Jump to content

Protocol error when I try gateway access


Recommended Posts

Posted

Hi everyone!!

 

I have some problems to connecto to my citrix infrastructure.

 

I explain:

 

netscaler dmz / vip dmz

storefront dmz

 

ddc lan

vda lan2

 

When I try to launch an app internally  ==> mydesktop.mycompany.com all works fine (I connect to netscaler vip 172.16.13.x) and I can launch app and desktops.

 

But when I try to connect through Netscaler gateway I obtain the message "protocol driver error" (my storefront open ok and list the apps etc...)

 

I found only the following errors in my delivery controller:

 

image.thumb.png.c5608a0ed3513fd8a3737123df61e643.png

 

VDA of course is registered in broker .

 

 

edit: I find some clue....the server vda has another vlan. I check it the connectivity with broker, stf, vip netscaler.....ip gateway....all works fine). All firewall is open for testing.

 

So.....if I change VDA Ip to the same vlan of broker all works fine...I can connect fine.

 

any idea?

Posted
12 minutes ago, Sam Jacobs said:

Did you create a NetScaler instance on StoreFront with your STA list?

Does it match the STA list on the NetScaler?

Yes I think

 

Hi..

 

Yes I hope.

 

In my storefront I have:

image.png.d9abb834fe06ac1a96c129e029825025.png

 

and in Netscaler:

image.png.67600ff5d563c4f23a975b2bf8c7724e.png

 

Posted

What version of Citrix ADC/NetScaler are you running?

Which version of StoreFront and XenDesktop/CVAD is in use?

Do you have the necessary firewall ports open between Gateway NSIP or SNIP and the authentication destinations, snip to storefront, and snip to all VDA IP addresses on the internal facing firewall?

 

Typical Configuration Summary:

On StoreFront:

1) Create the Gateway definition:

    - Gateway FQDN

    - VIP or leave blank of NSGateway vpn vserver (try to avoid using SNIP if this ADC is doing both gateway and storefront load balancing)

    - Configure list of STA's as the individual names of the controllers. Verify that your STA/XML ports are actually running on https:443 if that is the protocol you are configuring.

2) On Selected Store, verify you have enabled remote access and linked to the appropriate gateway instance

3) Verify authentication for storefront now includes explicit authentication and passthrough authentication from gateway

4)  Verify StoreFront/CVAD Site xml broker communication is working and no cert trust issues are present (though this should be good, since you said the internal users can connect via this store).

 

Finally, check the storefront server(s) event viewer under the Citrix Delivery Service for any errors that might give you more configuration details.

 

On Gateway

1) Create the vpn vserver (or verify what you created by wizard)  Citrix (NetScaler) Gateway > Virtual Servers node. You can edit the vserver to see more properties than the wizard shows.

Verify the external Gateway FQDN resolves to the proper VIP (either the VIP of the vpn vserver or the content switching vserver if in unified gateway mode)

2) Verify the gateway has the correct list of STA's (also individual list of controllers) and they are GREEN/UP (this was verified by you already)

3) Verify you have a trusted cert on the vpn vserver and the client devices has no issues; if it is untrusted connections will fail during the launch phase.

4) Confirm the settings in the session profile the vpn vserver is using:

     - on the Published Applications tab (of the session profile), is ICAProxy:ON

     - Verify the StoreFront Address is actually https://<storefront fqdn>/Citrix/<StoreNameWeb>  This should be the WEB path and not just the services path: Example: https://storefront.demo.dom/Citrix/Store1Web not /Store1

     - Verify the SSON domain is specified and that when the user authenticates to gateway the domain is not provided in the user authentication. User authenticates as user1; not domain\user1.  The session profile contains the domain to passthrough. (If using UPN other variations are needed)

     - Verify under the client experience tab "enable passthrough to web applications" is also enabled. 


 

Finally, on NS 11.1/12.0 or later, the Gateway will only attempt an ICA Proxy connection with StoreFront if it sees that the storefront destination is valid.

1) Verify from the ADC you can resolve the <storefront fqdn> to an IP. A ping from shell can confirm part.

2) The Gateway sends an explicit probe and must have a SNIP that can reach the actuall storefront VIP (if load balanced) evevn if it load balanced on itself. If this test fails it won't attempt to talk to storefront.

You can view nslog to see if there are events related to this.

 

For the user to connect via gateway:

- The gateway SNIP must be able to reach all target VDA's. So are firewall ports from the gateway SNIP to all destination VDA IPs?  Ports include TCP:2598 and 1494 and UDP:2598:1494 internally.  (In addition to regular gateway storefront communication, but it sounded like you said that was working, just the final launch was failing.)

 

Gateway logs to check:

 

Check syslog for additional gateway errors beyond the usual that might be reported:

shell

cd /var/log

# any of these may you find useful events...

tail -f ns.log

more ns.log | grep error -i

more ns.log | grep storefront -i

more ns.log | grep sta -i

 

To view nslog to see if it is having trouble validating storefront is reachable:

shell

cd /var/nslog

nsconmsg -K newnslog -d event | grep <storefrontfqdn> -i

nsconmsg -K newnslog -d consmsg | grep <storefrontfqdn> -i   # i think this is the one you want to view first

 

You can also run an nstrace from the gateway to see if something else is happening between gateway and the storefront server.

Posted
10 hours ago, Rhonda Rowland1709152125 said:

What version of Citrix ADC/NetScaler are you running?

Which version of StoreFront and XenDesktop/CVAD is in use?

