Known Issues

The following table lists the known issues outstanding from previous releases:

Problem Report Number

Release Note

Release 9.1R18.9 PRs
No new known issues in this release.
Release 9.1R18.8 PRs
No new known issues in this release.
Release 9.1R18.7 PRs


Symptom: RADIUS service crashes.

Condition: When logging to ICS through RADIUS.

Workaround: None.

Release 9.1R18.6 PRs
No new known issues in this release.
Release 9.1R18.5 PRs
No new known issues in this release.
Release 9.1R18.4 PRs
No new known issues in this release.
Release 9.1R18.2 PRs


Symptom: Virtual ports are not getting mapped automatically to the certificates.

Condition: when the config is imported.

Workaround: Map the certificates to the virtual ports manually.


Symptom: Re-valuation of the policies fail on ICS.

Condition: When user connects through browser.

Workaround: None.


Symptom: JITC remains enabled when NDcPP and FIPS are in disabled state.

Condition: When JITC is disabled through console.

Workaround: Disable the JITC option manually.

Release 9.1R18.1 PRs


Symptom: Error message is observed once the user log's out.

Condition: When JSAM with JDK 21 beta version is used on Windows 11 and Mac.

Workaround : Use JSAM with JDK 17 on windows and Mac OS(Sonoma and Ventura)


Symptom: Advanced html5 external storage feature will not work.

Condition: When external storage server contains special characters in the password.

Workaround: Do not use any special characters in the password.


Symptom: Pulse One sees a configuration change for each end- user login.

Condition: Due to ICS Sync with Auth servers and reload of end-user configurations.

Workaround: Add user information to exception list.

Release 9.1R18 PRs


Symptom: Errors while uploading configuration to ICS.

Condition: When multiple client packages are available.

Workaround: Ivanti recommends having only one client package.


Symptom: JSAM logout button throws an internal error message.

Condition: When open jdk-17 java is installed

Workaround: No feature impact, click the ok button on the error screen JSAM applet will logout.


Symptom: Citrix listed applications “Failed to connect” message is seen.

Condition : When SSO is not configured under bookmark page.

Workaround : Configure the SSO under bookmark page.


Symptom: Launching the Web bookmark via JSAM has issues.

Condition: When the PSAL is not installed on the client machine.

Workaround: Create web bookmark to launch via the rewriter engine instead of JSAM.


Symptom: Sometimes session disconnection is observed.

Condition: When VPN session is left idle for long time without any data transfer.

Workaround: Disconnect and reconnect the session.


Symptom: Citrix Storefront with CTS client will not launch.

Condition: When PSAL extension is enabled.

Workaround: Disable PSAL extension, CSF-CTS client will launch.


Symptom: ICS active users page shows agent type as "Windows 10 Firefox"

Condition: When user connects from Windows server 2016 Firefox browser.

Workaround: None.


Symptom: On a Mobile device, VPN Client fail to establish VPN connection.

Condition: VPN Client is not connecting to VPN and receiving fatal error from server when session options configured as Idle Timeout: 5, Session Time out: 6 and Reminder Time: 3

Workaround: Configure Session Time out as 10 or greater.


Symptom: 9. x ICS 2. x kernel is not supported on the cloud platforms.

Condition: When 9.x ICS is used on Azure and AWS cloud platforms.

Workaround: Ivanti recommends to migrate to 22.x ICS.

Release 9.1R17.1 PRs

No new known issues for this release.

Release 9.1R17 PRs

PCS- 39645

Symptom : VDI client launch is not working.

Condition : When upgrading the client from 9.1R15 to 9.1R17 with PSAL extension enabled.

Workaround : Re-install VDI launch .


Symptom : Intermittently during the Client launch and upgrades, PSAL is not detected in the first attempt.

Condition : During fresh install or upgrade of client.

Workaround : Re-launch client.


Symptom : JSAM auto launch is not working.

Condition : When Host checker is configured.

Workaround : Manually launch JSAM.


Symptom: Unable to delete the selected username data from Behavioral Analytics User Report

Condition: When compliant users are listed in the report.

Workaround: None.


Symptom: After launching JSAM an error displays, "Safari can't find the server."

Condition: When a user launches JSAM on a MAC Ventura machine using the Safari browser

Workaround: Use Chrome browser to launch JSAM


Symptom: HOB auto launch is not working.

Condition: When Windows is running on a client machine.

Workaround: Launch manually.


