Provisioning Services time sync requirements

Ever had the problem that your PVS streaming process becomes unresponsive when a time change occurs on the server or a hosted client? If you have HA enabled, a failover event will be triggered. But when all PVS servers see the time change occuring your targets will not be able to work. This is caused by the fact that PVS relies on the Kerberos method for authentication. Tthis makes a number of PVS services sensitive to time changes (just as your DC in Windows is sensitive for this). If there is a five minute (or more) difference between the Provisioning Server and your DC’s, Kerberos authentication will be broken, preventing PVS services from authenticating to the vDisk store and database.

How to fix this

Make sure that you use NTP and apply the best practices to be sure that all of your servers and clients are on the same time. Check with the vendor specific documentation on how to configure your host or client to setup the NTP correctly.

This post is based on the following KB article.

Citrix policy reference sheet

Starting with XenApp 6 and XenDesktop 5, policies configure many User and Machine based settings. This reference can assist in planning and troubleshooting policies in XenApp and XenDesktop deployments.

Go here to download this cool reference sheet and get to know a lot more abouth the different policy settings.

Hotfix XA650R01W2K8R2X64011 for XenApp 6.5

Citrix has released a new hotfix for XenApp 6.5. This fix resolves the following issue:

  1. XenApp servers behind read-only domain controllers (RODCs) might experience slow application launch issues while winlogon.exe spikes CPU usage.

    [From XA650R01W2K8R2X64011][#LA1617]

To install this hotfix:

  1. Copy the hotfix package to an empty folder on the hard drive of the server you want to update.
  2. Close all applications.
  3. Run the executable.
  4. Restart the server. This ensures that the installation completes and that the hotfix is added to the AppCenter hotfix inventory list.

To uninstall this hotfix:

  1. From the Start menu, select Control Panel > Programs and Features.
  2. Highlight the hotfix you want to uninstall and click Uninstall.
  3. Follow the directions on-screen.

Download this hotfix here.

XenServer conversion manager

With the release of the XenServer 6.1 version Citrix also released a new tool called XenServer conversion manager.

Getting Started with VMware Migration

Citrix XenServer Conversion Manager helps you convert workloads from VMware to XenServer by copying batches of VMware virtual machines to your XenServer environment.


This section details limitations for XenServer Conversion Manager that apply to this release. For information about troubleshooting converted virtual machines, see the XenServer Conversion Manager Guide.


  • Unlicensed Source Hypervisor. XenServer Conversion Manager cannot convert a virtual machine on an unlicensed vSphere ESX Server or vSphere ESXi Server.
  • Domain Controller. Citrix does not recommend using XenServer Conversion Manager to convert a source VM containing a Domain Controller. XenServer Conversion Manager can only “fix” or configure a Windows VM to start in XenServer if its virtual disks are formatted with NTFS.
  • Encryption. XenServer Conversion Manager cannot convert a VMware virtual machine that includes virtual disks with encrypted file systems.
  • Certificates. XenServer Conversion Manager does not verify the certificate on the XenServer Conversion Manager Virtual Appliance. The XenServer Conversion Manager Virtual Appliance does not verify certificates on vSphere ESX Server, vSphere ESXi Server, and vCenter Server.
  • Conversion Limits. XenServer Conversion Manager can accept up to 500 VMs at a time in a conversion job. The XenServer Conversion Manager converts one VM at a time.
  • Guest Network Settings. Settings of guest virtual network interfaces may change after the conversion. For example, the network name may change, IPv4 may become enabled, and IPv6 may become enabled.

For XenServer Conversion Manager set-up instructions, see the XenServer Conversion Manager Guide.

To set up XenServer Conversion Manager, obtain the XenServer Conversion Manager download package from the XenServer Tools page on (requires a My Citrix ID).

Packt Publishing reaches 1000 IT titles and celebrates

Birmingham-based IT publisher Packt Publishing is about to publish its 1000th title. Packt books are renowned among developers for being uniquely practical and focused.  Packt books cover highly specific tools and technologies which IT professionals might not expect to see a high quality book on.

Packt would like you to join them in celebrating this milestone with a surprise gift – to get involved you just need to have already registered, or sign up for a free Packt account before 30th September 2012.

Packt published their first book in April 2004. One of the most prolific and fastest growing tech book publishers in the world, they now have books on everything from web development to web graphics, e-learning to e-commerce, IT architecture to games, and app development.

Packt supports many of the Open Source projects covered by its books through a project royalty donation, which has contributed over £300,000 to Open Source projects up to now. As part of the celebration Packt is allocating $30,000 to share between projects and authors in a genuinely unique way, soon to be disclosed on their website.

