Known Issues

The following table lists the known issues in respective releases:

For the complete list of current Known Issues, see here.

Problem Report Number

Release Note

Release 22.7R2.3

1383188

Symptom: AD domain join is failing for Windows Server 2025

Condition: AD domain join is failing for Windows Server 2025 with the default Windows Server configuration.

Workaround: None

1435999

Symptom: Cluster Upgrade: Device gets stuck in "started all services" when upgrading to 22.7R2.3 image

Conditions: Under rare scenarios, when the vApp options got disabled for the VM on ESXi, and the backup vaIVEConfig is not in sync with the current config.

Workaround: None. A rollback and RDC are needed, followed by removing the backup vaIVEconfig file.

1428554

Symptom: When a full config export is triggered, XML download progress is not seen.

Condition: When a full config export is triggered, the progress bar of the XML download is sometimes not seen.

Workaround: The XML download happens in the background; the progress bar is not visible.

1442736

Symptom: Folder view is missing in 22.X

Conditions: For Citrix listed applications.

Workaround: Currently we support block/list view.

Release 22.7R2.1

1397724

Symptom: ICS upgrade from 22.7R2.1 or later fails through REST API.

Conditions: Occurs during upgrades from 22.7R2.1 to newer versions.

Workaround: None. Use Admin UI for upgrades instead.

1387167

Symptom: Citrix Storefront web bookmark over HTML5 is not working with 2203/2402 LTSR version.

Condition: When ICS client access is selected with HTML5.

Workaround: User can use ICS client access as CTS/WSAM.

1371885

Symptoms: "Importing mTLS Client Certificates and Keys /bin/tar: tlscerts/cert.pem: Not found in archive" message seen on ICS console after upgrade to 22.7R2.1.

Condition: On an upgrade to 22.7R2.1.

Workaround: None. Functionality is not affected. These messages can be ignored.

1369802

Symptom: Under rare conditions, CPU utilization goes to an average of 30 percent

Condition: When Adaptive Auth is enabled on the ICS cluster.

Workaround:

1. Disable UEBA from System > Configuration > Behavioural Analytics.

2. Wait for 15 minutes.

3. Re-enable UEBA.

1380280

Symptom: Invalid Domain name error seen when the AD domain name contains "0".

Condition: A domain name containing 0 fails to save with the error "Invalid Domain name".

Workaround: Upgrade of ICS from an older release will work, but a Reset join is needed. New AD configurations should not have 0 in the domain name.

1383587

Symptom: AD domain join takes 15 mins to join.

Condition: Upgrade to 22.7R2 or later.

Workaround: Saving changes to the AD config does an AD domain join.

1367931

Symptom: GCP - Adding management port details of another node in the cluster returns an invalid IPv6 gateway error message.

Condition: When adding the details of the management port for another node in a cluster environment.

Workaround: Create cluster with two interfaces (device deployed with internal and external port only).

Release 22.7R2

PCS-45286

Symptom: VDI desktop client launch fails.

Condition: When the user uses the latest VDI Horizon client 2309.

Workaround: User must use VDI Horizon client 2103.

PCS-47033

Symptom: iveConcurrentUsers count is 0 in SNMP Traps.

Conditions: When the maximum number of users are signed in to ICS and it tries to send the iveMaxConcurrentUsersSignedIn SNMP trap. This SNMP trap has iveConcurrentUsers set to 0.

Workaround: None.

PCS-47017

Symptom: HTML5 RDP login via smart card will not work.

Conditions: When the Windows client machine is configured with a Windows Hello PIN and a Gemalto smart card is used to log in via RDP.

Workaround: Disabling Windows Hello will work.

PCS-47022

Symptom: "Total Maximum Bandwidth" configuration accepts a value higher than the interface limit on the Hyper-V platform.

Condition: On the Hyper-V platform, when configuring "Total Maximum Bandwidth" in the Network overview page.

Workaround: Admin can configure the "Total Maximum Bandwidth" to a value lower than the interface speed limit.

PCS-46998

Symptom: Kernel stack trace is seen on ICS console.

Conditions: Under rare conditions, Kernel stack trace is seen on ICS console.

Workaround: None. ICS has to be power cycled.

Release 22.6R2.1

PCS-44875

Symptom: Event logs are filled with certificate expired error messages.

Condition: ICS is loaded with an expired trusted server CA.

Workaround: None, just a display issue.

Release 22.6R2

PCS-44672

Symptom: PSAL fails to launch JSAM with JDK 21 on macOS Ventura 13.6.

Condition: When the user tries to access JSAM with JDK 21 on macOS Ventura 13.6.

Workaround: Use JDK 17 instead of JDK 21.

PRS-417562

PRS-417355

Symptom: User/WTS session is getting terminated.

Condition: When “Enable session timeout warning” option is enabled.

Workaround: Disable the “Enable session timeout warning” option.

PCS-44362

Symptom: Failed to save package, cannot copy UEBA package.

Condition: Uploading new UEBA package.

Workaround: None. Contact Support for assistance.

