Out of Service” Instance State, SDX and VPX appliances may become unresponsive and/or “ssl_err_coleto_card_threshold” and “ssl_err_card_process_fail_rst” counters may increase. | This happens when a Coleto SSL chip on the SDX becomes unresponsive and no longer accepts handshakes. Upgrade the SDX appliance to 11.1.59.x, 12.0.58.x or 12.1.x. | https://support.citrix.com/article/CTX239273 | |
Post authentication EPA scans are not initiated when Advanced Session Policies are used. However, Classic Policies do work. | If working with Advanced Session Policies, you need to use nFactor authentication to perform an EPA scan as a factor.. | https://support.citrix.com/article/CTX239452 | |
Call Home does not work and “debug.log” on Citrix ADC shows several entries such as “Can’t connect to callhome.citrix.com:443” and “Crypt-SSLeay can’t verify hostnames”. | This issue will be fixed in Citrix ADC 11.1.50.x, 12.0.60.x and 12.1.50.x. | https://support.citrix.com/article/CTX239502 | |
When nordic characters are used in an expression such as “HTTP.REQ.HOSTNAME.SET_CHAR_SET(UTF_8).CONTAINS(\”ä\”) “, policies do not evaluate. | An enhancement request has been raised to support these types of expressions. | https://support.citrix.com/article/CTX239538 | |
After upgrading to Citrix ADC 12.1.49.23, App Firewall blocks requests to web applications. | If the Content-Length of a POST packet is zero, NetScaler will now block it due to non-RFC compliance. This is a new feature in this firmware version. | Citrix ADC 12.1.49.23. | https://support.citrix.com/article/CTX239367 |
After an upgrade of Citrix ADC from 11.1 to 12.0, button text etc. on the GUI is incorrect. | Clearing the Chrome browser cache resolved this issue. | https://discussions.citrix.com/topic/399675-120-gui-error-after-upgrade/ | |
When connected to Citrix Gateway full VPN, calling other Cisco soft-phone users connected to full VPN does not work correctly. | Intranet IPs on Citrix ADC needed to be defined. | https://support.citrix.com/article/CTX239685 | |
After an upgrade to Citrix ADC 12.0.59.8, nFactor authentication no longer works. | Removing the “Authentication Domain” from the AAA Authentication Profile fixed the issue. | ||
After enabling DTLS on Citrix ADC, performance is very slow such as access to StoreFront. | From a network trace, check if there are a lot of NAK missing packets. Try enabling UDP Flood Protection on the firewall that sits between Citrix Gateway and VDA. | https://support.citrix.com/article/CTX239770 | |
Load balancing Microsoft Exchange 2019 sites such as ECP and OWA does not work correctly and you receive SSL handshake timeouts. | Modifying the Exchange server registry allows Citrix ADC to communicate with them. This is a current limitation with Citrix ADC. | Microsoft Exchange 2019. | https://discussions.citrix.com/topic/400007-netscaler-vpx-exchange-2019-time-out-during-ssl-handshake-stage-https-webservices/ |
Restoring a backup via the GUI does not work. | Using the CLI does work. | Citrix ADC 12.0.57.24. | |
When running an EPA scan on macOS that checks for a client certificate, the EPA plugin crashes. The same does not occur on Windows OS. | This is a bug and will be fixed in Citrix ADC 12.0.60.x. | Citrix ADC 12.0.58.15. | https://discussions.citrix.com/topic/397910-netscaler-gateway-epa-client-certificate-check-for-macos/ |
After an upgrade of ADC, RADIUS authentication fails for clients pointed to the RADIUS VIP hosted by ADC. | Upgrade ADC to 12.0.57.x or change the RADIUS vServer protocol type to UDP. | Citrix ADC 12.0.41.24. | https://support.citrix.com/article/CTX233619 |
Random URL timeouts occur when accetting a HTTP VIP hosted on ADC. | A WireShark trace showed that the server sending requests through ADC was sending incorrect URL encoding. | https://support.citrix.com/article/CTX239900 | |
On appliances that use a coleto SSL card, SSL connections stop working. There are no issues with HTTP traffic. | This is a known issue. A code fix is available in 12.0.58.15 or 11.1.59.x. | https://support.citrix.com/article/CTX239001 | |
