
Unable to get past the NetScaler pre-authentication EPA scan even though the conditions are all right.



Hello Guys,

I've made a simple pre-authentication policy on NS 12.1.50.28.nc which looks like this:

 CLIENT.APPLICATION('BROWSER_90_100_VERSION_>_10.0[COMMENT: Internet Explorer]') EXISTS

Since I am connecting with IE11, the policy should allow me access, but it doesn't. I get the EPA scan, but after a very quick scan it is denying me access:

"Access Denied
Your device does not meet the requirements for logging on.
For more information, contact your help desk and provide the following information:
Date: 6/25/2019
Time: 13:04
Error:
Case ID : fb781
To check your device again, click Back."

In the ns.log I see the failed attempt:

"10.241.42.2 06/25/2019:11:07:09 GMT AAP11004 0-PPE-0 : default SSLVPN CLISEC_EXP_EVAL 7381 0 : CaseID 0b081: - Client IP 10.240.195.9 - Vserver 10.241.42.53:443 - Client security check CLIENT.SYSTEM('REG-NUM_PATH_==_HKEY\\_LOCAL\\_MACHINE\\SOFTWARE\\Citrix\\Secure\\ Access\\ Client\\_ProductVersion_REDIR-64_==_TRUE_VALUE_<_12.1.50.28[COMMENT: Numeric Registry]') EXISTS FAILED(2) on the client machine"

 

And in the NSEPA.log I also see the attempt failing:

12:38:15.489 | DEBUG   | downloaded total 1621 bytes
12:38:15.489 | DEBUG   | ns_HTTPrequest return value is: 1621
12:38:15.489 | DEBUG   | Library version : 1.1.2.6 
12:38:15.489 | EVENT   | EPA packge doesn't exist on disk. Error code : 3l
12:38:15.489 | DEBUG   | syspath=C:\Users\****\AppData\Local
12:38:15.489 | ERROR   | deleteAllFiles | 254 | C couldn't be deleted because of following error code 2 
12:38:15.489 | ERROR   | deleteAllFiles | 258 | FindFirstFile failed 2 
12:38:15.489 | EVENT   | Downloading EPA Lib...
12:38:15.489 | DEBUG   | syspath=C:\Users\****\AppData\Local
12:38:15.489 | EVENT   | Making GET request to https://URL****:443/epa/scripts/win/epaPackage.exe
12:38:15.490 | VERBOSE | [<GET /epa/scripts/win/epaPackage.exe HTTP/1.1
Cookie: NSC_EPAC=*****************************************************************


>]
12:38:15.496 | DEBUG   | Path to be opened : C:\Users\****\AppData\Local\Citrix\AGEE\epaPackage.exe
12:38:15.647 | DEBUG   | downloaded total 8683832 bytes
12:38:15.793 | DEBUG   | ns_HTTPrequest return value is: 8683832
12:38:15.793 | DEBUG   | ns_verifyfile: called
12:38:15.957 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762486, err -2146762486
12:38:15.957 | ERROR   | downloadEpaLib | 294 | Failed to verify downloaded EPA library
12:38:15.957 | DEBUG   | ns_verifyfile: called
12:38:15.958 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
12:38:15.958 | ERROR   | checkAndLoadEPALib | 502 | Failed to verify EPA DLL
12:38:15.958 | ERROR   | initEPAlib | 593 | Failed to load EPA library 
12:38:15.958 | ERROR   | epaLibScan | 666 | Faield to initialize EPA library 
12:38:15.958 | EVENT   | ns_EvalPolicy returns 2003
12:38:15.958 | DEBUG   | ns_free_dependspol:num_mallocPolicyBuffer=0
12:38:15.958 | DEBUG   | Memory has been allocated for the buffer. 
12:38:15.958 | DEBUG   | Memory has been allocated for the buffer. 
12:38:15.958 | EVENT   | Making GET request to https://url******:443epas
12:38:15.958 | VERBOSE | [<GET epas HTTP/1.1

 

The EPA plugin is being downloaded and is installed fine; it's in the location where it should be: C:\Users\****\AppData\Local\Citrix\AGEE.

I can't find anything on the net and am hoping you guys can help.


  • 1 month later...

Hi Stefan

I am having the same issues after upgrading the NetScaler from 11.1 55.13 to 12.0 61.8, but until now just with Chrome: Chrome is unable to download the EpaPackage.exe from the NS.

1st Workaround:

1. Download the file from the NetScaler (https://URL****:443/epa/scripts/win/epaPackage.exe) and copy it to --> C:\Users\<USER>\AppData\Local\Citrix\AGEE

2. Extract the epaPackage.exe to C:\Users\<USER>\AppData\Local\Citrix\AGEE\epaPackage\

3. Rerun the EPA test

2nd Workaround:

1. Try another browser like Firefox or Edge or IE, so epaPackage.exe can be downloaded and extracted. Afterwards you can use any other browser to log in.


  • 11 months later...

I need to bring this topic up again. I currently have the same problem with OPSWAT scans, and my log is telling me:

12:38:15.489 | EVENT   | EPA packge doesn't exist on disk. Error code : 3l

 

and:

 

17:00:11.567 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
17:00:11.567 | ERROR   | downloadEpaLib | 295 | Failed to verify downloaded EPA library
17:00:11.567 | DEBUG   | ns_verifyfile: called
17:00:11.568 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
17:00:11.568 | ERROR   | checkAndLoadEPALib | 517 | Failed to verify EPA DLL
17:00:11.568 | ERROR   | initEPAlib | 701 | Failed to load EPA library 
17:00:11.569 | ERROR   | epaLibScan | 786 | Faield to initialize EPA library 

 

and

 

17:25:42.992 | DEBUG   | Path to be opened : C:\Users\xxxx\AppData\Local\Citrix\AGEE\epaPackage.exe
17:25:43.071 | DEBUG   | downloaded total 980904 bytes
17:25:43.117 | DEBUG   | ns_HTTPrequest return value is: 980904
17:25:43.117 | DEBUG   | ns_verifyfile: called
17:25:43.227 | DEBUG   | ns_verifyTrustedCert success
17:25:43.227 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
17:25:43.227 | DEBUG   | ns_verifyfile returns 1
17:25:43.242 | DEBUG   | EPA lib path is non-ansi
17:25:47.617 | DEBUG   | ns_verifyfile: called
17:25:47.633 | DEBUG   | ns_verifyTrustedCert success
17:25:47.633 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
17:25:47.633 | DEBUG   | ns_verifyfile returns 1
17:25:47.633 | DEBUG   | EPA library couldn't be loaded ..
17:25:47.633 | DEBUG   | Failed to load EPA library 
17:25:47.633 | DEBUG   | Faield to initialize EPA library 
17:25:47.633 | DEBUG   | ns_EvalPolicy: BROWSER_60000 returns 2003
17:25:47.633 | EVENT   | ns_EvalPolicy returns 2003
17:25:47.633 | DEBUG   | ns_free_dependspol:num_mallocPolicyBuffer=0
17:25:47.633 | DEBUG   | Memory has been allocated for the buffer. 
17:25:47.633 | DEBUG   | Memory has been allocated for the buffer. 


I have tried a simple scan checking for the browser I'm using to connect to the VPN, which obviously must work, but it doesn't.

A classic expression scan (for example checking for my source IP) does work.

The described workarounds don't work for me; the NetScaler version used is 11.1 64.14.

I have tested 3 different clients and two different NetScalers (the other one is 12.1, newest build). All show the same behaviour.

Policy Expression:

CLIENT.APPLICATION(BROWSER_90_100) EXISTS

Profile has nothing specified other than "allow".

Thank you very much in advance.

Best regards


Hey Carl,

Thanks for the hint; unfortunately this didn't solve anything. Still getting these messages within my nsepa.txt file:

 

>]
09:25:55.720 | DEBUG   | Path to be opened : C:\Users\xxxxx\AppData\Local\Citrix\AGEE\epaPackage.exe
09:25:55.876 | DEBUG   | downloaded total 980904 bytes
09:25:55.923 | DEBUG   | ns_HTTPrequest return value is: 980904
09:25:55.923 | DEBUG   | ns_verifyfile: called
09:25:55.954 | DEBUG   | ns_verifyTrustedCert success
09:25:55.954 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
09:25:55.954 | DEBUG   | ns_verifyfile returns 1
09:25:55.954 | DEBUG   | EPA lib path is non-ansi
09:26:01.975 | DEBUG   | ns_verifyfile: called
09:26:02.007 | DEBUG   | ns_verifyTrustedCert success
09:26:02.007 | DEBUG   | ns_verifyfile output=Citrix Systems, Inc.
09:26:02.007 | DEBUG   | ns_verifyfile returns 1
09:26:02.007 | DEBUG   | EPA library couldn't be loaded ..
09:26:02.007 | DEBUG   | Failed to load EPA library 
09:26:02.007 | DEBUG   | Faield to initialize EPA library 
09:26:02.007 | DEBUG   | ns_EvalPolicy: BROWSER_60000 returns 2003
09:26:02.007 | EVENT   | ns_EvalPolicy returns 2003
09:26:02.007 | DEBUG   | ns_free_dependspol:num_mallocPolicyBuffer=0
09:26:02.007 | DEBUG   | Memory has been allocated for the buffer. 
09:26:02.007 | DEBUG   | Memory has been allocated for the buffer. 
09:26:02.007 | EVENT   | Making GET request to https://vpn.xxxxxxx.de:443epas
09:26:02.007 | VERBOSE | [<GET epas HTTP/1.1
Cookie: NSC_EPAC=********************************
CSEC: JFELn8TbOI6JUdFBHAkCpA==


 post body information is hidden >]
09:26:02.022 | DEBUG   | downloaded total 225 bytes
09:26:02.022 | DEBUG   | ns_HTTPrequest return value is: 225
09:26:02.022 | DEBUG   | Received headers size 80
09:26:02.022 | DEBUG   | Login failed due to EPA Scan
09:26:02.022 | DEBUG   | No EPA scan failure. We won't add header for error messages
09:26:02.022 | DEBUG   | ns_start_epa returning Case ID : 5fc3d
09:26:02.022 | DEBUG   | num_mallocPolicyBuffer=0
09:26:02.022 | DEBUG   | releasing buffers
09:26:02.022 | DEBUG   | ns_StopSSL called
09:26:02.022 | DEBUG   | ns_UnloadSecurityLibrary done
09:26:02.022 | EVENT   | EPA has successfully completed
09:26:02.022 | DEBUG   | EPA complete. stop showing progressbar 
09:26:02.043 | DEBUG   | ShowEPADialog returned 1 


  • 2 years later...
  • 10 months later...

What I found with this error was that the EPA scan was not being fully downloaded. I found that on the NetScaler, the memory limit was set to 0 after I had done my upgrade.

This is what I did to fix it, and it worked great.

EPA not downloading to the endpoints after upgrade


Applicable Products
Citrix ADC

Symptoms or Error
Client EPA plugin download failure occasionally causes the EPA scan to not work

Solution
Verify the output by executing the command below. In this example Integrated Cache (IC) is enabled and allocated properly.

*** Do not enter Shell; this is done outside of the shell command.

> sh cache parameter
        Integrated cache global configuration:
        Memory usage limit: 1024 MBytes
        Memory usage limit (active value): 1024 MBytes
        Maximum value for Memory usage limit: 1720 MBytes

Implement either of the 2 solutions below:

Solution 1:
If the Memory Usage Limit is not assigned any value or it shows "0" Mbytes, assign the memory by executing the following command.
You can allocate up to 50% of the available memory to the Integrated Caching feature.

e.g.
*** Do not enter Shell; this is done outside of the shell command.
(may need to be typed manually, copy and paste did not work for me)

> set cache parameter -memLimit 1024
> savec
> reboot

Solution 2:
You may disable the "Integrated cache" feature in the NetScaler CLI:
e.g.
> disable ns feature IC

 
Problem Cause
Integrated Caching memory is either exhausted or not configured with memory. NetScaler resets the connection to the client with code 9826 due to not enough memory for NET buffers in NetScaler.

Additional Resources
https://support.citrix.com/article/CTX238197/unable-to-load-vpn-gateway-page-properly-stuck-at-loading-adc-sends-reset-code-9826
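
The WinVerifyTrust values in the NSEPA.log excerpts earlier in this thread are signed 32-bit HRESULTs. The following is an added example, not part of any post here and not Citrix code: a small Python triage that decodes them and collects the download size and policy result, run on lines copied from the first post; the function names and report layout are assumptions of this example.

```python
import re

# HRESULT names and meanings from the Windows SDK header winerror.h;
# only the two values seen in this thread are listed.
HRESULTS = {
    0x800B0100: ("TRUST_E_NOSIGNATURE", "no signature was present in the subject"),
    0x800B010A: ("CERT_E_CHAINING", "chain could not be built to a trusted root"),
}
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \| (\w+)\s*\| (.*)$")
VERIFY_FAIL = re.compile(r"WinVerifyTrust failed (-?\d+)")
DOWNLOADED = re.compile(r"downloaded total (\d+) bytes")
EVAL = re.compile(r"ns_EvalPolicy returns (\d+)")

# Sample input: lines copied from the first post's NSEPA.log excerpt.
SAMPLE = r"""
12:38:15.647 | DEBUG   | downloaded total 8683832 bytes
12:38:15.793 | DEBUG   | ns_verifyfile: called
12:38:15.957 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762486, err -2146762486
12:38:15.957 | ERROR   | downloadEpaLib | 294 | Failed to verify downloaded EPA library
12:38:15.958 | ERROR   | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
12:38:15.958 | ERROR   | checkAndLoadEPALib | 502 | Failed to verify EPA DLL
12:38:15.958 | EVENT   | ns_EvalPolicy returns 2003
"""

def decode_hresult(signed):
    """Convert the signed 32-bit value the client logs into (hex, name, meaning)."""
    code = signed & 0xFFFFFFFF
    name, meaning = HRESULTS.get(code, ("UNKNOWN", "not in the table above"))
    return f"0x{code:08X}", name, meaning

def triage(log_text):
    """Return download sizes, decoded signature failures and the policy result."""
    report = {"downloads": [], "verify_failures": [], "eval_result": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and continuation lines of VERBOSE request dumps
        ts, _level, msg = m.groups()
        if (d := DOWNLOADED.search(msg)):
            report["downloads"].append(int(d.group(1)))
        elif (v := VERIFY_FAIL.search(msg)):
            report["verify_failures"].append((ts, *decode_hresult(int(v.group(1)))))
        elif (e := EVAL.search(msg)):
            report["eval_result"] = int(e.group(1))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```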
