Access Gateway broken after 13.0 84.10 or 84.11

[Gabriel Munoz]

Happening to us as well on the latest 21.50. Disabling HSTS fixed it for us. Citrix said they are tracking it under bug ID NSHELP-30832.

They told me possibly by the end of this month for a fix.

[Georg Pfahler]

still happening on 13.1, 24.38

[Bret Toews1709160791]

Same issue here on 13.0 85.19

 

Disabled HSTS as workaround

[Lukas Rusch1709162191]

Same issue with build NS13.0 86.17.nc. Yesterday we updated from NS12.1.

 

But it seems that not all users are affected with this - I can't figure out why.

 

Can I create those HSTS rewrite policies and bind them to already existing VS with policies? We have to policies binded to VS with the following expressions:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

 

 

[Joost Sannen]

12 hours ago, Lukas Rusch1709162191 said:

Same issue with build NS13.0 86.17.nc. Yesterday we updated from NS12.1.

 

But it seems that not all users are affected with this - I can't figure out why.

 

Can I create those HSTS rewrite policies and bind them to already existing VS with policies? We have to policies binded to VS with the following expressions:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

 

 

If you created a rewrite policy like in my post reply of March 25 you've got to bind it as a Rewrite Policy of Type Request.

[Joost Sannen]

Just tested 13.1 27.59 and the problem remains. Waiting on a debug build from Citrix for testing.

[Stacey Lewis1709159460]

Bug still exists in 13.0 86.17 released in June 2022

[Joost Sannen]

On 7/12/2022 at 7:19 PM, Joost Sannen said:

Just tested 13.1 27.59 and the problem remains. Waiting on a debug build from Citrix for testing.

Debug build installed, reproduced the issue, waiting for analysing the data now.

[James Leonard1709161179]

We had the same issue, client went from 12.1 -> 13.1 27.59 after disabling HSTS to get around the issue discussed

 

Following for updates on an eventual fix

[zheise996]

We just also tried going from 13.0 (83.29 same as the OP) to 13.1 27.59 yesterday and ran into this issue. What a mess. Does anyone have a citrix support contract and have any tickets open? If not, I will do so. Ridiculous that this has been broken for six months now, judging by the 4 pages of comments. What the heck, Citrix. It'd be nice if there was a 'known issues' page we could follow.

Edited August 15, 2022 by Zach Heise
adding original version number detail

[Joost Sannen]

20 hours ago, zheise996 said:

We just also tried going from 13.0 (83.29 same as the OP) to 13.1 27.59 yesterday and ran into this issue. What a mess. Does anyone have a citrix support contract and have any tickets open? If not, I will do so. Ridiculous that this has been broken for six months now, judging by the 4 pages of comments. What the heck, Citrix. It'd be nice if there was a 'known issues' page we could follow.

Hi Zach, Citrix is analyzing logs but please do open a support case too. Thank you.

[zheise996]

Submitted my ticket, got this as a response. At this point, we're sitting comfortably back on 13.0 build 83.29 and are not super interested in going through the pain and suffering of another failed update for our users anytime soon.

 

If it was fixed, supposedly, in 13.1 build 11.3 - but you still need a run a command from the shell afterward? Odd way to do a fix.

 

Quote

Greetings,

Yes this was a known issue and we have reported to the engineering team and issue was fixed in 13.1 11.3, NSHELP-28367 this is the NS HELP id.

However, you can run the below-given command once you upgrade the firmware to fix the issue.

Need to run it from the shell

nsapimgr_wr.sh -ys call=toggle_vpn_datalen_multipleof_mss


Regards
Manik Reddy
Technical Support Engineer
Delivery Networks, Americas Support

Citrix Systems India Private Limited (U70200KA1995PTC019308)
Prestige Dynasty, Ground Floor #33/2, Ulsoor Road, Bangalore–560042, Karnataka, India

 

[Joost Sannen]

Hmm, you got more info than I did. Tested this morning with 13.1 30.52 and the problem is still there. Asked Citrix for more information about the shell command.

[zheise996]

On 9/5/2022 at 4:19 AM, Joost Sannen said:

Hmm, you got more info than I did. Tested this morning with 13.1 30.52 and the problem is still there. Asked Citrix for more information about the shell command.

 

Yes, my tech agent shared this link with me that had reasoning for how and why this shell command works - https://issues.citrite.net/browse/NSHELP-28367 - but he neglected to remember it was an internal-only link, that us non-Citrix employees cannot see. So basically there is no supporting documentation (that mere mortals like you and I can read) for this supposed 'fix' he shared with me. That leaves a very bad taste in my mouth.

[Joost Sannen]

Well finally got word from Citrix. Issue has been fixed in the upcoming version 13.0 build 88.x and 13.1 36.x . @Julian Jakob in another post: 13.0 - 88.x with ETA Oct 18th

[Dave Tibolla]

13.0 build 88.12 is out, however I see no mention of this issue in the release notes.  Anyone have confirmation that the fix is actually in there? 

[Sjoerd Dijsselbloem1709163201]

12 hours ago, Dave Tibolla said:

13.0 build 88.12 is out, however I see no mention of this issue in the release notes.  Anyone have confirmation that the fix is actually in there? 

I am curious about this to. I can not see anything in the release notes.

[Joost Sannen]

The ID is NSHELP-31782. And I can't find it neither in the release notes of 13.0 88.12 . Waiting for 13.1 36.xx

[Paul Burden]

I've been told by citrix support today that the latest version 13.0.88.16 fixes this issue, although i can't see the mention in the release notes.  i've asked them to clarify before i upgrade to this .  Just in case others want to try and see if it does indeed resolve the issue

[Fred Cray]

We are having this issue and applied 13.0.88.16 on our test VPX and problem still occurs. Disabling HSTS in the SSL Profile allows it to work. Opening a ticket today.

[Paul Burden]

i queried the citrix support engineer who apologised and has now told me that 

"For the 13.0 build 89.x latest , fix was available in this , I heard that the issue is resolved we referred this NSHELP-31478."

i have yet to test this latest version, but just wanted to make this info available for others to test..

[Patrick Paijmans1709162692]

Is there any news or update on this isseu?

I cannot believe this stil has not been fixed.

 

I dont recognise this problem when i google for NSHELP-31478

[Joost Sannen]

I could not find it either and asked Citrix Support last December. From Citrix support I got 'this is fixed and verified in 13.1-39.8 and hence it will be included in the upcoming General Available (GA) build' . So this should work in 13.1 42.47 .  I didn't test it myself yet. Maybe someone else can confirm it finally has been fixed?

[Georg Pfahler]

we are on 13.1 37.38 and the issue is gone.

 

I think it got fixed there:

https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-33-54.html

[Kari Ruissalo]

I also went ahead and checked this issue with Citrix support. The answer was:

Quote

I checked further on NSHELP-31478, and it is resolved in 13.1-37.32 (or upper versions) or 13.0- 89+ versions.

 

We are proceeding with firmware updates based on this information, we'll upgrade to 13.0-90.7.