Known Issues

The following table lists the known issues in each release:

Problem Report Number

Release Note

Release 22.8R2.2

Web Application Firewall (WAF) & Configuration

1449031

Symptom: When an admin tries to delete more than 600 users, WAF blocks it.

Condition: Deletion of more than 600 users.

Workaround: Delete 600 users at one time.

Cluster Management & Upgrade

1503708

Symptom: Upgrade of a lower version node fails during the "Verifying Package Integrity" step.

Condition: This issue occurs in the following scenario:

1. Create a cluster on pre-22.8R2 version.

2. Upgrade to 22.8R2.

3. Remove the cluster in 22.8R2.

4. Roll back node-1 and upgrade again to 22.8R2.

5. After the upgrade of node-1 is successful, roll back node-2.

6. When node-2 is coming up, it joins the cluster and attempts to upgrade to 22.8R2, at which point the error occurs.

Workaround: Boot the device in standalone mode and then perform the upgrade.

Authentication

1753244

Symptom: The TOTP fallback server fails to function when used in conjunction with an LDAP authentication server.

Condition: This issue occurs when configuring TOTP as a fallback for LDAP based authentication.

Workaround: N/A

End User Experience & Access

1700995

Symptom: When using the Safari browser, PSAL is not detected and the end user is prompted to download and install PSAL.

Condition: This issue occurs when attempting to log in via the Safari browser.

Workaround: Use Chrome instead of Safari for successful detection and login with PSAL.

1739513

Symptom: Web VDI bookmark access occasionally does not work.

Condition: This issue occurs when two Web VDI bookmarks are configured.

Workaround: Configure only one VDI bookmark and use it for access.

1751812

Symptom: PSAL is unable to launch the Java applet (JSAM) on Mac machines.

Condition: This issue occurs when an end user accesses a JSAM bookmark on a Mac device.

Workaround: Disable the HTTP Only Device Cookie option under User Roles > Users > General > Session Options. After disabling this setting, PSAL will be able to launch the JSAM applet.

1758504

Symptom: SAM internal resources are not passed through the configured proxy server.

Condition: This issue occurs when a PSAM proxy is configured with SAM resource policies.

Workaround: NA

Release 22.8R2.1

HA/Cluster

1703177

Symptom: Event logs display the message "administrator manual failover" when VIP failover occurs due to the active node rebooting.

Condition: This happens when the active node (holding the cluster VIP) undergoes a reboot.

Workaround: When this message appears, check the Admin logs to determine if the reboot was initiated by an administrator. Look for entries such as "Server Reboot requested by Admin/Administrators" to verify the source of the reboot.

1708187

Symptom: In an Active-Passive cluster configured with virtual ports on VLANs, backend resources within a VLAN become inaccessible following a cluster VIP failover.

Conditions: This issue is observed under the following circumstances:

The user role is configured with Source IP set to the VLAN virtual port.

VIP failover from the active to passive node is triggered by ICS code due to events such as gateway not reachable, system reboot, or an admin-initiated VIP failover.

Workaround: Reboot the entire cluster to restore access to backend resources.

End User Portal

1697623

Symptom: The browser bar in the End User Portal (EUP) displays "URL is invalid."

Condition: This occurs when the "Mask hostnames while browsing" option is enabled.

Workaround: Disable "Mask hostnames while browsing" and use the browser bar.

1708517

Symptom: A black screen is displayed when accessing a file share bookmark created by the end user.

Condition: This occurs when the bookmark is created through the file browse option.

Workaround:

The end user can access an admin-created bookmark and bookmark the required path to access.

Attempt to access the required file share path directly from the file browse option.

1710328

Symptom: End user receives the error message: "Invalid username or password. Please re-enter your user information" when attempting to log in to ICS.

Conditions: This error occurs when:

The end user already has an active session with ICS.

The end user tries to log in again from another device or browser.

Workaround: Close any existing sessions and log in again.

Authentication

1708860

Symptom: End-users occasionally receive the error message "Unable to perform TOTP auth."

Conditions:

The user realm is configured with Remote TOTP as the secondary authentication method.

The error typically occurs when multiple users attempt to log in simultaneously.

Workaround: Enable Adaptive Authentication, if possible. This will reduce the frequency of secondary authentication requests and help prevent the error.