Dave Maclean, founder of Packt Publishing explains, “At Packt we set out 8 years ago to bring practical, up to date and easy to use technical books to the specialist tools and technologies that had been largely overlooked by IT publishers. Today, I am really proud that with our authors and partners we have been able to make useful books available on over 1000 topics and make our contribution to the development community.”

For more information about Packt, the kind of books they publish, and to sign-up for a free account before the 30th of September, 2012, please visit their website:

So join the Packt website and get a free gift. As this is a publishing site it will be a nice gift .

XenServer 6.1 released

Citrix has released today a new version of it’s free hypervisor XenServer. Version 6.1 is now available for download on the Citrix website.

New Features and Improvements Since XenServer 6.0

XenServer 6.1.0 includes the following new features and ongoing improvements:

Storage XenMotion:

Storage XenMotion allows running VMs to be moved from one host to another. This includes the case where (a) VMs are not located on storage shared between the hosts and (b) hosts are not in the same resource pool. This enables system administrators to: Continue reading “XenServer 6.1 released”

Hotfix XS602E009 for XenServer 6.0.2

Citrix has released a new hotfix for it’s free hypervisor XenServer version 6.0.2. Read here what issues are fixed and how to install it.

Issues Resolved In This Hotfix

This hotfix resolves the following issues:

  1. Windows Virtual Machines (VM) may hang during the boot process and may have to be forced to reboot.
  2. When Dynamic Memory Control (DMC) is enabled the VM’s virtual memory space may become 100% consumed, this can lead to applications failing to start, freezing and so on.
  3. After a VM migration, Debian 5.0 (Lenny) VMs can crash, hang, or display the incorrect time.
  4. When the Citrix Xen Guest Agent service is running, Cut and Paste will not work between a XenDesktop virtual desktop and the endpoint device.

Installing the Hotfix

  • The attachment to this article is a zip file. It contains the hotfix update package. Customers should use either XenCenter or the XenServer Command Line Interface (CLI) to install this update. As with any software update, please back up your data before applying this hotfix. Citrix recommends updating all hosts within a pool sequentially. Upgrading of hosts should be scheduled to minimize the amount of time the pool runs in a mixed state where some hosts have been upgraded and some have not. Running a mixed pool of updated and non-updated hosts for general operation is not supported. Continue reading “Hotfix XS602E009 for XenServer 6.0.2”

NetScaler 10.1 released

What’s new and fixed in this release:

Changes and Fixes


  • Issue ID 0327114: On a NetScaler appliance with NetScaler 10 build 69.4 nc installed, if you use the configuration utility to configure authentication on a load-balancing virtual server, the following error message appears:No Authentication Host specifiedThe configuration utility then removes the authentication host from the configuration. This behavior occurs regardless of whether you are configuring authentication host settings on the virtual server for the first time, or modifying existing authentication host settings on the virtual server.

Access Gateway

  • Issue ID 0308733: If you configure Access Gateway with additional appliances in which global server load balancing (GSLB) is enabled, when users log on with the Access Gateway Plug-in, occasionally the connection times out, a time-out error appears, such as ‘Your Citrix Access Gateway session timed-out and you are not connected,’ and the session disconnects.
  • Issue ID 0319901: If you enable Integrated Caching and Web Interface on Netscaler on an Access Gateway appliance, and then change the URL for the Web Interface, Access Gateway might fail.
  • Issue ID 0320210: When users connect with the Access Gateway Plug-in on a computer running Windows XP, the Group Policy Object is not applied.
  • Issue ID 0321425: If you configure a virtual server with a default authentication type by using the Access Gateway wizard, if Access Gateway restarts, the configuration is not maintained and authentication fails.
  • Issue ID 0329621: If you configure an endpoint policy and bind the policy to a virtual server, the preauthentication policy is not working as expected. Users with devices that meet the requirements may not be able to log on to Access Gateway.


  • Issue ID 0288343: You can now configure the source IP address (SNIP or MIP address), to be used for AppFlow traffic. When you add an Appflow collector by using the add appflow collector command, you can use the -netprofile option to associate a netprofile to which the source IP address is bound. By default, the Appflow exporter takes NSIP address as the source IP address if you do not specify the -netprofile option.
    > add appflow collector <col_name> -IPAddress <IP_addr> [-netprofile {netprofile_name}]
  • Issue ID 0311033 (nCore): AppFlow records can now log X-Forwarded-For HTTP header information. You can enable the logging with the set appflow param -httpXForwardedFor ENABLED command or by using the configuration utility.
  • Issue ID 0313091: AppFlow records might not display the start time of the current transaction. Instead, they display the start time of the previous transaction due to reuse of connections.
  • Issue ID 0320239 (nCore): HTTP method names might be occasionally truncated in the AppFlow records.