When Director is load balanced through ADC, the main splash page just shows a spinning circle and never loads. | Check the load balancing configuration on ADC, as it is likely incorrect. | https://support.citrix.com/article/CTX217794 | |
High availability synchronisation fails. | Run command “show ns param” to check if “Nsinternal User Login” is disabled. If so, run “set ns param -internaluserlogin ENABLED”. | https://support.citrix.com/article/CTX228899 | |
When connecting to a published desktop or application via Gateway, you receive “SSL Error 4”. | The Gateway had an ECDSA certificate bound to it, which Receiver does not support. | https://support.citrix.com/article/CTX240043 | |
After an upgrade or fresh install of ADC/Gateway version 12.1.50.28, Responder policies no longer work. | The only option at present is to downgrade to 12.1.49.37. | Citrix ADC/Gateway 12.1.50.28. | |
Rewrite policies are no longer working after an upgrade to ADC 12.1.50.28. | This is resolved in 12.1.50.31. | Citrix ADC 12.1.50.28. | https://discussions.citrix.com/topic/400405-second-password-field-visible-after-upgrade-adc-121-4937-to-5028/ |
Newly uploaded certificates appear to unbind from virtual servers after an HA failover. | This can happen if the certificate name is the same as the old certificate, and is expected behaviour. You should use new and unique certificate names when uploading new, replacement certificates to ADC. | https://support.citrix.com/article/CTX239736 | |
You cannot add a store from Workspace app for Mac or Windows when connected externally. | ADC had incorrect Response-Rewrite policies which was causing the problem. | https://support.citrix.com/article/CTX239882 | |
Authenticating to SSL VPN with SAML for multi-factor authentication works fine, but when logging off and back on the user is not challenged for any credentials. | This issue has been resolved in the VPN plugin 12.1.51.x. | https://support.citrix.com/article/CTX241520 | |
During a network trace, you may see TCP zero windows from the ADC SNIP address to backend server IPs. | This indicates that ADC does not have enough space in the buffer to process the TCP traffic quickly enough. It is suggested that any TCP profile you use has “TCP Flavor” set to “BIC” and “TCP Buffer Size (bytes)” set to a size between 128-256KB. | https://support.citrix.com/article/CTX227670 | |
After enabling “Secure Access Only” against the NSIP on ADC, the ADC still allows you to connect over HTTP. | Upgrading to 12.1.50.31 solved the issue. | Citrix ADC 12.1.50.28. | https://discussions.citrix.com/topic/401141-secure-console-access/ |
When importing Gateway configuration into StoreFront using “Imported from file” you receive error “STA on file does not match the ID returned by the server”. | The STA entry added to Gateway was prefixed with HTTPS, but the STA server itself was still configured for HTTP. | https://discussions.citrix.com/topic/401130-sta-on-file-does-not-match-the-id-returned-by-the-server/ | |
You only have the options to bind “Rewrite” or “Responder” policies to an SSL load balancing vServer. You can bind all other policy types via CLI. | Citrix are investigating. | Citrix ADC 12.1.50.31. | |
Using the “Download file” link to download StoreFront configuration for importing to StoreFront does not work. | This is resolved in ADC 12.1.50.31. | Citrix ADC 12.1.50.28. | |
After configuring nFactor and changing the authentication verification order as per “CTX229505”, authentication works via the web browser but not when using the VPN plug-in. | Upgrading to the latest build of ADC 12.1 solved this issue, which provides support for nFactor authentication when using the Windows VPN plug-in. | https://discussions.citrix.com/topic/400902-netscaler-nfactor-with-changed-authentication-verification-order-and-gateway-plugin-for-windows/ | |
ADC monitor probes fail with error “Time out during TCP connection establishment stage”. | This indicates that either the backend server is unreachable or not listening to TCP requests from the monitor. In this case, the firewall was blocking the TCP connection. | https://support.citrix.com/article/CTX205016 | |