PCS-43985

Symptom: VPN tunneling filter deletion for IPv6 under System > Network > VPN tunneling. IPv6 filter not assigned to VPN clients if no filter is specified.

Condition: Importing binary config from 22.3, 22.4, 22.5 releases.

Workaround: Add default filter * for IPv6 in System > Network > VPN tunneling

PZT-42049

Symptom: Analytics Dashboard and Gateway logs are not synced with nSA.

Condition: ICS Gateways running on cloud with version 22.5R2 or above.

Workaround: NA

Release 22.5R2.1

PCS-43559

Symptom: AD join from troubleshooting page fails with Error "Failed to find DC for domain <DOMAIN NAME> - Undetermined error".

Condition: When AD container name contains spaces and was different than the default "Computers".

Workaround: Use quotes in the AD configuration page if the AD container name has spaces.

PCS-42906

Symptom: A few expired trusted server CAs are not getting deleted.

Condition: When checking the Trusted Server CA page with the "Show only expired CAs" option enabled.

Workaround: Admin can import the latest CAs if necessary.

PCS-41732

Symptom: Port probe: Internal port IPv6 address is incorrectly populated when the user selects Management port with family type as IPv6.

Condition: Interface port is selected first and then family type.

Workaround: Select family type first and then select the Interface as Internal/Management Port.

PPS-10870

Symptom: OAuth token encryption using ECC certificates fails.

Workaround: Use RSA certificates for Token Encryption

PCS-38894

Symptom: Advanced HTML5 external storage feature will not work.

Condition: When external storage server contains special characters in the password.

Workaround: Do not use any special characters in the password.

PCS-42593

Symptom: Stats for other node are not accessible from the current cluster node.

Conditions:

1. Go to System > Status > Overview.

2. Select the other node from the drop down in any of the charts.

Workaround: None. Login to the other node to get the charts.

PCS-42347

Symptom: Multiple authentication successful messages are observed in user access logs when the user tries OWA 2016 or above with Kerberos SSO.

Workaround: NA

PCS-42311

Symptom: VPN fails to connect with Login Failed Error.

Condition: When Host Checker is configured without enforcing it at the realm.

Workaround: Enforce same host checker policies at realm also.

Release 22.4R2

22.4R1 Known issues are also applicable to 22.4R2.

PCS-37647

Symptom: Enterprise on-boarding feature will not work.

Condition: When end user uses on-boarding feature.

Workaround: None

PCS-37637

Symptom: Test enrollment will not work

Condition: When end user uses on-boarding feature.

Workaround: None

PCS-40086

Symptom: Browser-based certificate authentication fails when TLS 1.3 is enabled on the ICS.

Condition: Browser-based certificate authentication fails when the admin enables TLS 1.3 on ICS.

Workaround: Admin needs to enable TLS 1.2 (refer to KB).

PCS-41506

Symptom: KB link for TLS 1.3 client support warning on the dashboard page takes you to a broken link.

Condition: Click KB45694 link shown in the dashboard for Client impact with TLS 1.3.

Workaround: See KB for details.

PCS-35445

Symptom: Unable to set FIPS mode for web server.

Condition: FIPS mode is not supported

Workaround: None

PCS-39643

Symptom: Console doesn't respond to user input when selecting "change SELinux mode".

Condition: Post cluster upgrade to 22.4R2.

Workaround: Restart services from the UI.

PCS-39986

Symptom: ICS initial configuration is not getting configured automatically from vApp options

Conditions: After performing clear config operation through VM Virtual Console

Workaround: None. Configure ICS initial configuration such as IP address, admin user, self-signed cert details manually

PCS-40824

Symptom: The Active Users pages in cluster nodes are not in sync for connected users. This happens when the cluster splits and joins.

Condition: This occurs when the cluster splits and joins.

Workaround: None, it's just a display issue. In a new session it is displayed correctly.

PCS-41405

Symptom: VM upgrade and installation progress messages before reboot are not seen on the VM serial console.

Condition: When the upgrade was performed from 22.4R2 to a higher release.

Workaround: None

PCS-41031

Symptom: Kernel rate limiting is not working on config import

Condition: During config import from 22.4R2 with Kernel rate limiting enabled to another 22.4R2 setup.

Workaround: A change in DOS/DDOS options requires an ICS reboot after config import. As a workaround undo and save the change, then redo and save from the interface.

PCS-40902

Symptom: Active Sync with Cert and Kerberos Constrained Delegation (KCD) does not work.

Condition: When TLS 1.3 is enabled on ICS in inbound settings.

Workaround: Enable TLS 1.2 on ICS in inbound settings.

PCS-40467

Symptom: On single core CPU platform, web server snapshot can be generated upon Security related configuration change.

Condition: Upon change in Security configuration (such as change in TLS version) old web server process exits with crash

Workaround: NA

PCS-40154

Symptom: Sometimes, Advanced HTML5 session does not respond to mouse clicks.

Conditions: This issue usually happens when the user tries to copy text using the mouse on an SSH terminal session within an HTML5 session.