Symptom: JSAM is not launching with a browser extension on MAC devices.

Condition: Using JSAM and HOB when Browser extension is enabled.

Workaround: Use custom protocol.

PCS- 38955

Symptom: FTP is not working with IPv6 FTP server.

Condition: When IPv6 FTP server is configured for archival.

Workaround: Use IPv4 FTP server for archiving.


Symptom: Enterprise onboarding profile push will not work on mobile end point.

Condition: When a new VPN client is installed on the Mobile end point.

Workaround: By using MDM server required profiles can be pushed to the mobile end point.


Symptom: Only 'Citrix listed applications' bookmarks is shown in the user home page.

Condition: when 'Citrix listed applications' is the 1st entry in Users->User Roles->[User-Name]->Terminal Services->Sessions.

Workaround: Avoid 'Citrix listed applications' as the first entry. Reorder the Terminal Services Sessions from Users->User Roles->[User-Name]->Terminal Services->Sessions page using up-down arrows.


Symptom: Displays error “Failed to contact server , Please check the network connection and try again”.

Condition: During XML export and import of “Citrix All Listed Application” along with other Citrix bookmarks

Workaround: Delete the “Citrix all listed application” bookmark and recreate manually using Terminal profile through admin login.


Symptom: VDI-Citrix Xendesktop launch fails.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: Use Citrix workspace app version 2109.


Symptom: Citrix default ICS launch fails.

Condition: When a user uses Citrix workspace app 2112 or later.

Workaround: Use Citrix workspace app version 2109.


Symptom: Oauth authentication fails in the end user page while using dynamic URL.

Condition: When creating oauth server with dynamic URL and trying the authentication after upgrade.


1. To delete existing Oauth configuration and create a new configuration in the latest version

2. Upgrade without using dynamic URL (with manual configuration)

Release 9.1R16.1 PRs

No new known issues found in this release.

Release 9.1R16 PRs

PRS- 412081

Symptom: Not able to launch JSAM and PDC client.

Condition: When an end-user tries from Client Apps page.

Workaround: Launch the clients from end-user home page.


Usernames with special characters sometimes may not get updated in the Named Users Database on the License Server.

Condition: When Named Users Remote Repo mode is enabled on License Server

Username with special characters tries to login to a gateway registered with the License Server

Workaround: None.


Symptom: Client launch fails on upgrade.

Condition: When browser extension is enabled.

Workaround: Reinstall PSAL.


Symptom: When the User Record sync is enabled across nodes and end user creates a HTML5 bookmark in one node .Further when the same enduser logins to other node the created HTML5 bookmark is not present.

Condition: When User record sync is enabled and enduser creates HTML5 bookmark.

Workaround: None.


Symptom: "Failed to contact server" error observed sometimes when auto-launch is enabled.

Condition: When auto-launch is enabled.

Workaround: None

PCS- 36282

Symptom: JSAM launch is failing for intel-based MAC system with error stating one of the library file may be malicious.

Condition: JSAM launch fails.

Workaround: None.


Symptom: RPM based PSAL download instead of DEB based PSAL download in a Debian system.

Condition: Client installation will not work for Debian based Linux like Ubuntu.

Workaround: None

Release 9.1R15 PRs


Symptom: HTML5 Session recording file is not uploaded to SMB server.

Condition: When the SMB-Server is on a different VLAN than that of ICS.

Workaround: None.


Symptom: For non-existing remote machine ACL check is passed.

Condition: When end-user access HTML5 bookmark of non-existing RDP remote machine.

Workaround: None.


Symptom: Garbled characters are seen in Virtual desktop bookmarks.

Condition: When language is set as Chinese.

Workaround: None.


Symptom: PSAL not launched because RPM format PSAL file downloaded on Ubuntu machine.

Condition: When Firefox version 91.5.0esr (64 bit) is used.

Workaround: Use Firefox version 68.10.0esr (64 bit) to avoid PSAL launch issue.


Symptom: Second Node upgrade is failing in Cluster setup.

Condition: when upgrading through Pulse one.

Workaround: None.


Symptom: Sometimes one of the nodes in AA cluster deployed in AWS will show as enabled and unreachable after upgrade.

Condition: When upgrading ICS AA cluster deployed in AWS Environment to 9.1R15.

Workaround: Reboot the instance in AA cluster from AWS.


Symptom: In end user page Pulse collaboration is shown in the Preferences -> Advanced -> Under upload logs.