Application Firewall

  • Issue ID 0299940: The change profile type command does not work correctly.

    • If you try to change a profile type to Web 2.0, the profile type remains HTML.
    • If you try to change a profile type to XML, the Profile Type field disappears completely.

    When you use the configuration utility to change the profile type, the profile type is actually changed correctly, but the display is incorrect. When you use the NetScaler command line, the actual profile type is set as shown above.

  • Issue ID 0302294: Learned relaxations are sometimes not removed from the review list after they have been deployed.  To manually remove a learned relaxation that has already been deployed, in the Manage Learned Rules dialog box select the relaxation and then click Skip.
  • Issue ID 0329539 (nCore): On a NetScaler appliance with the application firewall enabled, occasionally the NetScaler appliance crashes when retrieving a page from a protected web site that sets one or more cookies.
  • Issue ID 0330642: On a NetScaler appliance with both the Application Firewall and Integrated Caching features enabled, the NetScaler appliance might experience occasional resets when its memory fills up. The cause is a small memory leak.
  • Issue ID 0331112 (nCore): In the NetScaler 9.3 build, when applying the HTML or XML SQL Injection check the application firewall does not transform special strings even when Transformation is enabled. This issue was fixed in build

Cache Redirection

  • Issue ID 0328353: When you use the configuration utility to bind a cache redirection policy to a cache redirection virtual server, the policy is added to the content switching (CSW) policy tab instead of cache redirection (CRD) policy tab. If you try to resolve this issue by using the CR virtual server wizard, the following error message appears: ‘Please specify Target.’
  • Issue ID 0330033: Tabs for filter/compression policy bindings are not displayed for a cache redirection virtual server, and it is not possible to bind those policies to a cache redirection virtual server.
  • Issue ID 0330139: If you use the configuration utility to unset a cache virtual server for a cache redirection virtual server, the process fails and the following error message appears: invalid argument.

Call Home

  • Issue ID 0311617: When upgrading the NetScaler appliance to 10.70 or a later build, the appliance prompts you to enable the Call Home feature.

Cloud Gateway

  • Issue ID 0327119: When you create policy rules from the configuration utility, an error occurs and the policies are not configured.

Configuration Utility

  • Issue ID 0298686 (nCore): If the details pane contains too may records to display on one screen, the header row moves off the screen if you scroll down.
  • Issue ID 0311358: The NetScaler configuration utility fails to load when accessed from Internet Explorer version 7 browser running on Windows 2003 or Windows XP.
  • Issue ID 0314769: When the certificate used to sign the JAR files expires, the application’s digital signature cannot be verified. An error is displayed when the user tries to access the NetScaler GUI.
  • Issue ID 0319061: The configuration utility does not throw the ‘Feature not supported’ prompt when configuring the following unsupported features on a NetScaler cluster: Bridge groups, Network Bridge, VMAC6, and FIS.
  • Issue ID 0322821: When the SRADV (Static Route Advertisement) mode is ON, the static routes which are not explicitly disabled for advertisement will be advertised using all the routing protocols. However, the advertised protocols column for route in the configuration utility does not show any protocol list. This issue is observed only in a cluster setup.
  • Issue ID 0322894: The configuration utility displays an inappropriate error message when adding a forwarding session that has an invalid subnet mask. This issue is observed only in a cluster setup.
  • Issue ID 0322914: When the IP is not resolved for a hostname based SNMP manager, the ‘Resolved IP’ column of the SNMP Manager table is shown as blank instead of ‘Unresolved IP’. This issue is observed only in a cluster setup.
  • Issue ID 0323175: The configuration utility displays a negative value for the index of the data set or pattern set, when the index is set to its maximum value. The command line interface displays the correct value.
  • Issue ID 0325400: After adding a local authentication policy by using the configuration utility, the request profile field is showing blank. By default, the request profile must be Local. This issue is observed only in a cluster setup.
  • Issue ID 0326018: The dashboard does not display the Precision Time Protocol (PTP) counters for the cluster node. This issue is observed only in a cluster setup.
  • Issue ID 0326354: In System > Settings > Change global system settings, regardless of the base threshold value configured for surge protection, the value is displayed as 0. This issue is observed only in a cluster setup.
  • Issue ID 0326413: An error occurs if you use the NetScaler configuration utility to configure a large preauthentication policy (for example, a policy with 900 characters).
  • Issue ID 0327136: The configuration utility does not allow you to set the ‘Max Clients’ parameter of a service to its maximum value of 4294967294. This issue is observed only in a cluster setup.
  • Issue ID 0327551: In the configuration utility, all features appear to be enabled even when the features are disabled.
  • Issue ID 0328660: In the configuration utility, when you view the virtual server persistence sessions, a persistence type setting of DIAMETER is displayed as SOURCE IP.
  • Issue ID 0328715: In the configuration utility, the details of the monitor bound to a service do not include response codes for a monitor of type DIAMETER.
  • Issue ID 0328747:  In the Reporting tool, when users try to generate ‘system entities statistics’ report for GSLB domains, the GSLB domain names configured on the appliance might not be displayed in the entities list.
  • Issue ID 0328844: While configuring the OCSP responder through the configuration utility, the default value of the HTTP response timeout is erroneously taken as 0ms. The default value of the HTTP response timeout must be 2000ms. This issue is observed only in a cluster setup.
  • Issue ID 0329154: In System > Auditing > Recent audit messages, when you set number of audit messages to be displayed to 256 (maximum allowed value), a ‘Value entered is out of range’ error message is displayed on clicking Refresh. This issue is observed only in a cluster setup.
  • Issue ID 0329826: If you use the configuration utility to view the license for features, warning messages are seen for the features that are licensed but not supported. This issue is observed only in a cluster setup.
  • Issue ID 0331158: When you access NetScaler configuration utility in IE 8 or IE 9, the web browser displays only a grey bar at the top of the screen as the browser is probably displaying the compatibility view.
  • Issue ID 0331604: If you access a load balancing virtual server after a NOPOLICY is bound to it, the configuration utility might display the following error: ‘no such policy exists’
  • Issue ID 0332795: On systems that have JRE 1.6.0_24 and 1.7.0_06, the configuration utility cannot load the Java applet. Therefore, you cannot perform any operations on the configuration utility.
  • Issue ID 0332876: When you use the configuration utility to change the password of a user, the Change Password dialog displays encrypted password in the Password and Confirm Password fields.
  • Issue ID 0333026: On a system running the Windows 7, 64-bit operating system, the configuration utility cannot load the Java applet. Therefore, you cannot perform any operations on the configuration utility.

