Known Issues

The following table lists the known issues in respective releases:

For the complete list of current Known Issues, see here.

Problem Report Number

Release Note

Release 22.7R2


Symptom: AD domain join fails when domain name contains numerical 0 in domain name.

Condition: Domain name is having numerical 0.

Workaround: Save changes of AD config performs successful AD domain join.


Symptom: VDI desktop client launch fails.

Condition: When user uses latest VDI horizon client 2309.

Workaround: User must use VDI horizon client 2103.


Symptom: iveConcurrentUsers count is 0 in SNMP Traps.

Conditions: When max users are signed in to ICS and tries to send iveMaxConcurrentUsersSignedIn SNMP trap. This SNMP trap has the iveConcurrentUsers set to 0.

Workaround: None.


Symptom: HTML5 RDP login via smart card will not work.

Conditions: When Windows client machine is configured with windows Hello PIN and Gemalto smart card is used to login via RDP

Workaround: Disable Windows Hello will work


Symptom : "Total Maximum Bandwidth" configuration is taking more value than interface limit in hyper-v platform

Condition: In Hyper-V platform when configuring "Total Maximum Bandwidth" in Network overview page

Work Around: Admin can configure the "Total Maximum Bandwidth" lesser than interface speed limit.


Symptom: Kernel stack trace is seen on ICS console.

Conditions: Under rare conditions, Kernel stack trace is seen on ICS console.

Workaround: None. ICS has to be power cycled.

Release 22.6R2.1


Symptom : Event logs are filled with certificate expired error message.

Condition : ICS has loaded with Expired trusted server CA.

Work around: None, just a display issue.

Release 22.6R2


Symptom: PSAL fails to launch JSAM with JDK 21 on MAC Ventura 13.6.

Condition: When user try to access JSAM with JDK 21 on MAC Ventura 13.6.

Workaround: Use JDK 17 instead of JDK 21.

PRS- 417562


Symptom: User/WTS session is getting terminated.

Condition: When “Enable session timeout warning” option is enabled.

Workaround: Disable the “Enable session timeout warning” option.


Symptom: Failed to save package, cannot copy UEBA package.

Condition: Uploading new UEBA package.

Workaround: None. Contact Support for assistance.


Symptom: VPN tunneling filter deletion for IPv6 under System > Network > VPN tunneling. IPv6 filter not assigned to VPN clients if no filter is specified.

Condition: Importing binary config from 22.3, 22.4,22.5 releases.

Workaround: Add default filter * for IPv6 in System > Network > VPN tunneling


Symptom: Analytics Dashboard and Gateway logs are not synced with nSA.

Condition: ICS Gateways running on cloud with version 22.5R2 or above.

Workaround: NA

Release 22.5R2.1


Symptom: AD join from troubleshooting page fails with Error "Failed to find DC for domain <DOMAIN NAME> - Undetermined error".

Condition: When AD container name contains spaces and was different than the default "Computers".

Workaround: Use quotes in the AD configuration page if the AD container name has spaces.


Symptom : Few expired trusted server CA are not getting deleted.

Condition : When checking Trusted Server CA Page, using "Show only expired CAs" option enabled.

Workaround : Admin can import latest CAs if necessary


Symptom: Port probe: Internal port IPv6 address is incorrectly populated when the user selects Management port with family type as IPv6.

Condition: Interface port is selected first and then family type.

Workaround: Select family type first and then select the Interface as Internal/Management Port.


Symptom: OAuth token encryption using ECC certificates fails.

Workaround: Use RSA certificates for Token Encryption


Symptom: Advanced HTML5 external storage feature will not work.

Condition: When external storage server contains special characters in the password.

Workaround: Do not use any special characters in the password.


Symptom: Stats for other node are not accessible from the current cluster node.


1. Go to System > Status > Overview.

2.Select the other node from the drop down in any of the charts.

Workaround: None. Login to the other node to get the charts.


Symptom: Multiple authentication successful messages are observed in user access logs when user tries OWA 2016 or above with kerberos SSO.



Symptom: VPN fails to connect with Login Failed Error.

Condition: When Host checker is configured without enforcing at realm

Workaround: Enforce same host checker policies at realm also.

Release 22.4R2

22.4R1 Known issues are also applicable to 22.4R2.


