Known Issues

Release 22.6R2.1

Symptom : Event logs are filled with certificate expired error message.

Condition : ICS has loaded with Expired trusted server CA.

Work around: None, just a display issue.

Release 22.6R2

Symptom: PSAL fails to launch JSAM with JDK 21 on MAC Ventura 13.6.

Condition: When user try to access JSAM with JDK 21 on MAC Ventura 13.6.

Workaround: Use JDK 17 instead of JDK 21.

Symptom: User/WTS session is getting terminated.

Condition: When “Enable session timeout warning” option is enabled.

Workaround: Disable the “Enable session timeout warning” option.

Symptom: Failed to save package, cannot copy UEBA package.

Condition: Uploading new UEBA package.

Workaround: None. Contact Support for assistance.

Symptom: VPN tunneling filter deletion for IPv6 under System > Network > VPN tunneling. IPv6 filter not assigned to VPN clients if no filter is specified.

Condition: Importing binary config from 22.3, 22.4,22.5 releases.

Workaround: Add default filter * for IPv6 in System > Network > VPN tunneling

Symptom: Analytics Dashboard and Gateway logs are not synced with nSA.

Condition: ICS Gateways running on cloud with version 22.5R2 or above.

Workaround: NA

Release 22.5R2.1

Symptom: AD join from troubleshooting page fails with Error "Failed to find DC for domain <DOMAIN NAME> - Undetermined error".

Condition: When AD container name contains spaces and was different than the default "Computers".

Workaround: Use quotes in the AD configuration page if the AD container name has spaces.

Symptom : Few expired trusted server CA are not getting deleted.

Condition : When checking Trusted Server CA Page, using "Show only expired CAs" option enabled.

Workaround : Admin can import latest CAs if necessary

Symptom: Port probe: Internal port IPv6 address is incorrectly populated when the user selects Management port with family type as IPv6.

Condition: Interface port is selected first and then family type.

Workaround: Select family type first and then select the Interface as Internal/Management Port.

Symptom: OAuth token encryption using ECC certificates fails.

Workaround: Use RSA certificates for Token Encryption

Symptom: Advanced HTML5 external storage feature will not work.

Condition: When external storage server contains special characters in the password.

Workaround: Do not use any special characters in the password.

Symptom: Stats for other node are not accessible from the current cluster node.

Conditions:

1. Go to System > Status > Overview.

2.Select the other node from the drop down in any of the charts.

Workaround: None. Login to the other node to get the charts.

Symptom: Multiple authentication successful messages are observed in user access logs when user tries OWA 2016 or above with kerberos SSO.

Workaround:NA

Symptom: VPN fails to connect with Login Failed Error.

Condition: When Host checker is configured without enforcing at realm

Workaround: Enforce same host checker policies at realm also.

Release 22.4R2

22.4R1 Known issues are also applicable to 22.4R2.

Symptom: Enterprise on-boarding feature will not work.

Condition: When end user uses on-boarding feature.

Workaround: None

Symptom: Test enrollment will not work

Condition: When end user uses on-boarding feature.

Workaround: None

Symptom : Browser based Certificate authentication is failing when TLS 1.3 is enabled on the ICS

Condition: Browser based Certificate authentication fails when admin enables TLS 1.3 on ICS.

Workaround: Admin need to enable TLS 1.2 (refer to KB)

Symptom: KB link for TLS 1.3 client support warning on the dashboard page takes you to a broken link.

Condition: Click KB45694 link shown in the dashboard for Client impact with TLS 1.3.

Workaround: See KB for details.

Symptom: Unable to set FIPS mode for web server.

Condition: FIPS mode is not supported

Workaround: None

Symptom: Console doesn't respond to user input when selecting "change SELinux mode".

Condition: Post cluster upgrade to 22.4R2.

Workaround: Restart services from the UI.

Symptom: ICS initial configuration is not getting configured automatically from vApp options

Conditions: After performing clear config operation through VM Virtual Console

Workaround: None. Configure ICS initial configuration such as IP address, admin user, self-signed cert details manually

Symptom : Active user page in cluster nodes are not in sync for connected users, this happens when the cluster splits and joins.

Condition : When cluster splits and joins this occurs.

Workaround : None, it's just a display issue. In new session it is displayed correctly.

Symptom : VM upgrade and installation progress messages before reboot are not seen on VM serial console

Condition: when upgrade was performed from 22.4r2 to higher release

Workaround: None

Symptom: Kernel rate limiting is not working on config import

Condition: During config import from 22.4r2 with Kernel rate limiting enabled to another 22.4R2 setup.

