  • 1

Invalid packet during CGP handshake phase.

Sergiu-Konrad Kork




Looking for some help as I can't get something sorted and it's starting to drive me nuts.


Only relevant error is this, and it is found on the worker:


The Citrix ICA Transport Driver connection from <NS_SNIP>:<some_random_upper_port> to port 2598 received an invalid packet during its CGP handshake phase.


When this happens the connection does not get through, with one of the following:

- session window starts and then disappears

- session window starts, lingers for a while and then puts out "unknown client error 0"

- session window starts, lingers for a while and then puts out "the connection to failed with status: network issues are preventing your connection (socket error 10054)"

- session window starts, lingers for a while and then puts out "Resource not available"




- XA 7.18

- VPX NS with internal (server network) and external (DMZ) network cards

- EDT enabled and configured (with fallback on TCP)


On this environment all users connect strictly via the NS, there are no "internal" connections. Server network is completely isolated.

Depending on the user's source location, I get 3 outcomes:

- when users are in the office (using the specific office vlans) they get no errors, and EDT works

- when users are coming in over the internet (there's a public IP that does a NAT to the NSAG IP) they get no errors but EDT does not work, only TCP connection

- when users are coming in from ONE of the three company VPNs they get no errors but EDT does not work, only TCP connection

- when users are coming in from the other 2 company VPNs they get 100% failure rate with one of the 4 outcomes listed above. This is the problem. And the thing is it goes away when I disable the SR on the storefront's configuration for the Netscaler.

To complicate things even more, we have a second identical deployment (they are built together, mirrored - one is prod and the other is staging) for which the above red line does NOT apply. In fact, for the second deployment the above red line turns into "always works, including EDT". Moreover, if I add the problematic deployment's XA farm into the same store of the working deployment's SF, I also get EDT connections with no failure. If I do it the other way around, I always get the red line.

Except for the obvious differences in DNS addresses (with associated certificates) and IPs, the two deployments are virtually identical in configuration. Moreover, the farms themselves are provisioned by AppLayering from the same sources (only the platform layer is different as they are in separate domains) and using MCS.



Getting nowhere with network support (everything is fine after 2 weeks of checks and traces) nor with proxy setting support (proxy rules are in place depending on destination).


What the hell is "invalid packet during its CGP handshake phase" ? :) 




  • 0

You mention two environments and one works, and one doesn't. What I don't see mentioned are the NetScaler Gateway Session Profiles. Do you have two different IP addresses for each environment to connect to? Are the NetScaler Gateway Session Profiles configured properly for each of the backend StoreFront environments?

  • 0

Thank you for the suggestion!


I've rechecked the session policy/profiles just now: other than the obvious differences in the back-end address, they are the same. The "published application" has different values ofc, pointing to their respective back-end storefront servers and their stores, using the FQDN of the SF load-balancers on the Netscalers (DNS entry resolvable to IPs by the NS, no cert issues).


Yes, the two environments are fully separated. They have the exact same configuration when it comes to published resources and their ACLs, they have each component in the same vLan as the other one (ofc, different IPs).

They have separate:

- DB servers and DBs,

- infrastructure servers (SFs, DDCs)

- workers (VDAs)

- Netscalers

- AD domains (prod/staging)



Once more, it's not as simple as "one works, one doesn't". This applies only in a specific scenario: when the user first connects to 2 specific company VPNs, and then accesses Citrix.

All the other scenarios (user is in office, user comes from public internet, user connects to another VPN than those 2) have both environments working. Although EDT doesn't always work, as described in the first post.