Content Switching

  • Issue ID 0230903: The content switching feature now supports the ability to bind a policy to multiple virtual servers or policy labels. To support multiple policy bind functionality, the target load balancing virtual server is specified in the action and attached to the policy. This enhancement enables you to reuse an existing policy by binding it to the virtual servers. You can also combine multiple policies in a policy label and apply the policy label to the virtual server.
  • Issue ID 0330045: The configuration changes made by using the bind cs vserver and bind cs policylabel commands are not saved in the configuration file. Therefore, the CS policy bindings are lost the first time the NetScaler appliance is restarted after an upgrade to release 10.
  • Issue ID 0330290: You cannot use the configuration utility to bind a content switching policy to a content switching virtual server if the policy is configured with only a domain value. The bind fails, and the following error message appears: ‘Priority cannot be specified for URL-based content switching policy.’
  • Issue ID 0331029: If you use the configuration utility to open a content switching virtual server that has a default policy bound to it, the process fails and the following error message appears: No Such Resource.


  • Issue ID 0323442: The DataStream feature does not support dynamic stored procedures. Consequently, dynamic stored procedures fail if they use the sp_prepexec and sp_prepare stored procedures.

Global Server Load Balancing

  • Issue ID 0324486: When creating a local GSLB site in the NetScaler configuration utility, if you set the Trigger Monitors option to MEPDOWN, the GSLB site does not appear in the details pane until after you click ‘Refresh’.
  • Issue ID 0326364: Even though a GSLB virtual server is configured with the static proximity method, and some requests match a DNS policy whose action uses a DNS view to restrict matching requests to only a subset of the bound services, the NetScaler appliance uses the round robin method to load balance requests across all of the GSLB services that are bound to the GSLB virtual server. The issue can occur if the locations that correspond to the source IP addresses in the DNS requests are not found in the location database.
  • Issue ID 0328911: When configuring monitoring for a GSLB service by using the NetScaler configuration utility, if you include monitors that cannot be used with GSLB services (for example, ARP monitors) along with monitors that can be used with GSLB services (for example, TCP monitors), the configuration utility displays an error message for the invalid monitor bindings, but the valid bindings succeed. When you unbind an invalid monitor from the service, the message ‘Error’ is displayed. No further information is provided in the message.

Integrated Caching

  • Issue ID 0329485: When the NetScaler appliance responds to a byte range request, it might get into an infinite loop for one specific request, which might cause the appliance to fail.