Workaround: A change in DOS/DDOS options requires an ICS reboot after config import. As a workaround undo and save the change, then redo and save from the interface.

Symptom: Active Sync with Cert and Kerberos Constrained Delegation (KCD) does not work.

Condition: When TLS 1.3 is enabled on ICS in bound settings.

Workaround: Enable TLS 1.2 on ICS in bound settings.

Symptom: On single core CPU platform, web server snapshot can be generated upon Security related configuration change.

Condition: Upon change in Security configuration (such as change in TLS version) old web server process exits with crash

Workaround: NA

Symptom: 
Sometimes, Advanced HTML5 session does not respond to mouse clicks.

Conditions: This issue happens usually when user tries to copy text using mouse on a ssh terminal session within HTML5 session.

Workaround: Disconnecting and reconnecting the Advanced HTML5 session solves the issue.

Symptom: If the server has TLS 1.3 enforced, the existing client connections and upgrades fail.

Condition: TLS 1.3 enforced for the secure connections.

Workaround: Enable the TLS 1.2 and higher option in the server, connect to the server and upgrade to the latest versions.

Symptom : TLS 1.3 is not supported on mobile VPN client.

Condition: Mobile Authentication will not work when the user enables TLS 1.3 on ICS.

Workaround: Select TLS 1.2 on the ICS server.

Symptom: DMI based script no longer able to connect to ICS

Conditions: After ICS is upgraded to 22.4R2

Workaround: NA.

Symptom: Test connection for AWS/Azure archival server is showing as "Failed to connect to S3 bucket, WrongBucketLocation"

Condition: When configuring AWS or Azure as archival server location.

Workaround : Admin can configure SCP or FTP Server for archiving.

Symptom: Cluster creation with IPV6 and default VLAN Id is not supported.

Workaround: NA

Symptom: End-users are receiving "VPN Server is busy and unable to accept new connections." on the ISA Client, and unable to access intranet.

Conditions: When system operations (VIP failover, reboot, restart of services) are performed on the Gateway when users are logged in.

Workaround: Perform operations affecting the system such as VIP Failover, Restart of Services, Reboot only during off hours. As a workaround, end-users can re-try after a minute and they would be able to re-establish VPN.

Symptom: Upgrading from 22.4R2 to R1 builds will not show error when tried via REST API or DMI.

Workaround: Upgrade will not happen to R1 builds since it is not a supported upgrade path but no error message will be shown to admin saying that this is not supported.

Release 22.4R1

Symptom: Launching the Web bookmark via JSAM has issues.

Condition: When the PSAL is not installed on the client machine.

Workaround: Create web bookmark to launch via the rewriter engine instead of JSAM.

Symptom: On a Mobile device, if user logged in to web portal via browser and launching VPN connection will fail to establish VPN session.

Condition: When Secure Application Manager feature disabled under a user role configuration on ICS then a mobile device user who logged in to web portal via browser at first and then launching VPN connection using VPN bookmark will fail to establish VPN session.

Workaround: Enable Secure Application Manager feature under a user role configuration on ICS.

Symptom: JSAM logout button throws an internal error message.

Condition: when open jdk-17 java is installed

Workaround: No feature impact, click the ok button on the error screen JSAM applet will logout.

Symptom: ICS does not send logs to remote syslog servers and NSA impacting analytics

Conditions:

This is seen in the following scenario:

1.Preferred mode is set to IPv6

2.Hostname is used to specify remote syslog server, and it resolves to both IPv4 and IPv6

3.Preferred network to contact NSA is set via Management port

4.Management port is configured with IPv6, but in disabled state

Workaround:

1.Re-enable IPv6 on management port, if possible (or) Remove IPv6 from management port

2.Do restart of services or make a change in any of the syslog server config in Admin UI.

Symptom: Missing certificate error is not displayed when user connects to Certificate based VPN profile without a mapped certificate in the profile

Workaround: Map/add user certificate to the profile

Symptom: Start button for JSAM launch in Ubuntu is failing

Workaround: No workaround

Symptom: Connection with syslog server is failing.

Workaround : Restart the syslog server.

Symptom: File browsing with hostname is going through IPV4 address when "Preferred DNS Response:" is configured as IPv6.

Workaround: Use the IPv6 address instead of host name.

Symptom: File browsing with hostname is not working when DNS response has IPv6 address only.

Condition: When file server/share is configured with hostname, hostname is not get resolve to IPv6 address. This is because getaddrinfo API is not supporting IPv6 resolution.

