Citrix NetScaler 1000V Release Notes


Citrix NetScaler 11.0-68.10
First Published: 201 -0 -07

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Citrix and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.

201 Cisco Systems, Inc. All rights reserved.

Contents

11.0-68.10
  What's New?
  Fixed Issues
  Known Issues
What's New in Previous NetScaler 11.0 Releases
Fixed Issues in Previous NetScaler 11.0 Releases
Release History

11.0-68.10

Updated: September 08, 2016
Release notes version: 1.0

This release notes document describes the enhancements and changes and specifies the issues that exist, for the NetScaler release 11.0 Build 68.10. See Release History.

What's New?

The enhancements and changes that are available in Build 68.10.

NetScaler VPX Appliance

New license for NetScaler VPX on ESX Platform

The following licenses are now available for NetScaler VPX appliance on ESX platform:
- 25M
- 5G
- 10G
- 15G
- 25G
- 40G

For more information about recommended interfaces and performance details, refer to the latest VPX datasheet.
[# 623179]

Fixed Issues

The issues that are addressed in Build 68.10.

Application Firewall

The name of a user-defined signature object must not contain a hash character (#), but the feedback message lists it as an allowed character.
[# 648010]

If the HTML response page contains a pair of hyphens (--) in the comment tag, the NetScaler appliance might parse the response page incorrectly. This could result in a violation.
[# 648104]

Applications might not load properly when the memory max allowed value for the AppFW pool is low. This low memory condition can also cause memory allocation errors that result in numerous connection resets.
[# 649031, 651536]

The NetScaler appliance fails if the signature match function accesses invalid memory while matching signature rules.
[# 643854]

The exported, learned data for field formats does not match the output of the following command: sh appfw learningdata.
[# 329025, 303481]

In a high availability (HA) deployment, a memory leak can occur if auto-update of application firewall signatures is enabled or you update the signatures by using the Merge Default (-mergedefault) option.
[# 620878, 629043, 641457, 649075]

Cache Redirection

Classic cache redirection policies send CONNECT requests to the cache, as expected, if they do not match the policy rule, but default syntax cache redirection policies send them to the origin server instead. With this fix, default syntax cache redirection policies send nonmatching requests to the cache.
[# 637826]

Clustering

A force cluster sync operation causes the cluster's static ARP configuration to become inconsistent.
[# 635231]

DNS

A clear config operation in a Cluster deployment does not set non-CCO nodes to the default value for the "maxpipeline" parameter.
[# 648087]

Load Balancing

The NetScaler appliance fails to send an assertion back to the service provider when the SAML request comes without an ID field. When behaving as a samlidp, the ID field from the authnReq is remembered, so it can be sent back in the assertion. When service providers do not send IDs, we used to fail due to a logic error.
[# 648489]

A secure HTTP-ECV monitor might time out if the back-end server sends a large certificate.
[# 638148]

In the SAML response, the RelayState field is truncated. When the samlidp feature is processed, the URL decodes the entire content before parsing for individual elements. The customer's service provider sends the RelayState that was encoded. When the service provider posts the assertion back, the RelayState is truncated, resulting in an SP failure.
[# 648337]

NetScaler VPX Appliance

If you deploy NetScaler VPX on Azure in HA mode, the VPN virtual servers on the secondary node are not reachable after a failover. This is because, during a synchronization operation, the NSIP address of the primary node is used to create the virtual server on the secondary node. After a failover, when the secondary node becomes the new primary, the VPN virtual server has the NSIP address of the old primary.
[# 651670]

Networking

A NetScaler appliance with OSPFv3 dynamic routing protocol configured might measure the length of OSPFv3 LSA packets in Network Byte Order instead of Host Byte Order for comparison with the minimum required packet length. As a result, the NetScaler appliance becomes unresponsive.
[# 652131]

For SIP and RTSP Application Layer Gateways (ALGs) to work properly for a Large Scale NAT (LSN) configuration on a NetScaler appliance, it is mandatory to configure all ports of the NAT IP address for full cone NAT. That is, Endpoint Independent Mapping (EIM) and Endpoint Independent Filtering (EIF) must be enabled on these ports, even though they are not used by SIP and RTSP traffic.
[# 641719]

During a "force sync" operation in a cluster deployment, performing a "save config" operation on a node might lead to a full or partial configuration loss on that node. With this fix, the "save config" operation is not permitted during a "force sync" operation.
[# 642375]

In a high availability (HA) setup, high latency might occur during configuration synchronization, resulting in some configurations not getting synchronized to the secondary node. In this situation, an HA failover results in loss of configuration.
[# 607929]

Policies

While evaluating a default syntax expression for the local time zone, a NetScaler appliance incorrectly applies US daylight saving time (DST) rules in a non-US time zone. This results in a one-hour offset. For example, the default expression !(SYS.TIME.GE(LOCAL 8h) & SYS.TIME.LE(LOCAL 17h)) returns 'False' if the local time in a US time zone is between 0800 and 1700. In the UK time zone, this expression incorrectly returns 'False' if the local time is between 0700 and 0759 and returns 'True' if the local time is between 1700 and 1759 from 8 Mar 2015 (the start of US DST) to 28 Mar 2015 (the day before the start of UK DST) and also from 25 Oct 2015 (the day after the end of UK DST) to 31 Oct (the day before the end of US DST).
[# 556230]

SSL

The output of the "stat ssl -detail" command is different for back-end entities than for front-end entities. The output for back-end entities does not include statistics for sessions, handshakes, or client authentications for TLS protocol versions 1.1 and 1.2. At the back end, the label "Authorizations" is incorrect. It should be "Authentications."
[# 627635]

System

An interface-based expression might be evaluated incorrectly. In previous releases, evaluation of an interface-based expression was based on the information available in the connection block as well as the information available in the individual frame. Now, only the information in the frame is considered, and this information can change during the course of a transaction.
Workaround: Use VLAN-based expressions instead.
[# 597312]

The TCP wait queue counter might be incorrect, because the NetScaler appliance does not update the counter properly during persistence probes.
[# 637919]

The CPU parameter value on the LCD panel does not match the value reported by the NetScaler CLI or GUI.
[# 643237]

An invalid compressed header in SPDY frames causes a NetScaler appliance to restart.
[# 637651]

Heavy traffic through a NetScaler appliance can result in a web log buffer overrun, causing a NetScaler Web Logging (NSWL) client to reconnect. When the client reconnects, the use of surplus connections results in omission of the PCB's user-name information (part of connection related information) during cloning. This leads to a loss of log data.
[# 633308, 646753, 648657]
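The daylight saving offset described under Policies above, worked through as an added example (not NetScaler code): it evaluates the expression with the UK's own DST rule and with the pre-fix behaviour of taking the DST decision from the US rule while keeping the UK base offset, and lists the 2015 days on which the two disagree. The rule dates, the use of US Eastern transition instants, and all function names are assumptions of this example; the comparison is at hour granularity, as the note describes.

```python
from datetime import date, datetime, timedelta, timezone

HOUR = timedelta(hours=1)  # UK standard time is GMT (UTC+0); DST adds one hour

def nth_weekday(year, month, n, weekday):
    """n-th occurrence of a weekday (Mon=0 .. Sun=6) in a month, e.g. 2nd Sunday of March."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))

def last_weekday(year, month, weekday):
    """Last occurrence of a weekday in a month, e.g. last Sunday of October."""
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)

def _utc(d, hour, minute=0):
    return datetime(d.year, d.month, d.day, hour, minute, tzinfo=timezone.utc)

def uk_dst_active(utc):
    """EU rule: last Sunday of March 01:00 UTC until last Sunday of October 01:00 UTC."""
    return _utc(last_weekday(utc.year, 3, 6), 1) <= utc < _utc(last_weekday(utc.year, 10, 6), 1)

def us_dst_active(utc):
    """US rule (assumed Eastern instants): 2nd Sunday of March 07:00 UTC to 1st Sunday of November 06:00 UTC."""
    return _utc(nth_weekday(utc.year, 3, 2, 6), 7) <= utc < _utc(nth_weekday(utc.year, 11, 1, 6), 6)

def local_hour(utc, dst_active):
    """UK wall-clock hour given a DST decision (UK base offset is zero)."""
    return (utc + (HOUR if dst_active else timedelta(0))).hour

def outside_business_hours(hour):
    """!(SYS.TIME.GE(LOCAL 8h) & SYS.TIME.LE(LOCAL 17h)) at hour granularity:
    the 17h literal covers 1700 to 1759, as the release note describes."""
    return not (8 <= hour <= 17)

def evaluate(utc):
    """(correct, buggy): the expression under the UK rule vs. the pre-fix US-rule decision."""
    return (outside_business_hours(local_hour(utc, uk_dst_active(utc))),
            outside_business_hours(local_hour(utc, us_dst_active(utc))))

def evaluate_at(stamp):
    """Same, for an ISO timestamp such as "2015-03-10T07:30" taken as UTC."""
    return evaluate(datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc))

def mismatch_days(year):
    """ISO dates in a year on which the two evaluations disagree, probed at 07:30 UTC."""
    day, days = date(year, 1, 1), []
    while day.year == year:
        correct, buggy = evaluate(_utc(day, 7, 30))
        if correct != buggy:
            days.append(day.isoformat())
        day += timedelta(days=1)
    return days

if __name__ == "__main__":
    for stamp in ("2015-03-10T07:30", "2015-03-10T17:30", "2015-04-15T12:00", "2015-10-28T07:30"):
        print(stamp, "UTC -> (correct, buggy) =", evaluate_at(stamp))
    days = mismatch_days(2015)
    print(len(days), "affected days in 2015, from", days[0], "to", days[-1])
```

The affected days come out as 8 to 28 March and 25 to 31 October 2015, the two windows the note lists.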

Known Issues

The issues that exist in Build 68.10.

AAA-TM

If NTLM authentication is configured as the authentication mechanism, users intermittently might not be able to log on to the NetScaler appliance.
[# 642278]

If you bind a bookmark URL to a AAA user, the published URL tab displays "no URL" in the NetScaler GUI.
[# 636785]

The NetScaler appliance exhibits some inconsistency in the way expired cookies (TEMP) are handled:
- On an existing TCP connection, access to backend resources is allowed.
- On a new TCP connection, the request is denied.
[# 610091]

If you log on to the NetScaler Traffic Management (TM) virtual server using "401 Basic" authentication, you might observe authentication failures if your username or password contains special characters. This is because only UTF-8 characters below ASCII 128 (for example, A-Z, a-z, 0-9, and the ! @ # % & * ( ) - [ { ] } \ ; : ' " / ? . , special characters) are allowed.
[# 620845, 589509, 650263]

You cannot load balance external AAA servers, such as LDAP, RADIUS, or TACACS servers, in a non-default partition.
[# 621010]

The NetScaler implementation of Kerberos does not fully implement the ktutil functionality. While this does not affect Kerberos authentication, it restricts some administrative tasks, such as the ability to merge keytab files.
[# 551091]

If SAML authentication is configured on NetScaler with artifact binding but certificates are not configured correctly in the SAML action, NetScaler fails to send the artifact resolution request to the Identity Provider.
[# 641913]

Acceleration

If a compression module receives an HTTP header in two NetScaler Buffers (NSBs), where the first NSB has a complete header that ends with "\r\n\r" and the other NSB's header ends with "\n", the module does not handle the HTTP header properly. Page rendering in the client's browser is garbled.
[# 629128]

Admin Partitions

The IC memory allotted to an admin partition cannot be reduced. For example, if the IC memory of an admin partition is 10 GB, you cannot reduce it to 8 GB. The memory limit can however be increased to a required value.
[# 568106, 570578]

If you change the resource allocation for any of the Admin Partitions, the NetScaler appliance displays a blank screen.
Workaround: Do one of the following:
1. Clear the browser's cache and cookies.
2. Access the NetScaler GUI in browser incognito mode.
3. Access the NetScaler GUI through other web browsers.
4. Disable the "Use software acceleration" option in browser settings and restart your browser.
[# 621722]

The auto synchronization of GSLB configuration fails if the local and remote GSLB sites are configured on two different partitions of a NetScaler appliance.
[# 626958]

RPCSVR services cannot be configured in admin partitions.
[# 498477]

After adding an admin partition, make sure you save the configurations on the default partition. Otherwise, the partition setup configurations will be lost upon system restart.
[# 493668, 516396]

In a non-default partition, if the network traffic exceeds the partition bandwidth limit, the FTP control connection fails but the data connection remains established.
[# 620673]

The following two issues can occur if you add an external group as a system group on a NetScaler appliance and use the "set system group" command to configure the prompt string and timeout parameters at the system group level:
1. Session timeout: When a user from an external group logs on to the NetScaler command line interface (CLI), the session timeout set for the group is not applicable to sessions in the default and non-default partitions. However, if you configure the timeout parameter by using the "set system parameter" or "set cli mode -timeout seconds" commands, the session times out as specified.
2. Prompt string missing: When a user from an external group logs on to the NetScaler command line interface (CLI), the prompt string does not appear in the default and non-default partitions. For example, in a default partition, instead of " pstring " only " " appears, and in a non-default partition, instead of " pstring-partitionname " only " partitionname " appears. However, if you set the prompt string by using the "set system parameter" or "set cli prompt" commands, the prompt string is displayed. For example, cliprompt appears in a default partition, and cliprompt-partitionname appears in a non-default partition.
[# 632193, 632460]

SNMP profiles have been modified to avoid dropping SNMP responses intended for non-default partitions. An SNMP agent can now track each SNMP request and send a response to a non-default partition. Previously, if a non-default partition received an SNMP request through a subnet IP address, the SNMP agent on the partition responded to the default partition, because the SNIP address was defined on the default partition.
[# 609367]

With stateful connection failover configured on a partitioned NetScaler appliance, heavy FTP traffic and frequent failovers can cause the appliance to become unresponsive and fail.
[# 612215, 482310, 598576, 642624]

AppFlow

The NetScaler appliance does not export L7 AppFlow records when using HTTP/2.
Workaround: Disable AppFlow or specify HTTP/1.1.
[# 621721]

A NetScaler load balanced server responds with a 411 error code for a corrupted HTTP request.
[# 629223]
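The split header terminator described under Acceleration above, as an added example that is not from the release notes or from NetScaler code: a search confined to each buffer misses a "\r\n\r\n" that straddles two buffers, while a scanner that carries the partially matched terminator across buffer boundaries finds it. The sample buffers and all names are constructed for this illustration.

```python
TERMINATOR = b"\r\n\r\n"  # end of the HTTP header block

def find_header_end_naive(chunk):
    """Per-buffer search: offset just past "\r\n\r\n" inside this chunk, or None.
    It cannot see a terminator that is split across two buffers."""
    i = chunk.find(TERMINATOR)
    return None if i < 0 else i + len(TERMINATOR)

class HeaderEndScanner:
    """Keeps the number of terminator bytes already matched at the end of earlier chunks."""

    def __init__(self):
        self.matched = 0

    def feed(self, chunk):
        """Offset in this chunk just past the terminator, or None if not yet complete."""
        for i, b in enumerate(chunk):
            if b == TERMINATOR[self.matched]:
                self.matched += 1
                if self.matched == len(TERMINATOR):
                    self.matched = 0
                    return i + 1
            else:
                # a CR can always begin a fresh terminator; any other byte resets the match
                self.matched = 1 if b == 0x0D else 0
        return None

def scan_buffers(chunks):
    """Stateful scan over a sequence of buffers: (chunk_index, offset) of the header end, or None."""
    scanner = HeaderEndScanner()
    for n, chunk in enumerate(chunks):
        end = scanner.feed(chunk)
        if end is not None:
            return n, end
    return None

def scan_buffers_naive(chunks):
    """Same interface, but each buffer is searched on its own."""
    for n, chunk in enumerate(chunks):
        end = find_header_end_naive(chunk)
        if end is not None:
            return n, end
    return None

# Constructed sample: the terminator is split exactly as the note describes,
# "\r\n\r" at the end of the first buffer and "\n" at the start of the second.
SPLIT_RESPONSE = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r",
    b"\n<html><body>hello</body></html>",
]
INTACT_RESPONSE = [b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"]

if __name__ == "__main__":
    print("per-buffer:", scan_buffers_naive(SPLIT_RESPONSE))  # None: header end missed
    print("stateful  :", scan_buffers(SPLIT_RESPONSE))        # (1, 1)
```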

Application Firewall

The primary node in a high availability (HA) configuration might run out of memory if synchronization is disabled, either manually or because of a version mismatch between nodes, and a large number of application firewall sessions are created on the primary. With this fix, after application firewall sessions are terminated, the memory is recovered.
[# 646293, 645547]

When a NetScaler appliance is upgraded from a 10.1 build to a 10.5 build, the application firewall signature names are converted to all lowercase characters. If the name of the signature contains any uppercase character, the conversion affects the binding between profile and signature. Any attempt to modify either the profile or the signature object displays an error message in the configuration utility.
[# 568705]

When editing application firewall signatures, you cannot sort on the "Enabled" column.
[# 621333]

On a NetScaler appliance running release 11.0 or later, the web application firewall does not always function as expected if the DefaultCharset in a profile is not specified correctly. If a request does not have a content-type header, the WAF uses the De