The /var filesystem is running low on free disk space. | Using the “fstat” command in this case, AppFirewall learning mode was enabled. It is recommended to only enable this during initial configuration. | https://support.citrix.com/article/CTX206849 | |
Citrix sessions freeze intermittently after an upgrade to ADC 12.1.50.28. | This is a known issue and will be fixed in ADC 13. As a workaround, disable EDT Insights using command “nsapimgr -ys enable_ica_edtinsight=0”. | Citrix ADC 12.1.50.28. | https://discussions.citrix.com/topic/400400-adc-121-build-5028-citrix-session-freezing/ |
After an upgrade to 12.1.50.31 or 12.1.51.16, when browsing to the Gateway URL you randomly receive error “Cannot complete your request”. | Disable static page caching using command “set aaa parameter -enableStaticPageCaching NO” or disable via the GUI. | Citrix ADC/Gateway 12.1.50.31 & 12.1.51.16. | https://discussions.citrix.com/topic/401050-cannot-complete-your-request-before-login/ |
When connected to ADC VPN from an endpoint that has the Microsoft Configuration Manager client installed for endpoint management, the ‘SMS Agent Host’ service attempts to connect to the Configuration Manager server using NTLM authentication, fails, and eventually locks out the user’s Active Directory account. | On the AAA Virtual Server, specifying an Authentication Domain solved the issue. | https://discussions.citrix.com/topic/401908-adc-vpn-and-ms-configuration-manager-sms-host-agent-service-causing-account-lockout/ | |
After an upgrade to 12.1.51.16, new EPA installs fail on 64-bit Windows devices. | Copy an older version of ‘nsepa_setup64.exe’ to the ‘/netscaler/ns_gui/epa/scrips/win’ folder. | Citrix ADC 12.1.51.16. | https://discussions.citrix.com/topic/401949-do-not-use-1215116-if-you-are-using-epa-scans-for-new-installs-nseap_setup64exe-file-missing/ |
After a direct upgrade from 10.5 to 12.1, users are prompted to downgrade the Gateway plug-in with message “The NetScaler Gateway requires you to downgrade the client version from 10.5.X.X to 1.1.1.1”. | When upgrading 10.5 you should first upgrade to 11.1 and then to 12.1. The VPN plug-in should also be upgraded to 11.1 before upgrading the build to 12.1. Alternatively you can manually modify the “f_ndisagent.xml” version to the actual ADC version. | https://support.citrix.com/article/CTX247705 | |
Passthrough authentication from Gateway does not work for all domains when multiple domain users access the same Gateway. | Extra cofiguration on StoreFront and Gateway required. | https://discussions.citrix.com/topic/401966-netscaler-passthrough-sso-to-storefront-does-not-authenticate-multiple-domain-users/ | |
Monitor bindings are removed from a Service Group during a reboot or high availability failover. | This will be fixed in the next build. | Citrix ADC 12.1.51.16. | |
Active ICA sessions through Gateway are disconnected when someone browses to the Gateway URL. | Disabling AppFlow fixed this issue | Citrix ADC 11.1.48.10. | https://discussions.citrix.com/topic/402044-xenapp-sessions-disconnecting-briefly-whenever-users-access-external-netscaler-url/ |
When logging on to Gateway, blank icons appear for each resource. | A Rewrite policy which was setting the “Content-Security-Policy” header was causing this issue. | https://discussions.citrix.com/topic/401940-netscaler-ocsp-stapling-responder-behind-a-proxy/ | |
Each time a user logs in using SSH Key based authentication, an SNMP Trap may be sent out from ADC along with “netScalerLoginFailure” messages placed in “ns.log” Syslog. | Citrix are working on a resolution. | https://support.citrix.com/article/CTX249928 | |
ADC does not send HTTPS traffic to the proxy after an HA failover and if the last octet in the IP address assigned to the proxy is greater than “127”. | This is resolved in 11.1.54.16. | https://support.citrix.com/article/CTX240049 | |
Only one user can authenticate to Gateway. | The “SSO Name Attribute” field was populated with “sAMAccountName” rather than “cn” under the LDAP server on ADC. | https://discussions.citrix.com/topic/402517-gateway-authentication/ | |
Load balancing does not work for Remote Desktop Connection Brokers. | The problem was resolved after configurnig the same load balancing on an appliance running build 12.0.59.8. | Citrix ADC 12.0.60.9. | https://discussions.citrix.com/topic/402345-load-balancing-rd-2016-connection-brokers/ |
