
When my 2 VPX NetScalers are active I receive "Unable to connect to the server. The Citrix SSL server you have selected is not accepting connections."


My setup

2 VPX (1000) NetScalers (1 in each datacenter location) (external network, DMZ)

2 StoreFront servers handling the communications (1 StoreFront for each NetScaler) (internal network)


What works:

For each NetScaler that the user hits, authentication works and the user is able to hit the StoreFront that is configured, showing the applications.

Logging into each StoreFront server directly, I am able to log in and launch applications quickly.

If one NetScaler's GSLB virtual server is disabled (Out of Service), the user hits the other NetScaler, logs in successfully, and the applications come up (a little slowly) but work without any errors.

This is also the case vice versa with the other NetScaler.

Resolution on the StoreFronts is working, and the ICA file, whether it worked or not, contains the STA ticket ID that the NetScaler has in its configuration and that is declared in the StoreFront STA URL configuration.


The problem:

When both NetScalers are online (GSLB virtual servers are enabled), whichever NetScaler the user goes to, the user logs in successfully, but after clicking on the app it eventually spits out the error "Unable to connect to the server. Please contact your system administrator with the following error: The Citrix SSL server you have selected is not accepting connections."


Any ideas on where I can narrow down this problem? Thank you, David

- The TTL value at the client side for the GSLB FQDN is expiring, and the client is trying to resolve the FQDN once again, which might be going to the other NetScaler.

- Make sure that persistency is enabled for the GSLB FQDN for source IP and that it is more than the TTL value given for the FQDN. It is suggested to have at least 2 mins of difference.

On 7/10/2019 at 0:52 AM, Paul Blitz said:

How about just make the TTL value for the DNS response larger, several minutes?


The problem with this solution will be at the time when one of the sites fails.

The client would be caching the DNS record for a longer time and would not go to the other site, causing a bad user experience.
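
An added example, not written by any poster in this thread: a toy Python model of the two points made above, namely that an expired client-side TTL can send the application launch to the other site unless source-IP persistence outlives it, and that a long TTL delays failover. The class names, the sample client IP, the round-robin site choice and the rule that every answered query restarts the persistence timer are assumptions of this model, not NetScaler internals.

```python
from dataclasses import dataclass, field
from itertools import cycle

@dataclass
class Gslb:
    """Toy GSLB: round-robin over healthy sites, optional source-IP persistence."""
    persist_timeout: float                         # seconds; 0 disables persistence
    sites: tuple = ("site-A", "site-B")            # hypothetical site names
    down: set = field(default_factory=set)         # sites currently failed
    _entries: dict = field(default_factory=dict)   # source IP -> (site, expiry)

    def __post_init__(self):
        self._rr = cycle(self.sites)

    def resolve(self, src_ip, now):
        site, expiry = self._entries.get(src_ip, (None, 0.0))
        if site is None or now >= expiry or site in self.down:
            site = next(s for s in self._rr if s not in self.down)
        # Model assumption: every answered query (re)starts the persistence timer.
        self._entries[src_ip] = (site, now + self.persist_timeout)
        return site

@dataclass
class Client:
    gslb: Gslb
    ttl: float                     # seconds the client caches the DNS answer
    ip: str = "198.51.100.7"       # constructed sample address
    _cached: tuple = (None, 0.0)   # (site, cache expiry)

    def connect(self, now):
        site, expiry = self._cached
        if site is None or now >= expiry:          # cache expired: ask GSLB again
            site = self.gslb.resolve(self.ip, now)
            self._cached = (site, now + self.ttl)
        return site

def launch_lands_on_login_site(ttl, persist_timeout, launch_at):
    """True if the app launch at launch_at hits the site used for login at t=0."""
    client = Client(Gslb(persist_timeout), ttl)
    return client.connect(0.0) == client.connect(launch_at)

def seconds_stuck_on_failed_site(ttl, fail_at):
    """Seconds after a site failure during which the client still uses it."""
    gslb = Gslb(persist_timeout=ttl + 120)         # TTL + 2 min, as suggested above
    client = Client(gslb, ttl)
    dead = client.connect(0.0)
    gslb.down.add(dead)                            # the login site fails at fail_at
    t = fail_at
    while client.connect(t) == dead:               # retry once per second
        t += 1.0
    return t - fail_at
```

With a 5-second TTL and no persistence, a launch 30 seconds after login resolves to the other site; with persistence at TTL plus 120 seconds it stays put, while a 300-second TTL keeps the client on a failed site for up to the rest of the cached lifetime.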