Condition: When admin enabled client-side logging.

Workaround: None.


Symptom: XML Export for OAuth Servers is missing Traffic port selection settings.

Condition: Traffic port selection is configured to be at Auth Server Level.

Workaround: Configure Port Selection for OAuth Server from Admin UI as desired.


Symptom: Role names are not showing for telnet/ssh and unix bookmarks in deprecated list during upgrade for roles configured with telnet/ssh and unix features bookmarks and didn't enable it in roles.

Condition: Roles configured with telnet/ssh and unix bookmarks and didn't enable telnet/ssh and unix in that role.

Workaround: Admin has to check for the role and delete the bookmarks.


Symptom: In New Sign-In Policy page meeting content is shown.

Condition: When admin creates a new sign in policy.

Workaround: No functionality impact. Ignore the text.


Symptom: ICS client fetches meeting license from the license server.

Condition: When license server is used to fetch the license.

Workaround: No functionality impact. Ignore the text.


Symptom: Meeting related information is shown in SNMP MIB file.

Condition: In the SNMP MIB file.

Workaround: No functionality impact. Ignore the text.


Symptom: If upgrade (using REST API/DMI/Pulse ONE) fails due to presence of deprecated features, the list of deprecated configurations is not given in upgrade failure message.

Condition: When upgrade is done through web UI, a list of deprecated configuration elements to be removed is displayed in the upgrade failure message. - For upgrades through REST API/DMI/PulseOne, the upgrade failure message does not give the list of deprecated features to be removed.

Workaround: - The list of deprecated features gets displayed in the serial console. - Admin needs to check the serial console for details.


Symptom: Interface is getting disconnected.

Condition: On configuring static link speed (not Auto), the link is getting disconnected.

Workaround: The link speed can be set as 'Auto'.


Symptom: Enable Pulse Collaboration integration on this connection is shown in Pulse secure SA connection page.

Condition: In the SA connection page.

Workaround: No functionality impact. Ignore the text.


Symptom: ICS on continuous reboot when enabling "Clear all configuration data at this device".

Condition: When option is enabled.

Workaround: On admin UI, disable the option under System Maintenance --> Options --> Clear all configuration data at this device.


Symptom: LS cluster: Admin sessions are not getting synced.

Condition: AA cluster gets set to config-only cluster.

Workaround: None.


Symptom: Unable to run /etc/ seen on ICS console on upgrade to 9.1R15.

Condition: This message is seen predominantly on VMware ESXi.

Workaround: None.


Symptom: Unable to change VLS cluster type from Active-Passive to Active-Active.

Condition: When creating cluster on VLS.

Workaround: None.


Symptom: Pushing sign-in URLs, notifications and pages not supported.

Condition: When creating any sign-in settings with URL.

Workaround: None.

Release 9.1R14 PRs


Symptom: When creating an Advanced HTML5 RDP bookmark, "Fetch Domain" does not retrieve domain name.

Condition: When the AD-Server for which the domain is being retrieved is on a different VLAN than that of ICS.

Workaround: Enter the domain name manually.


Symptom: when end user access L7 rewriter applications and click Home, end user sees "The requested resource is not valid."

Condition: When Referrer Header Validation under Configuration > Security > Miscellaneous is enabled.

Workaround: Admin can configure to enable the options to open bookmark in new window or new tab under User role settings for rewriter applications


Symptom: Unable to download the file of type .ps1 with the Advanced HTML5 session.

Condition: When using chrome browser.

Workaround: Use Firefox browser.


Symptom: JSAM, Pulse collaboration, Telnet/SSH clients is not working.

Condition: When client machine is a M1 MacBook

Workaround: None.


Symptom: The Advanced HTML5 connections graph in the admin UI Overview, takes more time than the duration mentioned in Refresh Interval to display the correct values.

Condition: When users initiate or close one or more Advanced HTML5 connections, the sessions tab reflects these changes immediately, but takes longer than expected to reflect in the graphs.

Workaround: None.


Symptom: Modifying IP config using console with VLAN interface fails.

Condition: After setting Default VLAN ID, when trying to modify, the IP config values are not reflected in cache.

workaround: None.


Symptom: XML export/import fails

Condition: When name field of roles have nested square brackets.

Workaround: Make sure we rename with no square brackets as workaround.


Symptom: Audio does not work with Google Chrome on Citrix Desktop.

Condition: When Google Chrome running on Citrix desktop is accessed from PCS browser interface using VDI bookmark.