When viewing a Load Balancing VIP the protocol appears as “SSL” but when editing the settings, it shows as “SIP_SSL”. | This is a bug that should be fixed in later builds. | https://discussions.citrix.com/topic/402326-ssl-service-protocol-auto-switching-to-sip_ssl/ | |
The GUI shows the timezone as being incorrect, even though it has been changed via CLI and logs show the correct time. | This appears to be a bug, as the same issues are not noticed in build 12.1.49.23.. | Citrix ADC 12.1.50.28 and 12.1.51.19. | https://discussions.citrix.com/topic/402336-change-timezone-vpx-12-gui/ |
If first factor is SAML, the second factor never executes. An authentication loop is experienced. | This is resolved in ADC 12.1.50.31. | https://discussions.citrix.com/topic/402166-netscaler-nfactor-saml-epa/ | |
Receiver for HTML5 does not work through Gateway, but works direct to StoreFront. | STA servers were showing as down. | https://discussions.citrix.com/topic/402421-how-to-configure-netscaler-gateway-to-support-both-html5-and-citrix-receiver/ | |
When browsing to the Gateway URL you see message “Full VPN and EPA are not supported in Edge browser. Please use a different browser for a better experience”. | Downgrading to build 12.1.50.31 resolved the issue. It is important to know however that EPA and Full VPN are still not supported through Edge. In another case, Citrix provided replacement files for the X1 theme. | Citrix Gateway 12.1.51.16. | https://discussions.citrix.com/topic/402071-message-in-edge-about-full-vpn-and-epa/ |
After an upgrade to ADC 12.1.51.16, browsing to the Gateway URL with Internet Explorer 11 throws error “Object doesn’t support property or method addeventlistener is not supported by the object”. Chrome works. | A Rewrite policy was bound globally which was emulating Internet Explorer connections as an earlier version of IE. Unbinding resolved the issue. | https://discussions.citrix.com/topic/402317-netscaler-121-object-doesnt-support-property-or-method-addeventlistener-is-not-supported-by-the-object/ | |
When connecting to Gateway using SAML, Client Drive Mapping does not work. | Adding a Studio policy without using the “Access control” filter resolved the issue. | https://discussions.citrix.com/topic/402174-saml-authentication-no-client-drive-mapping/ | |
Accessing a Bookmark results in error “ERR_TOO_MANY_REDIRECTS”. | Excluding the domain under “Citrix Gateway -> Global Settings -> Configure Domains for Clientless Access” resolved this issue. | https://discussions.citrix.com/topic/402775-netscaler-unified-gateway-too-many-redirects/ | |
In a Citrix ADC high availability deployment, the “ns.log” (Syslog) shows errors such as “Request to AWS API server failed” and “Incorrect Secret and/or Access Keys”. | This is a known issue. Citrix are working with the AWS team to inform ADC customers, and they are working on a fix. | https://discussions.citrix.com/topic/402647-vpx-ha-in-aws-not-working/ | |
RADIUS and LDAP policies switch on subsequent logons to Gateway via Workspace app. | StoreFront should be configured with “Domain and security token” under “Logon type” when configuring the Gateway settings. | https://support.citrix.com/article/CTX251009 | |
You receive “Cannot complete your request” when using a custom portal theme on a Gateway or AAA virtual server. | Upgrade to ADC 12.0 61.8. If running 11.1 or 12.1, a fix will be made available in an upcoming release. A workaround is available in the CTX article. | https://support.citrix.com/article/CTX244520 | |
EPA plugin is not launching when a Content Security Policy is in use. | Update the Content Security Policy (via Rewrite action) with the expression from the CTX article. | https://support.citrix.com/article/CTX250979 | |
The state of a monitor shows down with error “Failure – No MIP/SNIP available to send the monitor probe”. | Try using CLI command “ping -S “. If ping is successful, use a Net Profile for the probe traffic. If there is no response from ping, there may be no route from ADC to the backend service, or there may be an IP address conflict which can be checked using command “nsconmsg -K newnslog -d conmsg”. | https://support.citrix.com/article/CTX214997 | |