Symptom: Enterprise on-boarding feature will not work.

Condition: When end user uses on-boarding feature.

Workaround: None


Symptom: Test enrollment will not work

Condition: When end user uses on-boarding feature.

Workaround: None


Symptom : Browser based Certificate authentication is failing when TLS 1.3 is enabled on the ICS

Condition: Browser based Certificate authentication fails when admin enables TLS 1.3 on ICS.

Workaround: Admin need to enable TLS 1.2 (refer to KB)


Symptom: KB link for TLS 1.3 client support warning on the dashboard page takes you to a broken link.

Condition: Click KB45694 link shown in the dashboard for Client impact with TLS 1.3.

Workaround: See KB for details.


Symptom: Unable to set FIPS mode for web server.

Condition: FIPS mode is not supported

Workaround: None


Symptom: Console doesn't respond to user input when selecting "change SELinux mode".

Condition: Post cluster upgrade to 22.4R2.

Workaround: Restart services from the UI.


Symptom: ICS initial configuration is not getting configured automatically from vApp options

Conditions: After performing clear config operation through VM Virtual Console

Workaround: None. Configure ICS initial configuration such as IP address, admin user, self-signed cert details manually


Symptom : Active user page in cluster nodes are not in sync for connected users, this happens when the cluster splits and joins.

Condition : When cluster splits and joins this occurs.

Workaround : None, it's just a display issue. In new session it is displayed correctly.


Symptom : VM upgrade and installation progress messages before reboot are not seen on VM serial console

Condition: when upgrade was performed from 22.4r2 to higher release

Workaround: None


Symptom: Kernel rate limiting is not working on config import

Condition: During config import from 22.4r2 with Kernel rate limiting enabled to another 22.4R2 setup.

Workaround: A change in DOS/DDOS options requires an ICS reboot after config import. As a workaround undo and save the change, then redo and save from the interface.


Symptom: Active Sync with Cert and Kerberos Constrained Delegation (KCD) does not work.

Condition: When TLS 1.3 is enabled on ICS in bound settings.

Workaround: Enable TLS 1.2 on ICS in bound settings.


Symptom: On single core CPU platform, web server snapshot can be generated upon Security related configuration change.

Condition: Upon change in Security configuration (such as change in TLS version) old web server process exits with crash

Workaround: NA


Sometimes, Advanced HTML5 session does not respond to mouse clicks.

Conditions: This issue happens usually when user tries to copy text using mouse on a ssh terminal session within HTML5 session.

Workaround: Disconnecting and reconnecting the Advanced HTML5 session solves the issue.


Symptom: If the server has TLS 1.3 enforced, the existing client connections and upgrades fail.

Condition: TLS 1.3 enforced for the secure connections.

Workaround: Enable the TLS 1.2 and higher option in the server, connect to the server and upgrade to the latest versions.


Symptom : TLS 1.3 is not supported on mobile VPN client.

Condition: Mobile Authentication will not work when the user enables TLS 1.3 on ICS.

Workaround: Select TLS 1.2 on the ICS server.


Symptom: DMI based script no longer able to connect to ICS

Conditions: After ICS is upgraded to 22.4R2

Workaround: NA.


Symptom: Test connection for AWS/Azure archival server is showing as "Failed to connect to S3 bucket, WrongBucketLocation"

Condition: When configuring AWS or Azure as archival server location.

Workaround : Admin can configure SCP or FTP Server for archiving.


Symptom: Cluster creation with IPV6 and default VLAN Id is not supported.

Workaround: NA


Symptom: End-users are receiving "VPN Server is busy and unable to accept new connections." on the ISA Client, and unable to access intranet.

Conditions: When system operations (VIP failover, reboot, restart of services) are performed on the Gateway when users are logged in.

Workaround: Perform operations affecting the system such as VIP Failover, Restart of Services, Reboot only during off hours. As a workaround, end-users can re-try after a minute and they would be able to re-establish VPN.


Symptom: Upgrading from 22.4R2 to R1 builds will not show error when tried via REST API or DMI.

Workaround: Upgrade will not happen to R1 builds since it is not a supported upgrade path but no error message will be shown to admin saying that this is not supported.

Release 22.4R1



Symptom: Launching the Web bookmark via JSAM has issues.

Condition: When the PSAL is not installed on the client machine.

