
GSLB Persistence Issues


Donal McCarthy


I have been going around in circles with this topic and need some help.

Setting up a pair of NetScaler MPX 5550 with GSLB in an active/active configuration.

Each NetScaler is on a different subnet with a matching LB StoreFront and AGEE pointing to an IP on their respective subnet.

I have set up GSLB with the NetScalers being authoritative DNS for each of the StoreFront FQDN and the AGEE FQDN.

 

When users connect via the AGEE FEDB, sometimes it will work and present their apps on StoreFront, and sometimes users will get the "cannot complete your request" error.

I check logs on the StoreFront servers and I see the following errors:

 

1. None of the AG callback services responded

 

 

2. A CitrixAGBasic Login request has failed.

Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticatorException, Citrix.DeliveryServicesClients.Authentication, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null

AuthenticateInternal encountered an exception.

at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)

at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.Authenticate(HttpRequestBase request)

at Citrix.Web.AuthControllers.Controllers.AuthenticationController.DoAGSSOLogin()

System.Net.WebException, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

The remote server returned an error: (403) Forbidden.

Url: https://STOREFRONTFQDN/Citrix/Authentication/CitrixAGBasic/Authenticate

ExceptionStatus: ProtocolError

ResponseStatus: Forbidden

at System.Net.HttpWebRequest.GetResponse()

at Citrix.DeliveryServicesClients.Utilities.HttpHelpers.ReceiveResponse(HttpWebRequest req)

at Citrix.DeliveryServicesClients.Authentication.ProtocolEnumerator.TokenRequestClient.SendTokenRequest(String url, RequestToken requestToken, String primaryToken, String languages, CookieContainer cookieContainer, IEnumerable`1 acceptHeaders, IDictionary`2 additionalHeaders)

at Citrix.DeliveryServicesClients.Authentication.AG.AGAuthenticator.AuthenticateInternal(HttpRequestBase clientRequest, String agAuthentServiceUrl, String tokenForServiceID, String tokenForServiceURL, TimeSpan requestedTokenLifetime)

 

 

3. The AG Web Service at: https://AGEEFQDN/CitrixAuthService/AuthService.asmx failed with the following error. This endpoint will be ignored until: 11/19/2013 3:25:33 PM

Citrix.DeliveryServices.Authentication.CitrixAGBasic.Exceptions.AGCommunicationException, Citrix.DeliveryServices.Authentication.CitrixAGBasic, Version=2.4.0.0, Culture=neutral, PublicKeyToken=null

A communication error occurred while attempting to contact the NetScaler Gateway authentication service at https://phila.crowncork.com/CitrixAuthService/AuthService.asmx. Check that the authentication service is running.

at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.CitrixAGBasicWebService.GetAccessInfo(String sessionId, String username, String domain)

System.Net.WebException, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

The underlying connection was closed: The connection was closed unexpectedly.

at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)

at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)

at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

at Citrix.DeliveryServices.Authentication.CitrixAGBasic.AGAuthService.AuthenticationServiceSoap.GetAccessInformation(String sessionId, String username, String domain)

at Citrix.DeliveryServices.Authentication.CitrixAGBasic.Client.AGClient.GetAccessInfo(String sessionId, String username, String domain)

 


  • 6 years later...

I figured this out. It had to do with the fact that we disabled the weaker encryption options on the vserver. We disabled SSLv3, TLSv1 and 1.1, only leaving TLSv1.2 and 1.3. Well, we're still using StoreFront v3.12, so those encryption levels weren't supported by this older version of StoreFront. Once I re-enabled the weaker TLS versions the errors went away. We're planning on updating the StoreFront servers to 3.5 this week, then I'll up those encryption versions again.

 

Also, as a side note, another way I prevented the "Cannot Complete Your Request" errors when logging in with these active/active NetScalers: I put the external IP and URL in the hosts file for each StoreFront server at their respective sites. That way they will never get confused with the DNS changing when they're trying to call back to authenticate.

 

Hope that helps.

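One way to check the two conditions described in the reply above, as an added example that is not part of the original posts and not Citrix tooling: run on a StoreFront server, it shows which address the gateway callback name resolves to, whether a hosts-file entry pins it, and which TLS versions this server can negotiate with the gateway vserver. `AGEEFQDN` is a placeholder for the callback FQDN and `Test-GatewayTls` is a hypothetical helper name.

```powershell
# Added diagnostic, run on a StoreFront server. 'AGEEFQDN' is a placeholder for the
# gateway callback FQDN; Test-GatewayTls is a hypothetical helper name.
param(
    [string]$GatewayFqdn = 'AGEEFQDN',
    [int]$Port = 443
)

function Test-GatewayTls {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate checks are skipped: only the protocol-version handshake is under
        # test, and no application data is sent over the connection.
        $noCertCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCertCheck)
        $tls.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Protocol = $Protocol; Negotiated = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Protocol = $Protocol; Negotiated = $false
                           Error = $_.Exception.GetBaseException().Message }
    } finally {
        $client.Close()
    }
}

# 1. Which address does this server use for the callback name, and is it pinned in hosts?
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*[^#\s]+\s+.*\b' + [regex]::Escape($GatewayFqdn) + '\b'
$pinned    = Select-String -Path $hostsFile -Pattern $pattern | Select-Object -First 1
$resolved  = [System.Net.Dns]::GetHostAddresses($GatewayFqdn) |
             ForEach-Object { $_.IPAddressToString }
"Resolves to : $($resolved -join ', ')"
"Hosts entry : $(if ($pinned) { $pinned.Line.Trim() } else { 'none (answer comes from DNS/GSLB)' })"

# 2. Which TLS versions can this server negotiate with the gateway vserver?
#    Tls13 is only probed when the installed .NET runtime defines it.
$available = [enum]::GetNames([System.Security.Authentication.SslProtocols])
'Tls', 'Tls11', 'Tls12', 'Tls13' | Where-Object { $available -contains $_ } | ForEach-Object {
    Test-GatewayTls -HostName $GatewayFqdn -Port $Port -Protocol $_
} | Format-Table -AutoSize
```

The probe requests each version explicitly, so it reports what the operating system can negotiate; the protocol set an older .NET application uses by default can be narrower than that.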

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...