Known Issues

The following table lists the known issues in the respective release:

Problem Report Number

Release Note

Release 22.8R2

1590662

Symptom: Enabling “Validate Server Certificate” for LDAP connections does not enforce or properly handle certificate validation.

Condition: Occurs when the “Validate Server Certificate” option is used in LDAP configuration.

Workaround: N/A

1562767

Symptom: Users are unable to change their AD passwords via the preference page.

Condition: This occurs during password change attempts from the end-user page.

Workaround: N/A

1561276

Symptom: The certificate authentication end-user page becomes inaccessible after enabling the "Advanced Certificate Processing Settings" option under trusted client CA configuration.

Condition: This occurs when the “Advanced Certificate Processing Settings” option is enabled for a trusted client CA in the admin UI.

Workaround: Disable "Advanced Certificate Processing Settings".

1558753

Symptom: AAA traffic segregation is not working as expected at both the global and server levels. Authentication attempts to AD or OAuth servers do not use the configured segregated port, resulting in all AAA traffic being sent via the internal port.

Condition: Occurs when segregation policies are set globally or per-auth server, but the system continues to use default paths for all authentication traffic. The issue is observed on both AD and OAuth authentication flows in the current platform version.

Workaround: N/A

1624414

Symptom: ICS is not sending logs to the remote syslog server.

Conditions: When ICS is configured to send logs to a remote TLS syslog server.

Workaround: Use a TCP syslog server, if possible.

1628538

Symptom: SharePoint bookmark access throws the "The page you requested could not be found." message.

Workaround: N/A

1624127

Symptoms: On the AD troubleshooting page, DNS resolution checks fail if multiple AD servers are configured. DNS resolution succeeds for the AD server that is configured as a DNS server.

Condition: When multiple AD servers are configured on the ICS, DNS resolution for some of the AD servers may fail on the troubleshooting page.

Workaround: Configure the AD server IP as a primary DNS.

1622322

Symptoms: OAuth time skew is not working as per the configured values.

Workaround: N/A

1624093

Symptoms: Configuring an LDAP server fails with the error "Invalid server address".

Condition: When configuring an LDAP server.

Workaround: N/A

1607526

Symptom: Admin UI is not accessible.

Condition: When the configured IPv6 address is wrong.

Workaround: Disable Next Gen Web Server from the console, access the admin page, and correct the IP address. Then enable Next Gen Web Server again from the console.

1611707

Symptom: WAF package version is missing in the admin log.

Condition: When a rollback is done for the WAF package.

Workaround: N/A

1611987

Symptom: Debug log download is not working.

Condition: When Next Gen Web Server is disabled.

Workaround: Turn off the 'debug logging on' and 'include logs' fields, 'save' and then download the logs.

1628212

Symptoms: Cloud secure configuration fails with the error message: "Failed, no metadata".

Condition: This occurs when configuring the Office 365 application in Cloud Secure.

Workaround:

1. Download the Microsoft Office 365 (Azure AD) SAML metadata XML directly from Microsoft.

2. Save the file to your local machine.

3. In the Cloud Secure admin portal, choose to manually import SAML metadata, and upload the file you downloaded.

1627526

Symptom: Android ISAC client connection to ICS gateway fails with 'Server's security certificate is not trusted'.

Conditions: ICS is running 22.8R2.

Workaround: Disable the Server certificate trust enforcement option under System > Configuration > Mobile.

1626143

Symptom: Creation of delegated admin role fails.

Conditions: When trying to create a delegated admin role via REST API.

Workaround: Add the rule IDs 920170 and 930120 to the WAF exclude rule ID list, and then execute the REST API.

1626107

Symptom: Restore of binary config via /api/v1//system/binary-configuration REST API fails.

Condition: When the REST API is executed against ICS running 22.8R2 and later.

Workaround: Use the Admin UI to back up and restore the binary config.

1626479

Symptom: One of the nodes in the cluster is not accessible after restarting services.

Condition: After restarting services.

Workaround: Restart the services or reboot the node with the issue.

1624778

Symptom: Sometimes a 502 Bad Gateway message is seen.

Condition: When a file browsing bookmark is accessed.

Workaround: Try accessing it a second time; it will work.

1617191

Symptom: After creating the AD server in an Active/Passive (A/P) cluster, the AD username and password fields are empty, even though the 'Save Credentials' setting is enabled.

Condition: The appliance is running with 22.8R2 version and the device is configured in an Active/Passive (A/P) cluster mode with 'Save Credentials' option enabled on the AD authentication server.

Workaround: On each login, manually enter the AD credentials (since autofill/save is not working).

1601479

Symptom: Configuring an FQDN-based lockdown exception rule for a connection set through REST API fails.

Condition: While configuring an FQDN-based lockdown exception rule for a connection set through REST API.

Workaround: Configure the FQDN-based lockdown exception manually in ICS.

1601128

Symptom: ISAC Connection using IPv6 is disconnecting when custom UDP port

Condition: When a custom IPv6 UDP port is configured.