Workaround: Create web bookmark to launch via the rewriter engine instead of JSAM.


Symptom: On a Mobile device, if user logged in to web portal via browser and launching VPN connection will fail to establish VPN session.

Condition: When Secure Application Manager feature disabled under a user role configuration on ICS then a mobile device user who logged in to web portal via browser at first and then launching VPN connection using VPN bookmark will fail to establish VPN session.

Workaround: Enable Secure Application Manager feature under a user role configuration on ICS.


Symptom: JSAM logout button throws an internal error message.

Condition: when open jdk-17 java is installed

Workaround: No feature impact, click the ok button on the error screen JSAM applet will logout.


Symptom: ICS does not send logs to remote syslog servers and NSA impacting analytics


This is seen in the following scenario:

1.Preferred mode is set to IPv6

2.Hostname is used to specify remote syslog server, and it resolves to both IPv4 and IPv6

3.Preferred network to contact NSA is set via Management port

4.Management port is configured with IPv6, but in disabled state


1.Re-enable IPv6 on management port, if possible (or) Remove IPv6 from management port

2.Do restart of services or make a change in any of the syslog server config in Admin UI.


Symptom: Missing certificate error is not displayed when user connects to Certificate based VPN profile without a mapped certificate in the profile

Workaround: Map/add user certificate to the profile


Symptom: Start button for JSAM launch in Ubuntu is failing

Workaround: No workaround


Symptom: Connection with syslog server is failing.

Workaround : Restart the syslog server.


Symptom: File browsing with hostname is going through IPV4 address when "Preferred DNS Response:" is configured as IPv6.

Workaround: Use the IPv6 address instead of host name.


Symptom: File browsing with hostname is not working when DNS response has IPv6 address only.

Condition: When file server/share is configured with hostname, hostname is not get resolve to IPv6 address. This is because getaddrinfo API is not supporting IPv6 resolution.

Workaround: NA


Symptom: When file server/share is configured with hostname, hostname will not get resolve to IPv6 address.

Conditions: File Server/Share configuration with hostname.

Workaround: Use IPv6 address while configuring instead of hostname.


Symptom: Compliance check fails on MacOSX, while using IPv6.

Workaround: None

Release 22.3R1



Symptom: Ping6 with host name is not working.

Condition: When admin performs ping6 operation using host name.

Workaround: Admin can perform ping6 using IPv6 address.


Symptom: SNMP timeouts occurring than usual expected rate.

Condition: When the queries are sent aggressively like around 57 queries/sec timeouts occur.

Workaround: Increase the querying time for example to 57 queries in 2-3 seconds to see comparatively see less timeouts.


Symptom: Upgrade of cluster node fails with "Unable to extract installer" error message.


1.Upgrade triggered on a Cluster

2.Node-1 upgrades successfully to 22.3R1

3.Node-1 asks Node-2 to upgrade

4. Node-2 copies the package from Node-1, but fails to extract the installer. This is due to free disk space constraints on Node-2


1.Power cycle Node-2

2.Press Tab and boot into Standalone mode

3.Access the UI and follow the procedure mentioned in KB44877 to clean up space

4.Reboot and join the cluster. Upgrade of cluster node is done successfully


Symptom : Intermittently during the fresh install and upgrades of Client launches, PSAL is not getting detected in the first attempt.

Condition : During fresh install and upgrade of client launches.

Workaround : Retry to the Client launches, it works.


Symptom: Start button for JSAM launch in Ubuntu is failing

Workaround: No workaround


Symptom : Error prompts when 'Citrix All Listed Application' is clicked. Failed to contact server, check the network connection and try again.

Condition : XML export and import of 'Citrix All Listed Application' along with other citrix bookmarks.

Workaround: Delete the 'Citrix All Listed Application' bookmark and recreate manually using Terminal profile via admin login.


Symptom : Only 'Citrix listed applications' bookmarks is shown in the user home page.

Condition : Issue is encountered only when 'Citrix listed applications' is the 1st entry in Users >User Roles >[User-Name] >Terminal Services >Sessions.

Workaround: Reorder the Terminal Services Sessions from Users >User Roles >[User-Name] >Terminal Services >Sessions page using up-down arrows and don't keep 'Citrix listed application' as the 1st entry.