Workaround: Disconnecting and reconnecting the Advanced HTML5 session solves the issue.

PCS-39794

Symptom: If the server has TLS 1.3 enforced, the existing client connections and upgrades fail.

Condition: TLS 1.3 enforced for the secure connections.

Workaround: Enable the TLS 1.2 and higher option in the server, connect to the server and upgrade to the latest versions.

PCS-39045

Symptom: TLS 1.3 is not supported on mobile VPN client.

Condition: Mobile Authentication will not work when the user enables TLS 1.3 on ICS.

Workaround: Select TLS 1.2 on the ICS server.

PCS-39942

Symptom: DMI-based script is no longer able to connect to ICS.

Conditions: After ICS is upgraded to 22.4R2

Workaround: NA.

PCS-38817

Symptom: Test connection for AWS/Azure archival server is showing as "Failed to connect to S3 bucket, WrongBucketLocation"

Condition: When configuring AWS or Azure as archival server location.

Workaround: Admin can configure SCP or FTP Server for archiving.

PCS-40729

Symptom: Cluster creation with IPv6 and default VLAN ID is not supported.

Workaround: NA

PCS-41273

Symptom: End-users are receiving "VPN Server is busy and unable to accept new connections." on the ISA Client, and unable to access intranet.

Conditions: When system operations (VIP failover, reboot, restart of services) are performed on the Gateway when users are logged in.

Workaround: Perform operations affecting the system such as VIP Failover, Restart of Services, Reboot only during off hours. As a workaround, end-users can re-try after a minute and they would be able to re-establish VPN.

PCS-41014

Symptom: Upgrading from 22.4R2 to R1 builds will not show error when tried via REST API or DMI.

Workaround: Upgrade will not happen to R1 builds since it is not a supported upgrade path but no error message will be shown to admin saying that this is not supported.

Release 22.4R1

 

PCS-40794

Symptom: Launching the Web bookmark via JSAM has issues.

Condition: When the PSAL is not installed on the client machine.

Workaround: Create web bookmark to launch via the rewriter engine instead of JSAM.

PCS-40656

Symptom: On a mobile device, if the user logs in to the web portal via browser and then launches a VPN connection, the VPN session fails to establish.

Condition: When the Secure Application Manager feature is disabled under a user role configuration on ICS, a mobile device user who first logs in to the web portal via browser and then launches a VPN connection using a VPN bookmark fails to establish a VPN session.

Workaround: Enable Secure Application Manager feature under a user role configuration on ICS.

PCS-41115

Symptom: JSAM logout button throws an internal error message.

Condition: When OpenJDK 17 Java is installed.

Workaround: No feature impact. Click the OK button on the error screen and the JSAM applet will log out.

PCS-41007

Symptom: ICS does not send logs to remote syslog servers and nSA, impacting analytics.

Conditions:

This is seen in the following scenario:

1. Preferred mode is set to IPv6.

2. Hostname is used to specify the remote syslog server, and it resolves to both IPv4 and IPv6.

3. Preferred network to contact nSA is set via Management port.

4. Management port is configured with IPv6, but in disabled state.

Workaround:

1. Re-enable IPv6 on the management port, if possible, or remove IPv6 from the management port.

2. Restart services or make a change in any of the syslog server config in the Admin UI.

PCS-40067

Symptom: Missing certificate error is not displayed when user connects to Certificate based VPN profile without a mapped certificate in the profile

Workaround: Map/add user certificate to the profile

PCS-39675

Symptom: Start button for JSAM launch in Ubuntu is failing

Workaround: No workaround

PCS-38989

Symptom: Connection with syslog server is failing.

Workaround: Restart the syslog server.

PCS-40006

Symptom: File browsing with hostname is going through IPv4 address when "Preferred DNS Response:" is configured as IPv6.

Workaround: Use the IPv6 address instead of host name.

PCS-40007

Symptom: File browsing with hostname is not working when DNS response has IPv6 address only.

Condition: When a file server/share is configured with a hostname, the hostname is not resolved to an IPv6 address. This is because the getaddrinfo API is not supporting IPv6 resolution.

Workaround: NA

PCS-40910

Symptom: When a file server/share is configured with a hostname, the hostname is not resolved to an IPv6 address.

Conditions: File Server/Share configuration with hostname.

Workaround: Use IPv6 address while configuring instead of hostname.

PPS-10665

Symptom: Compliance check fails on Mac OS X while using IPv6.

Workaround: None

Release 22.3R1

 

PCS-37354

Symptom: Ping6 with host name is not working.

Condition: When admin performs ping6 operation using host name.

Workaround: Admin can perform ping6 using IPv6 address.

PZT-36727

Symptom: SNMP timeouts occur more often than the usual expected rate.

Condition: When the queries are sent aggressively, at around 57 queries/sec, timeouts occur.

Workaround: Increase the querying time, for example to 57 queries in 2-3 seconds, to see comparatively fewer timeouts.

PCS-39623

Symptom: Upgrade of cluster node fails with "Unable to extract installer" error message.