Workaround: Pass "--disable-features=AudioServiceOutOfProcess" as arguments when starting Google Chrome.

Example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-features=AudioServiceOutOfProcess



Symptom: Advance HTML5 user is shown "Number of Advanced HTML5 connections for this session has reached the maximum allowed limit. Please close any unused session(s) and retry." even though user does not have 5 Advanced HTML5 connections.

Condition: Network disconnect on user side or server side.

Workaround: Retry after 15 minutes. The connections become available within 1 to 15 minutes from the time of network disconnect.


Symptom: Sometimes WSAM resources is accessed through PCS even though resources has denied in PSAM policy.

Condition: When changing PSAM/WSAM policy from allow to deny.

Workaround: None.

Release 9.1R13.1 PRs


Symptom: Toolbar not visible for bookmarks in PTP mode when using Chrome and Edge browsers.

Condition: Condition: When web bookmark is configured to access over PTP mode instead of rewriter mode.

Workaround: Open Ivanti Connect Secure home page URL in a new tab to see the toolbars again. If opening through bookmarks from Ivanti Connect Secure home page, select to open in new tab using right click.


Symptom: UI shows ISA concurrent users for an existing 9.x license client.

Condition: When editing an existing 9.x license client on license server running 9.1R13.1.

Workaround: Ignore the ISA concurrent users field. Leasing functionality is not affected.

Release 9.1R13 PRs


Symptom: Display of messages like "unregister_netdevice: waiting for tun_0_327 to become free. Usage count = 1".

Condition: When IPv6 is configured.

Workaround: None


Symptom:OS check passes on latest Windows 11 machine when checks are configured for "Windows 10-64-Bit".

OS check will pass on Windows 10 machine when checks are configured for latest "Windows 11-64-Bit".

Windows 11 (preview version) returns version string as Windows 10 in the kernel.

Condition: OS check policy for Windows 11 systems.

Workaround: NA


Symptom: Telnet/SSH bookmarks are not working on Windows 11 as IE is deprecated.

Condition: When using Windows 11 as client machine and accessing Ivanti Connect Secure through browser.

Workaround: Access Telnet/SSH bookmarks using HTML5 solution.

Release 9.1R12.1 PRs

No new known issues found in this release.

Release 9.1R12 PRs


Symptom: In A/P Cluster, users might notice a delay in the VPN session resumption when restart service triggered on cluster by Admin.

Condition: In A/P Cluster, delay in user VPN session resumption happens when Admin does restart services on cluster.

Workaround: It is a delay in session resumption and session shall resume after some time. Admin can restart services during the maintenance window.


Symptom: Downloading files with 6in4 and 4in6 not working properly in PSA hardware whereas 4in4 and 6in6 are working.

Condition: ESP mixed mode configured on HW.

Workaround: Disable “Use ESP tunnel for 6in4 and 4in6 traffic" in Configuration --> VPN Tunneling.


Symptom: VMware tools version shows as Unsupported Older Version.

Condition: When Ivanti Connect Secure is deployed on ESXi version 7.0.

Workaround: None. Functionalities such as Reboot, Shutdown, Power Off, NTP sync will continue to work without any issues.

Release 9.1R11.5 PRs

No new known issues found in this release.

Release 9.1R11.4 PRs


Symptom: Static IP allocation fails for both single and multi-session enabled users.

Condition: Overlapping IP pools are configured in VPN profile.

Workaround: If the overlapping IP pool is broken up/split up this issue is not seen.


Symptom: Static IP allocation fails for both single and multi-session enabled users.

Condition: Users having multiple preferred IP addresses and/or multiple users assigned same preferred IP address.

Workaround: None.


Symptom: Pulse Desktop Client (PDC) always displays upgrade prompt even when client version on the endpoint and the server are same. Clicking on upgrade prompt performs no action (Cosmetic/UI issue).

Condition: Occurs when the Pulse Desktop Client has Symantec signed binaries and the Ivanti Connect Secure on which it is hosted (9.1R11.3/ 9.1R10.2/ 9.1R9.2/ 9.1R8.4) is signed by Digicert.

Workaround: Disable End-point upgrade on Ivanti Connect Secure (Ivanti Connect Secure). Enable again only when a higher version of PDC is activated on Ivanti Connect Secure and let the users trigger the client upgrade through the browser.


Symptom: Sometimes back-end resources are not accessible over L7 VPN.