Workaround: NA

Symptom: When file server/share is configured with hostname, hostname will not get resolve to IPv6 address.

Conditions: File Server/Share configuration with hostname.

Workaround: Use IPv6 address while configuring instead of hostname.

Symptom: Compliance check fails on MacOSX, while using IPv6.

Workaround: None

Release 22.3R1

Symptom: Ping6 with host name is not working.

Condition: When admin performs ping6 operation using host name.

Workaround: Admin can perform ping6 using IPv6 address.

Symptom: SNMP timeouts occurring than usual expected rate.

Condition: When the queries are sent aggressively like around 57 queries/sec timeouts occur.

Workaround: Increase the querying time for example to 57 queries in 2-3 seconds to see comparatively see less timeouts.

Symptom: Upgrade of cluster node fails with "Unable to extract installer" error message.

Conditions:

1.Upgrade triggered on a Cluster

2.Node-1 upgrades successfully to 22.3R1

3.Node-1 asks Node-2 to upgrade

4. Node-2 copies the package from Node-1, but fails to extract the installer. This is due to free disk space constraints on Node-2

Workaround:

1.Power cycle Node-2

2.Press Tab and boot into Standalone mode

3.Access the UI and follow the procedure mentioned in KB44877 to clean up space

4.Reboot and join the cluster. Upgrade of cluster node is done successfully

Symptom : Intermittently during the fresh install and upgrades of Client launches, PSAL is not getting detected in the first attempt.

Condition : During fresh install and upgrade of client launches.

Workaround : Retry to the Client launches, it works.

Symptom: Start button for JSAM launch in Ubuntu is failing

Workaround: No workaround

Symptom : Error prompts when 'Citrix All Listed Application' is clicked. Failed to contact server, check the network connection and try again.

Condition : XML export and import of 'Citrix All Listed Application' along with other citrix bookmarks.

Workaround: Delete the 'Citrix All Listed Application' bookmark and recreate manually using Terminal profile via admin login.

Symptom : Only 'Citrix listed applications' bookmarks is shown in the user home page.

Condition : Issue is encountered only when 'Citrix listed applications' is the 1st entry in Users >User Roles >[User-Name] >Terminal Services >Sessions.

Workaround: Reorder the Terminal Services Sessions from Users >User Roles >[User-Name] >Terminal Services >Sessions page using up-down arrows and don't keep 'Citrix listed application' as the 1st entry.

Symptom: Enterprise onboarding profile push will not work on mobile end point.

Condition: When a new VPN client is installed on the Mobile end point.

Workaround: By using MDM server required profiles can be pushed to the mobile end point.

Symptom: Upgrade is not working from 9.1R15(18393)classic to 9.1R17 HLGW(22091)

Condition: Upgrade from 9.1R15 build 18393 to 9.1R17 HLGW.

Workaround: Increase the idle timeout and max session length. Set the idle timeout to (300) and the max session length (360) minutes.

Symptoms: When browser extension is enabled, PSAL upgrade to latest might fail.

Condition: Client launch might fail if PSAL browser extension is enabled on a upgrade scenario.

Workaround: Reinstall of PSAL will launch clients without a issue.

Symptom: On launching JSAM/HOB, any of the following issues is observed on MAC Ventura machine.

• "Failed to contact server." error displays

• "Detected an internal error, please retry". error displays

•Multiple PSAL popups appear.

•JSAM/HOB is not launching on first try.

Condition: When using a lower PSAL version (22.2R1 or lower) on MAC OS Ventura .

Workaround:

1.Log out of the browser

2.Log in again and cancle the PSAL popup message, "Do you want to allow this page to open PulseApplicationLauncher?"

3.The PSAL download page appears after some time.

4.Download and install the new version of PSAL.

5.Log out and log in again

Symptom : FTP is not working with IPv6 FTP server

Condition : When admin configured IPv6 FTP server for archival

Workaround : Admin can use IPv4 FTP server for archiving

Symptom: "Failed to contact server" error prompted.

Condition: "Failed to contact server" error observed sometimes when auto-launch is enabled.

Workaround: None

Symptom: Citrix default ICA launch fail.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: User can use Citrix workspace app version 2109.

Symptom: VDI-Citrix Xendesktop launch fail.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: User can use Citrix workspace app version 2109.

Symptom: sg_agent is not able to detect the smart card, when end users use MAC OS with smart card redirect support RDP to windows machine.

Condition: As per BSSL, since no RDC clients available on MAC, you may not have any solution as of now.

Workaround : None.

Symptom: None of the selected username data is deleted from the Behavioral Analytics User Report list.