Conditions:

1. Upgrade triggered on a Cluster.

2. Node-1 upgrades successfully to 22.3R1.

3. Node-1 asks Node-2 to upgrade.

4. Node-2 copies the package from Node-1, but fails to extract the installer. This is due to free disk space constraints on Node-2.

Workaround:

1. Power cycle Node-2.

2. Press Tab and boot into Standalone mode.

3. Access the UI and follow the procedure mentioned in KB44877 to clean up space.

4. Reboot and join the cluster. Upgrade of cluster node is done successfully.

PCS-39641

Symptom: Intermittently, during fresh install and upgrades of client launches, PSAL is not detected on the first attempt.

Condition: During fresh install and upgrade of client launches.

Workaround: Retry the client launch; it works.

PCS-39675

Symptom: Start button for JSAM launch in Ubuntu is failing

Workaround: No workaround

PCS-38218

Symptom: An error prompts when 'Citrix All Listed Application' is clicked: "Failed to contact server, check the network connection and try again."

Condition: XML export and import of 'Citrix All Listed Application' along with other Citrix bookmarks.

Workaround: Delete the 'Citrix All Listed Application' bookmark and recreate it manually using Terminal profile via admin login.

PCS-38455

Symptom: Only the 'Citrix listed applications' bookmark is shown in the user home page.

Condition: The issue is encountered only when 'Citrix listed applications' is the 1st entry in Users > User Roles > [User-Name] > Terminal Services > Sessions.

Workaround: Reorder the Terminal Services Sessions from the Users > User Roles > [User-Name] > Terminal Services > Sessions page using the up-down arrows and don't keep 'Citrix listed application' as the 1st entry.

PCS-38731

Symptom: Enterprise onboarding profile push will not work on mobile end point.

Condition: When a new VPN client is installed on the Mobile end point.

Workaround: By using MDM server required profiles can be pushed to the mobile end point.

PCS-39459

Symptom: Upgrade is not working from 9.1R15 (18393) classic to 9.1R17 HLGW (22091).

Condition: Upgrade from 9.1R15 build 18393 to 9.1R17 HLGW.

Workaround: Increase the idle timeout and max session length. Set the idle timeout to (300) and the max session length (360) minutes.

PSD-13168

Symptoms: When browser extension is enabled, PSAL upgrade to latest might fail.

Condition: Client launch might fail if the PSAL browser extension is enabled in an upgrade scenario.

Workaround: Reinstalling PSAL will launch clients without an issue.

PCS-39504

Symptom: On launching JSAM/HOB, any of the following issues is observed on a macOS Ventura machine:

"Failed to contact server." error displays.

"Detected an internal error, please retry" error displays.

Multiple PSAL popups appear.

JSAM/HOB does not launch on the first try.

Condition: When using a lower PSAL version (22.2R1 or lower) on macOS Ventura.

Workaround:

1. Log out of the browser.

2. Log in again and cancel the PSAL popup message, "Do you want to allow this page to open PulseApplicationLauncher?"

3. The PSAL download page appears after some time.

4. Download and install the new version of PSAL.

5. Log out and log in again.

PCS-38955

Symptom: FTP is not working with IPv6 FTP server.

Condition: When admin configured IPv6 FTP server for archival.

Workaround: Admin can use IPv4 FTP server for archiving.

PCS-36442

Symptom: "Failed to contact server" error prompted.

Condition: "Failed to contact server" error observed sometimes when auto-launch is enabled.

Workaround: None

PCS-37839

Symptom: Citrix default ICA launch fails.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: User can use Citrix workspace app version 2109.

PCS-37845

Symptom: VDI-Citrix XenDesktop launch fails.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: User can use Citrix workspace app version 2109.

PCS-37219

Symptom: sg_agent is not able to detect the smart card when end users use macOS with smart card redirect support to RDP to a Windows machine.

Condition: As per BSSL, since no RDC clients are available on Mac, there may not be any solution as of now.

Workaround: None.

PCS-39271

Symptom: None of the selected username data is deleted from the Behavioral Analytics User Report list.

Condition: When compliant users are listed in the report.

Workaround: NA

PCS-32175

Symptom: The auth traffic is not following the selection of traffic interface.

Condition: Even if admin configures auth traffic to go through management, it still goes through internal interface.

Workaround: NA

PCS-36629

Symptom: ESP throughput drops when users log in from two different source IPs on OpenStack KVM ISA6Kv.

Condition: With payload of 1300 bytes or higher, you might experience performance drop due to fragmentation.

Workaround: With payload of 1300 bytes or lower, you will not hit this issue.

PCS-36937

Symptom: End user is not able to receive multicast traffic.

Condition: When the end user is connected to VPN in ESP.

Workaround: NA

PCS-34315

Symptom: AD server will not be able to join when default VLAN is enabled.

Conditions: Default VLAN is enabled on interfaces.

Workaround: Enable Traffic decoupling and map the setting of system-level interface; the interface should be the default-VLAN interface of the internal interface.