Condition: When both L3 & L7 VPN are connected.

Workaround: Disconnect the L3 VPN & access back-end resources. Connect back to L3 VPN.

Release 9.1R11.3 PRs


Symptom: The PSAL installation prompts for admin credentials on windows 8.1 for Local user.

Condition: On Windows 8.1 Endpoints.

Workaround: Right click on the PSAL msi->Properties and enable Unblock. Click Apply and OK. Then install the PSAL.


Symptom: Upgrade prompts missing on connecting to latest Ivanti Connect Secure.

Condition: When endpoint has PSIS Installed.

Workaround: Uninstall PSIS.

Release 9.1R11 PRs


Symptom: Pulse client is assigned an IP address from static pool while configuration is to prefer IP from LDAP/Radius attribute.

Condition: LDAP/Radius attribute template and static IP address/range is configured in a single user profile as resources.

Workaround: Split the connection profile into multiple profiles like one Profile with LDAP/Radius attributes/resources and other configuration and another profile with static IP address/range and other configuration. The new profiles can be ordered correctly to maintain the expected order of resources.


Symptom: User sessions are not syncing with one of the node in Active-Active cluster.

Condition: LMDB related error messages observed.

Workaround: Clear session data.

Release 9.1R10 PRs


Symptom: For advanced HTML5 sessions, on administrator UI shows IP address instead of hostname under virtual desktop sessions page.

Condition: When an advanced HTML5 bookmark is configured with a hostname.

Workaround: None.No functionality impact.


Symptom: For basic HTML5 connections file transfer is not working on macOS.

Condition: When a basic httml5 bookmark is accessed by using Safari browser.

Workaround: Access basic html5 bookmark using chrome browser.


Symptom: Active user page “Agent Type” shows “Mac OS 10.15" in place of “Mac OS 11.0.1".

Condition: When using Safari on macOS version BigSur 11.0.1.

Workaround: None.


Symptom: For advanced HTML5 connections, graph shows invalid values.

Condition: When user access advanced HTML5 bookmarks.

Workaround: Check the HTML5 session count on the virtual desktop sessions page.

Release 9.1R9.1 PRs


Symptom: Ctrl+C (abort) command is not working for advanced html5 sessions.

Condition: When user access Putty SSH session within Windows 10VM through advanced html5 bookmark.

Workaround: None.

Release 9.1R9 PRs


Symptom: “IP Owned by device with HWADDR” messages at MAJOR level seen in Admin logs after upgrade to 9.1R9.

Condition: These messages are seen during the following sequence:

1. Active Passive Cluster upgrade (Example: Node-1 and Node-2)

2. Upgrade started on Node-1. Node-1 with upgraded version is starting up.

3. Node-2 holds the VIP, till it goes for a reboot.

Workaround: None. These messages do not cause any impact to the cluster functionality.


Symptom: Pull state from server not leasing licenses to all the nodes in cluster. Following event logs are seen:

E.g.: 2020-10-19 17:25:01 - DFS_VA_NODE_115_19 - [] Root::System()[] - Lease request on behalf of DFS_VA_NODE_115_20 by DFS_VA_NODE_115_19 failed: Not Cluster Member, status code=0x22..

Condition: When, occasionally, both the cluster nodes talk to license server to fetch the license clients.


1. Do XML export of license clients.

2. Delete the affected license clients using admin UI.

3. Re-import the license clients from XML file.


Symptom: For existing HTML5 profiles configuration through REST may not set solution type properly always.

Condition: While updating the existing HTML5 profile solution type.

Workaround: Create new profile through REST API.


Symptom: For Advanced HTML5 user's Zoom sessions, audio stream can be inconsistent.

Condition: When Zoom application is used for meeting session over Advanced HTML5 session.

Workaround: Use Microsoft Teams application.


Symptom: For Advanced HTML5 RDP sessions, Microsoft Teams video call might disconnect the session.

Condition: When making a Microsoft Teams video call in Advanced HTML5 RDP session.

Workaround: None.


Symptom: For Advanced HTML5 sessions, some documents may not invoke print function properly.

Condition: When printing a text document with Notepad++.

Workaround: Use default document mode.


Symptom: REST based import of user role fails with the following error: "/sam/sam-options/wsam-autoinstall] Unsupported attribute type 0".


1. User role config obtained from Ivanti Connect Secure running pre-9.1R9 through REST.

2. Admin uses REST PUT|POST to import the config from Step 1 on Ivanti Connect Secure running 9.1R9.

Workaround: Replace wsam-autoinstall with wsam-autouninstall and use REST based import.


