Jump to content
Welcome to our new Citrix community!

NSG 12.1 SSL Error 4


Robbin Nollen

Recommended Posts

Hi,

 

I am currently setting up a NetScaler Gateway 12.1 (48.13) with a Windows 10 1709 VDI environment using XD 7.15 with the latest CU. For some reason I am not able to configure the NSG properly for this enviroment.  The issue that I have is when I try to launch a published desktop; I got an SSL error: "SSL Error 4: The Operation completed successfully".


On the internet there are allot of documents which describe this issue. Solutions are to upgrade the NetScaler (but I already running a late version), the issue also occurs with Windows 10 1703; but I am running 1709. Also tried to change the order of Cyphers in the VDI; that didn't solved it either. Down and upgraded the receiver; same issue. I don't see any issues with the certificate; don't see anything strange using SSLLabs. But ofcourse I miss something, otherwise it would work :) So I basically running out of ideas; anyone got an idea? 

 

Locally (without NSG) everything is working OK.

 

 

error.JPG

Link to comment
Share on other sites

17 hours ago, Basant Ballabh Bhatt1709158446 said:

Please check your SSL certificates at the NetScaler and Storefront, It should have proper Intermediate and root certificate chain installed.

I have checked my certificates. I didn't see any issue here. The certifcates are linked to the intermediate and Root CA. Everything is loaded. Also tried to changing the NSG certificate; same issue. So maybe it is something with my certificates, but I don't see the issue. Validated the Certificates on the NSG; Storefront and the DDC. 

Link to comment
Share on other sites

2 hours ago, Pedro Silva1709157617 said:

Double check STA's configured on NSG and Storefront match and that they are the correct ones for those farm.

 

Check your proxy and FW to allow connections on port 1494/2594 from NSG SNIp to VDI's.

 

More FW rules here https://support.citrix.com/article/CTX101810#NetScaler

Thanks for you're reply. I have created several NetScaler services to a random VDI to see if the services and the VDI ports are UP. Basically they where all up; checked also if non existing ports where down; to verify the services.. Also checked the connections to the STA's with this method. That also looked OK... So I think on the communication part this looks OK..

Link to comment
Share on other sites

So focus on "Double check STA's configured on NSG and Storefront match and that they are the correct ones for those farm."

 

If this doesn't help you will need to take a network trace on client machine and Netscaler and correlate the connections. Might be client side issue (proxy,etc..)

Link to comment
Share on other sites

On ‎18‎-‎7‎-‎2018 at 2:51 PM, Pedro Silva1709157617 said:

So focus on "Double check STA's configured on NSG and Storefront match and that they are the correct ones for those farm."

 

If this doesn't help you will need to take a network trace on client machine and Netscaler and correlate the connections. Might be client side issue (proxy,etc..)

It has definitely got to do something with the networking / routing / configuration. When I create a Wireshark trace on the VDI, I don't see any traffic coming from the SNIP. When I run a trace on the NetScaler; I do see the IP address of the VDI; the traphic has got to do something with DNS multicast or something like that; In my traces I see a connection to 224.0.0.252 with the name of my VM and a whois going to the internal DNS servers. After this; it is blank.. Don't see anything coming from or going to the SNIP or the VDI IP address. Difficult this; but basically no connection has been set up..

Link to comment
Share on other sites

1 hour ago, Pedro Silva1709157617 said:

create a 2 test services on the Netscaler to VDI IP on ports 2596 and 1494. you will then be able to see if the netscaler is able to establish a connection

 

Created a new clean VM/VDI using Windows 10 1709 dec ISO, so not using our Master image. Installed the VDA Remote PC. VM is on the same subnet SNIP and hyper-v hosts as the VPX. Created two test services on port 1494 and 2598 (HTTP; tcp monitor) and the services are UP. This part is looking OK, But unfortunately still SSL error 4 when I try to access the VDI remotely.. 

Link to comment
Share on other sites

  • 2 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...