PCS-39434

Symptom: Time on the ICS gateway goes out of sync, even though it is configured with NTP servers.

Conditions: When DNS preferred mode is set to IPv6

Workaround:

1. Set DNS preferred mode to IPv4.

2. Go to System > Status > Overview page. Click Edit link under System Date & Time.

3. Click Save Changes.

PCS-39255

Symptom: The dashboard graphs for HC failures and OS types are not populated.

Workaround: Restart services to fix the issue.

PCS-39073

Symptoms: When you try to launch JSAM on macOS using browser extension, you will see an error saying "jnlib file is malicious".

Condition: By default, browser extension is not enabled and customers do not see any major impact unless they enable browser extension. If browser extension is enabled, it is recommended not to use JSAM and HOB.

Workaround: Use custom protocol which is the workflow by default.

PCS-39227

Symptoms: After launching JSAM an error prompts, "Safari can't find the server."

Condition: When a user launches JSAM on a macOS Ventura machine using the Safari browser, the user may see "Safari can't find the server."

Workaround: The user can use the Chrome browser for the JSAM launch.

PCS-39265

Symptom: HOB auto launch is not working.

Condition: When a user uses Windows as a client machine.

Workaround: User can do manual launch.

PCS-38630

Symptom: Upgrade from pre-22.3R1 > 22.3R1 appears to be stuck after importing system data.

Conditions: When upgrading the gateway from pre-22.3R1 > 22.3R1

Workaround: The issue is seen due to an increase in ICS package size. Refer to the KB on how to work around this issue.

PCS-39291

Symptom: When Home Icon in Floating tool bar is clicked, the end-user gets ‘The page you requested could not be found’ error.

Conditions: When the user clicks on the Home Icon in the floating tool bar within an Advanced HTML5 session.

Workaround: Clear the browser cache and retry.

PCS-36999

Symptom: OAuth authentication fails in the end user page while using dynamic URL. OAuth configurations are created using dynamic URL and upgraded to the latest version. Authentication fails inconsistently in this scenario.

Condition: When creating an OAuth server with dynamic URL and trying the authentication after upgrade.

Workaround:

Delete the existing OAuth configuration and create a new configuration in the latest version.

Upgrade without using dynamic URL (with manual configuration).

PCS-38597

Symptom: In Dual Stack LDAP Authentication, user authentication fails if Primary server is IPv6 and backup servers are IPv4.

Condition: Issue exists only when primary server is configured as IPv6 and backup servers are IPv4, only in dual stack case.

Workaround: Configure IPv4 servers as Primary and IPv6 servers as Backup servers.

PCS-37815

Symptom: Upgrade of gateway using DMI fails.

Conditions: When trying to upgrade gateway using DMI RPCs.

Workaround: Use Admin UI to upgrade the gateway.

Release 22.2R1

 

PCS-37128

Symptom: XML import fails in release 22.2R1 when HTML5 resource profiles are exported from release 9.1R15 or R16.

Condition: Importing HTML5 resource profiles into 22.2R1.

Workaround: NA

PCS-35512

Symptom: User browses to appserver URL with 8083 port (http://appserver:8083/test.asp), it re-directs to some other webpage.

Condition: When the user configures the appserver with Kerberos functionality and tries to access the URL: http://appserver:8083/test.asp in the end user page.

Workaround: Instead of browsing end user page, directly browse the login URL: http://appserver:8083/test.asp

PCS-36912

Symptom: Displays "Exceeded maximum of 51 write attempts".

Conditions: During restart/reboot of the system.

Workaround: None. No functionality impact.

PCS-36787

Symptom: Certificate validity check shows certificate expired for less than 90 days.

Condition: During certificate validity check.

Workaround: No functional impact, ignore the message.

PCS-37104

Symptom: Downloaded Protected Zip File (1KB) is empty but actual file size is 2.07MB.

Condition: When the user configures the Appserver with protected file share and then downloads any protected file.

Workaround: Instead of downloading files through zip, download each file individually by clicking it.

PCS-35628

Symptom: Installing Ivanti Secure Access Client through browser fails.

Condition: After end user login, clicking the Start button on the "PULSE UNIFIED CLIENT" bookmark fails to install Ivanti Secure Access Client.

Workaround: User can download Ivanti Secure Access Client directly from the Server (System > Maintenance > Installers) and install it on the end point.

PCS-36683

Symptom: Setup client uninstall will not work sometimes.

Condition: When a user tries to uninstall setup client.

Workaround: User has to reboot the client machine.

PCS-36764

Symptom: File cannot be downloaded or deleted from the end user UI.

Conditions:

Bookmarks for a file server have to be present in the end user UI.

Files have to be present in the server upon navigating from bookmark to the file server.

Workaround: None

PCS-36556

Symptom: Binary configuration import from 9.x classic to 22.2 gateway causes the gateway to be disconnected from the nSA and hence no configuration upload happens to the nSA.