Load Balancing

  • Issue ID 0314738: If you issue the ‘force HA sync -force’ command when HA synchronization is disabled on both nodes, the services on the secondary node are marked as DOWN. The services remain in that state until after a failover.   When a failover occurs, the failover of some services might be delayed by a few seconds while monitors learn the actual states of those services. Until the monitors learn and correct the states, new connections to those services might be rejected. Consequently, you might also observe a brief period of outage following a failover.
  • Issue ID 0323317: The configuration commands for binding views to GSLB services are not shown in the output of the show ns runningConfig or show gslb runningConfig commands. Additionally, the configuration commands are lost during a reboot or upgrade.
  • Issue ID 0323891: The NetScaler CLI and configuration utility display incorrect values for the following counters, which are used for monitoring services, including GSLB services :
    •  Total number of monitoring probes sent
    •  Total number of failed probes
    •  Current number of failed probes
  • Issue ID 0324061: When you configure a SIP-UDP load balancing virtual server by using the NetScaler command-line interface, the default setting for persistence type is CALLID. However, when you use the configuration utility to configure a SIP-UDP virtual server, the default setting for persistence type is NONE.
  • Issue ID 0324576: The automatic domain based service group scaling option (the autoScale parameter) has been moved from the bind serviceGroup command to the add serviceGroup command. The possible values of the parameter have changed from YES and NO to DNS and DISABLED, respectively.
    To configure a service group to scale automatically, using the NetScaler command line, at the NetScaler command prompt, type the following command:

    add serviceGroup <serviceGroupName>@ <serviceType> -autoScale DNS

    To configure a service group to scale automatically, using the NetScaler configuration utility, go to Load Balancing > Service Groups > Add. In the Create Service Group dialog box, on the Advanced tab, from the Auto Scale Mode list, select DNS.

  • Issue ID 0329191  (nCore): If an AppExpert application that was used to load user configuration to the NetScaler appliance is removed, the appliance becomes unavailable.
  • Issue ID 0330276: The virtual router IDs (VRIDs) that are configured on the NetScaler appliance are not available in the Virtual Router ID list in the Create IP and Configure IP dialog boxes (Network > IPs > Add/Open). Consequently, you cannot use the configuration utility to bind a VRID to a virtual server.


  • Issue ID 0320571: The state of a service is shown as UP even when the service is down. Consequently, the NetScaler appliance continues to forward requests to that service, and clients do not receive responses to their requests.

NetScaler SDX Appliance

  • Issue ID 0326655: If you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt your data contents.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.
  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.
  • Issue ID 0327984: You can now apply a hotfix for XenServer from the Management Service. On the Configuration tab, expand Management Service, and then click XenServer Files. In the details pane, click Hotfixes, and then click Upload. After uploading the hotfix to the appliance, click Apply. If an error occurs in the process of applying the hotfix, an error message displays the cause of the problem.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in release 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt.method=2

    Perform a warm reboot for the above change to take effect.

  • Issue ID 0328540: After you install the initial NetScaler virtual appliance, if you try to save the configuration and licenses are not present on the appliance, the appliance becomes unresponsive. Restart the appliance and load the licenses. Restart the appliance again for the changes to take effect. Then save the configuration.
  • Issue ID 0329966: After you install the initial NetScaler virtual appliance (.xva image) for build 69.4, if you run the ‘save config’ command and licenses are not present on the appliance, the appliance becomes unresponsive. Restart the appliance and load the licenses. Restart the appliance again for the changes to take effect. Then run the ‘save config’ command.


  • Issue ID 0321868: BGP does not advertise default route to the peer, with default-originate flag, if the state of a learnt default route toggles.
  • Issue ID 0324432: The NetScaler appliance forwards (L3 mode) certain response packets with IP header checksum value 0xFFFF, which is an invalid value according to RFC 1624. As a result, the router drops these packets.
  • Issue ID 0330118: OSPF maximum age link-state advertisements (LSAs) are not removed from the NetScaler appliance because the maximum age walker processes suspended indefinitely.
  • Issue ID 0330165: After upgrading the Netscaler appliance to 10.69.4 build, the appliance does not learn a ARP entry from a ARP reply packet, if the MAC addresses in the Ethernet header (Source MAC) and ARP header(Sender MAC) of the ARP reply packet are different.


  • Issue ID 0276184: NetScaler release 10 build 70.x is supported on the new MPX 8200/8400/8600 platforms.


  • Issue ID 0291487: NetScaler appliances running version 9.2 build 52.1 or later and have a large number (in the hundreds) of policy bindings can experience performance issues on ‘save ns config’ and ‘show config’ operations. This can lead to interruption in services.
  • Issue ID 0322964: Removed the ‘unset audit syslogPolicy’ and ‘unset audit nslogPolicy’ commands from NetScaler release 10 build 70 onwards.
  • Issue ID 0324700: Removed the ‘unset filter policy’ command from NetScaler release 10 build 70 onwards.