Symptom: Enterprise onboarding profile push will not work on mobile end point.

Condition: When a new VPN client is installed on the Mobile end point.

Workaround: By using MDM server required profiles can be pushed to the mobile end point.


Symptom: Upgrade is not working from 9.1R15(18393)classic to 9.1R17 HLGW(22091)

Condition: Upgrade from 9.1R15 build 18393 to 9.1R17 HLGW.

Workaround: Increase the idle timeout and max session length. Set the idle timeout to (300) and the max session length (360) minutes.


Symptoms: When browser extension is enabled, PSAL upgrade to latest might fail.

Condition: Client launch might fail if PSAL browser extension is enabled on a upgrade scenario.

Workaround: Reinstall of PSAL will launch clients without a issue.


Symptom: On launching JSAM/HOB, any of the following issues is observed on MAC Ventura machine.

"Failed to contact server." error displays

"Detected an internal error, please retry". error displays

Multiple PSAL popups appear.

JSAM/HOB is not launching on first try.

Condition: When using a lower PSAL version (22.2R1 or lower) on MAC OS Ventura .


1.Log out of the browser

2.Log in again and cancle the PSAL popup message, "Do you want to allow this page to open PulseApplicationLauncher?"

3.The PSAL download page appears after some time.

4.Download and install the new version of PSAL.

5.Log out and log in again


Symptom : FTP is not working with IPv6 FTP server

Condition : When admin configured IPv6 FTP server for archival

Workaround : Admin can use IPv4 FTP server for archiving


Symptom: "Failed to contact server" error prompted.

Condition: "Failed to contact server" error observed sometimes when auto-launch is enabled.

Workaround: None


Symptom: Citrix default ICA launch fail.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: User can use Citrix workspace app version 2109.


Symptom: VDI-Citrix Xendesktop launch fail.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: User can use Citrix workspace app version 2109.


Symptom: sg_agent is not able to detect the smart card, when end users use MAC OS with smart card redirect support RDP to windows machine.

Condition: As per BSSL, since no RDC clients available on MAC, you may not have any solution as of now.

Workaround : None.


Symptom: None of the selected username data is deleted from the Behavioral Analytics User Report list.

Condition: When compliant users is listed in report.

Workaround: NA


Symptom: The auth traffic is not following the selection of traffic interface.

Condition: Even if admin configures auth traffic to go through management, it still goes through internal interface.

Workaround: NA


Symptom: ESP Throughput is dropping when users logins from two different source IP on Openstack KVM ISA6Kv

Condition: With payload of 1300 bytes or higher, you might experience performance drop due to fragmentation.

Workaround: With payload of 1300 bytes or lower, you will not hit this issue.


Symptom: Enduser is not able to receive multicast traffic

Condition: When the enduser is connected to VPN in ESP

Workaround: NA


Symptom: AD server will not able to join when default VLAN is enabled.

Conditions: Default VLAN is enabled on interfaces.

Workaround: Enable Traffic decoupling and Map the setting of system-level interface and interface should be the default-VLAN interface of the internal interface.


Symptom: Time on the ICS gateway goes out of sync, even through configured with NTP servers

Conditions: When DNS preferred mode is set to IPv6


1.Set DNS preferred mode to IPv4

2.Go to System > Status > Overview page. Click Edit link under System Date & Time

3.Click Save Changes.


Symptom : The dashboard graphs for HC failures and OS types are not populated.

Workaround : Restart services to fix the issue.


Symptoms: When you try to launch JSAM on MAC OS using browser extension you will see an error saying "jnlib file is malicious"

Condition: By default, browser extension is not enabled and customer do not see any major impact unless they enable browser extension. If browser extension is enabled then it is recommended not to use JSAM and HOB.

Workaround: Use custom protocol which is the workflow by default.


Symptoms: After launching JSAM an error prompts, "Safari can't find the server."

Condition: When a user launches JSAM on a MAC Ventura machine using the Safari browser, user may see "Safari can't find the server."

Workaround: The user can use the Chrome browser for the JSAM launch.


Symptom: HOB auto launch is not working.

Condition: When a user uses Windows as a client machine.

Workaround: User can do manual launch.


Symptom: Upgrade from pre-22.3R1 > 22.3R1 appears to be stuck after importing system data.

