NetScaler 10.1 released

• Issue ID 0327114: On a NetScaler appliance with NetScaler 10 build 69.4 nc installed, if you use the configuration utility to configure authentication on a load-balancing virtual server, the following error message appears:No Authentication Host specifiedThe configuration utility then removes the authentication host from the configuration. This behavior occurs regardless of whether you are configuring authentication host settings on the virtual server for the first time, or modifying existing authentication host settings on the virtual server.

• Issue ID 0308733: If you configure Access Gateway with additional appliances in which global server load balancing (GSLB) is enabled, when users log on with the Access Gateway Plug-in, occasionally the connection times out, a time-out error appears, such as ‘Your Citrix Access Gateway session timed-out and you are not connected,’ and the session disconnects.
• Issue ID 0319901: If you enable Integrated Caching and Web Interface on Netscaler on an Access Gateway appliance, and then change the URL for the Web Interface, Access Gateway might fail.
• Issue ID 0320210: When users connect with the Access Gateway Plug-in on a computer running Windows XP, the Group Policy Object is not applied.
• Issue ID 0321425: If you configure a virtual server with a default authentication type by using the Access Gateway wizard, if Access Gateway restarts, the configuration is not maintained and authentication fails.
• Issue ID 0329621: If you configure an endpoint policy and bind the policy to a virtual server, the preauthentication policy is not working as expected. Users with devices that meet the requirements may not be able to log on to Access Gateway.

• Issue ID 0288343: You can now configure the source IP address (SNIP or MIP address), to be used for AppFlow traffic. When you add an Appflow collector by using the add appflow collector command, you can use the -netprofile option to associate a netprofile to which the source IP address is bound. By default, the Appflow exporter takes NSIP address as the source IP address if you do not specify the -netprofile option.

  > add appflow collector <col_name> -IPAddress <IP_addr> [-netprofile {netprofile_name}]

• Issue ID 0311033 (nCore): AppFlow records can now log X-Forwarded-For HTTP header information. You can enable the logging with the set appflow param -httpXForwardedFor ENABLED command or by using the configuration utility.
• Issue ID 0313091: AppFlow records might not display the start time of the current transaction. Instead, they display the start time of the previous transaction due to reuse of connections.
• Issue ID 0320239 (nCore): HTTP method names might be occasionally truncated in the AppFlow records.

• Issue ID 0299940: The change profile type command does not work correctly.

  • If you try to change a profile type to Web 2.0, the profile type remains HTML.
  • If you try to change a profile type to XML, the Profile Type field disappears completely.

  When you use the configuration utility to change the profile type, the profile type is actually changed correctly, but the display is incorrect. When you use the NetScaler command line, the actual profile type is set as shown above.

• Issue ID 0302294: Learned relaxations are sometimes not removed from the review list after they have been deployed.  To manually remove a learned relaxation that has already been deployed, in the Manage Learned Rules dialog box select the relaxation and then click Skip.
• Issue ID 0329539 (nCore): On a NetScaler appliance with the application firewall enabled, occasionally the NetScaler appliance crashes when retrieving a page from a protected web site that sets one or more cookies.
• Issue ID 0330642: On a NetScaler appliance with both the Application Firewall and Integrated Caching features enabled, the NetScaler appliance might experience occasional resets when its memory fills up. The cause is a small memory leak.
• Issue ID 0331112 (nCore): In the NetScaler 9.3 58.2.nc build, when applying the HTML or XML SQL Injection check the application firewall does not transform special strings even when Transformation is enabled. This issue was fixed in build 58.4.nc.

• Issue ID 0328353: When you use the configuration utility to bind a cache redirection policy to a cache redirection virtual server, the policy is added to the content switching (CSW) policy tab instead of cache redirection (CRD) policy tab. If you try to resolve this issue by using the CR virtual server wizard, the following error message appears: ‘Please specify Target.’
• Issue ID 0330033: Tabs for filter/compression policy bindings are not displayed for a cache redirection virtual server, and it is not possible to bind those policies to a cache redirection virtual server.
• Issue ID 0330139: If you use the configuration utility to unset a cache virtual server for a cache redirection virtual server, the process fails and the following error message appears: invalid argument.

• Issue ID 0311617: When upgrading the NetScaler appliance to 10.70 or a later build, the appliance prompts you to enable the Call Home feature.

• Issue ID 0327119: When you create policy rules from the configuration utility, an error occurs and the policies are not configured.

• Issue ID 0230903: The content switching feature now supports the ability to bind a policy to multiple virtual servers or policy labels. To support multiple policy bind functionality, the target load balancing virtual server is specified in the action and attached to the policy. This enhancement enables you to reuse an existing policy by binding it to the virtual servers. You can also combine multiple policies in a policy label and apply the policy label to the virtual server.
• Issue ID 0330045: The configuration changes made by using the bind cs vserver and bind cs policylabel commands are not saved in the configuration file. Therefore, the CS policy bindings are lost the first time the NetScaler appliance is restarted after an upgrade to release 10.
• Issue ID 0330290: You cannot use the configuration utility to bind a content switching policy to a content switching virtual server if the policy is configured with only a domain value. The bind fails, and the following error message appears: ‘Priority cannot be specified for URL-based content switching policy.’
• Issue ID 0331029: If you use the configuration utility to open a content switching virtual server that has a default policy bound to it, the process fails and the following error message appears: No Such Resource.