Condition: During binary configuration import from 9.x classic to a 22.2 gateway that is already registered to nSA. The configuration import brings the registered ICS device into a gateway not ready state on nSA, thereby not updating the newly imported ICS configurations to nSA.

Workaround: Clear the nSA registration status by navigating to System > Ivanti Neurons for Secure access > Clear config and then restart the Gateway service from Maintenance > Platform > Restart Services. After restart, register again with nSA.

PCS-37090

Symptom: Black screen is shown when user tries to download PSAL from Safari browser.

Condition: When PSAL is downloaded and installed for the first time.

Workaround: After PSAL is installed, access the end user page and launch JSAM.

PCS-37092

Symptom: End user Onboarding option is not displaying on macOS.

Condition: When a user uses macOS.

Workaround: N/A

PCS-36675

Symptom: Panel Preferences for Admin/end user bookmarks is not shown.

Condition: When a user accesses the end user Panel Preferences page.

Workaround: N/A

PCS-36684

Symptom: Page refresh issue on end user portal.

Condition: When a user configures wrong VDI login details and reconfigures with correct login details.

Workaround: User has to re-login to the end user portal.

Release 22.1R6

 

PCS-36319

Symptom: Save All Logs option missing from Events/User Access/Admin Access Logs.

Condition: When Admin navigates to Monitoring > Events > Logs and tries to Save Logs.

Workaround: NA

PCS-34870

Symptom: Clear config data fails with errors.

Condition: On ISA8000 platform admin console, when “Clear all configuration data at this Ivanti Connect Secure” is run from the “System Operations” options.

Workaround: After performing Clear config data, restart the system and choose the “Factory reset” option. This issue will be fixed in a future release.

PCS-35850

Symptom: Disk and RAID status appears as Unknown for some time.

Condition: After adding the disk from console, when the user immediately checks Disk and RAID status from the UI, it appears as Unknown.

Workaround: After adding the disk from console, wait for one minute before checking Disk and RAID status from the UI. It might take up to one minute to sync the status between the GUI and console.

Release 22.1R1

 

PCS-36093

Symptom: Configuration import fails with reason: software version used to create import file was '9.1R14 (build 16847)' current version of software is '22.1R1 (build 421)'.

Condition: When admin tries to import configuration from release 9.1R14 / 9.1R14.1 to 22.1R1.

Workaround: NA

PCS-34435

Symptom: Third party related error messages seen on VA console.

Condition: Connect Secure registered with nSA.

Workaround: None. These messages can be ignored as it does not affect functionality.

PCS-34301

Symptom: Connect Secure is not sending Microsoft Intune server request.

Condition: During the user authentication.

Workaround: Restart services will restart the MDM services.

PCS-33729

Symptom: Cache cleaner policy is not getting imported when importing XML file for user role configured with cache cleaner policy.

Condition: During XML import of user role with cache cleaner policy.

Workaround: None. Assigning cache cleaner policy to a user role is a deprecated feature.

PCS-34315

Symptom: AD server is not able to join when default VLAN is enabled.

Condition: Default VLAN enabled on interfaces.

Workaround: Enable Traffic decoupling and map the setting of system-level interface and interface to default-VLAN interface of the internal interface.

PCS-34546

9.X HLGW : KVM :

Symptom: Post upgrade, not able to access GUI.

Condition: After upgrading KVM appliance with gateway build.

Workaround: NA

PCS-34530

Symptom: Rollback via console is not working on KVM appliance.

Condition: Using rollback option in KVM appliance.

Workaround: NA

PCS-34411

Symptom: Logs are not pushed from gateways to nSA.

Condition: During 21.9R1 and 21.12R1 gateways upgrade to 22.1R1 and after certificate rotation, logs are not pushed.

Workaround: Restart the gateway services.

PCS-34253

Symptom: Cluster VIP owner details are not in sync between nSA and gateways.

Condition: 22.1R1 Connect Secure AP cluster setup registered with nSA.

Workaround: Rebooting the cluster setup will resolve the issue.

PCS-34681

Symptom: Roll back option not available in nSA for AA cluster.

Condition: Connect Secure status is not updated properly to nSA.

Workaround: Reboot the AA cluster.

PCS-34357

Symptom: Bandwidth consumption is more than configured when downloading files using SSL tunnel mode.

Condition: Bandwidth policy is configured with minimum and maximum values and assigned to user roles that have SSL as the VPN tunnel mode.

Workaround: Configure user roles with ESP tunnel mode for roles configured with bandwidth policy.

PCS-34870

Symptom: Reboot fails on selecting clear config from CLI menu.

Condition: Select option 4 and then 6 from CLI menu.

Workaround:

Perform a Factory Reset and proceed, or

If you have saved a default config or clean config, a binary import can be done as a workaround.

PCS-34485

Symptom: Time tracks back by ~4 hours on Connect Secure.

Conditions: After admin restarts system services.

Workaround: None. Time gets re-synced with NTP servers automatically.

 

 

Release 21.12R1

PCS-32765

Symptom: Intermediate file bookmark page is shown when end user tries to access file bookmark.