Conditions: When upgrading the gateway from pre-22.3R1 > 22.3R1

Workaround:The issue is seen due to increase in ICS package size. Refer KB on how to workaround this issue.


Symptom: When Home Icon in Floating tool bar is clicked, the end-user gets ‘The page you requested could not be found’ error.

Conditions: When the user clicks on Home Icon in the floating tool bar within a Advanced HTML5 session.

Workaround: Clear the browser cache and retry.


Symptom: Oauth authentication fails in the end user page while using dynamic URL. Oauth configurations are created using dynamic URL and upgraded to latest version. Authentication fails inconsistently while trying this scenario.

Condition: When creating Oauth server with dynamic URL and trying the authentication after upgrade.


To delete existing Oauth configuration and create a new configuration in the latest version.

Upgrade without using dynamic URL (with manual configuration)


Symptom : In Dual Stack LDAP Authentication, user authentication fails if Primary server is IPv6 and backup servers are IPv4.

Condition: Issue exists only when primary server is configured as IPv6 and backup servers are IPv4, only in dual stack case.

Workaround: Configure IPv4 servers as Primary and IPv6 servers as Backup servers.


Symptom: Upgrade of gateway using DMI fails.

Conditions: When trying to upgrade gateway using DMI RPCs.

Workaround: Use Admin UI to upgrade the gateway.

Release 22.2R1



Symptom: XML import fails in release 22.2R1 version when HTML5 resource profiles exported from release 9.1R15 or R16 .

Condition: Importing HTML5 resource profiles in to 22.2R1.

Workaround: NA


Symptom: User browses to appserver URL with 8083 port (http://appserver:8083/test.asp), it re-directs to some other webpage.

Condition: When the user configure the appserver with kerberos functionality and tries to access the URL: http://appserver:8083/test.asp in end user page.

Workaround: Instead of browsing end user page, directly browse the login URL: http://appserver:8083/test.asp


Symptom: Displays "Exceeded maximum of 51 write attempts".

Conditions: During restart/reboot of the system.

Workaround: None. No functionality impact.


Symptom: Certificate validity check shows certificate expired for less than 90 days.

Condition: During certificate validity check.

Workaround: No functional impact, ignore the message.


Symptom : Downloaded Protected Zip File (1KB) is empty but actual file size is 2.07MB.

Condition : When the user configures the Appserver with protected file share and then downloads any protected file.

Workaround: Instead of getting files downloaded through zip, download individual file by clicking.


Symptom: Installing Ivanti Secure Access Client through browser fails.

Condition: After end user login, click on bookmark "PULSE UNIFIED CLIENT" start button, It fails to installIvanti Secure Access Client.

Workaround: User to download Ivanti Secure Access Client directly from Server (System > Maintenance > Installers) and install on end point.


Symptom: Setup client uninstall will not work sometimes.

Condition: When a user tries to uninstall setup client.

Workaround: User has to reboot the client machine.


Symptom: File cannot be downloaded or deleted from the end user UI.


Bookmarks for a file server have to be present in the end user UI.

Files have to be present in the server upon navigating from bookmark to the file server.

Workaround: None


Symptom: Binary configuration import from 9.x classic to 22.2 gateway causes the gateway to disconnected from the nSA and hence no configuration upload happens to the nSA.

Condition: During Binary configuration import from 9.x classic to a 22.2 gateway, which is already registered to nSA. The configuration import brings the registered ICS device in a gateway not ready state on nSA thereby not updating the newly imported ICS configurations to nSA .

Workaround: Clear the nSA registration status by navigating to System > Ivanti Neurons for Secure access > Clear config and then Restart the Gateway service from Maintenance > Platform > Restart Services. After restart, register again with nSA.


Symptom: Black screen is shown when user tries to download PSAL from Safari browser.

Condition: When PSAL is downloaded and installed for the first time.

Workaround: After PSAL is installed, access the end user page and launch JSAM.


Symptom: End user Onboarding option is not displaying on MAC OS.

Condition: When a user uses MAC OS.

Workaround: N/A


Symptom: Panel Preferences for Admin/end user bookmarks is not shown.

Condition: When a user access the end user Panel Preferences page.

Workaround: N/A


Symptom: Page refresh issue on end user portal.

Condition: When a user configures wrong VDI login details and reconfigures with correct login details.