Condition: When compliant users is listed in report.

Workaround: NA

Symptom: The auth traffic is not following the selection of traffic interface.

Condition: Even if admin configures auth traffic to go through management, it still goes through internal interface.

Workaround: NA

Symptom: ESP Throughput is dropping when users logins from two different source IP on Openstack KVM ISA6Kv

Condition: With payload of 1300 bytes or higher, you might experience performance drop due to fragmentation.

Workaround: With payload of 1300 bytes or lower, you will not hit this issue.

Symptom: Enduser is not able to receive multicast traffic

Condition: When the enduser is connected to VPN in ESP

Workaround: NA

Symptom: AD server will not able to join when default VLAN is enabled.

Conditions: Default VLAN is enabled on interfaces.

Workaround: Enable Traffic decoupling and Map the setting of system-level interface and interface should be the default-VLAN interface of the internal interface.

Symptom: Time on the ICS gateway goes out of sync, even through configured with NTP servers

Conditions: When DNS preferred mode is set to IPv6

Workaround:

1.Set DNS preferred mode to IPv4

2.Go to System > Status > Overview page. Click Edit link under System Date & Time

3.Click Save Changes.

Symptom : The dashboard graphs for HC failures and OS types are not populated.

Workaround : Restart services to fix the issue.

Symptoms: When you try to launch JSAM on MAC OS using browser extension you will see an error saying "jnlib file is malicious"

Condition: By default, browser extension is not enabled and customer do not see any major impact unless they enable browser extension. If browser extension is enabled then it is recommended not to use JSAM and HOB.

Workaround: Use custom protocol which is the workflow by default.

Symptoms: After launching JSAM an error prompts, "Safari can't find the server."

Condition: When a user launches JSAM on a MAC Ventura machine using the Safari browser, user may see "Safari can't find the server."

Workaround: The user can use the Chrome browser for the JSAM launch.

Symptom: HOB auto launch is not working.

Condition: When a user uses Windows as a client machine.

Workaround: User can do manual launch.

Symptom: Upgrade from pre-22.3R1 > 22.3R1 appears to be stuck after importing system data.

Conditions: When upgrading the gateway from pre-22.3R1 > 22.3R1

Workaround:The issue is seen due to increase in ICS package size. Refer KB on how to workaround this issue.

Symptom: When Home Icon in Floating tool bar is clicked, the end-user gets ‘The page you requested could not be found’ error.

Conditions: When the user clicks on Home Icon in the floating tool bar within a Advanced HTML5 session.

Workaround: Clear the browser cache and retry.

Symptom: Oauth authentication fails in the end user page while using dynamic URL. Oauth configurations are created using dynamic URL and upgraded to latest version. Authentication fails inconsistently while trying this scenario.

Condition: When creating Oauth server with dynamic URL and trying the authentication after upgrade.

Workaround:

•To delete existing Oauth configuration and create a new configuration in the latest version.

•Upgrade without using dynamic URL (with manual configuration)

Symptom : In Dual Stack LDAP Authentication, user authentication fails if Primary server is IPv6 and backup servers are IPv4.

Condition: Issue exists only when primary server is configured as IPv6 and backup servers are IPv4, only in dual stack case.

Workaround: Configure IPv4 servers as Primary and IPv6 servers as Backup servers.

Symptom: Upgrade of gateway using DMI fails.

Conditions: When trying to upgrade gateway using DMI RPCs.

Workaround: Use Admin UI to upgrade the gateway.

Release 22.2R1

Symptom: XML import fails in release 22.2R1 version when HTML5 resource profiles exported from release 9.1R15 or R16 .

Condition: Importing HTML5 resource profiles in to 22.2R1.

Workaround: NA

Symptom: User browses to appserver URL with 8083 port (http://appserver:8083/test.asp), it re-directs to some other webpage.

Condition: When the user configure the appserver with kerberos functionality and tries to access the URL: http://appserver:8083/test.asp in end user page.

Workaround: Instead of browsing end user page, directly browse the login URL: http://appserver:8083/test.asp

Symptom: Displays "Exceeded maximum of 51 write attempts".

Conditions: During restart/reboot of the system.

Workaround: None. No functionality impact.

Symptom: Certificate validity check shows certificate expired for less than 90 days.

Condition: During certificate validity check.

Workaround: No functional impact, ignore the message.

Symptom : Downloaded Protected Zip File (1KB) is empty but actual file size is 2.07MB.

Condition : When the user configures the Appserver with protected file share and then downloads any protected file.

Workaround: Instead of getting files downloaded through zip, download individual file by clicking.