Symptom: Noticeable slowness seen in upgrade from 9.1R4 to 9.1R8 on AWS platform.

Condition: When the load on data center is high. Also, depends on the network parameters in the given zone.

Workaround: Please plan upgrades with sufficient upgrade window.

Release 9.1R8.2 PRs


Symptom: SAML SLO is not initiated from Ivanti Connect Secure to its IDP when the user’s browser-based session is ended.

Condition: When user is authenticated using any browser to Ivanti Connect Secure with SAML authentication method where Ivanti Connect Secure is SAML SP, user session is ended in browser because of idle timeout or max session timeout or if admin ends the user session from Ivanti Connect Secure Admin console. Currently only manual sign out from browser session is supported to send SLO request to IDP from Ivanti Connect Secure side.

Workaround: Close the browser window and launch a new browser window, so that user is prompted for authentication again for security reasons.

Release 9.1R8.1 PRs

No new known issues found in this release

Release 9.1R8 PRs


Symptom: Local proxy PAC file not working in Internet Explorer 11.

Condition: When PAC file resides on a local system.

Workaround: Store the PAC file on an HTTP/HTTPS-accessible server and use that link for Internet Explorer 11 proxy settings.


Symptom: Windows client connecting to Ivanti Connect Secure using Firefox ESR 68.10 intermittently throws error during Compliance check through Proxy configuration.

Condition: Using Firefox ESR 68.10 version.

Workaround: Once a successful connection is established from the client to the server using Chrome/IE, try connecting to the server using Firefox ESR. This works as expected.


Symptom: Pulse collaboration client version is not same in Mac and Windows.

Condition: When user installs 9.1R8 Pulse collaboration client.

Workaround: None.


Symptom: Archiving on AWS S3 storage and Azure is failing when DNS server is not reachable from internal interface.

Condition: When admin trying to Archive using AWS S3 bucket or Azure storage account on management port and DNS server is not reachable through internal port.

Workaround: Admin has to configure internal port for DNS resolution, Archival interface can be internal/management for archiving on AWS S3 bucket or Azure storage account.


Symptom: Websocket URL is not accessible.

Condition: When trying to access URL.

Workaround: None


Symptom: Active user page is not displaying node details correctly for the users connected in AA cluster after split and join.

Condition: After cluster split and re-join.

Workaround: Display issue, user sessions will not get impacted. Newly connected sessions are showing the details correctly.


Symptom: Host checker is getting timed out (can be seen on user access log) and user is getting logged out.

Condition: When periodic evaluation is enabled.

Workaround: This issue is not replicable every time, but as a workaround, we have suggested to disable dynamic evaluation or increase the periodic policy evaluation interval.


Symptom: Host Checker installation error found Intermittently while installing Host Checker or Pulse Client [HC enabled] through browser [Chromium Edge/Chrome/Firefox].

Condition: Fresh Installation of Host Checker or Pulse Client [Host Checker enabled] through browser [Chromium Edge/Chrome/Firefox] after uninstalling old Host Checker components


  • Uninstall the Host Checker/Pulse Client components manually and reboot the system.
  • OR

  • Manually kill Host Checker process before installing Pulse Client/Host Checker components.


Symptom: Client upload logs fails for Network Connect and JSAM.

Condition: After launching Network Connect and JSAM on Windows 10, client upload log fails.

Workaround: None


Symptom: Update in PSAM Resource policies configuration from Admin portal is not getting applied immediately to existing users with UDP PSAM sessions.

Condition: When Admin changes ACL action from Deny to Allow for a particular UDP based resource (i.e., UDP Server Application) for which user already has UDP PSAM Session active, user will still see access denied and vice-versa. But this condition might occur very rarely in real world scenario.

Workaround: Admin can choose to delete existing UDP PSAM user sessions for which ACL action changes from Deny to Allow and vice-versa.

Alternatively, user can disconnect and connect PSAM UDP based application session.


Symptom: Pulse client is not showing correct error message when there is no bandwidth to allocate for L3 tunnel.

Error message in Pulse client - "Unable to allocate IP address".

Condition: When there is no bandwidth to allocate for L3 tunnel for that specific user.

Workaround: Display issue, correct error message will get displayed in User Access logs.

Error message in User Access logs - "Cannot find a qualified bandwidth management policy for user based on current available bandwidth."