Workaround: User has to re-login to the end user portal.

Release 22.1R6



Symptom: Save All Logs option missing from Events/User Access/Admin Access Logs.

Condition: When Admin navigates to Monitoring > Events > Logs and tries to Save Logs.

Workaround: NA


Symptom: Clear config data fails with errors.

Condition: On ISA8000 platform admin console, when “Clear all configuration data at this Ivanti Connect Secure” is run from the “System Operations” options.

Workaround: After performing Clear config data, restart the system and choose the “Factory reset” option. This issue will be fixed in the future release.


Symptom: Disk and RAID status appears as Unknown for some time.

Condition: After adding the disk from console, when user immediately checks Disk and RAID status from UI, it appears asUnknown.

Workaround: After adding the disk from console, wait for one minute before checking Disk and RAID status from UI. It might take up to one min to sync the status between GUI and console.



Release 22.1R1



Symptom: Configuration import fails with reason: software version used to create import file was '9.1R14 (build 16847)' current version of software is '22.1R1 (build 421)'.

Condition: When admin tries to import configuration from release 9.1R14 / 9.1R14.1 to 22.1R1.

Workaround: NA


Symptom: Third party related error messages seen on VA console.

Condition: Connect Secure registered with nSA.

Workaround: None. These messages can be ignored as it does not affect functionality.


Symptom: Connect Secure is not sending Microsoft Intune server request.

Condition: During the user authentication.

Workaround: Restart services will restart the MDM services.


Symptom: Cache cleaner policy is not getting imported when importing XML file for user role configured with cache cleaner policy.

Condition: During XML import of user role with cache cleaner policy.

Workaround: None. Assigning cache cleaner policy to a user role is a deprecated feature.


Symptom: AD server is not able to join when default VLAN is enabled.

Condition: Default VLAN enabled on interfaces.

Workaround: Enable Traffic decoupling and map the setting of system-level interface and interface to default-VLAN interface of the internal interface.


9.X HLGW : KVM :

Symptom: Post upgrade, not able to access GUI.

Condition: After upgrading KVM appliance with gateway build.

Workaround: NA


Symptom : Rollback via console is not working on KVM appliance.

Condition:Using rollback option in KVM appliance.

Workaround: NA


Symptom: Logs are not pushed from gateways to nSA.

Condition: During 21.9R1 and 21.12R1 gateways upgrade to 22.1R1 and after certificate rotation, logs are not pushed.

Work Around: Restarting the gateway services.


Symptom : Cluster VIP owner details are not in sync between nSA and gateways.

Condition : 22.1R1 Connect Secure AP cluster setup registered with nSA.

Work Around : Rebooting the cluster setup will resolve the issue.


Symptom: Roll back option not available in nSA for AA cluster.

Condition: Connect Secure status is not updated properly to nSA.

Workaround: Reboot the AA cluster.


Symptom : Bandwidth consumption is more than configured when downloading files using SSL tunnel mode.

Condition : Bandwidth policy has configured with minimum and maximum value and assigned to user roles which is having SSL as VPN tunnel mode.

Workaround : Configure user roles with ESP tunnel mode for roles configured with bandwidth policy.


Symptom: Reboot fails on selecting clear config from CLI menu.

Condition: Select option 4 and then 6 from CLI menu.


Factory Reset and proceed or,

If you have saved default config or clean config. Binary import can be done as workaround.


Symptom: Time track back by ~4 hours on Connect Secure.

Conditions: After admin restarts system services.

Workaround: None. Time gets re-synced with NTP servers automatically.



Release 21.12R1


Symptom:Intermediate file bookmark page is shown when end user tries to access file bookmark.

Conditions:When end user tries to access Windows file bookmark.

Workaround: After end user provides credentials to access windows file bookmark, if you see the same file bookmark again, then you need to select the desired file bookmark.


Symptom: XML import fails for UserRecordSync configuration.

Condition: When UserRecordSync is enabled.

Workaround: NA


Symptom: Bookmarks are not getting Synced for end user.

Condition: When UserRecordSync is enabled.

Workaround: NA


Symptom: Pushing sign-in URLs, notifications and pages not supported.

Condition: Create any sign-in settings with URL.

Workaround: NA


Symptom: Latest syslog Server is displayed if entire cluster is selected.