Symptom: Installing Ivanti Secure Access Client through browser fails.

Condition: After end user login, click on bookmark "PULSE UNIFIED CLIENT" start button, It fails to installIvanti Secure Access Client.

Workaround: User to download Ivanti Secure Access Client directly from Server (System > Maintenance > Installers) and install on end point.

Symptom: Setup client uninstall will not work sometimes.

Condition: When a user tries to uninstall setup client.

Workaround: User has to reboot the client machine.

Symptom: File cannot be downloaded or deleted from the end user UI.

Conditions:

•Bookmarks for a file server have to be present in the end user UI.

•Files have to be present in the server upon navigating from bookmark to the file server.

Workaround: None

Symptom: Binary configuration import from 9.x classic to 22.2 gateway causes the gateway to disconnected from the nSA and hence no configuration upload happens to the nSA.

Condition: During Binary configuration import from 9.x classic to a 22.2 gateway, which is already registered to nSA. The configuration import brings the registered ICS device in a gateway not ready state on nSA thereby not updating the newly imported ICS configurations to nSA .

Workaround: Clear the nSA registration status by navigating to System > Ivanti Neurons for Secure access > Clear config and then Restart the Gateway service from Maintenance > Platform > Restart Services. After restart, register again with nSA.

Symptom: Black screen is shown when user tries to download PSAL from Safari browser.

Condition: When PSAL is downloaded and installed for the first time.

Workaround: After PSAL is installed, access the end user page and launch JSAM.

Symptom: End user Onboarding option is not displaying on MAC OS.

Condition: When a user uses MAC OS.

Workaround: N/A

Symptom: Panel Preferences for Admin/end user bookmarks is not shown.

Condition: When a user access the end user Panel Preferences page.

Workaround: N/A

Symptom: Page refresh issue on end user portal.

Condition: When a user configures wrong VDI login details and reconfigures with correct login details.

Workaround: User has to re-login to the end user portal.

Release 22.1R6

Symptom: Save All Logs option missing from Events/User Access/Admin Access Logs.

Condition: When Admin navigates to Monitoring > Events > Logs and tries to Save Logs.

Workaround: NA

Symptom: Clear config data fails with errors.

Condition: On ISA8000 platform admin console, when “Clear all configuration data at this Ivanti Connect Secure” is run from the “System Operations” options.

Workaround: After performing Clear config data, restart the system and choose the “Factory reset” option. This issue will be fixed in the future release.

Symptom: Disk and RAID status appears as Unknown for some time.

Condition: After adding the disk from console, when user immediately checks Disk and RAID status from UI, it appears asUnknown.

Workaround: After adding the disk from console, wait for one minute before checking Disk and RAID status from UI. It might take up to one min to sync the status between GUI and console.

Release 22.1R1

Symptom: Configuration import fails with reason: software version used to create import file was '9.1R14 (build 16847)' current version of software is '22.1R1 (build 421)'.

Condition: When admin tries to import configuration from release 9.1R14 / 9.1R14.1 to 22.1R1.

Workaround: NA

Symptom: Third party related error messages seen on VA console.

Condition: Connect Secure registered with nSA.

Workaround: None. These messages can be ignored as it does not affect functionality.

Symptom: Connect Secure is not sending Microsoft Intune server request.

Condition: During the user authentication.

Workaround: Restart services will restart the MDM services.

Symptom: Cache cleaner policy is not getting imported when importing XML file for user role configured with cache cleaner policy.

Condition: During XML import of user role with cache cleaner policy.

Workaround: None. Assigning cache cleaner policy to a user role is a deprecated feature.

Symptom: AD server is not able to join when default VLAN is enabled.

Condition: Default VLAN enabled on interfaces.

Workaround: Enable Traffic decoupling and map the setting of system-level interface and interface to default-VLAN interface of the internal interface.

9.X HLGW : KVM :

Symptom: Post upgrade, not able to access GUI.

Condition: After upgrading KVM appliance with gateway build.

Workaround: NA

Symptom : Rollback via console is not working on KVM appliance.

Condition:Using rollback option in KVM appliance.

Workaround: NA

Symptom: Logs are not pushed from gateways to nSA.

Condition: During 21.9R1 and 21.12R1 gateways upgrade to 22.1R1 and after certificate rotation, logs are not pushed.

Work Around: Restarting the gateway services.

Symptom : Cluster VIP owner details are not in sync between nSA and gateways.

Condition : 22.1R1 Connect Secure AP cluster setup registered with nSA.

Work Around : Rebooting the cluster setup will resolve the issue.