Known Issues

Problem Report Number	Release Note
Release 21.9R1 PRs
PCS-30626	Symptom: Failed to update profile for user error is seen in user access logs for every user. Condition: Importing system and user binary configs from 9.x where UEBA was configured and working fine. Solution: The UEBA package has to be imported manually for the Adaptive Authentication feature to continue to work fine and stop getting these messages for every user.
PCS-31165	Symptom: ESP to SSL session fallback happens randomly on L3 session. Conditions: In AA Cluster setup, when VPN Tunneling connection profile is configured with ESP to SSL fallback, sometimes L3-VPN session can fallback to SSL mode after a node leaves and joins the Cluster. Workaround: Restarting Services on the Cluster resumes all users VPN session to ESP mode.
PCS-30694	Symptom: Number of concurrent users (xx) exceeded the system limit (2) seen in user access logs. Conditions: When nSA Named User Mode is enabled in System > Configuration > Licensing Workaround: None. End-user does not see any warning and logins will work.
PCS-31051	Symptom: Max Concurrent Users do not get updated immediately. Conditions: After installing ICS-EVAL license. Workaround:None. System takes around 3-4 minutes for the page to get updated.
PCS-30919	Symptom: In Advanced HTML5 session, Copy paste functionality does not work after a while Conditions:When connected to backend windows machines through Advanced HTML5 session Workaround:Disconnect and Reconnect to Advanced HTML5 session
PCS-31161	Symptom: • Error updating data for chart cloud_secure_roles seen in Admin logs •Dashboard charts are not getting updated Conditions: After upgrading to 21.9R1 gateway build Workaround: None. Dashboard charts get updated after a while.
PCS-30280	Symptom: Not able to launch windows/citrix terminal services through IPv6 address. Condition: when end user uses IPv6 address to launch WTS/CTS Workaround: launch with IPv4 address.
PCS-31156	Symptom: Sessions are not synced between nodes on an AA/AP cluster. Condition: PCS failover because of reboot/power cycle. Workaround: New sessions after node recovery will be synced across both nodes and data on insights will be accurate.
PCS-31234	Symptom: html5 graph shows incorrect value for RDP sessions. Condition: RDP sessions created on PCS. Workaround: No workaround.
PCS-31046	Symptom: XML import from 9.x PCS GW to 21.x GW fails with a directory-server attribute error in a corner condition. Condition: When exported XML from 9.x gateway has a authentication server as system local server and attribute server set to "same as above". Workaround:In the XML file either: 1.Set <directory-server> attribute value as None: <directory-server>None</directory-server>. 2.Or remove the <directory-server> attribute, save file, XML import will be successful after that.
PCS-31168	Symptom : WSAM resources being accessed through PCS even though resources are denied in PSAM policy. Condition: when changing PSAM/WSAM policy from allow to deny. Workaround: NA
PCS-30652	Symptom: Antivirus host checker policy will be failed with error server has not received any information on mac os big surr. Condition: when Host checker policy with antivirus is configured on mac os big surr for pre-auth/post-auth. Workaround: NA
PCS-31058	Symptom: On ISA-V or PSA-v VMware platform, spikes in dashboard throughput graph are seen every 5 minutes, when NTP server is configured. Condition: If NTP server is configured and there is time drift on gateway. Workaround: Change view of graph to 2 days or more. Or use "Sync time with ESX host" in VMware tools and remove NTP server configuration on gateway.
PCS-31213	Symtom: Multicast traffic does not flow thru ICS GW when using IGMPv3. Condition: Only when 3rd party tool send multicast traffic with IGMPv3. Workaround: For multicast to work, IGMPv2 should be configured on 3rd party tool.
PCS-30439	Symptoms : End user login fails for users created in Local authentication server with clear text password enabled. Condition: creating local authentication server with clear text enabled. Workaround: For Non IKEv2 use cases, use without enabling clear text password.
PCS-31193	Symptom:HealthCheck REST API /api/v1/system/healthcheck?status=all returns Security gateway is inaccessible error. Conditions: When the default gateway of internal port is NOT reachable. Workaround: Make the internal gateway as reachable.
PCS-30658	Symptom: Run Gateway Diagnostics option does not return any output. Conditions: When triggering Run Gateway Diagnostics option from System Maintenance. Workaround: None. This command is not supported on ICS.
PCS-29657	Symptom: Kill command is seen on ISA-V virtual console. Condition: On a fresh deploy of ISA-V on VMware ESXi, AWS or Azure. Workaround: No functionality is affected. The message can be safely ignored.
PCS-30629	Symptom: End-user sees old sign-in page instead of modernised sign-in page. Conditions: 1.ICS is configured to use Remote TOTP for Secondary Auth 2.Remote TOTP server is NOT reachable Workaround: None. If the Remote TOTP server is reachable, this page would NOT be seen.
PCS-30854	Symptom: XML Import or Push Config fails with /users/user-roles/user-role[name=xyz-role]/html5-access/sessions Conditions: When trying to do XML import or Push Config of Selective Config. Workaround: •XML Import: Remove sessions block under html5-access from XML file and then do XML import. •Push Config: There is no workaround.