Do you have the necessary firewall ports open between Gateway NSIP or SNIP and the authentication destinations, snip to storefront, and snip to all VDA IP addresses on the internal facing firewall?

 

Typical Configuration Summary:

On StoreFront:

1) Create the Gateway definition:

    - Gateway FQDN

    - VIP or leave blank of NSGateway vpn vserver (try to avoid using SNIP if this ADC is doing both gateway and storefront load balancing)

    - Configure list of STA's as the individual names of the controllers. Verify that your STA/XML ports are actually running on https:443 if that is the protocol you are configuring.

2) On Selected Store, verify you have enabled remote access and linked to the appropriate gateway instance

3) Verify authentication for storefront now includes explicit authentication and passthrough authentication from gateway

4)  Verify StoreFront/CVAD Site xml broker communication is working and no cert trust issues are present (though this should be good, since you said the internal users can connect via this store).

 

Finally, check the storefront server(s) event viewer under the Citrix Delivery Service for any errors that might give you more configuration details.

 

On Gateway

1) Create the vpn vserver (or verify what you created by wizard)  Citrix (NetScaler) Gateway > Virtual Servers node. You can edit the vserver to see more properties than the wizard shows.

Verify the external Gateway FQDN resolves to the proper VIP (either the VIP of the vpn vserver or the content switching vserver if in unified gateway mode)

2) Verify the gateway has the correct list of STA's (also individual list of controllers) and they are GREEN/UP (this was verified by you already)

3) Verify you have a trusted cert on the vpn vserver and the client devices has no issues; if it is untrusted connections will fail during the launch phase.

4) Confirm the settings in the session profile the vpn vserver is using:

     - on the Published Applications tab (of the session profile), is ICAProxy:ON

     - Verify the StoreFront Address is actually https://<storefront fqdn>/Citrix/<StoreNameWeb>  This should be the WEB path and not just the services path: Example: https://storefront.demo.dom/Citrix/Store1Web not /Store1

     - Verify the SSON domain is specified and that when the user authenticates to gateway the domain is not provided in the user authentication. User authenticates as user1; not domain\user1.  The session profile contains the domain to passthrough. (If using UPN other variations are needed)

     - Verify under the client experience tab "enable passthrough to web applications" is also enabled. 


 

Finally, on NS 11.1/12.0 or later, the Gateway will only attempt an ICA Proxy connection with StoreFront if it sees that the storefront destination is valid.

1) Verify from the ADC you can resolve the <storefront fqdn> to an IP. A ping from shell can confirm part.

2) The Gateway sends an explicit probe and must have a SNIP that can reach the actuall storefront VIP (if load balanced) evevn if it load balanced on itself. If this test fails it won't attempt to talk to storefront.

You can view nslog to see if there are events related to this.

 

For the user to connect via gateway:

- The gateway SNIP must be able to reach all target VDA's. So are firewall ports from the gateway SNIP to all destination VDA IPs?  Ports include TCP:2598 and 1494 and UDP:2598:1494 internally.  (In addition to regular gateway storefront communication, but it sounded like you said that was working, just the final launch was failing.)

 

Gateway logs to check:

 

Check syslog for additional gateway errors beyond the usual that might be reported:

shell

cd /var/log

# any of these may you find useful events...

tail -f ns.log

more ns.log | grep error -i

more ns.log | grep storefront -i

more ns.log | grep sta -i

 

To view nslog to see if it is having trouble validating storefront is reachable:

shell

cd /var/nslog

nsconmsg -K newnslog -d event | grep <storefrontfqdn> -i

nsconmsg -K newnslog -d consmsg | grep <storefrontfqdn> -i   # i think this is the one you want to view first

 

You can also run an nstrace from the gateway to see if something else is happening between gateway and the storefront server.

Thanks i'll check all this today 

 

But... For the firewall ports i have the next configuration ;

Snip: 172.16.13.200

Vip stf: 172.16.13.50

StoreFront servers : 172.16.13.40

Brokers:10.1.0.x

Vda: 10.2.0.x

 

INTERNALLY I can launch https://mydesktop.mydomain.com(172.16.13.50) and launch app without problem 

 

If I try the same externally (ns gateway) i open StoreFront, can login but error to launch app 

 

Si internally works I think the ports are OK isn't ? 

 

On the other hand... If I change Vda servers network to 10.1.0.x all works fine 

So... Why ? Some problem to gateway to contact the vda ? 

 

All the firewall ports are open..(any any) between dmz 172.16.13.x and 10.2.0.x /10.1.0.x.....etc.......but same error.

Ns resolve , ping etc vda servers

 

Posted

the internal test confirms storefront/controllers/vda works, but because its not crossing the same firewall or using the same flow, you could still have a gateway related issue.

If it works internally, its not guaranteed ports on firewall are correct, since the assumption is that there is a firewall between your ADC and your storefront/vdas; internal connection test is crossing this firewall or using the same components (as in no gateway involved.)

 

If it works when the VDAs are in the 10.1.0.0 network and not the 10.2.0.0 network, then there is some sort of issues between gateway and teh VDA destinations:

- route problem

- firewall rule

- Verify your SNIP can actually reach the 10.2.0.x destination by doing a ping -S <snip> <target address>; otherwise a ping just uses the NSIP.

So a trace may help to confirm this aspect of connectivity.

 

But if moving the VDA's to 10.1.0.0 fixes your problem, then that does work. But it also indicates you have an issue between the Gateway -- firewall -- VDA network 10.2.0.0/24.

 

 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...