NetScaler new Firmware


If you have the chance (depending on your access level), you can test the 12.0 Beta / Tech Preview of the NetScaler firmware, which was released yesterday.

Otherwise, you can test the new 11.1 firmware, released on Feb 2, 2017: 11.1 Build 51.26, which fixes some bugs.

Here is the list from the release notes:

The issues that are addressed in Build 51.26.
AAA-TM
  • The NetScaler appliance might restart if role-based access is enabled in admin partitions.
    [# 653702]
  • In a multifactor SAML IdP configuration, if a SAML request is resent from the service provider during authentication, the NetScaler appliance sends an assertion before authentication is complete.
    [# 666161]
  • The NetScaler appliance fails if all of the following conditions are met:
    – The appliance is used as a SAML service provider.
    – Multiple load balancing and content switching virtual servers are configured for the same external identity provider (IdP) but with different FQDN.
    – SAML login happens on a virtual server with an existing SAML session from the same IdP.
    [# 664171, 670657]
  • If you configure “CLI Accounting” on the NetScaler appliance, the RADIUS server does not send accounting message with Session ID.
    [# 538997]
AppFlow
  • Memory usage on a NetScaler appliance might increase over time if the AppFlow feature is enabled and HTTP pipelined requests are sent to the HTTP or SSL virtual servers that match at least one of the AppFlow policies.
    [# 672102, 670990, 671906]
Application Firewall
  • Application Firewall uses master-slave communication for processing security checks and retrieves connection information through Protocol Control Block (PCB). In a high availability mode, the NetScaler appliance might fail, if factory reset occurs when PCB variables are cleared before freeing Application Firewall context data when accessing null pointer during processing.
    [# 664159, 665334]
  • On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.
    [# 662734]
  • On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.
    [# 662359, 670726]
  • NetScaler release 11.0 build 47 or later logs error messages when you enable the Application Firewall feature on a NetScaler appliance in high availability mode.
    [# 660528]
  • In a high availability setup, after successful deployment of the Application Firewall learned StartURL rule from the GUI, the rule remains in the learned database and is not removed. Deploying the same startURL rule results in the following error message: “The StartURL check is already in use.”
    [# 661111]
  • Executing force sync operation using the nssync -s command from the shell triggers NetScaler appliance reboot and crash. The nsnetsvc crash occurs when the import filename length exceeds MAX_FILE_PATH_LEN.
    [# 657920]
  • CPU utilization becomes high if you upgrade the NetScaler appliance to release 11.0 build 65 and enable Application Firewall Starturl Closure protection.
    [# 656708, 656061, 658404, 670134]
  • A NetScaler appliance might fail when Application Firewall processes a request for SQL injection inspection, if the request has the SQLInjectiontype field set to “SQL Special Char or Keyword” and SQL comment handling is set to “ANSI/Nested”.
    [# 665631, 669524]
  • A log message is not generated when the FormFieldConsistency protection is enabled on an Application Firewall profile and the generated hidden field “as_fid” is modified.
    With this fix, the NetScaler Application Firewall now generates a log message when the “FormFieldConsistency” protection is enabled and the hidden field “as_fid” is modified in the NetScaler Application Firewall profile.
    [# 664211]
  • The Onhover pattern has been added to the default list of cross-site scripting (XSS) denied patterns that the Application Firewall looks for when scanning traffic.
    [# 665595]
  • If the NetScaler Application Firewall learning feature is enabled, Form Field Consistency violations result in blocking URL requests that end with a question mark (?), with no query parameters.
    [# 666019]
Cache
  • A NetScaler VPX instance becomes unresponsive if a range request is greater than the cached response size. This issue happens if you enable the media classification mode on a NetScaler appliance. While parsing range header and creating range records table, the value for parameter object size is set incorrectly. So when a range request is received, the incorrect value of the stored response causes failure.
    [# 657823, 659374, 661940, 662460, 667599]
DataStream
  • The DataStream feature does not work if you use a MySQL database at the back end.
    [# 629504]
GSLB
  • In a GSLB high availability setup, if a node stays in secondary state for more than 249 days, the service state might not be updated on this node after it becomes the primary node.
    [# 658093]
  • The MEP connection for site metrics goes DOWN if the dynamic RTT and GSLB server persistence features are unused for more than 249 days. In some cases, however, the MEP connection for site metrics remains UP, but the MEP connection for network metrics goes DOWN.
    [# 658890]
Integrated Caching
  • A NetScaler appliance fails if a Page Tracking session is enabled on the appliance by Appflow or AppQoE modules for partial content responses. This happens only for partial content responses served from Integrated Cache.
    [# 656556]
Load Balancing
  • If a GSLB service goes DOWN and then returns to the UP state, the configured hash-based load balancing methods might produce incorrect load balancing decisions, because the cache maintained for hash-based load balancing algorithms is not cleared when the GSLB service state is updated through MEP.
    [# 658463, 658940]
  • The NetScaler appliance dumps core and restarts if all of the following conditions are met:
    – You are using Citrix Receiver or a web browser to access the NetScaler Gateway appliance.
    – An optimal XenApp/XenDesktop is launched by using determine_services in the policy expression.
    – Static proximity is used to create a preferred list of Desktop Delivery Controllers and this information is forwarded to the StoreFront.
    – Your connection is terminated or disconnected while the determine_services policy is being evaluated.
    [# 668766]
NetScaler GUI
  • You cannot unbind a transform policy from a virtual server by using the GUI.
    [# 652579]
  • If the features “Force password change for nsroot user when default nsroot password is being used” and “strong password” are enabled, any password is accepted when you change the nsroot password.
    [# 656825]
  • If the name of a load balancing virtual server contains a space, the virtual server is not listed by the reporting tool. (Reporting > Counters > System entities statistics > Entities)
    [# 642269]
  • If you use “clear ns configuration” command to clear the NetScaler configuration and reset it to factory default, the command policies are restored to the default values.
    [# 643546, 200969]
  • When a partition admin tries to perform the Download, Create, or Create Directory operation on the “Manage Certificate” screen, an “operation not permitted” error appears. The expected behavior is that the buttons must be disabled.
    [# 491353]
NetScaler Gateway
  • If the application payload is larger than allowed by the maximum segment size setting, the appliance dumps the core.
    [# 656994, 662324, 664318, 664591, 664837, 665693, 665865, 668202]
  • If the AAA subsystem is configured for NTLM authentication, and the backend server is used for NTLM authentication, the server sends a content-length response that spans multiple TCP packets in a Type2 message. The NetScaler appliance then fails to complete NTLM authentication.
    [# 656917]
  • A NetScaler appliance might periodically restart after an upgrade if the deployment uses STA servers and, during the upgrade, the administrator’s browser is closed while the appliance is communicating with a STA server.
    [# 656236, 658333, 661742, 661981, 662842, 663944, 665773]
  • The RADIUS accounting feature does not send an accounting-session-id parameter, which is required (RFC 2866).
    [# 653363]
  • The NetScaler appliance becomes unresponsive while processing heavy UDP traffic.
    [# 656920, 661104]
  • NetScaler Gateway is not able to generate URLs for SharePoint 2013 in CVPN format. As a result, SharePoint is inaccessible.
    [# 652330]
  • Mac OSX users are unable to sign on to the OSX Receiver client and are denied access to their apps and desktops.
    [# 651273, 652955, 666081]
  • On the LDAP side, if the administrator sets the option to change the user password at the next logon, the X1 Theme is applied to the Password Change page. If the user clicks Submit without entering the password, the “You need to enter the password” prompt is shown in English, even on systems localized for a different language.
    [# 647784]
  • Kerberos Authentication fails when Kerberos Traffic is sent through UDP.
    [# 654089]
  • The NetScaler appliance occasionally dumps core memory during system initialization, because of a VPN module error.
    [# 663377]
  • The “Connection Proxy” persistence does not work when accessing the NetScaler Gateway GSLB Service if the GSLB services are configured with publicIP different from the service IP.
    [# 665452]
  • The TURN service does not start if there are two or more VPN servers with the same IP address but different port numbers.
    [# 662931, 655808]
  • In some AAA logout sessions, the appliance dumps core memory.
    [# 666046]
  • Not all intranet applications are loaded onto the client machine when a large number of intranet applications and CSEC encryption are configured.
    [# 667968]
  • If negotiate authentication is the first authentication factor, non-pass-through authentication in the next factor is not supported.
    [# 657741]
  • If an iPhone client uses Safari to access NetScaler Gateway, the NetScaler or NetScaler Gateway appliance might dump core memory.
    [# 660344, 663343]
  • A GSLB virtual server using the least connections method always resolves to the same site IP address.
    [# 661206]
  • If AD/LDAP authentication is configured to communicate on SSL channel in authentication actions, under heavy login load, Gateway portal results in blank pages.
    [# 661235, 661917]
  • If Client Certificate authentication and Pre-Auth End Point Analysis are both configured, redundant End Point Analysis occurs before the logon page is displayed. This behavior is due to the EPA Session Reset with Cert Two Factor Authentication set to On.
    [# 661601]
  • If a VPN virtual server to which a custom RfWebUI portal theme is bound is accessed from a browser that has the language set to German, French, Spanish or Japanese, the log on page does not load.
    [# 662773]
  • The NetScaler Gateway appliance fails when a user attempts to log on, if the logon page uses the RfWebUI theme and the appliance has insufficient CCU Licenses.
    [# 659085]
NetScaler ICA
  • When XenApp/XenDesktop users launch applications/desktops that have the Advanced Encryption policy enabled, memory allocation issues cause high-availability failovers.
    [# 659728]
  • The NetScaler appliance fails because it attempts to process a large unexpected value for an Expander variable. This fix adds checks to prevent this condition.
    [# 660894, 662489, 668651]
  • When Session Reliability is disabled on Storefront and Session Reliability on HA Failover is enabled on a NetScaler high availability pair running on 11.1 build 49.16, the passive NetScaler instance might reboot when you launch an application or a virtual desktop.
    You can avoid the issue by performing either of the following steps:
    * Disable “Session Reliability on HA” feature on the NetScaler instance.
    -or-
    * Enable Session Reliability on Storefront. (Navigate to Citrix Storefront > NetScaler Gateway > Secure Ticket Authority > Enable Session Reliability.)
    [# 664372, 667057]
NetScaler Insight Center
  • Ability to Export Gateway Insight Reports in Other Formats
    You can now export the Gateway Insight reports with all the details shown in the GUI in excel and csv format from NetScaler Insight Center.
    [# 631822]
  • The whitelist of Citrix Receiver versions used by HDX Insight now includes version 13.0.2.265571 of Citrix Receiver for Linux.
    [# 614558, 606817]
NetScaler SDX Appliance
  • In the NetScaler SDX appliance, if you have configured a large number of channels or interfaces, Management Service UI screens that display the system interface list or channels load slowly.
    [# 659110]
  • The NICs of a 14xxx 40G or 25xxx 40G NetScaler SDX appliance are not shown under Configuration > System > Interfaces if, after a factory reset, you use the Platform Upgrade option in the Management Service to upgrade the appliance to NetScaler SDX release 10.5 or 11.1 with 5.04 firmware.
    [# 663206]
  • A NetScaler VPX instance on a NetScaler SDX appliance might fail because of kernel memory corruption caused by a problem in the error handling path in the kernel. The issue occurs when a user-space process fails and dumps the core file at a time when the value for “sysctl.kern.corefile” points to a nonexistent directory.
    You can stack trace this issue by searching for the following message in the /var/log/messages file:
    Core dump of pid xxx (yyy) uid zzz could not be done at %s; switching core dump pattern to default: /var/core/%N-%P
    Where xxx, yyy, and zzz are specific values.
    [# 646464, 607629, 634970, 644162, 652390, 657167, 664426, 671795]
  • On the NetScaler SDX 25000A platform, you cannot create NetScaler VPX instances on the NetScaler SDX appliance after using the clean install option to reset the appliance to a NetScaler SDX 11.1.50.x. image.
    [# 664825]
  • Upgrading the Management Service to NetScaler SDX release 11.1.50.x fails with the following error message and with error code 10008:
    This platform sysid 450088 is not supported..
    [# 670131]
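
For the kernel memory corruption item above (# 646464 and related), the log search it describes can be scripted as follows. This is an added example, not part of the release notes or Citrix tooling; the sample log lines, host name, process names and the /var/nocore path are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: locate the core-dump fallback message quoted in the release
# note and report which process, pid and uid triggered it.

# Constructed sample log lines (not from a real appliance). The syslog prefix,
# host name, process names, pids and the /var/nocore path are assumptions.
SAMPLE_LOG='Feb  3 10:14:02 sdx1 kernel: Core dump of pid 1432 (exampled) uid 0 could not be done at /var/nocore/%N-%P; switching core dump pattern to default: /var/core/%N-%P
Feb  3 10:14:05 sdx1 kernel: pid 1432 (exampled), uid 0: exited on signal 11
Feb  4 02:41:17 sdx1 kernel: Core dump of pid 2210 (workerd) uid 65534 could not be done at /var/nocore/%N-%P; switching core dump pattern to default: /var/core/%N-%P'

# Read log lines on stdin and print "pid=<pid> process=<name> uid=<uid>" for
# each occurrence of the message. The text between "done at" and "; switching"
# is matched loosely, so a literal %s or an expanded path both match.
corefile_fallback_hits() {
    sed -n -E 's/.*Core dump of pid ([0-9]+) \(([^)]*)\) uid ([0-9]+) could not be done at .*switching core dump pattern to default.*/pid=\1 process=\2 uid=\3/p'
}

# Scan a log file (default: /var/log/messages).
# Exit status: 0 = message found, 1 = not found, 2 = file unreadable.
scan_log() {
    log_file="${1:-/var/log/messages}"
    if [ ! -r "$log_file" ]; then
        echo "cannot read $log_file" >&2
        return 2
    fi
    hits=$(corefile_fallback_hits < "$log_file")
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Demonstration on the constructed sample above.
printf '%s\n' "$SAMPLE_LOG" | corefile_fallback_hits
```

Any hit means a process tried to dump core while “sysctl.kern.corefile” pointed at a nonexistent directory, which is the trigger condition the release note describes.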
NetScaler VPX Appliance
  • In an ESX environment, a CLAG channel that includes a VMXNET3 interface might continue to send LACPDUs to its partner even when it is in DETACHED state.
    [# 642389]
  • If you add additional SR-IOV or PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV or PCI passthrough interfaces, the existing interface names might get corrupted.
    [# 659827, 662429]
Networking
  • For extended ACL rules that are associated with NAT configurations (for example, RNAT rules and Large Scale NAT configurations), the NetScaler GUI displays the TCP established parameter as enabled even though the parameter is disabled.
    [# 597458]
  • In a high availability setup, after a failover, the new primary node does not set the R bit and F bit in BGP open messages that are used to inform the upstream router that the node has restarted gracefully.
    [# 665774]
  • In a high availability (HA) setup, after an HA force failover operation, the NetScaler appliance removes (but not properly) static default route6s of all non-default traffic domains from its memory.
    Although the “show route6 operation” does not display these route6s, adding them again fails with the following error message: “ERROR: Resource already exist”. This is because these route6s were not completely removed from memory.
    This issue also happens on a standalone NetScaler appliance when a traffic domain that has default route6s is removed.
    [# 644265]
  • Restarting a NetScaler appliance that has a VLAN bound to a traffic domain and is configured as a SYNC VLAN or NSVLAN might cause configuration loss of binding between the VLAN and the traffic domain.
    [# 648839]
Platform
  • The link and the link light are down when a 1G Copper SFP is inserted or used with 10G XL710 NICs available in SDX 14xxx 10G model.
    [# 654699]
  • In rare cases, a user-mode process failure can cause kernel failure, either at the same time or later. If the kernel fails, the NetScaler appliance dumps core memory. This failure can occur on nCore MPX, VPX, or SDX appliances, although the most common occurrence is on a NetScaler VPX instance on a NetScaler SDX appliance.
    [# 634900, 641199]
SSL
  • SSL processing is delayed if the server sends a DES cipher with TLS1.2 protocol in the server_hello message to the NetScaler appliance. Although this combination is deprecated, the appliance tries to process it. The operation fails at the SSL card and blocks the card for a few seconds, causing latency in processing any new requests on the same card.
    [# 661628]
  • If you upgrade to release 11.1, SSL client authentication fails if a 4096-bit client certificate is used.
    [# 600815, 343395]
  • If a profile is bound to an SSL virtual server, the NITRO API displays incorrect SSL virtual server settings. The correct settings are displayed in the profile.
    [# 628135]
  • The “set ssl vserver” or the “unset ssl vserver” command fails with the following error:
    Internal error
    [# 670927, 673889]
  • The NetScaler appliance might dump core and restart if it receives SSL traffic while AppFlow is enabled.
    [# 668689, 672376, 672526, 673897, 674128]
  • If you try to load large certificate files (> 256kB), the NetScaler appliance might dump core and restart, because of insufficient memory.
    [# 643614, 624364, 646510, 667980]
  • The SSL handshake fails if a server certificate is linked to its issuer certificate, OCSP stapling is enabled, and an SSL client requests the server-certificate status.
    [# 671777]
  • A NetScaler appliance might dump core and restart repeatedly if the SSL3-EDH-RSA-DES-CBC3-SHA cipher is selected when heavy traffic has exhausted the appliance’s memory.
    [# 661818]
System
  • In a MPTCP connection, if a client negotiates a Maximum Segment Size (MSS) value of more than 1460 bytes, and the NetScaler appliance receives an ICMP protocol error message after fragmenting and sending a Data Security Standard (DSS) packet, the appliance fails. This happens because of incorrect handling of DSS packets with a segment sizes.
    [# 648275]
  • A NetScaler appliance constantly fails and dumps core memory, filling the Var directory with core files.
    [# 647955]
  • In an MPTCP connection, a NetScaler appliance sets the TCP PSH flag during retransmission of FastClose and DataFIN packets.
    [# 667765]
  • A NetScaler appliance might crash at a random location and dump a core file unrelated to the actual cause of the problem.
    [# 660574]