1698364

Symptom: Active Directory authentication may offer or advertise vulnerable ciphers during SSL/TLS negotiation.

Condition: This occurs when an end user authenticates with Active Directory.

Workaround: N/A

RDP/ File Transfer

1696607

Symptom: HTML5 RDP connection is terminated unexpectedly.

Condition: This occurs when an end user attempts to send or receive files larger than 1 GB using the remote file transfer feature.

Workaround: N/A.

Web Application Firewall (WAF)/Config Import

1711109

Symptom: The WAF package reverts to version 1.0.0.

Condition: This occurs when the admin performs an Entire Push Config or System.cfg import from 22.8R2 GA.

Workaround:

Perform a WAF reset; the package will be restored to the default version 1.0.3.

If any exclude rule IDs are configured, the admin must reconfigure those rule IDs after the reset.

1709370

Symptom: XML import/push config fails with the error message: "Can't download crs package '1.0.0' from controller as gateway is not registered with controller."

Condition: This occurs when the admin performs a selective push config/XML import that includes WAF configuration.

Workaround: Admin can use system configuration (cfg) upload as an alternative.

1712905

Symptom: WAF issues are observed in the following configurations:

Manually configured CDP in Sub CA for CRL checking.

Backup CDP configured in Root CA.

CRL checking options set to use CDP specified in the trusted CA.

Condition: This issue occurs when an IP address is used in the CRL URL during CRL checking configuration.

Workaround: Use a domain name in the CRL URL instead of an IP address.

System Upgrade / Cache

1688577

Symptom: Event logs display the following message: "Error encountered while upgrading cache (Key: vc0/federateClientSettings/serverURL, Value: Created: 1)"

Condition: This occurs during the upgrade process.

Workaround: N/A

TLS/Certificates

1711706

Symptom: When switching from TLS 1.2 to TLS 1.3, end-users are not prompted to select a user certificate and instead see a "Missing certificate" error.

Condition: This issue occurs when the server is configured to use TLS 1.3.

Workaround: One of the following workarounds may resolve the issue:

Restart the end-user machine.

Restart the ICS server.

Try accessing with a different browser.

PSAM

1699625

Symptom: Backend resources are not accessible through the PSAM tunnel when non-standard TCP ports are used.

Condition: This occurs when applications are configured with non-standard TCP ports in PSAM.

Workaround: NA

Release 22.8R2

Authentication (AD / LDAP / OAuth / Certificates)

LDAP

1590662

Symptom: Enabling “Validate Server Certificate” for LDAP connections does not enforce or properly handle certificate validation.

Condition: Occurs when the “Validate Server Certificate” option is used in LDAP configuration.

Workaround: N/A

1624093

Symptom: Configuring an LDAP server fails with the error "Invalid server address".

Condition: Occurs when configuring an LDAP server.

Workaround: N/A

Active Directory (AD)

1562767

Symptom: Users are unable to change their AD passwords via the preference page.

Condition: This occurs during password change attempts from the end-user page.

Workaround: N/A

1624127

Symptom: On the AD troubleshooting page, DNS resolution checks fail if multiple AD servers are configured. DNS resolution succeeds for the AD server that is configured as a DNS server.

Condition: When multiple AD servers are configured on the ICS, DNS resolution for some of the AD servers may fail on the troubleshooting page.

Workaround: Configure the AD server IP as a primary DNS.

1617191

Symptom: After creating the AD server in an Active/Passive (A/P) cluster, the AD username and password fields are empty, even though the 'Save Credentials' setting is enabled.

Condition: The appliance is running version 22.8R2 and the device is configured in Active/Passive (A/P) cluster mode with the 'Save Credentials' option enabled on the AD authentication server.

Workaround: On each login, manually enter the AD credentials (since autofill/save is not working).

Traffic Routing

1558753

Symptom: AAA traffic segregation is not working as expected at both the global and server levels. Authentication attempts to AD or OAuth servers do not use the configured segregated port, resulting in all AAA traffic being sent via the internal port.

Condition: Occurs when segregation policies are set globally or per-auth server, but the system continues to use default paths for all authentication traffic. The issue is observed on both AD and OAuth authentication flows in the current platform version.

Workaround: N/A

OAuth

1622322

Symptoms: OAuth time skew is not working as per the configured values.