Password expiry notification does not show when using the Greenbubble theme. | The RfWebUI theme is required to be used with Clientless Access. | https://discussions.citrix.com/topic/402945-netscaler-gateway-password-expiry-notification-ns121-5031-not-showing/ | |
Adding a DNS name server to ADC using CLI command “add dns nameServer ” returns error “ERROR: Name servers already configured”. | The DNS server trying to be added was a Load Balancing Virtual Server already added as a Name Server to ADC. It cannot be added again. Also, you cannot add direct DNS servers and Load Balancing Virtual Servers as Name Servers at the same time. It is one or the other. | https://discussions.citrix.com/topic/403029-dns-name-server-cant-add-name-server-into-dns-name-servers-list/ | |
SSO to internal web applications does not work as expected after an upgrade to ADC 12.1.51.19. | Creating an Authentication Profile and binding it to the required Load Balancing Virtual Servers solved the issue. | https://discussions.citrix.com/topic/402936-sso-problem-after-upgrading-to-121-5119/ | |
HTTPS-EVC monitor probes fail with error “Time out during SSL handshake stage”. | The back-end server was dropping the probe if a proper host name was not used. | https://discussions.citrix.com/topic/402861-backend-monitor-failure-time-out-during-ssl-handshake-stage/ | |
When connecting to Remote PC over Citrix Gateway, errors “The Citrix ICA Transport Driver received SSL initialization error 0x80090331” and “An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed” are logged. | Binding the “HIGH” SSL Cipher Group to the “ns_default_ssl_profile_backend” SSL Profile resolved the issue. | https://discussions.citrix.com/topic/403227-ssl-vda-connection-issue-to-remote-pc/ | |
When trying to save a custom report the following error appears: “An internal server error was encountered. Error writing reports to the file (/nsconfig/nstemplates/reports/reports.xml)”. | Run command “chmod 777 /var/nstemplates/reports/”. | https://discussions.citrix.com/topic/400625-error-to-save-custom-reports-in-vpx-express/ | |
Logging on to StoreFront through Gateway returns “Incorrect Username or Password” and Event Viewer on StoreFront shows error “Password expiry information was requested but none was returned”. | With “Configure Password Validation” set to “Delivery Controllers” rather than “Active Directory” in StoreFront, the list of Delivery Controllers was not configured. | https://discussions.citrix.com/topic/402327-authentication-issues-with-storefront-netscaler/ | |
Connectivity to a VIP works for a period of time, then no longer responds. This only happens on one node in a high availability pair. If failover is performed to the second node, connectivity to the same VIP works constantly. | Recreating the VIP with a new IP solved the issue. | https://discussions.citrix.com/topic/402763-netscaler-ha-odd-issue/ | |
AAA virtual server asks users to reauthenticate when clicking on embedded links that point to Load Balancing VIPs that are attached to an AAA Authentication Profile, even though users have already authenticated at a higher level Authentication Profile. | This appears to be a bug in ADC 12.1.51.x. | Citrix ADC 12.1.51.x. | https://discussions.citrix.com/topic/400852-authentication-profile-authentication-level/ |
Users cannot change their password and receive error “Password change failed. Make sure you supply correct existing password and try again”. | This is resolved in ADC 12.1.51.19. | Citrix ADC 12.1.48.13. | https://discussions.citrix.com/topic/402479-unable-to-voluntarily-change-user-password/ |
SSL Labs reports “This server is vulnerable to the Zombie POODLE vulnerability. Grade will be set to F from May 2019”. | Upgrading to ADC 12.1 51.19 solves this issue. | Citrix ADC 11.1 57.11. | https://discussions.citrix.com/topic/403258-zombie-poodle-with-cipher-block-chaining/ |