Condition: Multiple syslog servers must be added in the cluster mode.

Workaround: NA


Symptom: Error messages related to upgrading cache seen under event logs.

Condition: After the Connect Secure upgrade.

Workaround: NA


Symptom:Bandwidth is not restricted even though minimum and maximum levels are configured.

Condition:When Admission Privilege Level is configured for bandwidth management in ESP and SSL mode.



Symptoms : End user login fails for users created in Local authentication server with clear text password enabled.

Condition: Creating local authentication server with clear text enabled.

Workaround: For Non IKE use cases, do not enable clear text password option.


Symptom : Toolbar not visible for bookmarks in PTP mode when using Chrome and Edge browsers.

Condition : When web bookmark is configured to be accessed over PTP mode instead of rewriter mode.

Workaround :

Open Connect Secure home page URL in new tab to see the toolbars.

While clicking on bookmarks from Connect Secure home page, select to open in new tab.


Symptom: Pulse Client copyright date is not updated with 2022 year.

Condition: Pulse Client copyrights year is shown as 2021.

Workaround: NA


Symptom: Upgrade from 9.1R13 and 9.1R12 GA to 9.1R13.1 is failing at the upload step with Access restricted error.

Condition: When Administrator session is set to default and an upgrade is initiated using the package file.

Workaround: Increase idle timeout to 400 and Max Session Length to 600 before starting the upgrade. Administrators > Delegated Admin Roles > Administrators > session timeout


Symptom: AD authentication fails with Role based VLAN.

Condition: When AD authentication is selected.

Workaround: NA


Symptom: During session extension from Pulse Client or automatic session extension for the end user portal. New session count is getting incremented for the gateway, but old session is not deleted from nSA.

Condition: During session extension from Pulse Client or automatic session extension for the end user portal and license count has exhausted.

Workaround: NA


Symptom: The status info like cluster reboot/ICT/cluster upgrades are not synced between Gateways in nSA cluster.

Condition: In any cluster, the cluster wide actions status are not synced.

Workaround: This is only status information, the actually tasks are already performed.


Symptom: ISA VM machine ID getting changed.

Conditions: Navigate to System>Maintenance>Options and Check/Uncheck the "Enable Virtual Terminal console" check box and then click "save changes".

Workaround: NA


Symptom: Registration status of Connect Secure is in green color.

Condition: Importing binary config of existing registered Connect Secure system config.

Workaround: Clearing and re-registration of nSA.


Symptom: Test connection for AWS/Azure archival server is showing as "Failed to connect to S3 bucket, WrongBucketLocation".

Condition: When configuring AWS or Azure as archival server location.

Workaround : Admin can configure SCP or FTP Server for archiving.


Symptom: End User is not able to launch Apps listed in MS RDweb console.

Condition: End User is using Google Chrome Browser to login.

Workaround: End User can use MS Edge or Firefox browser to login and launch Apps.


Symptom: Logs from 9.x hlgw setup is not sent to nSA

Condition: When DNS preferred settings has configured with IPv6 in network overview page.

Workaround : Admin can configure DNS preferred settings as IPv4 in network overview page.


Symptom: AP Cluster VIP migration is taking around 2 minutes when cluster VIP configured with IPv6 address

Condition: When cluster VIP configured with IPv6 address.

Workaround : None, time is a time delay in cluster VIP migration and cluster VIP migrates to other node.


Symptom: Error message “ERROR: object '/home/lib/' from /etc/ld/so/preload cannot be preloaded:” appears at the end of successful completion of Connect Secure boot

Condition: After the completion of Connect Secure installation and boot

Workaround: None. This does not affect the Connect Secure functionality.


Release 21.9R1


Symptom: Failed to update profile for user error is seen in user access logs for every user.

Condition: Importing system and user binary configs from 9.x where UEBA is configured.

Workaround: The UEBA package has to be imported manually for the Adaptive Authentication feature to continue to work fine and stop getting these messages for every user.


Symptom: ESP to SSL session fallback happens randomly on L3 session.

Conditions: In AA Cluster setup, when VPN Tunneling connection profile is configured with ESP to SSL fallback, sometimes L3-VPN session can fallback to SSL mode after a node leaves and joins the Cluster.

Workaround: Restarting Services on the Cluster resumes all users VPN session to ESP mode.