Conditions: When end user tries to access Windows file bookmark.

Workaround: After end user provides credentials to access windows file bookmark, if you see the same file bookmark again, then you need to select the desired file bookmark.

PCS-32717

Symptom: XML import fails for UserRecordSync configuration.

Condition: When UserRecordSync is enabled.

Workaround: NA

PCS-32594

Symptom: Bookmarks are not getting Synced for end user.

Condition: When UserRecordSync is enabled.

Workaround: NA

PCS-32543

Symptom: Pushing sign-in URLs, notifications and pages not supported.

Condition: Create any sign-in settings with URL.

Workaround: NA

PCS-32467

Symptom: Latest syslog Server is displayed if entire cluster is selected.

Condition: Multiple syslog servers must be added in the cluster mode.

Workaround: NA

PCS-32324

Symptom: Error messages related to upgrading cache seen under event logs.

Condition: After the Connect Secure upgrade.

Workaround: NA

PCS-30489

Symptom: Bandwidth is not restricted even though minimum and maximum levels are configured.

Condition: When Admission Privilege Level is configured for bandwidth management in ESP and SSL mode.

Workaround: NA

PCS-30439

Symptoms: End user login fails for users created in Local authentication server with clear text password enabled.

Condition: Creating local authentication server with clear text enabled.

Workaround: For Non IKE use cases, do not enable clear text password option.

PCS-29121

Symptom: Toolbar not visible for bookmarks in PTP mode when using Chrome and Edge browsers.

Condition: When web bookmark is configured to be accessed over PTP mode instead of rewriter mode.

Workaround:

Open Connect Secure home page URL in new tab to see the toolbars.

While clicking on bookmarks from Connect Secure home page, select to open in new tab.

PCS-32836

Symptom: Pulse Client copyright date is not updated to the year 2022.

Condition: Pulse Client copyright year is shown as 2021.

Workaround: NA

PCS-32596

Symptom: Upgrade from 9.1R13 and 9.1R12 GA to 9.1R13.1 is failing at the upload step with Access restricted error.

Condition: When Administrator session is set to default and an upgrade is initiated using the package file.

Workaround: Increase idle timeout to 400 and Max Session Length to 600 before starting the upgrade. Administrators > Delegated Admin Roles > Administrators > session timeout

PCS-32374

Symptom: AD authentication fails with Role based VLAN.

Condition: When AD authentication is selected.

Workaround: NA

PCS-30917

Symptom: During session extension from Pulse Client or automatic session extension for the end user portal, the new session count is incremented for the gateway, but the old session is not deleted from nSA.

Condition: During session extension from Pulse Client or automatic session extension for the end user portal, when the license count is exhausted.

Workaround: NA

PCS-32833

Symptom: Status information such as cluster reboot/ICT/cluster upgrades is not synced between Gateways in nSA cluster.

Condition: In any cluster, the status of cluster-wide actions is not synced.

Workaround: This is only status information; the actual tasks are already performed.

PCS-32906

Symptom: ISA VM machine ID getting changed.

Conditions: Navigate to System>Maintenance>Options and Check/Uncheck the "Enable Virtual Terminal console" check box and then click "save changes".

Workaround: NA

PCS-32354

Symptom: Registration status of Connect Secure is in green color.

Condition: Importing binary config of existing registered Connect Secure system config.

Workaround: Clearing and re-registration of nSA.

PCS-32834

Symptom: Test connection for AWS/Azure archival server is showing as "Failed to connect to S3 bucket, WrongBucketLocation".

Condition: When configuring AWS or Azure as archival server location.

Workaround: Admin can configure SCP or FTP Server for archiving.

PCS-28777

Symptom: End User is not able to launch Apps listed in MS RDweb console.

Condition: End User is using Google Chrome Browser to login.

Workaround: End User can use MS Edge or Firefox browser to login and launch Apps.

PCS-31245

Symptom: Logs from 9.x hlgw setup are not sent to nSA.

Condition: When DNS preferred settings are configured with IPv6 in the network overview page.

Workaround: Admin can configure DNS preferred settings as IPv4 in the network overview page.

PCS-32404

Symptom: AP Cluster VIP migration takes around 2 minutes when the cluster VIP is configured with an IPv6 address.

Condition: When the cluster VIP is configured with an IPv6 address.

Workaround: None. There is a time delay in cluster VIP migration, and the cluster VIP migrates to the other node.

PCS-33249

Symptom: Error message “ERROR: ld.so. object '/home/lib/libdspreload.so' from /etc/ld/so/preload cannot be preloaded:” appears at the end of successful completion of Connect Secure boot

Condition: After the completion of Connect Secure installation and boot

Workaround: None. This does not affect the Connect Secure functionality.

 

Release 21.9R1

PCS-30626

Symptom: Failed to update profile for user error is seen in user access logs for every user.

Condition: Importing system and user binary configs from 9.x where UEBA is configured.

Workaround: The UEBA package has to be imported manually for the Adaptive Authentication feature to continue to work fine and stop getting these messages for every user.