Logging on to StoreFront through Gateway with Receiver for iOS fails, but Receiver for Windows works and using a web browser works. | A Traffic Policy bound to the Gateway virtual server was the culprit. | https://discussions.citrix.com/topic/403498-receiver-logon-failed-to-storefront-web-works-fine/ | |
Whilst trying to add a vCPU license to an ADC, no value shows under “Allocable CPU(s)”. | Remove the local license file manually, restart the VPX and complete the remaining steps from the CTX article. | https://support.citrix.com/article/CTX256675 | |
A Delivery Group that was set to show only applications through Gateway stopped working. | “Require token consistency” needed to be enabled in the advanced settings of the StoreFront store. | https://discussions.citrix.com/topic/403628-access-policy-on-delivery-group-to-only-show-via-netscaler-connections-suddenly-stopped-working/ | |
You are unable to unbind Authorization Policies from an AAA User or Group. | This is a known issue and resolved in ADC 12.0.57.x and 12.1.x. | https://support.citrix.com/article/CTX237000 | |
Citrix ADC displays error “Session is invalid. Please login again” even when valid credentials are supplied. | Losing connectivity with the NTP server(s) can cause this error. Make sure NTP configuration and synchronisation is correct, and no time/date drift is occuring. | https://support.citrix.com/article/CTX256782 | |
Using a Responder policy for HTTP to HTTPS redirection worked fine for many years, but after an upgrade of ADC the appliance now does a core dump when a request without a hostname (for example using VIP) hits the HTTP virtual server. | This will be resolved in an upcoming release of ADC. As a workaround, use Responder action “Respond with” instead of “Redirect”. | Citrix ADC 13.0.36.27. | https://discussions.citrix.com/topic/403644-citrix-adc-core-dumps-when-http-request-withoutempty-hostname-hits-80-443-redirect-policy/ |
External DNS servers when added to ADC appear as DOWN. For example, adding “8.8.8.8” and port “52” as a service on ADC does not work. Internal DNS servers added to ADC appear UP. | This turned out to be an issue with traffic from the customers ISP being incorrectly routed to the external firewall. | https://discussions.citrix.com/topic/403334-netscaler-external-dns-service-down-internal-dns-service-up/ | |
ADC sends TCP segmenets which are lower in size than the value set by the client/server. | This can occur when the MSS size is specifically set in a TCP Profile bound to the virtual server. | https://support.citrix.com/article/CTX256845 | |
After an upgrade to ADC 12.1.41.19, a black screen is encountered when connecting to Windows 7 VDAs. This happens with Workspace app, but not with Workspace app for HTML5. | The customer’s firewall was blocking outbound UDP packets from the Gateway whenever they failed over to their secondary MPX. | https://discussions.citrix.com/topic/402493-receiverworkspace-client-connections-via-gateway-show-black-screen-after-firmware-upgrade-of-netscaler-to-121-5119/ | |
EPA scans take a long time to complete on Windows 10 1809. | This is a known issue. The issue is fixed in OPSWAT 4.0. ADC 11.1 is only compatible with OPSWAT 3.0. Upgrade to Citrix ADC 12 or higher builds. | Microsoft Windows 10 1809 and Citrix ADC 11.1. | https://support.citrix.com/article/CTX257542 |
After upgrading ADC FROM 11.1 to 12.1.51.19, Workspace app does not ask for credentials. If you recreate the account via Workspace app then you are prompted for credentials. Authenticating via a web browser also works. | Two new Rewrite policies were created and bound to the Gateway virtual server. | https://discussions.citrix.com/topic/402974-workspaceapp-does-not-ask-for-credentials-on-external-site/ | |
nFactor authentication with client certificate authentication as a factor does not work with Google Chrome or Mozilla Firefox, but works with Internet Explorer. | Disabling TLS 1.3 on the AAA virtual server resolved the problem. It appears that certificate based authentication does not work with Chrome or Firefox when TLS 1.3 is used. | https://discussions.citrix.com/topic/403672-certbased-auth-adc-setting-anonymous-in-userfield-in-chrome-and-firefox/ | |