  • Issue ID 0324200 (nCore): On a NetScaler appliance with the responder feature configured to redirect requests from authenticated members of a particular group to a custom web page, the redirections sometimes fail. The reason is that, when the responder feature is invoked before the AAA session is completely established (as is the case when a user selects a choice after initial logon), the user’s AAA session is not transferred from one core to the other.  Responder therefore fails to identify the user as a member of the targeted group.
  • Issue ID 0330133: On a NetScaler appliance with the responder feature enabled and a respondWith response configured, if a user sends a request with a large Content-Length header, the NetScaler appliance might appear to hang. The cause of the apparent hang is that the NetScaler appliance expects a request of the specified Content-Length, and waits for the rest of the request before responding to it.


  • Issue ID 0301481: On a NetScaler appliance that has a response-side rewrite policy configured and bound to a load balancing virtual server, a request sent to the virtual server might trigger a sequence of events that causes the NetScaler appliance to fail.


  • Issue ID 0327173: The ciphers bound to an SSL virtual server are not displayed in the configuration utility.


  • Issue ID 0271783: If you configure an RNAT rule and enable the TCP proxy option for RNAT, the NetScaler appliance functions as a proxy for internal clients and maintains separate client-side and server-side connections. In certain scenarios, this behavior might result in a service type mismatch between the client-side and server-side connections, and the appliance might reboot with a core dump.
  • Issue IDs 0306352 and 0332253: When using the configuration utility or SSH to log on to the appliance, the “Connection limit to CFE exceeded” message might be displayed. This message is displayed if an earlier session was closed without logging out of the session.
  • Issue ID 0306660 (nCore): You can now use the ‘set ns tcpparam connFlushIfNoMem <connFlushIfNoMem>’ command on a NetScaler appliance to close existing connections if memory is not available for a new connection. When using this command, you must specify the type of connection to be closed. By default, this feature is disabled on the appliance.
  • Issue IDs 0312893 and 0331073: When you run the ‘show run’ command, the NetScaler appliance might fail even if the you have permission to run the command.
  • Issue ID 0325665: An unrelated error code is displayed on executing the ‘set filter prebodyinjection/postbodyinjection’ commands.
  • Issue ID 0323190: In rare cases, the NetScaler appliance fails when some pages are recovered from the free queue before the page table scan is complete.
  • Issue ID 0327118: In the configuration utility, the minimum and maximum values allowed for number of audit messages is incorrect. The maximum and minimum values displayed are 255 and 0, but the correct values are 256 and 1.
  • Issue ID 0330336 (nCore): IPv6 addresses might occasionally be captured in the audit log, even though IPv6 addresses are not configured.

Web Interface

  • Issue ID 0306731: If the Rewrite feature is not enabled, the Enable access through receiver client option for a Web Interface(WI) site does not work. This is because the functionality of the option depends on some rewrite policies on the appliance.
  • Issue ID 0315502: The Configuration Utility displays an error message when you try to disable the Web Interface feature.
  • Issue ID 0315951: If the Responder feature is not enabled, the Make Site Path Case Insensitive option for a Web Interface(WI) site does not work. This is because the functionality of the option depends on some Responder polies on the appliance.
  • Issue ID 0324373: In the Web Interface (WI) configuration wizard, for a WI site in gateway direct mode, the state of the Enable Access through Receiver Client option is shown selected even when there are no rewrite policies bound to the selected Access Gateway virtual server.
  • Issue ID 0331904: In the Web Interface (WI) configuration wizard, the Enable Access through Receiver Client option remain selected even when you try to clear the option.

Known Issues and Workarounds


  • Issue ID 0303507: NetScaler automatic domain join is failing with Likewise 6.1. If you attempt to create a Kerberoes authentication action, the attempt fails with the following error message:LsaAdJoinDomain (40041) Invalid parameterTo work around this issue, at the NetScaler command line open a Unix shell, adn then type the following command to manually join the domain:/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
    Note: You must issue this command after each reboot.
  • Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line ‘kill session’ command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.
  • Issue ID  0327446: On an Outlook for Web Access (OWA) 2010 server that is protected by AAA-TM with single sign-on (SSO) enabled, when a user who uses the Firefox or Chrome browsers logs off, some OWA 2010 images do not appear.