PCS-31165

Symptom: ESP to SSL session fallback happens randomly on L3 session.

Conditions: In AA Cluster setup, when VPN Tunneling connection profile is configured with ESP to SSL fallback, sometimes an L3-VPN session can fall back to SSL mode after a node leaves and joins the Cluster.

Workaround: Restarting Services on the Cluster resumes all users' VPN sessions to ESP mode.

PCS-30694

Symptom: Number of concurrent users (xx) exceeded the system limit (2) seen in user access logs.

Conditions: When nSA Named User Mode is enabled in System > Configuration > Licensing.

Workaround: None. End-user does not see any warning and logins will work.

PCS-31051

Symptom: Max Concurrent Users do not get updated immediately.

Conditions: After installing Connect Secure-EVAL license.

Workaround: None. System takes around 3-4 minutes for the page to get updated.

PCS-30919

Symptom: In Advanced HTML5 session, Copy paste functionality does not work after a while.

Conditions: When connected to backend Windows machines through Advanced HTML5 session.

Workaround: Disconnect and reconnect to Advanced HTML5 session.

PCS-31161

Symptom:

Error updating data for chart cloud_secure_roles seen in Admin logs.

Dashboard charts are not getting updated.

Conditions: After upgrading to 21.9R1 gateway build

Workaround: None. Dashboard charts get updated after a while.

PCS-30280

Symptom: Not able to launch Windows/Citrix terminal services through IPv6 address.

Condition: When end user enters IPv6 address to launch WTS/CTS.

Workaround: Launch with IPv4 address.

PCS-31156

Symptom: Sessions are not synced between nodes on an AA/AP cluster.

Condition: Connect Secure failover because of reboot/power cycle.

Workaround: New sessions after node recovery will be synced across both nodes and data on insights will be accurate.

PCS-31234

Symptom: HTML5 graph shows incorrect value for RDP sessions.

Condition: RDP sessions created on Connect Secure.

Workaround: No workaround.

PCS-31046

Symptom: XML import from 9.x Connect Secure Gateway to 21.x Gateway fails with a directory-server attribute error in a corner condition.

Condition: When exported XML from 9.x Gateway has an authentication server as system local server and attribute server set to "same as above".

Workaround: In the XML file either:

1. Set <directory-server> attribute value as None: <directory-server>None</directory-server>.

2. Or remove the <directory-server> attribute and save the file. XML import will be successful after that.

PCS-31168

Symptom: WSAM resources are accessed through Connect Secure even though the resources are denied in PSAM policy.

Condition: While modifying PSAM/WSAM policy from allow to deny.

Workaround: NA

PCS-30652

Symptom: Antivirus host checker policy fails with error "server has not received any information on Mac OS big sur".

Condition: When Host Checker policy with antivirus is configured on macOS Big Sur for pre-auth/post-auth.

Workaround: NA

PCS-31058

Symptom: On ISA-V or PSA-v VMware platform, spikes in dashboard throughput graph are seen every 5 minutes, when NTP server is configured.

Condition: If NTP server is configured and there is time drift on gateway.

Workaround: Change view of graph to 2 days or more. Or use "Sync time with ESX host" in VMware tools and remove NTP server configuration on gateway.

PCS-31213

Symptom: Multicast traffic does not flow through Connect Secure Gateway when using IGMPv3.

Condition: Only when a 3rd party tool sends multicast traffic with IGMPv3.

Workaround: For multicast to work, IGMPv2 should be configured on 3rd party tool.

PCS-30439

Symptoms: End user login fails for users created in Local authentication server with clear text password enabled.

Condition: Creating local authentication server with clear text enabled.

Workaround: For Non IKEv2 use cases, use without enabling clear text password.

PCS-31193

Symptom: HealthCheck REST API /api/v1/system/healthcheck?status=all returns Security gateway is inaccessible error.

Conditions: When the default gateway of internal port is NOT reachable.

Workaround: Make the internal gateway reachable.

PCS-30658

Symptom: Run Gateway Diagnostics option does not return any output.

Conditions: When triggering Run Gateway Diagnostics option from System Maintenance.

Workaround: None. This command is not supported on Connect Secure.

PCS-29657

Symptom: Kill command is seen on ISA-V virtual console.

Condition: On a fresh deploy of ISA-V on VMware ESXi, AWS or Azure.

Workaround: No functionality is affected. The message can be safely ignored.

PCS-30629

Symptom: End-user sees old sign-in page instead of modernised sign-in page.

Conditions:

1. Connect Secure is configured to use Remote TOTP for Secondary Auth.

2. Remote TOTP server is not reachable.

Workaround: None. If the Remote TOTP server is reachable, this page is not seen.

PCS-30854

Symptom: XML Import or Push Config fails with /users/user-roles/user-role[name=xyz-role]/html5-access/sessions.

Conditions: When trying to do XML import or Push Config of Selective Config.

Workaround:

XML Import: Remove sessions block under html5-access from XML file and then do XML import.

Push Config: There is no workaround.