• Issue ID 0323442: The DataStream feature does not support dynamic stored procedures. Consequently, dynamic stored procedures fail if they use the sp_prepexec and sp_prepare stored procedures.

• Issue ID 0324486: When creating a local GSLB site in the NetScaler configuration utility, if you set the Trigger Monitors option to MEPDOWN, the GSLB site does not appear in the details pane until after you click ‘Refresh’.
• Issue ID 0326364: Even though a GSLB virtual server is configured with the static proximity method, and some requests match a DNS policy whose action uses a DNS view to restrict matching requests to only a subset of the bound services, the NetScaler appliance uses the round robin method to load balance requests across all of the GSLB services that are bound to the GSLB virtual server. The issue can occur if the locations that correspond to the source IP addresses in the DNS requests are not found in the location database.
• Issue ID 0328911: When configuring monitoring for a GSLB service by using the NetScaler configuration utility, if you include monitors that cannot be used with GSLB services (for example, ARP monitors) along with monitors that can be used with GSLB services (for example, TCP monitors), the configuration utility displays an error message for the invalid monitor bindings, but the valid bindings succeed. When you unbind an invalid monitor from the service, the message ‘Error’ is displayed. No further information is provided in the message.

• Issue ID 0329485: When the NetScaler appliance responds to a byte range request, it might get into an infinite loop for one specific request, which might cause the appliance to fail.

• Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in release 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

  sysctl netscaler.ns_vpx_halt.method=2

  Perform a warm reboot for the above change to take effect.

• Issue ID 0328540: After you install the initial NetScaler virtual appliance, if you try to save the configuration and licenses are not present on the appliance, the appliance becomes unresponsive. Restart the appliance and load the licenses. Restart the appliance again for the changes to take effect. Then save the configuration.
• Issue ID 0329966: After you install the initial NetScaler virtual appliance (.xva image) for build 69.4, if you run the ‘save config’ command and licenses are not present on the appliance, the appliance becomes unresponsive. Restart the appliance and load the licenses. Restart the appliance again for the changes to take effect. Then run the ‘save config’ command.

• Issue ID 0324200 (nCore): On a NetScaler appliance with the responder feature configured to redirect requests from authenticated members of a particular group to a custom web page, the redirections sometimes fail. The reason is that, when the responder feature is invoked before the AAA session is completely established (as is the case when a user selects a choice after initial logon), the user’s AAA session is not transferred from one core to the other.  Responder therefore fails to identify the user as a member of the targeted group.
• Issue ID 0330133: On a NetScaler appliance with the responder feature enabled and a respondWith response configured, if a user sends a request with a large Content-Length header, the NetScaler appliance might appear to hang. The cause of the apparent hang is that the NetScaler appliance expects a request of the specified Content-Length, and waits for the rest of the request before responding to it.

• Issue ID 0301481: On a NetScaler appliance that has a response-side rewrite policy configured and bound to a load balancing virtual server, a request sent to the virtual server might trigger a sequence of events that causes the NetScaler appliance to fail.

• Issue ID 0327173: The ciphers bound to an SSL virtual server are not displayed in the configuration utility.

• Issue ID 0306731: If the Rewrite feature is not enabled, the Enable access through receiver client option for a Web Interface(WI) site does not work. This is because the functionality of the option depends on some rewrite policies on the appliance.
• Issue ID 0315502: The Configuration Utility displays an error message when you try to disable the Web Interface feature.
• Issue ID 0315951: If the Responder feature is not enabled, the Make Site Path Case Insensitive option for a Web Interface(WI) site does not work. This is because the functionality of the option depends on some Responder polies on the appliance.
• Issue ID 0324373: In the Web Interface (WI) configuration wizard, for a WI site in gateway direct mode, the state of the Enable Access through Receiver Client option is shown selected even when there are no rewrite policies bound to the selected Access Gateway virtual server.
• Issue ID 0331904: In the Web Interface (WI) configuration wizard, the Enable Access through Receiver Client option remain selected even when you try to clear the option.

AAA-TM

• Issue ID 0303507: NetScaler automatic domain join is failing with Likewise 6.1. If you attempt to create a Kerberoes authentication action, the attempt fails with the following error message:LsaAdJoinDomain (40041) Invalid parameterTo work around this issue, at the NetScaler command line open a Unix shell, adn then type the following command to manually join the domain:/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
  Note: You must issue this command after each reboot.
• Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line ‘kill session’ command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.
• Issue ID  0327446: On an Outlook for Web Access (OWA) 2010 server that is protected by AAA-TM with single sign-on (SSO) enabled, when a user who uses the Firefox or Chrome browsers logs off, some OWA 2010 images do not appear.

