Release Notes for 9.3 Enhancement Releases

This document describes the enhancements, changes, fixed issues, and known issues provided in the enhancement releases of the Citrix® NetScaler® software.

Note: This document is also available in the Enhancement Releases section on Citrix eDocs.

Build 60.3007.e

Release version: Citrix® NetScaler® release 9.3.e build 60.3007.e

Replaces build: None

Release date: March 2013

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 60.3. The release notes are available in the Build 60.3 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Support for Binding LACP Channels to NSVLAN

  • Issue IDs 0195111 and 0347657: You can now bind LACP channels to the NSVLAN (VLAN to which the NetScaler management IP (NSIP) address's subnet is bound) by using the set nsconfig command.

    For more information, see Configuring NSVLAN.

Support for Byte Mobile T1100-16 Hardware

  • Issue ID 0341780: The NetScaler configuration utility has been enhanced to support the new T1100-16 Byte Mobile hardware platform.

Support for 1G Copper SFP Transceivers and DAC Cables

  • Issue ID 0344262: 1G copper SFP transceivers are now supported on the ixgbe (ix) interfaces. These transceivers are hot-swappable on this interface. However, fiber SFP transceivers are not supported.

    The following SFP+ and SFP transceivers, and direct access cables, are supported:

    • Intel fiber SFP+: "FTLX8571D3BCV-IT"
    • Intel fiber SFP+: "FTLX8571D3BCV-I3"
    • Finisar fiber SFP+: "FTLX8571D3BCV"
    • Intel fiber SFP+ (LR): "FTLX1471D3BCV-IT"
    • Finisar fiber SFP+ (LR): "FTLX1471D3BCV"

    • Finisar copper SFP: "FCLF-8521-3"
    • Avago copper SFP: "ABCU-5710RZ"

    • Methode DAC cable: "DM-255-100"
    • Methode DAC cable: "DM-255-300"
    • Methode DAC cable: "DM-255-500"
    Note:
    • Only 10G ports support DAC cables.
    • Fiber SFPs are not supported.

Bug Fixes

Load Balancing

  • Issue ID 0359157: A NetScaler appliance deployed in a high availability setup fails if the state of an internal DNS service changes (for example, from UP to DOWN). The state of an internal DNS service can change when the network configuration is modified (for example, when a route is added on the appliance).
  • Issue ID 0361135: The NetScaler appliance fails if you do the following:
    1. Configure an IP address based server by providing a name for the server.
    2. Use the server name to bind a service, hosted on the server, to a service group.
    3. Query the svcGrpMemberGroupFullName SNMP OID by using the snmpwalk command.

Networking

  • Issue IDs 0347657 and 0347666: If you bind an LACP channel, or a channel that does not exist on the NetScaler, as a member of nsvlan, the NetScaler command line interface might fail if you run the show channel or show interface command after the appliance is restarted.

Known Issues and Workarounds

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the "show lb persistentSessions" CLI command does not display the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as being the value of netmasks that you have set to 255.255.255.255. However, the netmask is stored correctly, and the functionality is not affected.
  • Issue ID 0320963: For a policy with action, the stateupdate option returns incorrect CS virtual server state information. The stateupdate option determines the state from the state of the LB virtual server attached to the CS virtual server. For a policy with action, however, the LB virtual server is determined at run time by the action expression, and hence the state is always returned as down.
  • Issue ID 0320958: CS policies with action do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for CSW PI policies (configured with action or without action) bound to a CS virtual server. Use the show cs policy command to display hits for policies configured with or without action.
  • Issue ID 0334277: If you configure a transparent sessionless load balancing virtual server and set the redirection mode to MAC, the virtual server does not process traffic.

    Workaround: Configure an appropriate listen policy on the virtual server.

System

  • Issue ID 0274802: In a high availability setup, if a route monitor is added within the RTST expiry time, the RTST timer restarts. Therefore, if a new route monitor is added within the RTST expiry time, the RTST timer might not expire, and that might prevent failover.

Build 59.5003.e

Release version: Citrix® NetScaler® release 9.3.e build 59.5003.e

Replaces build: None

Release date: December 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 59.5. The release notes are available in the Build 59.5 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Stateful Connection Failover for Layer 3 DSR that uses IP Tunneling

  • Issue ID 0348302: Stateful connection failover is now supported on a Layer 3 Direct Server Return (DSR) configuration that uses IP tunneling.

    Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring, CM) refers to keeping an established TCP or UDP connection active when a failover occurs.

    In stateful failover, to maintain current information about the mirrored connections, the primary appliance sends messages to the secondary appliance. The secondary appliance maintains the data related to the packets but uses it only in the event of a failover. If a failover occurs, the new primary (old secondary) appliance starts using the stored data about the mirrored connections and accepting traffic.

Bug Fixes

Networking

  • Issue IDs 0298289 and 0348515: For a configured IP tunnel with MAC-Based Forwarding (MBF) enabled, the HTTP monitor may fail randomly because incorrect MAC addresses are used in the Layer 2 header.

System

  • Issue ID 0301065: When using the HTTP monitor, the NetScaler appliance might send SYN packets from a port on which an earlier session was not closed by the server. The server then responds with a bad SYN-ACK response, which causes the NetScaler appliance to send a RST to the server.

Known Issues and Workarounds

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the "show lb persistentSessions" CLI command does not display the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as being the value of netmasks that you have set to 255.255.255.255. However, the netmask is stored correctly, and the functionality is not affected.
  • Issue ID 0320963: For a policy with action, the stateupdate option returns incorrect CS virtual server state information. The stateupdate option determines the state from the state of the LB virtual server attached to the CS virtual server. For a policy with action, however, the LB virtual server is determined at run time by the action expression, and hence the state is always returned as down.
  • Issue ID 0320958: CS policies with action do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for CSW PI policies (configured with action or without action) bound to a CS virtual server. Use the show cs policy command to display hits for policies configured with or without action.
  • Issue ID 0334277: If you configure a transparent sessionless load balancing virtual server and set the redirection mode to MAC, the virtual server does not process traffic.

    Workaround: Configure an appropriate listen policy on the virtual server.

System

  • Issue ID 0274802: In a high availability setup, if a route monitor is added within the RTST expiry time, the RTST timer restarts. Therefore, if a new route monitor is added within the RTST expiry time, the RTST timer might not expire, and that might prevent failover.

Build 58.5014.e

Release version: Citrix® NetScaler® release 9.3.e build 58.5014.e

Replaces build: None

Release date: December 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 58.5. The release notes are available in the Build 58.5 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Optimizing Receive Side Scaling for Symmetric Flow

  • Issue ID 0345208: A new receive-side scaling (RSS) option can enhance performance by avoiding software steering of response packets between packet engines. With the default setting, the RSS algorithm can send request and reply packets of the same session to different packet engines. When a reply packet is sent to a packet engine other than the one that processed the corresponding request packet, a software module steers the packet to the packet engine that processed the request. Frequent steering by the software module can affect performance.

    If you set the new RSS Key Type parameter to SYMMETRIC, the RSS algorithm derives, at the hardware level, the same packet engine for the request and reply traffic of the same session.

    This enhancement is applicable for cases where the NetScaler appliance does not change the source IP address and source port of the packets before sending them out. For example:
    1. Traffic for a transparent virtual server that has MAC mode enabled and to which are bound services that have USIP and useproxyport disabled.
    2. Traffic that matches a forwarding session rule.

    This feature enables the NetScaler appliance to improve the traffic flow by speeding up traffic processing.

    For more information, see the Optimizing Receive Side Scaling for Symmetric Flow section of the Advanced Configuration chapter of the Administration Guide.
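
    The steering problem and the effect of a symmetric key can be reproduced with the standard Toeplitz hash used by RSS-capable NICs. This is an added example, not NetScaler code: the page does not say how the SYMMETRIC key type is implemented, so the repeated 16-bit key pattern (a published symmetric-RSS technique), the count of 8 packet engines, the modulo mapping, and all addresses are assumptions or constructed values.

```python
"""Request/reply packet-engine selection under a default and a symmetric RSS key."""
import ipaddress
import struct

# Default 40-byte Toeplitz key from Microsoft's RSS documentation (not symmetric).
MS_DEFAULT_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0"
    "d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)

# Assumed symmetric key: one 16-bit pattern repeated. Because the key repeats
# every 16 bits, moving a field by 16 or 32 bits (swapping ports or addresses)
# selects exactly the same key windows, so both directions hash identically.
SYMMETRIC_KEY = bytes.fromhex("6d5a") * 20

ENGINES = 8  # hypothetical number of packet engines


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Standard RSS Toeplitz hash: XOR the 32-bit key window at every set input bit."""
    key_bits = len(key) * 8
    data_bits = len(data) * 8
    if key_bits < data_bits + 31:
        raise ValueError("key too short for this input")
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(data_bits):
        if data[i // 8] & (0x80 >> (i % 8)):
            # 32-bit window of the key that starts at key bit i (bit 0 = MSB)
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def flow_input(src: str, sport: int, dst: str, dport: int) -> bytes:
    """RSS hash input for IPv4 + TCP/UDP: src addr, dst addr, src port, dst port."""
    return (
        ipaddress.IPv4Address(src).packed
        + ipaddress.IPv4Address(dst).packed
        + struct.pack("!HH", sport, dport)
    )


def packet_engine(key: bytes, src: str, sport: int, dst: str, dport: int,
                  engines: int = ENGINES) -> int:
    """Map a packet to a packet engine (simplified: hash modulo engine count)."""
    return toeplitz_hash(key, flow_input(src, sport, dst, dport)) % engines


def count_steered(key: bytes, flows, engines: int = ENGINES) -> int:
    """Count flows whose reply lands on a different engine than the request."""
    steered = 0
    for src, sport, dst, dport in flows:
        request = packet_engine(key, src, sport, dst, dport, engines)
        # The reply carries the same 4-tuple with source and destination swapped.
        # This only holds when the appliance did not rewrite the source IP or port.
        reply = packet_engine(key, dst, dport, src, sport, engines)
        if request != reply:
            steered += 1
    return steered


# Constructed sample flows: 200 clients talking to one server on port 80.
FLOWS = [
    (f"10.0.{i}.{j}", 40000 + i, "192.0.2.10", 80)
    for i in range(8)
    for j in range(1, 26)
]

if __name__ == "__main__":
    for name, key in (("default", MS_DEFAULT_KEY), ("symmetric", SYMMETRIC_KEY)):
        print(f"{name:9s} key: {count_steered(key, FLOWS)} of {len(FLOWS)} "
              "flows need software steering")
```

    The swap in count_steered is why the enhancement applies only when the source IP address and source port are left unchanged: if they were rewritten, the reply's tuple would no longer be the mirror image of the request's.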

Bug Fixes

Policies

  • Issue ID 0338044: Adding the expression "CLIENT.IP.PROTOCOL" as the listen policy on a load balancing virtual server throws the "Invalid expression value" error message.

Known Issues and Workarounds

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the "show lb persistentSessions" CLI command does not display the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as being the value of netmasks that you have set to 255.255.255.255. However, the netmask is stored correctly, and the functionality is not affected.
  • Issue ID 0320963: For a policy with action, the stateupdate option returns incorrect CS virtual server state information. The stateupdate option determines the state from the state of the LB virtual server attached to the CS virtual server. For a policy with action, however, the LB virtual server is determined at run time by the action expression, and hence the state is always returned as down.
  • Issue ID 0320958: CS policies with action do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for CSW PI policies (configured with action or without action) bound to a CS virtual server. Use the show cs policy command to display hits for policies configured with or without action.
  • Issue ID 0334277: If you configure a transparent sessionless load balancing virtual server and set the redirection mode to MAC, the virtual server does not process traffic.

    Workaround: Configure an appropriate listen policy on the virtual server.

System

  • Issue ID 0274802: In a high availability setup, if a route monitor is added within the RTST expiry time, the RTST timer restarts. Therefore, if a new route monitor is added within the RTST expiry time, the RTST timer might not expire, and that might prevent failover.

Build 58.5009.e

Release version: Citrix® NetScaler® release 9.3.e build 58.5009.e

Replaces build: None

Release date: November 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 58.5. The release notes are available in the Build 58.5 section on Citrix eDocs.
  • The enhancements, bug fixes, and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Allowing L2 Mode on a NetScaler Instance

  • Issue IDs 0274172 and 0274497: A supplemental software pack supports L2 mode on NetScaler SDX appliances running XenServer 6.0. To upgrade to XenServer 6.0, see the Citrix NetScaler SDX Administration Guide. To install the supplemental software pack, see http://support.citrix.com/article/ctx132877.

    In Layer 2 (L2) mode, a NetScaler instance acts as a learning bridge and forwards all packets for which it is not the destination. With L2 mode enabled, the instance can receive and forward packets for MAC addresses other than its own MAC address. However, if a user wants to enable L2 mode on a NetScaler instance running on an SDX appliance, the administrator must first allow L2 mode on that instance. If you allow L2 mode, you must take precautions to avoid bridging loops. For more information about these precautions, see the Citrix NetScaler SDX Administration Guide.

Configuring VMACs on an Interface

  • Issue IDs 0274175 and 0274498: You can now configure VMACs on an interface assigned to an instance on the NetScaler SDX appliance. A NetScaler instance uses Virtual MACs (VMACs) for high availability (active-active or active-standby) configurations. A Virtual MAC address (VMAC) is a floating entity shared by the primary and the secondary nodes in a high availability setup. You must be careful when configuring VMACs. For more information, see the Citrix NetScaler SDX Administration Guide.

Controlling the L2 Conn Behavior of Load Balancing Virtual Servers

  • Issue IDs 0339846 and 0342151: The set l4 parameter command has a new parameter, l2connMethod, for specifying the MAC address, channel number, and VLAN ID attributes for the L2 Conn option behavior in a virtual server.

    For a load balancing virtual server that has L2 Conn enabled, when the l2connMethod parameter of the set l4 parameter command is set to Channel, Vlan, or VlanChannel, a client MAC address change no longer causes the NetScaler appliance to create a new session entry. Instead, the appliance updates the existing session entry with the new MAC address. This update resolves issues (especially with MBF) that were caused by the appliance using the old session entry instead of the new one.

Support for Binding LA Channels to NSVLAN

  • Issue ID 21395/0195111: Users can now bind link aggregation channels to the NSVLAN (VLAN to which the NetScaler management IP (NSIP) address's subnet is bound) by using the 'set nsconfig' command.

Bug Fixes

Domain Name System

  • Issue ID 0318199: If core memory is not available when the NetScaler appliance is processing an RRSIG record received in a response, the appliance fails.

Load Balancing

  • Issue ID 0342151: For a load balancing virtual server that has L2 Conn enabled, when the l2connMethod parameter of the set l4 parameter command is set to Channel, Vlan, or VlanChannel, a client MAC address change no longer causes the NetScaler appliance to create a new PCB/NATPCB entry. Instead, the appliance updates the existing PCB/NATPCB entry with the new MAC address. This update resolves issues (especially with MBF) that were caused by the appliance using the old PCB/NATPCB entry instead of the new one.

Networking

  • Issue ID 0340259: In a High Availability setup, the static ARP entry for a peer node will be deleted if a 'partial fail' mode is triggered.

Known Issues and Workarounds

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the "show lb persistentSessions" CLI command does not display the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as being the value of netmasks that you have set to 255.255.255.255. However, the netmask is stored correctly, and the functionality is not affected.
  • Issue ID 0320963: For a policy with action, the stateupdate option returns incorrect CS virtual server state information. The stateupdate option determines the state from the state of the LB virtual server attached to the CS virtual server. For a policy with action, however, the LB virtual server is determined at run time by the action expression, and hence the state is always returned as down.
  • Issue ID 0320958: CS policies with action do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for CSW PI policies (configured with action or without action) bound to a CS virtual server. Use the show cs policy command to display hits for policies configured with or without action.
  • Issue ID 0334277: If you configure a transparent sessionless load balancing virtual server and set the redirection mode to MAC, the virtual server does not process traffic.

    Workaround: Configure an appropriate listen policy on the virtual server.

System

  • Issue ID 0274802: In a high availability setup, if a route monitor is added within the RTST expiry time, the RTST timer restarts. Therefore, if a new route monitor is added within the RTST expiry time, the RTST timer might not expire, and that might prevent failover.

Build 58.5002.e

Release version: Citrix® NetScaler® release 9.3.e build 58.5002.e

Replaces build: None

Release date: September 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 57.5. The release notes are available in the Build 57.5 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Configuring SSL Close-notify at the Entity Level

Issue ID 0257122: The close-notify parameter setting for an entity no longer has to be inherited from the global settings. You can set the close-notify parameter at the entity (virtual server, service, or service group) level. This enhancement provides the flexibility to set this parameter for one entity and unset it for another entity. However, make sure that you set this parameter at the global level. Otherwise, the setting at the entity level does not apply.

For more information, see Configuring Close-Notify.

Multiple-Firewall Environment Support

Issue ID 0243576: The firewall load balancing feature allows you to load-balance traffic coming from another firewall in a multiple-firewall environment. Having firewall load balancing enabled on both sides of the NetScaler appliance improves the traffic flow in both the egress and ingress directions and ensures faster processing of the traffic. By default, the traffic coming from a firewall is not load balanced on the other firewall across a NetScaler.

For more information, see Multiple-Firewall Environment.

Limiting Failovers Caused by Route Monitors in HA in non-INC mode

Issue ID 0332990: In an HA configuration in non-INC mode, if route monitors fail on both nodes, failover happens every 180 seconds until one of the nodes is able to reach all the routes monitored by the respective route monitors.

Now, for a node, you can limit the number of failovers for a given interval by setting the Maximum Number of Flips and Maximum Flip Time parameters. When the limit is reached, further failovers do not happen and the node is assigned as primary even if any route monitor fails on that node. These parameter settings are set independently on each node and therefore are neither propagated nor synchronized.

For more information, see Limiting Failovers Caused by Route Monitors in non-INC mode.

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051/0252048: When a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the "show lb persistentSessions" CLI command does not display the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as being the value of netmasks that you have set to 255.255.255.255. However, the netmask is stored correctly, and the functionality is not affected.
  • Issue ID 0320963: For a policy with action, the stateupdate option returns incorrect CS virtual server state information. The stateupdate option determines the state from the state of the LB virtual server attached to the CS virtual server. For a policy with action, however, the LB virtual server is determined at run time by the action expression, and hence the state is always returned as down.
  • Issue ID 0320958: CS policies with action do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for CSW PI policies (configured with action or without action) bound to a CS virtual server. Use the show cs policy command to display hits for policies configured with or without action.
  • Issue ID 0334277: If you configure a transparent sessionless load balancing virtual server and set the redirection mode to MAC, the virtual server does not process traffic.

    Workaround: Configure an appropriate listen policy on the virtual server.


Build 57.5003.e

Release version: Citrix® NetScaler® release 9.3.e build 57.5003.e

Replaces build: None

Release date: August 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 57.5. The release notes are available in the Build 57.5 section on Citrix eDocs.
  • The enhancements, bug fixes, and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Dynamic Content Switching Load Balancing Virtual Server Selection

  • Issue ID 0248750: The NetScaler appliance now supports the dynamic selection of a load balancing virtual server. The load balancing virtual server is identified at run time by an expression in the content switching action.

Configuring SourceIP for AppFlow Traffic

  • Issue ID 0288343: You can now specify the source IP address (SNIP or MIP address) to be used for AppFlow traffic. When you add an AppFlow collector by using the add appflow collector command, you can use the -netprofile parameter to associate a net profile to which the source IP address is bound. If you do not set the -netprofile parameter, the AppFlow exporter uses the NSIP address as the source IP address.
    > add appflow collector <col_name> -IPAddress <IP_addr>  [-netprofile {netprofile_name}]

Bug Fixes

Load Balancing

  • Issue ID 0320961: The NetScaler appliance does not support parameter modification for policies configured with an action.

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051/0252048: If a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'CLIENT.TCP.PAYLOAD(n)', and a request is received in multiple parts, with some delay between the parts, and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the output of the "show lb persistentSessions" CLI command does not include the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as the value of any netmask that you have set to 255.255.255.255. However, the mask is stored correctly, and its functionality is not affected.
  • Issue ID 0320963: For a policy with an action, the stateupdate option returns incorrect content switching virtual server state information. The stateupdate option bases its determination on the state of the LB virtual server attached to the content switching virtual server. Therefore, in this case, the state is always returned as DOWN, because the action expression does not determine the load balancing virtual server until run time.
  • Issue ID 0320958: Content switching policies with actions do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for default-syntax content switching policies (configured with or without actions) bound to content switching virtual servers. Use the show cs policy command to display hits for content switching policies.

Build 56.5007.e

Release version: Citrix® NetScaler® release 9.3.e build 56.5007.e

Replaces build: None

Release date: June 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 56.5. The release notes are available in the Build 56.5 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Dynamic Content Switching Load Balancing Virtual Server Selection

  • Issue ID 0248750: The NetScaler appliance now supports the dynamic selection of a load balancing virtual server. The load balancing virtual server is identified at run time by an expression in the content switching action.

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051/0252048: If a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'CLIENT.TCP.PAYLOAD(n)', and a request is received in multiple parts, with some delay between the parts, and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the output of the "show lb persistentSessions" CLI command does not include the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as the value of any netmask that you have set to 255.255.255.255. However, the mask is stored correctly, and its functionality is not affected.
  • Issue ID 0320961: The NetScaler appliance does not support parameter modification for policies configured with an action.
  • Issue ID 0320963: For a policy with an action, the stateupdate option returns incorrect content switching virtual server state information. The stateupdate option bases its determination on the state of the LB virtual server attached to the content switching virtual server. Therefore, in this case, the state is always returned as DOWN, because the action expression does not determine the load balancing virtual server until run time.
  • Issue ID 0320958: Content switching policies with actions do not support SNMP.
  • Issue ID 0320951: The show cs vserver command displays hits as zero for default-syntax content switching policies (configured with or without actions) bound to content switching virtual servers. Use the show cs policy command to display hits for content switching policies.

Build 56.5006.e

Release version: Citrix® NetScaler® release 9.3.e build 56.5006.e

Replaces build: None

Release date: June 2012

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 56.5. The release notes are available in the Build 56.5 section on Citrix eDocs.
  • The enhancements, bug fixes, and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

AES cipher support on SSLv3 protocol

The following AES ciphers are now supported on the SSLv3 protocol.
  1. Cipher Name: TLS1-AES-256-CBC-SHA

    Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

  2. Cipher Name: TLS1-AES-128-CBC-SHA

    Description: TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

  3. Cipher Name: TLS1-DHE-DSS-AES-256-CBC-SHA

    Description: TLSv1 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1

  4. Cipher Name: TLS1-DHE-DSS-AES-128-CBC-SHA

    Description: TLSv1 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

  5. Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA

    Description: TLSv1 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

  6. Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA

    Description: TLSv1 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1

  7. Cipher Name: TLS1-ADH-AES-128-CBC-SHA

    Description: TLSv1 Kx=DH Au=None Enc=AES(128) Mac=SHA1

  8. Cipher Name: TLS1-ADH-AES-256-CBC-SHA

    Description: TLSv1 Kx=DH Au=None Enc=AES(256) Mac=SHA1

Logging out of a AAA-TM Session

You can now configure a traffic management action on the NetScaler appliance to log out a AAA-TM session. At the NetScaler command line, type one of the following commands to add the action or modify an existing action:
  • add tm trafficAction <name> -initiateLogout (yes|no)
  • set tm trafficAction <name> -initiateLogout (yes|no)

To put the logout action into effect, associate it with a policy and bind the policy to Global or an appropriate bind point.

Managing Services and Service Groups from Command Center

From the Monitoring tab of the Command Center client, you can now enable or disable services bound to a service group that was created by using server names instead of IP addresses.

Using Semicolons as a Delimiter for URL Parameters

You can now configure the application firewall to recognize semicolons (;) as delimiters in URLs processed by application firewall security checks. This setting is required in environments that use the semicolon, instead of the ampersand (&), as the delimiter.
  • To configure the semicolon as the URL delimiter by using the configuration utility, in the Application Firewall Profiles dialog box, on the Settings tab, select the Allow Semi-colon Form Field Separator check box.
  • To configure the semicolon as the URL delimiter by using the NetScaler command line, at the NetScaler command prompt, type the following command: set appfw profile <name> -semicolonFieldSeparator ON
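Why the delimiter setting matters to field-level security checks, shown as an added example that is not Citrix code: a check that splits only on the ampersand sees one oversized field where the application sees three. The field names, format rules, sample query, and the helpers split_params and violations are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed per-field format rules, standing in for the field-level
# checks a web application firewall profile would apply.
FIELD_FORMATS = {
    "id": re.compile(r"\d{1,10}"),
    "role": re.compile(r"viewer|editor"),
    "note": re.compile(r"[\w ]{0,40}"),
}

# Constructed query string from an application that separates fields with ';'.
SAMPLE = "id=1001;role=viewer;note=hello+world"


def split_params(query, semicolon_separator=False):
    """Split a query string into (name, value) pairs.

    With semicolon_separator=False only '&' separates fields. With True,
    ';' separates fields as well. Splitting happens before percent-decoding,
    so an encoded semicolon (%3B) inside a value stays part of that value.
    """
    if semicolon_separator:
        query = query.replace(";", "&")
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def violations(query, semicolon_separator=False):
    """Return the format violations a field-level check would report."""
    found = []
    for name, value in split_params(query, semicolon_separator):
        rule = FIELD_FORMATS.get(name)
        if rule is None:
            found.append(f"{name}: no format rule")
        elif not rule.fullmatch(value):
            found.append(f"{name}: value does not match format")
    return found


if __name__ == "__main__":
    for mode in (False, True):
        print("semicolon separator:", mode)
        print("  fields:    ", split_params(SAMPLE, mode))
        print("  violations:", violations(SAMPLE, mode))
```

With the separator off, the role and note values are never checked against their own rules, and the legitimate request is flagged because the whole string is treated as the id value.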

Bug Fixes

Application Firewall

  • Issue IDs 0305296 and 0307266: If a profile has the "Allow Semi-colon Form Field separator" option selected, or the NetScaler command line option "-semicolonFieldSeparator ON" set, a web form that uses the GET method might be blocked. To work around this issue, disable this option.

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051/0252048: If a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'CLIENT.TCP.PAYLOAD(n)', and a request is received in multiple parts, with some delay between the parts, and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the output of the "show lb persistentSessions" CLI command does not include the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as the value of any netmask that you have set to 255.255.255.255. However, the mask is stored correctly, and its functionality is not affected.

Build 54.4006.e

Release version: Citrix® NetScaler® release 9.3.e build 54.4006.e

Replaces build: None

Release date: April 2012

Readme version: 2.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 54.4. The readme is available in the Build 54.4 section on Citrix eDocs.
  • The enhancements, changes and fixes, and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Connection Mirroring Support for Layer 2 Connection Parameters

The NetScaler appliance supports connection mirroring for Layer 2 connection parameters. When a failover occurs, the secondary appliance in the high availability (HA) pair picks up and manages the TCP connections that clients had established with the former primary appliance. Connection mirroring for Layer 2 connection parameters is required for resuming TCP connections in deployments that depend on those parameters for proper functioning. An example of such a deployment is the load balancing of Branch Repeater appliances. To configure connection mirroring for a Branch Repeater load balancing deployment, do the following on only the primary appliance in the HA pair:
  1. Configure connection mirroring for the load balancing virtual server. In Branch Repeater load balancing environments, only stateful connection failover is supported. For more information about configuring connection failover for a load balancing virtual server, see “Configuring Connection Failover” in the “Load Balancing” chapter of the Citrix NetScaler Traffic Management Guide for release 9.3.e.
  2. Configure connection mirroring for the forwarding session that you have configured for the deployment. For more information about configuring connection failover for a forwarding session, see “Configuring Forwarding Session Rules” in the “Interfaces” chapter of the Citrix NetScaler Networking Guide for release 9.3.e.
  3. Configure a Virtual Router ID (VRID) and bind it to the interface that communicates with the Branch Repeater appliances. For more information about configuring a VRID and binding it to an interface, see “Configuring Virtual MAC Addresses” in the “High Availability” chapter of the Citrix NetScaler Networking Guide for release 9.3.e.

Support for Clearing a Specific Persistence Session

You can specify a persistence parameter in the "clear lb persistentSessions" command to clear the persistence session associated with only that parameter. Following is the command synopsis for clearing the session associated with a specific persistence parameter:

clear lb persistentSessions [<vServer> [-persistenceParam <string>]]

In the command, "persistenceParam" is the persistence parameter whose session you want to clear. For more information about clearing persistence sessions, see "Clearing Persistence Sessions" in the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide for release 9.3.e.

Support for Overriding Persistence for Overloaded Services

When a service is loaded or is otherwise unavailable, service to clients is degraded. To work around this situation, you might have to configure the NetScaler appliance to temporarily forward to other services the requests that would otherwise be included in the persistence session that is associated with the overloaded service. In other words, you might have to override the persistence setting that is configured for the load balancing virtual server until the service returns to a state in which it can accept requests. You can achieve this functionality by binding a load monitor to the virtual server and setting the “skippersistency” parameter for the virtual server. For more information about overriding persistence for an overloaded service, see “Overriding Persistence Settings for Overloaded Services” in the “Load Balancing” chapter of the Citrix NetScaler Traffic Management Guide for release 9.3.e.

Wizard for Setting Up Branch Repeater Load Balancing

The NetScaler configuration utility now includes a wizard that you can use to set up a load balancing configuration for Branch Repeater appliances. You can use the Load Balancing Wizard for Citrix Branch Repeater to configure static mapping, in which requests from specific clients are always forwarded to the same Branch Repeater appliance.

To configure load balancing of Branch Repeater appliances by using the NetScaler configuration utility:
  1. In the navigation pane, click Load Balancing.
  2. In the details pane, click Load Balancing wizard for Branch Repeater.
  3. Follow the instructions on the screen.

Terminating Established Connections that Match Simple ACLs

For a simple ACL, the NetScaler appliance blocks any new connections that match the conditions specified in the ACL. The appliance does not block any packets related to existing connections that were established before the ACL was created. However, you can immediately terminate the established connections by running a flush operation from the command line interface or the configuration utility. Flush can be useful in the following cases:
  • You receive a list of blacklisted IP addresses and want to completely block those IP addresses from accessing your servers. In this case, you create simple ACLs to block any new connections from those IP addresses, and then run flush to terminate any existing connections.
  • You want to terminate a large number of connections from a particular network without taking the time to terminate them one by one.

Configuring Clock Synchronization on the NetScaler SDX Appliance

You can now configure your NetScaler SDX appliance to synchronize its local clock with a Network Time Protocol (NTP) server. As a result, the clock on the SDX appliance has the same date and time settings as the other servers on your network. The clock synchronization configuration does not change if the appliance is restarted, upgraded, or downgraded. However, the configuration does not get propagated to the secondary NetScaler instance in a high availability setup.

Installing an SSL Certificate on the NetScaler SDX Appliance

You can now replace the default certificate that is shipped with the NetScaler SDX appliance with your own certificate. Installing an SSL certificate terminates all current client connections with the Management Service, so you have to log back on to the Management Service for any additional configuration tasks.

Single Sign-On to the Management Service and the NetScaler Instances on the NetScaler SDX Appliance

Logging on to the Management Service on a NetScaler SDX Appliance gives you direct access to the NetScaler instances that are provisioned on the appliance, if you upgrade the Management Service and the NetScaler instances to this build. After providing your user credentials to log on to the Management Service, you do not have to provide the user credentials again for logging on to an instance. By default, the Timeout value is set to 30 minutes and the configuration tab opens in a new browser window.

Upgrading the XenServer Software on the NetScaler SDX Appliance

You can now upgrade to the latest version of the XenServer software. The upgrade process can take up to 20 minutes. Before upgrading the software, upload the ISO image files to the appliance. For more information, see the NetScaler SDX Administration Guide at http://support.citrix.com/article/CTX130065.

Changes and Fixes

Application Firewall

  • Issue ID 0285648: With sessionless form field consistency enabled, when a web form's digest is corrupted and sent to a user, and the user submits the form back to the application firewall, the application firewall may crash.

Monitoring

  • Issue ID 0282876 (nCore and nCore VPX): Address Resolution Protocol (ARP) monitors do not update the Layer 2 parameters in the server information on non-master cores.

Networking

  • Issue ID 90094/0249449: Timeouts set for the anyClient and anyServer parameters of the set timeout command now also apply to the client and server transparent NAT sessions.

System

  • Issue ID 0278806 (nCore): If a 10G ixgbe interface is reset, the hardware controller RX logic can possibly write to the data area of a NetScaler packet buffer (NSB) after it has been returned to the NSB free pool. This can result in NSB corruption. Interface reset can be triggered by various events, including changing flow control settings with the "set interface" command.
  • Issue ID 0290271 (nCore): If a 1G e1k interface is reset, the hardware controller RX logic can possibly write to the data area of a NetScaler packet buffer (NSB) after it has been returned to the NSB free pool. This can result in NSB corruption. Interface reset can be triggered by various events, including changing flow control settings with the "set interface" command.

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051/0252048: If a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. If source IP persistence is set on both the primary and backup GSLB virtual servers, and the core that receives the request is not the owner of the source IP persistence entry, the appliance fails when it attempts to make the GSLB decision.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'CLIENT.TCP.PAYLOAD(n)', and a request is received in multiple parts, with some delay between the parts, and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the output of the "show lb persistentSessions" CLI command does not include the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 0272268 (nCore and nCore VPX): The Load Balancing Wizard for Citrix Branch Repeater allows you to create multiple branches with the same subnet value.
  • Issue ID 0300562 (nCore and nCore VPX): The Data Center Server Subnets screen of the Load Balancing Wizard for Citrix Branch Repeater displays an asterisk (*) as the value of any netmask that you have set to 255.255.255.255. However, the mask is stored correctly, and its functionality is not affected.

Build 53.5006.e

Release version: Citrix® NetScaler® release 9.3.e build 53.5006.e

Replaces build: None

Release date: December 2011

Readme version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 53.5. The readme is available in the Build 53.5 section on Citrix eDocs.
  • The enhancements, changes and fixes, and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Cloud Bridge

  • Req ID 0270815: The configuration utility now includes a wizard that helps you to easily configure a cloud bridge between a NetScaler appliance on any network and NetScaler VPX instances on the SOFTLAYER enterprise cloud.

    For more information, see the Cloud Bridge chapter of the Citrix NetScaler Networking Guide, available at http://support.citrix.com/article/CTX130085.

  • Req ID 0262566: The following statistical counters have been introduced for IPSEC tunnels:
    • Bytes Received
    • Bytes Sent
    • Packets Received
    • Packets Sent

    For more information, see the man page for the 'stat IPSEC counters' command.

  • Req ID 0261540: For an IPSEC tunnel, the NetScaler appliance now performs the standard IKEv2 liveness check on the peer at a regular interval, which is user configurable. After performing the check, the appliance displays the status of the tunnel as UP or DOWN.
  • Req ID 0258969: By using the configuration utility, you can now configure a cloud bridge between a NetScaler appliance on any network and NetScaler VPX instances on the COTENDO enterprise cloud.

Networking

  • Req ID 84792/0245142: In a High Availability (HA) configuration, you can now create route monitors in non-INC mode. Route monitors are propagated and get synchronized only in the non-INC mode. Route monitors are useful in a non-INC mode HA configuration in which you want the non-reachability of a gateway from a primary node to be one of the conditions for HA failover.

    For more information, see the "Configuring Route Monitors" section in the High Availability chapter of the Citrix NetScaler Networking Guide, available at http://support.citrix.com/article/CTX130085.

  • Req ID 0262405: You can now configure the NetScaler appliance to respond or not respond to ARP requests for a Virtual IP (VIP) address on the basis of the state of the virtual servers associated with that VIP.

    For more information, see the "Configuring ARP Response Suppression for Virtual IP addresses (VIPs)" section in the IP Addressing chapter of the Citrix NetScaler Networking Guide, available at http://support.citrix.com/article/CTX130085.

  • Req ID 94655/0258893: You can now bind a NetScaler owned SNIP address to an interface without using Layer 3 VLANs. Any packets related to the SNIP address will go only through the bound interface.

    For more information, see the "Binding an NetScaler Owned IP address to an Interface" section in the Interface chapter of the Citrix NetScaler Networking Guide, available at http://support.citrix.com/article/CTX130085.

Changes and Fixes

Networking

  • Issue IDs 94162/0257992 and 0262493: For a connection from a virtual server to the bound server, the NetScaler appliance uses the SNIP address instead of the net profile IP addresses configured for the virtual server.

Configuration Utility

  • Issue ID 0269486: In a high availability (HA) configuration, the configuration utility does not display the route monitors configured on the NetScaler appliances. Also, when a route monitor is configured to monitor a default route, the configuration utility displays the secondary node's IP address as 0.0.0.0.

System

  • Issue ID 93475/0257369: When the NetScaler appliance releases memory for a data structure that is used for tracking NAT information, an associated field related to the net bridge configuration is not released. When a server-side connection picks up the same data structure, the appliance sends data on a bridge that is not configured. This leads to a memory leak.
  • Issue IDs 94442/0258246 and 93593/0257475: When the length of a device name exceeds 256 characters, the stored length is truncated. However, the NetScaler appliance allocates more memory to store the device name, and when it releases the memory, it releases less than the amount it allocated. This leads to a memory leak.

High Availability

  • Issue ID 92866/0251883: In an HA configuration in non-INC mode, the config sync operation does not sync the bind Routemonitor command to the secondary appliance.
  • Issue ID 93068/0252065: In an HA configuration in non-INC mode, when the configuration is cleared by the clear config command or as part of a config sync operation, route monitors are modified but no health check is done. Therefore, the node state is not updated properly.

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051/0252048: If a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. The appliance fails when making this GSLB decision if source IP persistence is set on both the primary and backup GSLB virtual servers and if the core that receives the request is not the owner of the source IP persistence entry.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'CLIENT.TCP.PAYLOAD(n)', and a request is received in multiple parts, with some delay between the parts, and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the output of the "show lb persistentSessions" CLI command does not include the persistence parameter.
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.

Build 51.5006.e

Release version: Citrix® NetScaler® release 9.3.e build 51.5006.e

Replaces build: None

Release date: September 2011

Readme version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 51.5. The readme is available in the Build 51.5 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Sessionless Field Consistency

With the sessionless Field Consistency Check feature, the application firewall does not store web forms in memory. Instead, it adds a hidden form field named as_ffc_field to each form before forwarding it to the client. When the client submits the form, the application firewall extracts as_ffc_field and compares it to the remaining form to establish field consistency.

By default, sessionless Field Consistency is disabled. The following CLI commands configure sessionless Field Consistency:

add appfw profile <name> -sessionlessFieldConsistency (ON|OFF|postOnly)

set appfw profile <name> -sessionlessFieldConsistency (ON|OFF|postOnly)
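
A conceptual model of a sessionless consistency check, added here as an example; it is not Citrix's implementation. The release note does not say how as_ffc_field is built, so this sketch assumes an HMAC-authenticated record of the form's field names and hidden-field values; the key and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

FFC_FIELD = "as_ffc_field"       # hidden field name given in the release note
KEY = b"constructed-demo-key"    # assumption: a secret known only to the firewall


def _tag(blob):
    return hmac.new(KEY, blob, hashlib.sha256).hexdigest()


def protect_form(fields, hidden):
    """Add the consistency field to a form on its way to the client.

    fields: name -> value as served; hidden: names of the hidden fields.
    """
    record = {"names": sorted(fields), "fixed": {n: fields[n] for n in sorted(hidden)}}
    blob = json.dumps(record, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(blob).decode() + "." + _tag(blob)
    return {**fields, FFC_FIELD: token}


def check_submission(submitted):
    """Compare a submitted form with the record it carries; return (ok, reason)."""
    b64, dot, tag = submitted.get(FFC_FIELD, "").rpartition(".")
    if not dot:
        return False, "consistency field missing"
    try:
        blob = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return False, "consistency field malformed"
    if not hmac.compare_digest(tag.encode(), _tag(blob).encode()):
        return False, "consistency field tampered"
    record = json.loads(blob)
    rest = {k: v for k, v in submitted.items() if k != FFC_FIELD}
    extra = sorted(set(rest) - set(record["names"]))
    if extra:
        return False, "unexpected field: " + ", ".join(extra)
    for name, value in record["fixed"].items():
        if rest.get(name) != value:
            return False, "hidden field changed: " + name
    return True, "consistent"
```

Because the record travels with the form, nothing has to be kept in firewall memory between the response and the submission.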

Virtual Server - Options of Response to PING

You can now configure the NetScaler appliance not to respond to a ping message if the virtual server is DOWN. This option is available for load balancing, content switching, cache redirection, and VPN virtual servers. It can be set at the IP-address level or the virtual-server level. By default, the appliance responds to a ping message even if one or more virtual servers are DOWN. The option functions as described below:

On an IP address (option: effect):

  • NONE: Always responds
  • ONE_VSERVER: Responds if at least one virtual server on this IP address is UP
  • ALL_VSERVERS: Responds only if all the virtual servers on this IP address are UP
  • VSVR_CNTRLD: Responds according to the setting on the virtual servers

On a virtual server (option: effect):

  • PASSIVE on all virtual servers: Always responds
  • ACTIVE on all virtual servers: Responds if even one virtual server is UP
  • ACTIVE on some and PASSIVE on others: Responds if even one virtual server set to ACTIVE is UP

This option can be set on an IP address only if it is a VIP address.

CLI commands:

set ip <IPAddress> -icmpresponse (NONE | ONE_VSERVER | ALL_VSERVERS | VSVR_CNTRLD)

set lb vserver <name> -icmpVsrResponse (PASSIVE | ACTIVE)

You can replace lb with cs, cr or vpn.

GUI:

Create/Configure IP dialog box: The ICMP Response dropdown list

Create/Configure Virtual Server>>Advanced tab: The ICMP VServer Response dropdown list

Denying Nonsecure SSL Renegotiation

SSL and TLS renegotiation is vulnerable to a man-in-the-middle (MITM) attack in which the attacker injects content of their own as a prefix to a TLS connection. A new option addresses this vulnerability. If you specify NONSECURE as the value of the denySSLReneg parameter in the "set ssl parameter" command, any nonsecure renegotiations are denied. For more information about this attack, see RFC 5746. For more information about setting this parameter, see "Configuring Advanced SSL Settings" in the "SSL Offload and Acceleration" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX130084.
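
How a peer is recognized as supporting secure renegotiation, as an added example (not NetScaler code): under RFC 5746 an initial ClientHello signals support with either the renegotiation_info extension (type 0xff01) or the cipher suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff). The parser below checks a ClientHello handshake message for either signal; build_client_hello is a hypothetical helper that produces constructed sample input.

```python
import struct

RENEG_INFO_EXT = 0xFF01          # renegotiation_info extension type (RFC 5746)
EMPTY_RENEG_SCSV = b"\x00\xff"   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)


def build_client_hello(suites, extensions=None):
    """Constructed sample input: a minimal initial ClientHello handshake message."""
    body = b"\x03\x01" + bytes(32) + b"\x00"        # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method (null)
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def signals_secure_renegotiation(handshake):
    """True if an initial ClientHello carries either RFC 5746 signal."""
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]

    def vector(len_bytes):
        return take(int.from_bytes(take(len_bytes), "big"))

    take(2 + 32)                                     # client_version, random
    vector(1)                                        # session_id
    suites = vector(2)
    found = any(suites[i:i + 2] == EMPTY_RENEG_SCSV for i in range(0, len(suites), 2))
    vector(1)                                        # compression_methods
    exts = vector(2) if pos < len(body) else b""
    i = 0
    while i + 4 <= len(exts):
        ext_type, ext_len = struct.unpack_from("!HH", exts, i)
        data = exts[i + 4:i + 4 + ext_len]
        if ext_type == RENEG_INFO_EXT:
            if data != b"\x00":                      # must be empty on an initial handshake
                raise ValueError("non-empty renegotiated_connection")
            found = True
        i += 4 + ext_len
    return found
```

A client for which this returns False has not signalled RFC 5746 support, which is the case the NONSECURE setting is described as denying.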

Rule Based Persistence Support for Load Balancing Virtual Servers of Type TCP and SSL_TCP

You can now configure a rule to define persistence criteria for load balancing virtual servers of type TCP and SSL_TCP. The persistence criteria can be based on TCP/IP protocol data, Layer 2 data, TCP options, and TCP payloads (even if the protocol that is encapsulated in the TCP payload is not HTTP). In the "add lb vserver" or "set lb vserver" CLI command, set the "persistenceType" parameter to "RULE", and then configure a rule for the "rule" parameter. You can define rules to configure persistence based on source and destination ports, source and destination IP addresses and IP octets, source and destination MAC addresses, VLAN IDs, payload content, and so on. Following are examples of expressions that you can use to define persistence criteria:

  • CLIENT.TCP.PAYLOAD(500).TYPECAST_NVLIST_T('=',';').VALUE("field1"). The value of field1, obtained after casting the first 500 bytes of the TCP payload to a name-value list that consists of name-value pairs in the format <name>=<value>;.
  • CLIENT.TCP.SRCPORT. The source port in the client request.
  • CLIENT.IP.DST. The destination IP address in the client request.
  • CLIENT.IP.SRC.GET4. The fourth octet (rightmost octet) of the source IP address in the client request.
  • CLIENT.ETHER.DSTMAC.GET5. The fifth octet of the destination MAC address in the client request.
  • CLIENT.VLAN.ID. The ID of the VLAN through which the request arrived.

Following is an example of a command that you can use to configure rule based persistence based on the destination IP address in the client request:

add lb vserver mylbvserver SSL_TCP 192.0.2.0 443 -persistenceType RULE -rule CLIENT.IP.DST

You cannot set the "resRule" parameter for load balancing virtual servers of type TCP or SSL_TCP.

For more information, see the "Load Balancing" chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX130084, which includes a section titled "Configuring Persistence Based on User-Defined Rules." The chapter also has a "Use Cases" section, in which "Configuring Rule Based Persistence Based on a Name-Value Pair in a TCP Byte Stream" describes how to configure rule based persistence for servers that communicate Financial Information eXchange (FIX) protocol data over TCP.
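
A small model of how a payload-based rule yields a persistence token, added here as an example; it is not NetScaler code. The function names are hypothetical stand-ins for the expressions above, the 64 KB limit is the one stated in Issue ID 91711, and treating an empty token as "no session" is an assumption.

```python
MAX_TOKEN = 64 * 1024   # token size limit stated in Issue ID 91711


def payload(stream, n):
    """Model of CLIENT.TCP.PAYLOAD(n): the first n bytes of the client byte stream."""
    return stream[:n]


def nvlist_value(data, name, sep=b"=", delim=b";"):
    """Model of TYPECAST_NVLIST_T(sep, delim).VALUE(name); None if name is absent."""
    for pair in data.split(delim):
        key, found, value = pair.partition(sep)
        if found and key == name:
            return value
    return None


def before_str(data, marker):
    """Model of BEFORE_STR: the bytes preceding the first occurrence of marker."""
    head, found, _ = data.partition(marker)
    return head if found else b""


def after_str(data, marker):
    """Model of AFTER_STR: the bytes following the first occurrence of marker."""
    _, found, tail = data.partition(marker)
    return tail if found else b""


def session_key(token):
    """Return the token a persistence session is keyed on, or None if none is created."""
    if not token or len(token) > MAX_TOKEN:
        return None
    return token
```

Narrowing the payload with BEFORE_STR and AFTER_STR is what brings a 70000-byte selection back under the token limit.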

Known Issues and Workarounds

Global Server Load Balancing

  • Issue ID 93051: If a load balancing virtual server that is a part of a GSLB configuration is down and receives a client request, the NetScaler appliance makes a GSLB decision and attempts an HTTP redirect or a connection proxy to a GSLB site that is UP and healthy. The appliance fails when making this GSLB decision if source IP persistence is set on both the primary and backup GSLB virtual servers and if the core that receives the request is not the owner of the source IP persistence entry.

Load Balancing

  • Issue ID 90395: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'CLIENT.TCP.PAYLOAD(n)', and a request is received in multiple parts, with some delay between the parts, and the client sends a FIN before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91672/0250820: If the token that is used for creating rule based persistence sessions is larger than 100 MB, the output of the "show lb persistentSessions" CLI command does not include the persistence parameter.
  • Issue ID 91711: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.

Build 50.3002.e

Release version: Citrix® NetScaler® release 9.3.e build 50.3002.e

Replaces build: None

Release date: August 2011

Readme version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 50.3. The readme is available in the Build 50.3 section on Citrix eDocs.
  • The enhancements and known issues in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Content Switching

When you run the 'show cs vserver' command, you can now view the content switching policies associated with the virtual server in the order of the priority of the policies rather than by the chronological order in which they are bound.

This enhancement helps you see the order in which the content switching policies are applied and, therefore, understand how client requests are routed. The configuration utility also shows the content switching policies in the order of their priority.

For more information, see the "Viewing the Properties of Content Switching Virtual Servers" section in the Content Switching chapter of the Citrix NetScaler Traffic Management Guide, available at http://support.citrix.com/article/CTX128670.

Networking

You can now enable a NetScaler appliance to forward all the ICMP fragments of an ICMP echo request, destined to a network device, and the ICMP fragments of the corresponding echo response.

One example of the usefulness of this enhancement involves a NetScaler appliance and a Windows 2000 Server.

The Windows 2000 server sends an ICMP request of size 2048 for slow link detection. The NetScaler appliance successfully forwards the ICMP fragments of the ICMP request to the destination network device, and the ICMP fragments of the ICMP response from the network device to the Windows 2000 server.

Surge Protection

If you want to flush the surge queue of a service, service group, or a load balancing or content switching virtual server, now you do not need to disable the NetScaler entity. With this enhancement, you can manage the traffic in surge conditions without affecting the existing traffic.

Options are added to the command line interface and configuration utility to flush a surge queue. Flushing a surge queue does not affect the existing connections. Only the requests present in the surge queue get deleted. For those requests, the client has to make a fresh request.

When you flush the surge queue of a virtual server, the surge queues of all the services and service groups bound to it are flushed. When you flush the surge queue of a service group, surge queues of all its members are flushed. You can flush the surge queue of one or more members of a service group without flushing the surge queues of all its members. You can flush the surge queue of a specific service.

In the configuration utility, when you select an entity, the 'Flush Surge Queue' option is available in the action pane. In the command line interface, the 'flush ns surgeQ' command has been added with the necessary options.

For more information, see the "Flushing the Surge Queue" section in the Load Balancing chapter of the Citrix NetScaler Traffic Management Guide, available at http://support.citrix.com/article/CTX128670.

Known Issues and Workarounds

High Availability

  • Issue ID 92866: In an HA configuration in non-inc mode, the config sync operation does not sync the 'bind Routemonitor' command to the secondary appliance.
  • Issue ID 93068: In an HA configuration in non-inc mode, when the configuration is cleared by the clear config command or as part of a config sync operation, route monitors are modified but no health check is done. Therefore, node state is not updated properly.

Build 49.5001.e

Release version: Citrix® NetScaler® release 9.3.e build 49.5001.e

Replaces build: None

Release date: June 2011

Readme version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 49.5.
  • The enhancements in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Networking (Req ID 76605)

You can now create a rule that creates an entry, called a forwarding session entry, on the NetScaler appliance for traffic that originates from a particular network and is forwarded by the appliance. Such a rule is useful in cases where the NetScaler appliance forwards a client request to a server and the response from the server needs to traverse back through the same path as the client request. For more information, see the "Configuring Forwarding Session Rule" section in the Citrix NetScaler Networking Guide, available at http://support.citrix.com/article/CTX130085.

Load Balancing (Req ID 80657)

You can specify an IP address to be used by the NetScaler appliance as the source IP address for communication with the physical servers and peer devices. You can create IP sets, which are sets of IP addresses. You can create net profiles, which have an IP address or an IP set, and bind a net profile to a service, service group, load balancing virtual server, or monitor. The appliance uses the IP address specified in the net profile as the source IP address. For more information, see the "Using a Specified Source IP for Backend Communication" section in the Citrix NetScaler Traffic Management Guide, available at http://support.citrix.com/article/CTX130084.


Build 48.6002.e

Release version: Citrix® NetScaler® release 9.3.e build 48.6002.e

Replaces build: None

Release date: June 2011

Readme version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 9.3 build 48.6.
  • The enhancements in this release apply to Citrix NetScaler 9.3.e nCore™.

Enhancements

Load Balancing (Req ID 85661)

When adding or modifying a service, you can now specify a string as a server ID. The string can have up to 47 characters and contain alphanumeric characters and dashes.

In the command line interface, use the -customServerId <string> parameter instead of -serverId <positive integer>, which is being deprecated.

Example:

set service SE_WEB_SVR1 -customServerId 4324-7658-fer9-4324

For more information, in Citrix eDocs, see NetScaler > NetScaler 9.3 > Load Balancing > Customizing a Load Balancing Configuration > Persistence and Persistence Connections > Custom Server ID Persistence.