Access Gateway

  • Issue ID 0249975: When users log on with the Access Gateway Plug-in, the ‘File Transfer’  tab on the Access Interface is available, but the ‘File Transfer option’  is not available if users right-click the Access Gateway icon in the notification area.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the Log on option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon, click Preferences, and then click Plug-in status. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:

    • Add the Receiver key (if the key does not already exist) under the following registry locations:

      • HKEY_CURRENT_USERSoftwareCitrix
      • HKEY_LOCAL_MACHINESoftwareCitrix
    • Add the Inventory key in the following registry locations:

      • HKEY_CURRENT_USERSoftwareCitrixReceiver
      • HKEY_CURRENT_USERSoftwareCitrixReceiver
    • In the ‘Inventory  key’, configure the following ‘REG_SZ’  values:

      • VPNAddress.  Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as ‘UserName’.
      • VPNPrompt2. Provide the value as ‘Password’.In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as ‘REG_SZ’:
      • VPNPrompt3.  Provide the value as ‘*Passcode’.
  • Issue ID 0261547: When you enable Access Gateway as a reverse proxy and you enable basic preauthentication and post- authentication scans, as well as encryption and client choices, when users log on with the Access Gateway Plug-in, the preauthentication scan passes, but the post-authentication scan fails.
  • Issue ID 0275079: When users access applications published on XenApp, each user consumes multiple Access Gateway licenses per application. Instead, one session ID should be shared across the applications the user accesses. As a result, users exceed their allocated license count and an SSL error occurs.
  • Issue ID 0278218: If you configure an endpoint policy, the preauthentication policy runs as expected. When users try to log on with the Access Gateway Plug-in, however, occasionally the post-authentication policy does not work as expected and authentication fails.
  • Issue ID 0285995: If you configure Access Gateway to assign an intranet IP address to user devices that connect to Access Gateway, when users log on with the Access Gateway Plug-in, the secure DNS dynamic update does not occur and the intranet IP address is not registered with the DNS Server.
  • Issue ID 0288469: After you configure a virtual server to use the Access Gateway Plug-in for Java, when users log on with the Access Gateway Plug-in by using a browser that has a 64-bit Java Runtime Environment (JRE) installed, the plug-in fails to establish a connection.
  • Issue ID 0291264: If you create a Web Interface 5.4 site and enable authentication through Access Gateway, and you enable single sign-on with a smart card to the Web Interface that enables smart card pass-through, when users log on with the Access Gateway Plug-in, the users’ desktops are not listed on the Web Interface.
  • Issue ID 0291821: If you create a Web Interface 5.4 site and enable authentication with a smart card through Access Gateway, and you configure the ‘Single Sign-on Domain’  on the ‘Published Applications’  tab using the format instead of domainname, when users start a published application or desktop, authentication fails.
  • Issue ID 0292005: When users connect with clientless access and try to download a file larger than 1 gigabyte (GB) from the file share on the home page, as the file is downloading, if an upload is attempted, the download process fails but the upload continues.
  • Issue ID 0298971: When users log on with the Access Gateway Plug-in for Java and the Web Interface opens in Internet Explorer 9, if users do not turn on Compatibility View in Internet Explorer, when they click a published application, the following error appears: Resource shortcuts are not available.
  • Issue ID 0299515: If you configure an intranet IP address on Access Gateway, when users connect with the Access Gateway Plug-in on a computer running Windows XP Service Pack 3 and try to access a CIFS share hosted on a computer in the secure network, users receive an error that the share is inaccessible.
  • Issue ID 0300511: When users log on using clientless access and click a bookmark from the home page to open a Distributed File Share (DFS), if the target folder resides on a different computer than the computer where the domain DFS server resides, the share does not open.
  • Issue ID 0309017: When you configure a preauthentication and post-authentication policy with an expression to scan a user device for a file, Access Gateway does not check for expression syntax. As a result, Access Gateway accepts inappropriate syntax configuration and the scan fails.
  • Issue ID 0319607: If an authentication server and Access Gateway reside in the same domain, the appliance may fail.


  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.


  • Issue ID 0333560 (nCore): AppFlow records generated by the NetScaler appliance might contain junk characters.

Application Firewall

  • Issue ID 0282932: If you use the Signature Editor to add a signature rule for a response-side check (such as the Credit Card or Safe Object check), in addition to one or more response patterns you must also add at least one request pattern. If you do not, then when you try to save the new signature rule, the configuration utility displays an error message and does not save the rule.
  • Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted.  If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
  • Issue ID 0301813: When deploying a learned Cross-Site Request Forgery relaxation from the Syslog Viewer, the configuration utility does not deploy the relaxation, but displays the following error message: ‘CSRF Tag validation failed’.
  • Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported for importing as application firewall signature rules. WAS 2.0 scan reports are not supported.