Workaround: N/A

Certificates

1561276

Symptom: The certificate authentication end-user page becomes inaccessible after enabling the "Advanced Certificate Processing Settings" option under trusted client CA configuration.

Condition: This occurs when the “Advanced Certificate Processing Settings” option is enabled for a trusted client CA in the admin UI.

Workaround: Disable "Advanced Certificate Processing Settings".

1617997

Symptom: User login is successful even when client certificate negotiation is disabled.

Condition: When "Trusted for Client Authentication" and "Participate in Client" are disabled on the trusted client CA.

Workaround: Delete from the ICS the client CA certificate that should no longer participate in client certificate negotiation.

Role/Access Control (Admin/User/Delegated)

1626143

Symptom: Creation of delegated admin role fails.

Condition: When trying to create a delegated admin role via REST API.

Workaround: Add rule IDs 920170 and 930120 to the WAF exclude rule ID list, and then execute the REST API.

Web Application Firewall (WAF)

1611707

Symptom: WAF package version is missing in the admin log.

Condition: When rollback is done for WAF package.

Workaround: N/A

1611701

Symptom: WAF package version is missing in the admin log.

Condition: When WAF package is uploaded.

Workaround: N/A

1506788

Symptom: The upload successful message is not populated.

Condition: When WAF ruleset package is uploaded.

Workaround: Refer to the admin logs.

1499053

Symptom: WAF functionality will not work.

Condition: When the admin enables Next Gen Web Server from console options.

Workaround: From the ICS admin UI, disable and then enable WAF; WAF functionality will then work.

1449031

Symptom: When an admin tries to delete more than 198 users, WAF blocks it.

Condition: Deletion of more than 198 users.

Workaround: Delete 150 users at one time.

1624455

Symptom: When attempting to push either selected or entire configuration to multiple targets in a single push job, the operation fails if the targets are configured with different Shared Secret Keys.

Condition: This issue occurs when multiple targets have different Shared Secret Keys configured and a single push job is used to deploy configurations to these targets (either selected or entire configuration).

Workaround: To successfully push configurations to multiple targets in one push job, ensure that all selected targets are configured with the same Shared Secret Key.

Clustering / High Availability

1626479

Symptom: One of the nodes in the cluster is not accessible after restarting services.

Condition: After restarting services.

Workaround: Restart the services or reboot the node with the issue.

REST API

1626107

Symptom: Restore of binary config via /api/v1//system/binary-configuration REST API fails.

Condition: When the REST API is executed against ICS running 22.8R2 and later.

Workaround: Use the Admin UI to back up and restore binary config.

1612333

Symptom: "IP Pool cannot be empty" error observed when switching from DHCP-based IP assignment to Pool-based for VPN Connection Profiles via REST API.

Condition: This occurs when the "ip-address-pool" attribute is provided before the "ip-address-assignment" attribute in the request body.

Workaround: Provide "ip-address-assignment" before the "ip-address-pool" attribute in the request body.

1601479

Symptom: Configuring an FQDN-based lockdown exception rule for a connection set fails through the REST API.

Condition: While configuring an FQDN-based lockdown exception rule for a connection set through the REST API.

Workaround: Configure the FQDN-based lockdown exception manually in ICS.

1600939

Symptom: When trying to create or update an Admin Realm through REST API, ICS returns “Unknown Element” error.

Condition: When the JSON input in the POST body contains “allow-admin-signin-external-port”.

Workaround: Remove “allow-admin-signin-external-port” attribute. It is no longer supported in ICS 22.8R2 and later releases.

Admin UI / Console / Web Server

1607526

Symptom: Admin UI is not accessible.

Condition: When the configured IPv6 address is wrong.

Workaround: Disable Next Gen Web Server from console, access the admin page and correct the IP address. Then enable Next Gen Web Server again from console.

1611987

Symptom: Debug log download is not working.

Condition: When Next Gen Web Server is disabled.

Workaround: Turn off the 'debug logging on' and 'include logs' fields, save, and then download the logs.

Cloud Secure Config

1628212

Symptom: Cloud Secure configuration fails with the error message: "Failed, no metadata".

Condition: This occurs when configuring the Office 365 application in Cloud Secure.