Release 9.1R7 PRs

Known issues found in this release are resolved.

Release 9.1R6 PRs

Known issues found in this release are resolved.

Release 9.1R5 PRs


Symptom: Cannot register the device with Intune to get SCEP profile that has IMEI as common name.

Condition: The devices like Wi-fi only iPad / Wi-Fi only android tablets that do not have IMEI support or do not have IMEI.

Workaround: None.


Symptom: Cluster VIP is not getting migrated to other node when active node's internal interface is not reachable and external port is reachable.

Condition: In AP Cluster configured with both internal and external port, when active node's internal port became unreachable.

Workaround: Reboot the cluster node having issue with internal interface is unreachable.


Symptom: User sessions will be removed for the session logged in at the time of second node upgrade in AP cluster.

Condition: During AP cluster upgrade, when the first node comes up after upgrading newer version, it informs other node to upgrade. During this time if any new user logs in, then all those sessions will be removed after second node goes for upgrade.

Workaround: User needs to re-login.


Symptom: Reliable users may be prompted for secondary authentication despite Adaptive authentication being enabled for the realm.

Condition: Adaptive Authentication feature may not work in some scenarios where nodes are in the cluster setup.

Workaround: None.

Release 9.1R4.3 PRs

No new known issues found in this release

Release 9.1R4.2 PRs

No new known issues found in this release

Release 9.1R4.1 PRs

No new known issues found in this release

Release 9.1R4 PRs


Symptom: Bookmark based access flow for Cloud based apps does NOT support MFA.

Condition: When user tries to access any Cloud apps using Bookmark based flow, MFA based Conditional Access policies does Not work and will Deny the access to user.

Workaround: Access Cloud apps using SP Initiated flow for MFA to work, or do NOT configure MFA for these Bookmark based Cloud apps.


Symptom: Pulse Collaboration meeting is not getting launched with PSAL in macOS Catalina from the second time.

Condition: In macOS Catalina, Pulse Collaboration meeting can be launched only after the fresh download of the client. If we try to relaunch the meeting, it is getting failed.

Workaround: Delete the Pulse Collaboration client folder and perform a fresh download before launching the meeting.


Symptom: TOTP server, Certificate server and SAML server authentication do not work for MFA based Conditional Access policy settings.

Condition: When TOTP server, Certificate server and SAML server are configured as MFA server for Conditional Access.

Workaround: Any other supported Authentication server can be configured as MFA server.


Symptom: License report doesn't show the software version for one of the members cluster setup.

Condition: When cluster is in license client

Workaround: None (Display issue).


Symptom: HOB launch on CentOS failing when Oracle JDK is installed.

Condition: Oracle JDK installed on CentOS.

Workaround: Install OpenJDK.


Symptom: AliCloud Ivanti Connect Secure-7K-V: Watchdog restarting cgi-server auth processes (cgi).

Condition: Beyond 20K concurrent users under Pulse ESP and PSAM throughput test.

Workaround: None


Symptom: Hob auto-launch - PSAL failing with error "Failed to contact server".

Condition: When auto-launch is enabled on HOB bookmark.

Workaround: Disable auto-launch.


Symptom: SSH does not work after restarting services in AWS and Azure.

Condition: After performing restart services.

Workaround: SSH works after a reboot.


Symptom: Rewriter issues with SharePoint 2019 – a few buttons and icons does not load and rename file does not work.

Condition: When using Ivanti Connect Secure web bookmark for the new SharePoint 2019 server.

Workaround: Switch to Classic View in SharePoint 2019.


Symptom: Host Checker error found Intermittently while installing Pulse Client via Chromium Edge browser in presence of Host Checker configured.

Condition: Host Checker configured.

Workaround: Click on Ignore button.

Release 9.1R3 PRs


Symptom: When trying to restart Ivanti Connect Secure from vCenter, Ivanti Connect Secure shuts down instead of restart.

Condition: When trying to restart Ivanti Connect Secure using the Restart Guest option from vCenter.

Workaround: Restart Ivanti Connect Secure using the PSA-V virtual console.


Symptom: DNS address and domain names are taken from DHCP server when deploying new Ivanti Connect Secure instance in AWS and Azure.

Condition: When passing DNS address and domain name as parameter for initial configuration, DNS address and domain name are taken from DHCP server.

Workaround: Reconfigure DNS address and domain in network over view page.