Release 21.9R1 PRs

PCS-30626

Symptom: Failed to update profile for user error is seen in user access logs for every user.

Condition: Importing system and user binary configs from 9.x where UEBA was configured and working fine.

Solution: The UEBA package has to be imported manually for the Adaptive Authentication feature to continue to work fine and stop getting these messages for every user.

PCS-31165

Symptom: ESP to SSL session fallback happens randomly on L3 session.

Conditions: In AA Cluster setup, when VPN Tunneling connection profile is configured with ESP to SSL fallback, sometimes L3-VPN session can fallback to SSL mode after a node leaves and joins the Cluster.

Workaround: Restarting Services on the Cluster resumes all users VPN session to ESP mode.

PCS-30694

Symptom: Number of concurrent users (xx) exceeded the system limit (2) seen in user access logs.

Conditions: When nSA Named User Mode is enabled in System > Configuration > Licensing

Workaround: None. End-user does not see any warning and logins will work.

PCS-31051

Symptom: Max Concurrent Users do not get updated immediately.

Conditions: After installing ICS-EVAL license.

Workaround:None. System takes around 3-4 minutes for the page to get updated.

PCS-30919

Symptom: In Advanced HTML5 session, Copy paste functionality does not work after a while

Conditions:When connected to backend windows machines through Advanced HTML5 session

Workaround:Disconnect and Reconnect to Advanced HTML5 session

PCS-31161

Symptom:

• Error updating data for chart cloud_secure_roles seen in Admin logs

•Dashboard charts are not getting updated

Conditions: After upgrading to 21.9R1 gateway build

Workaround: None. Dashboard charts get updated after a while.

PCS-30280

Symptom: Not able to launch windows/citrix terminal services through IPv6 address.

Condition: when end user uses IPv6 address to launch WTS/CTS

Workaround: launch with IPv4 address.

PCS-31156

Symptom: Sessions are not synced between nodes on an AA/AP cluster.

Condition: PCS failover because of reboot/power cycle.

Workaround: New sessions after node recovery will be synced across both nodes and data on insights will be accurate.

PCS-31234

Symptom: html5 graph shows incorrect value for RDP sessions.

Condition: RDP sessions created on PCS.

Workaround: No workaround.

PCS-31046

Symptom: XML import from 9.x PCS GW to 21.x GW fails with a directory-server attribute error in a corner condition.

Condition: When exported XML from 9.x gateway has a authentication server as system local server and attribute server set to "same as above".

Workaround:In the XML file either:

1.Set <directory-server> attribute value as None: <directory-server>None</directory-server>.

2.Or remove the <directory-server> attribute, save file, XML import will be successful after that.

PCS-31168

Symptom : WSAM resources being accessed through PCS even though resources are denied in PSAM policy.

Condition: when changing PSAM/WSAM policy from allow to deny.

Workaround: NA

PCS-30652

Symptom: Antivirus host checker policy will be failed with error server has not received any information on mac os big surr.

Condition: when Host checker policy with antivirus is configured on mac os big surr for pre-auth/post-auth.

Workaround: NA

PCS-31058

Symptom: On ISA-V or PSA-v VMware platform, spikes in dashboard throughput graph are seen every 5 minutes, when NTP server is configured.

Condition: If NTP server is configured and there is time drift on gateway.

Workaround: Change view of graph to 2 days or more. Or use "Sync time with ESX host" in VMware tools and remove NTP server configuration on gateway.

PCS-31213

Symtom: Multicast traffic does not flow thru ICS GW when using IGMPv3.

Condition: Only when 3rd party tool send multicast traffic with IGMPv3.

Workaround: For multicast to work, IGMPv2 should be configured on 3rd party tool.

PCS-30439

Symptoms : End user login fails for users created in Local authentication server with clear text password enabled.

Condition: creating local authentication server with clear text enabled.

Workaround: For Non IKEv2 use cases, use without enabling clear text password.

PCS-31193

Symptom:HealthCheck REST API /api/v1/system/healthcheck?status=all returns Security gateway is inaccessible error.

Conditions: When the default gateway of internal port is NOT reachable.

Workaround: Make the internal gateway as reachable.

PCS-30658

Symptom: Run Gateway Diagnostics option does not return any output.

Conditions: When triggering Run Gateway Diagnostics option from System Maintenance.

Workaround: None. This command is not supported on ICS.

PCS-29657

Symptom: Kill command is seen on ISA-V virtual console.

Condition: On a fresh deploy of ISA-V on VMware ESXi, AWS or Azure.

Workaround: No functionality is affected. The message can be safely ignored.

PCS-30629

Symptom: End-user sees old sign-in page instead of modernised sign-in page.

Conditions:

1.ICS is configured to use Remote TOTP for Secondary Auth

2.Remote TOTP server is NOT reachable

Workaround: None. If the Remote TOTP server is reachable, this page would NOT be seen.

PCS-30854

Symptom: XML Import or Push Config fails with /users/user-roles/user-role[name=xyz-role]/html5-access/sessions

Conditions: When trying to do XML import or Push Config of Selective Config.

Workaround:

•XML Import: Remove sessions block under html5-access from XML file and then do XML import.

•Push Config: There is no workaround.