Cache Redirection

  • Issue ID 0287688: If you set the L2Conn parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

Configuration Utility

  • Issue ID 0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
  • Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
  • Issue ID 0278097: In the configuration utility, if you click Application Firewall in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
  • Issue ID 0319070: The Setup wizard is not launched automatically if a mapped IP (MIP) address or a Subnet IP (SNIP) address is not configured on the NetScaler appliance.
  • Issue ID 0333048: Using the Configuration Utility in Internet Explorer version 8, when you attempt to bind 250 or more VIP addresses to a VLAN, the Configuration Utility displays an unresponsive script error.
  • Issue ID 0333834: If the PDF reader plug-in is not set in your browser and you try to open an HTML document from the Downloads tab of the NetScaler configuration utility, you are prompted to open the document in Adobe Reader.
  • Issue ID 0334042: The configuration utility does not display a details panel for all the entities.Workaround: Select the entity and click ‘Open’ to display the details.
  • Issue ID 0333745: When you access the NetScaler configuration utility from a Mac machine, the keyboard short cut keys may be unresponsive. In the NetScaler configuration utility, short cut keys work differently in Java and HTML. For example, in Java, shortcut keys for the copy-paste functions are <CRTL C> and <CRTL V> and in HTML they are <CMD C> and <CMD V> .Workaround: Use the HTML shortcut keys if Java shortcut keys are not working and vice-versa.


  • Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy’s Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

  • Issue IDs 0268748 and 0333310: In a cluster setup, if you save the configuration and reboot an appliance, the default name-server records for the thirteen root servers, and their associated address records, become unavailable. If you need them, you have to add them manually after you perform a reboot.
  • Issue ID 0291053: Under the following sequence of events, the NetScaler appliance sends the client a cached NXDOMAIN response instead of the IP addresses that are configured in the DNS action for response rewrite:
    1. A security-aware name server sends the appliance a DNSSEC-enabled NXDOMAIN response for a non-existent domain. The appliance, which is designed to not rewrite DNSSEC-enabled responses, relays the negative response to the client without modifying it. The appliance also caches the response.
    2. A client sends the appliance a request for the same domain, but it does not set the DNSSEC OK EDNS header bit.

    This behavior is expected, and ensures that security-aware and security-oblivious clients receive the same response.

  • Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.

Global Server Load Balancing

  • Issue ID 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
  • Issue ID 0326001: If a GSLB virtual server’s primary and backup GSLB methods are both set to round trip time (RTT) or static proximity and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.Workaround: If you use RTT or static proximity as the primary GSLB method, do not use the same method as the backup GSLB method.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the ‘show lb persistentSessions’ CLI command displays an internal representation of thepersistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule ‘client.tcp.payload(n)’, and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from client before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91711/0250846: If the string (or ‘token’) that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR(‘string2’).AFTER_STR(‘string1’) if the string that is enclosed by ‘string1’ and ‘string2’ is not larger than 64 KB.
  • Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.
  • Issue ID 0318310: While creating a load balancing monitor, you cannot specify a send string that has a length of more than 76 characters. This issue is observed only in a cluster setup.
  • Issue ID 0331621: While creating SSL or load balancing virtual servers with default responder action, the NetScaler appliance throws a ‘No such resource’ error. This issue is observed only in a cluster setup.

NetScaler SDX Appliance

  • Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type : #/etc/rc.d/svmd restart
  • Issue ID 0274175: Virtual MAC addresses are now supported on the NetScaler SDX appliance.


  • Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
  • Issue ID 0283035 and 0299716: In a cluster setup, the ‘bind vlan’ command throws an error when interface and IP address are specified together.
  • Issue ID 0288450: The ‘show lacp’ command does not display the lacp configurations. This issue is observed only in a cluster setup.
  • Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes will not be synchronized when PTP packets are dropped due to backplane switch or if the physical resources are over-committed in a virtual environment.

    • Disable PTP using the command ‘set ptp -state disable’ and configure NTP to synchronize the time across the cluster nodes.
    • If the backplane switch is like the Extreme switch, disable the multicast PTP packets from reaching the CPU by using the following command (this might cause some relevant features, such as routing, from not working):ipmcforwarding to-cpu off ports 41-48< backplane-interfaces>


  • Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.


  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 0283661: In a cluster setup, if you add an SSL certificate on the configuration coordinator, and immediately execute the add certkey command, the command succeeds on the configuration coordinator but might fail on the other cluster nodes if the certificates on the configuration coordinator are not synchronized with the other cluster nodes before the command is executed.Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.

Download the latest firmware here (requires a valid My Citrix ID).