Symptom: Not able to enable "copy/paste" option for end user created bookmarks after upgrade from 9.1R2 to 9.1R3.

Condition: After an upgrade, not able to enable "copy/paste" option in the end user created bookmarks.

Workaround: The user has to delete and create the bookmarks to enable "copy/paste" option.


Symptom: Not able to enable "copy/paste" option via RDP launcher URL.

Condition: When trying to enable "Copy/paste" option via RDP launcher URL.


  • User should use admin created bookmark.
  • User should use end-user created bookmark.


Symptom: AWS or Azure new Ivanti Connect Secure deployment fails when customer using old templates with admin password is less than 10 characters.

Condition: When the template contains admin password with less than 10 characters.

Workarounds: Customer has to provide admin password length with minimum of 10 characters.


Symptom: Azure Ivanti Connect Secure - Network interface speed is showing as “Unknown” in the Network Overview page.

Condition: When deploying new Ivanti Connect Secure instance in Azure, the network interface speed is showing as “Unknown” in the Network Overview page.

Workaround: This is just a display issue.


Symptom: Intermittently, Behavioral analytics dashboard page shows "Unable to connect to database" error.

Condition: Sometimes, when admin navigates to Behavioral analytics dashboard page, "Unable to connect to database" error is seen.

Workaround: Administrator can reload the Behavioral analytics dashboard page after some time to get the details on the page.


Symptom: When File rule configured for validating a file location using System default Directories <%HOME%> policy evaluation failed on macOS 10.14x or any higher versions.

Condition: If file located at System Directories <%HOME%> and configured a Hostcheck policy with File Rule for macOS 10.14.x or higher versions.

Workaround: Need to add permissions for "Pulse Client" under "Accessibility" and "Full Disk Access" and which can be accessed from "System Preferences" > "Security & Privacy"-> "Privacy

Or without providing permission /tmp location can be used for File validation.


Symptom: Pulse collaboration not getting launched in macOS.

Condition: When the Java version above 8 is installed in the macOS, Pulse collaboration will not launch.

Workaround: Use Java version 8 for launching the Pulse collaboration in macOS.

Release 9.1R2 PRs


Symptom: Shutdown of PSA-V deployed on KVM hypervisor does not complete.


  • PSA-V is deployed on KVM hypervisor.
  • Shutdown is initiated from PSA-V virtual console.

Workaround: None


Symptom: DNS Search Order notes for macOS needs correction as Device only DNS is supported in macOS.

Condition: macOS supports Device only DNS.

Workaround: None


Symptom: Older PSIS is not upgrading to 9.1R2 PSIS version.

Condition: When CTS, WTS and VDI gets upgraded to 9.1R2 in Windows 10 Redstone 5 and later, PSIS is not upgraded to latest version.

Workaround: None. Old PSIS will continue to work and no impact seen.


Symptom: Using REST API - Archiving Schedule settings change from hourly to specified time does not update the hour/minute setting.

Condition: None

Workaround: Apply the same API again the second time.


Symptom: JSAM fails to launch on Mac OS Catalina 10.15.


  • Configured a role with Host checker.
  • Configured JSAM access with auto-launch.

Workaround: None


Symptom: After single logout with Ivanti Connect Secure as SP, the SP lands on either IdP page or SP page.

Condition: Ivanti Connect Secure is configured as IdP and another Ivanti Connect Secure configured as SP with single logout enable.

Workaround: None.

Release 9.1R1 PRs


Symptom: Named User Remote Repo (NURR) mode does not work when MSSP unlimited license is installed on the License server.

Condition: MSSP Unlimited License installed on License server.

Workaround: MSSP customers with MSSP SKU to not use NURR mode.


Symptom: DNS Port selection will not take any effect. DNS traffic will go through Internal Port only.

Condition: On a Ivanti Connect Secure Virtual Appliance, when Administrative Network is enabled under Traffic Segregation. This issue is not applicable for PSA Hardware Devices.

Workaround: None

Cloud Secure


Symptom: Blocked ECP users will not be updated if Generic is selected under LDAP server Type.

Condition: LDAP server type selected is Generic.

Workaround: Select the LDAP server type as Active Directory.


Symptom: Blocked ECP users will have a “Blocked till time” of 5 minutes.

Condition: Request count for a particular user is less than 3.

Workaround: None


Symptom: Blocked ECP users will not be removed from the ECP reports page based on “Blocked till time”.

Condition: When a user entry is present in the ECP reports page.

Workaround: None