Workaround: None

1621990

Symptom: System/User Binary import/XML import is failing with 22.8R2 gateway registered to the latest NSA controller.

Workaround: Perform the System/User binary/XML import from the Gateway UI.

1600324

Symptom: ISAC client disconnection takes more time.

Condition: When SLO is enabled.

Workaround: Disable SLO.

1600229

Symptom: `/bin/cp cannot create regular file` message is seen on console.

Condition: Reboot.

Workaround: None. Error message is harmless. It can be ignored.

1600243

Symptom: L3 Tunnel fails to connect using NCP for mobile clients (Android and iOS).

Condition: When NCP is chosen as Communication Protocol.

Workaround: Select IFT/TLS as the Communication Protocol instead of NCP.

1621721

Symptom: HTML5 copy and paste will not work.

Condition: On Mac, when the user uses Command C/V operations.

Workaround: Select the required content, right-click, and choose Copy. Paste the content in the local machine.

1590178

Symptom: Importing an XML file with archival config settings returns a password-related error message.

Workaround: If the exported XML is from version 22.8R2.x or higher, a password of proper strength (as defined in the default Authentication Server) should be provided for the following archival configs before import:

System configuration

User accounts

Administrative Network Configuration

Archive XML configuration

1618213

Symptom: JSAM bookmark access will not work when JRE 1.8 is installed.

Condition: When the end user accesses JSAM profiles with JRE 1.8.

Workaround: Install JDK instead of JRE 1.8.

1600813

Symptom: Unable to lease licenses from license server.

Conditions: A 22.8R2 license client is configured to lease licenses from a license server running 22.8R2.

Workaround: Use a license server running the latest 22.7R2.x version.

1612333

Symptom: "IP Pool cannot be empty" error observed when switching from DHCP-based IP assignment to Pool-based for VPN Connection Profiles via REST API.

Condition: This occurs when the "ip-address-pool" attribute is provided before the "ip-address-assignment" attribute in the request body.

Workaround: Provide "ip-address-assignment" before the "ip-address-pool" attribute in the request body.

1610000

Symptom: ISAC connection does not disconnect immediately after SESSION_TIMEOUT.

Condition: When SESSION_TIMEOUT is configured in session options as 6 min, which is the minimum value.

Workaround: None

1609890

Symptom: Switching to serial console on a VM doesn't bring up the Admin/End user UI.

Condition: If a serial port is not attached to the VM and the Virtual Terminal is converted to serial console.

Workaround: Attach a serial port to the VM to access the UI.

1570129

Symptom: System boots up slowly compared to the previous version.

Condition: Reboot.

Workaround: None available.

1611701

Symptom: WAF package version is missing in the admin log.

Condition: When the WAF package is uploaded.

Workaround: N/A

1617997

Symptoms: User login is successful even if we disable client Certificate Negotiation.

Condition: When we disable "Trusted for Client Authentication" and "Participate in Client" on the trusted client CA.

Workaround: From the ICS, delete the client CA certificate that should no longer participate in client certificate negotiation.

1590685

Symptom: During upgrade, bind-failed related logs are seen for a few seconds.

Condition: Upgrade, Enable/Disable Next Generation Webserver.

Workaround: N/A

1562419

Symptom: Unable to attach vTPM if vTPM is detached manually.

Condition: If vTPM is detached and needs to be re-attached, VMware VCD does not provide an option to re-attach vTPM.

Workaround: None. Removing vTPM makes vICS non-recoverable. vTPM is a mandatory component.

1506788

Symptom: Upload successful message is not populated.

Condition: When the WAF ruleset package is uploaded.

Workaround: Refer to the admin logs.

1499053

Symptom: WAF functionality will not work.

Condition: When admin enables Next Gen Web Server from console options.

Workaround: From the ICS admin UI, disable and then enable the WAF; WAF functionality will then work.

1449031

Symptom: When an admin tries to delete more than 198 users, WAF blocks it.

Condition: Deletion of more than 198 users.

Workaround: Delete 150 users at one time.

1614488

Symptom: 22.8R2 can be staged on a VMware appliance running on 22.7Rx but upgrade fails.

Condition: On VMware, 22.8R2 may be staged from 22.7Rx, but the upgrade cannot proceed because upgrading from 22.7Rx to 22.8R2 is not allowed on VMware.

Workaround: Use direct upgrade instead of Staged Upgrade.

1600939

Symptom: When trying to create or update an Admin Realm through REST API, ICS returns “Unknown Element” error.

Conditions: When the JSON input in the POST body contains “allow-admin-signin-external-port”.

Workaround: Remove “allow-admin-signin-external-port” attribute. It is no longer supported in ICS 22.8R2 and later releases.

1621181

Symptom: Upgrade aborts with error “ADM23397: This appliance cannot be upgraded to 22.8R2.”

Workaround: No workaround. This indicates that the upgrade cannot proceed because there is insufficient disk space in the boot partition, which happens because the factory reset version is very old. Contact Ivanti Support for this error.