Access Gateway

AppExpert

AppFlow

Application Firewall

• Issue ID 0282932: If you use the Signature Editor to add a signature rule for a response-side check (such as the Credit Card or Safe Object check), in addition to one or more response patterns you must also add at least one request pattern. If you do not, then when you try to save the new signature rule, the configuration utility displays an error message and does not save the rule.
• Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted.  If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
• Issue ID 0301813: When deploying a learned Cross-Site Request Forgery relaxation from the Syslog Viewer, the configuration utility does not deploy the relaxation, but displays the following error message: ‘CSRF Tag validation failed’.
• Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported for importing as application firewall signature rules. WAS 2.0 scan reports are not supported.

Cache Redirection

• Issue ID 0287688: If you set the L2Conn parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

Configuration Utility

• Issue ID 0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
• Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
• Issue ID 0278097: In the configuration utility, if you click Application Firewall in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
• Issue ID 0319070: The Setup wizard is not launched automatically if a mapped IP (MIP) address or a Subnet IP (SNIP) address is not configured on the NetScaler appliance.
• Issue ID 0333048: Using the Configuration Utility in Internet Explorer version 8, when you attempt to bind 250 or more VIP addresses to a VLAN, the Configuration Utility displays an unresponsive script error.
• Issue ID 0333834: If the PDF reader plug-in is not set in your browser and you try to open an HTML document from the Downloads tab of the NetScaler configuration utility, you are prompted to open the document in Adobe Reader.
• Issue ID 0334042: The configuration utility does not display a details panel for all the entities.Workaround: Select the entity and click ‘Open’ to display the details.
• Issue ID 0333745: When you access the NetScaler configuration utility from a Mac machine, the keyboard short cut keys may be unresponsive. In the NetScaler configuration utility, short cut keys work differently in Java and HTML. For example, in Java, shortcut keys for the copy-paste functions are <CRTL C> and <CRTL V> and in HTML they are <CMD C> and <CMD V> .Workaround: Use the HTML shortcut keys if Java shortcut keys are not working and vice-versa.

Documentation

• Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy’s Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

• Issue IDs 0268748 and 0333310: In a cluster setup, if you save the configuration and reboot an appliance, the default name-server records for the thirteen root servers, and their associated address records, become unavailable. If you need them, you have to add them manually after you perform a reboot.
• Issue ID 0291053: Under the following sequence of events, the NetScaler appliance sends the client a cached NXDOMAIN response instead of the IP addresses that are configured in the DNS action for response rewrite:
  1. A security-aware name server sends the appliance a DNSSEC-enabled NXDOMAIN response for a non-existent domain. The appliance, which is designed to not rewrite DNSSEC-enabled responses, relays the negative response to the client without modifying it. The appliance also caches the response.
  2. A client sends the appliance a request for the same domain, but it does not set the DNSSEC OK EDNS header bit.

  This behavior is expected, and ensures that security-aware and security-oblivious clients receive the same response.

• Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.

Global Server Load Balancing

• Issue ID 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
• Issue ID 0326001: If a GSLB virtual server’s primary and backup GSLB methods are both set to round trip time (RTT) or static proximity and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.Workaround: If you use RTT or static proximity as the primary GSLB method, do not use the same method as the backup GSLB method.

Load Balancing

• Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the ‘show lb persistentSessions’ CLI command displays an internal representation of thepersistence parameter instead of the actual persistence parameter.
• Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule ‘client.tcp.payload(n)’, and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from client before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
• Issue ID 91711/0250846: If the string (or ‘token’) that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR(‘string2’).AFTER_STR(‘string1’) if the string that is enclosed by ‘string1’ and ‘string2’ is not larger than 64 KB.
• Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.
• Issue ID 0318310: While creating a load balancing monitor, you cannot specify a send string that has a length of more than 76 characters. This issue is observed only in a cluster setup.
• Issue ID 0331621: While creating SSL or load balancing virtual servers with default responder action, the NetScaler appliance throws a ‘No such resource’ error. This issue is observed only in a cluster setup.

NetScaler SDX Appliance

• Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type : #/etc/rc.d/svmd restart
• Issue ID 0274175: Virtual MAC addresses are now supported on the NetScaler SDX appliance.

Networking

• Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
• Issue ID 0283035 and 0299716: In a cluster setup, the ‘bind vlan’ command throws an error when interface and IP address are specified together.
• Issue ID 0288450: The ‘show lacp’ command does not display the lacp configurations. This issue is observed only in a cluster setup.
• Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes will not be synchronized when PTP packets are dropped due to backplane switch or if the physical resources are over-committed in a virtual environment.
  Workaround:

  • Disable PTP using the command ‘set ptp -state disable’ and configure NTP to synchronize the time across the cluster nodes.
  • If the backplane switch is like the Extreme switch, disable the multicast PTP packets from reaching the CPU by using the following command (this might cause some relevant features, such as routing, from not working):ipmcforwarding to-cpu off ports 41-48< backplane-interfaces>

Rewrite

• Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.

SSL