Workaround:

1. Download the Microsoft Office 365 (Azure AD) SAML metadata XML directly from Microsoft.

2. Save the file to your local machine.

3. In the Cloud Secure admin portal, choose to manually import SAML metadata, and upload the file you downloaded.

ISAC/Mobile Client / VPN Issues

1600243

Symptom: L3 Tunnel fails to connect using NCP for mobile clients (Android and iOS).

Condition: When NCP is chosen as Communication Protocol.

Workaround: Select IFT/TLS as the Communication Protocol instead of NCP.

1601128

Symptom: ISAC Connection using IPv6 is disconnecting when custom UDP port

Condition: When custom IPv6 UDP port is configured

Workaround: None

1600324

Symptom: ISAC client disconnection takes more time.

Condition: When SLO is enabled.

Workaround: Disable SLO.

1610000

Symptom: ISAC connection does not disconnect immediately after SESSION_TIMEOUT.

Condition: SESSION_TIMEOUT is configured in session options as 6 min, which is the minimum value.

Workaround: None

1627526

Symptom: Android ISAC client connection to ICS gateway fails with 'Server's security certificate is not trusted'.

Conditions: ICS is running 22.8R2.

Workaround: Disable Server certificate trust enforcement option under System > Configuration > Mobile.

Bookmark / File Browsing / Portal/End User UI

1628538

Symptom: SharePoint bookmark access throws the message "The page you requested could not be found."

Workaround: N/A

1624778

Symptom: Sometimes a 502 bad gateway message is seen.

Condition: When a File browsing bookmark is accessed.

Workaround: Try accessing a second time; it will work.

1618213

Symptom: JSAM bookmark access will not work when JRE 1.8 is installed.

Condition: When an end user accesses JSAM profiles with JRE 1.8.

Workaround: Install JDK instead of JRE 1.8.

License and Export/Import Issues

1600813

Symptom: Unable to lease licenses from license server.

Condition: A 22.8R2 license client is configured to lease licenses from a license server running 22.8R2.

Workaround: Use a license server running the latest 22.7R2.x version.

1621990

Symptom: System/User binary import/XML import fails with a 22.8R2 gateway registered to the latest NSA controller.

Workaround: Perform the System/User binary/XML import from the Gateway UI.

1590178

Symptom: Importing an XML file with archival config settings returns a password-related error message.

Workaround: If the exported XML is of 22.8R2.x or higher version, then a password of proper strength (as defined in the default Authentication Server) should be provided for the following archival configs before import:

System configuration

User accounts

Administrative Network Configuration

Archive XML configuration

vTPM / VM / VMware

1562419

Symptom: Unable to attach vTPM if vTPM is detached manually.

Condition: If vTPM is detached and needs to be re-attached, VMware VCD does not provide an option to re-attach vTPM.

Workaround: None. Removing vTPM makes vICS non-recoverable. vTPM is a mandatory component.

1609890

Symptom: Switching to serial console on the VM doesn't bring up the Admin/End user UI.

Condition: If a serial port is not attached to the VM and the Virtual Terminal is converted to serial console.

Workaround: Attach a serial port to the VM to access the UI.

1614488

Symptom: 22.8R2 can be staged on a VMware appliance running on 22.7Rx but upgrade fails.

Condition: On VMware, 22.8R2 may be staged from 22.7Rx, but the upgrade cannot proceed because upgrade from 22.7Rx to 22.8R2 is not allowed.

Workaround: None. Upgrade from 22.7Rx to 22.8R2 is not allowed.

Miscellaneous / System

1570129

Symptom: System boots up slowly compared to the previous version.

Condition: Reboot.

Workaround: None available.

1600229

Symptom: `/bin/cp cannot create regular file` message is seen on console.

Condition: Reboot.

Workaround: None. Error message is harmless. It can be ignored.

1621181

Symptom: Upgrade aborts with error “ADM23397: This appliance cannot be upgraded to 22.8R2.”

Workaround: No workaround. This indicates that the upgrade cannot proceed because the boot partition has insufficient disk space, which happens when the factory reset version is very old. Contact Ivanti Support about this error.

Upgrade

1590685

Symptom: During upgrade, logs related to "bind failed" are seen for a few seconds.

Condition: Upgrade, Enable/Disable Next Generation Webserver.

Workaround: NA