You notice there is a wide space in the “Cache-Control” header value in a packet sent by ADC to client browser. This occurs even when there is no space in the Content Group’s Cache-Control value when viewed from the ADC GUI. | This is by design, starting ADC 13.0. | Citrix ADC 13.0. | https://support.citrix.com/article/CTX257641 |
The interfaces on an SDX appliance do not come up. | The customer was using an unsupported SFP (fibre) module on the appliance. The supported modules are listed in the ADC data sheet. | https://support.citrix.com/article/CTX257632 |
文章有(16)条网友点评
【原创】Citrix修复和已知问题 – NetScaler / Citrix ADC – 虚拟化论坛
voksrnsei http://www.gr6l38so934q1267b98z3zef289pwcrss.org/
avoksrnsei
[url=http://www.gr6l38so934q1267b98z3zef289pwcrss.org/]uvoksrnsei[/url]
Най-добрите показатели за форекс. https://bg.forex-stock-bitcoin-brokers.com
I am regular reader, how are you everybody? This paragraph posted at
this web site is in fact pleasant.
website design is amazing
I just lіҝe the valuable info you pгovide in your articles.
Greetings! I know this is somewhat off topic but I was wondering if you
knew where I could get a captcha plugin for my comment form?
I’m using the same blog platform as yours and I’m having trouble finding
one? Thanks a lot!
Magnificent goods from you, man. I have understand your stuff previous to and you’re just too magnificent.
I really like what you have acquired here, really like what you are stating and the way in which you say it.
You make it enjoyable and you still care for to keep it smart.
I cant wait to read far more from you. This is really a great
web site.
My brother suggested I might like this web site.
He was entirely right. This post actually made my day.
You cann’t imagine simply how much time I had spent for this info!
Thanks!
Howdy, i read your blog occasionally and i own a similar one and
i was just curious if you get a lot of spam feedback?
If so how do you stop it, any plugin or anything you can recommend?
I get so much lately it’s driving me mad so any assistance is very
much appreciated.
You got a very wonderful website, Glad I discovered it
through yahoo.
Please play responsibly. Four Winds Casinos are Equal
Opportunity Employers. These machines can be found at varied locations, together with grocery shops, banks, and even some casinos.
ANA ticket counters (including native workplace and airport) within the
Americas (excluding Canada): USD 25.00 · Before touchdown, ANA
served a second meal. She additionally advised me the place the empty seats in the cabin were so I may take higher pictures, and when she saw me snapping a photo of my meal… About two hours earlier than touchdown, flight attendants came
by the cabin for the second meal service, which included each Japanese and international
menus. However, with other worldwide routes touchdown round the same time, it still took
a substantial period of time to get by means of. When she discovered I used to be connecting to New York, she
proactively checked forward on the following flight and
got here back to inform me I’d be on precisely the same plane.
You might inform the crew had been extremely pleased with the product, as
not one however two pursuers got here by to clarify how it worked.
For one leg in enterprise class and the returning leg in first class, you
merely take half of the spherical-journey prices and add it up.
Keep on writing, great job!
I’m really enjoying thhe design and layout off your website.
It’s a very easy on the eyes which makes it much more enjoyable for me
to come hdre and visit more often. Did you hire out a developr tto create your theme?
Fantastic work!
Review my wweb site … call girl in Islamabad
I know this web site presents quality depending posts and extra material,
is there any other website which offers these data in quality?
I feel that is among the most significant information for me.
And i’m glad reading your article. However should observation on some basic things,
The web site style is ideal, the articles is in reality excellent : D.
Just right activity, cheers
Heya i am for the first time here. I found this board and I in finding It really useful & it
helped me out a lot. I’m hoping to give something again and help others
like you helped me.