Symptom: Number of concurrent users (xx) exceeded the system limit (2) seen in user access logs.

Conditions: When nSA Named User Mode is enabled in System > Configuration > Licensing.

Workaround: None. End-user does not see any warning and logins will work.


Symptom: Max Concurrent Users do not get updated immediately.

Conditions: After installing Connect Secure-EVAL license.

Workaround:None. System takes around 3-4 minutes for the page to get updated.


Symptom: In Advanced HTML5 session, Copy paste functionality does not work after a while.

Conditions:When connected to backend windows machines through Advanced HTML5 session.

Workaround:Disconnect and Reconnect to Advanced HTML5 session.



Error updating data for chart cloud_secure_roles seen in Admin logs.

Dashboard charts are not getting updated.

Conditions: After upgrading to 21.9R1 gateway build

Workaround: None. Dashboard charts get updated after a while.


Symptom: Not able to launch Windows/Citrix terminal services through IPv6 address.

Condition: When end user enters IPv6 address to launch WTS/CTS.

Workaround: Launch with IPv4 address.


Symptom: Sessions are not synced between nodes on an AA/AP cluster.

Condition: Connect Secure failover because of reboot/power cycle.

Workaround: New sessions after node recovery will be synced across both nodes and data on insights will be accurate.


Symptom: HTML5 graph shows incorrect value for RDP sessions.

Condition: RDP sessions created on Connect Secure.

Workaround: No workaround.


Symptom: XML import from 9.x Connect Secure Gateway to 21.x Gateway fails with a directory-server attribute error in a corner condition.

Condition: When exported XML from 9.x Gateway has a authentication server as system local server and attribute server set to "same as above".

Workaround:In the XML file either:

1.Set <directory-server> attribute value as None: <directory-server>None</directory-server>.

2.Or remove the <directory-server> attribute, save file, XML import will be successful after that.


Symptom : WSAM resources being accessed through Connect Secure even though resources are denied is PSAM policy.

Condition: While modifying PSAM/WSAM policy from allow to deny.

Workaround: NA


Symptom: Antivirus host checker policy fails with error "server has not received any information on Mac OS big sur".

Condition: When Host checker policy with antivirus is configured on Mac Os big sur for pre-auth/post-auth.

Workaround: NA


Symptom: On ISA-V or PSA-v VMware platform, spikes in dashboard throughput graph are seen every 5 minutes, when NTP server is configured.

Condition: If NTP server is configured and there is time drift on gateway.

Workaround: Change view of graph to 2 days or more. Or use "Sync time with ESX host" in VMware tools and remove NTP server configuration on gateway.


Symtom: Multicast traffic does not flow thru Connect Secure Gateway when using IGMPv3.

Condition: Only when 3rd party tool send multicast traffic with IGMPv3.

Workaround: For multicast to work, IGMPv2 should be configured on 3rd party tool.


Symptoms : End user login fails for users created in Local authentication server with clear text password is enabled.

Condition: Creating local authentication server with clear text enabled.

Workaround: For Non IKEv2 use cases, use without enabling clear text password.


Symptom: HealthCheck REST API /api/v1/system/healthcheck?status=all returns Security gateway is inaccessible error.

Conditions: When the default gateway of internal port is NOT reachable.

Workaround: Make the internal gateway as reachable.


Symptom: Run Gateway Diagnostics option does not return any output.

Conditions: When triggering Run Gateway Diagnostics option from System Maintenance.

Workaround: None. This command is not supported on Connect Secure.


Symptom: Kill command is seen on ISA-V virtual console.

Condition: On a fresh deploy of ISA-V on VMware ESXi, AWS or Azure.

Workaround: No functionality is affected. The message can be safely ignored.


Symptom: End-user sees old sign-in page instead of modernised sign-in page.


1.Connect Secure is configured to use Remote TOTP for Secondary Auth.

2.Remote TOTP server is not reachable.

Workaround: None. If the Remote TOTP server is reachable, this page is not seen.


Symptom: XML Import or Push Config fails with /users/user-roles/user-role[name=xyz-role]/html5-access/sessions.

Conditions: When trying to do XML import or Push Config of Selective Config.


XML Import: Remove sessions block under html5-access from XML file and then do XML import.

Push Config: There is no workaround.