help understanding NetScaler Gateway 'show aaa session' output


Dave Bishop

I'm trying to understand what the sho aaa output is showing on a NetScaler running Gateway service (v12.1).
I ran sho aaa session & got one user listed twice:
         ClientIp (ClientPort)  ->  ServerIp(ServerPort)
        ----------------------- -----------------------
PE id : 1
User name: abc123               Session Type: VPN               Session Key: 6dcbba<.....>
User name: abc123               Session Type: VPN               Session Key: 6dcb49<.....>
 Done

I then ran:
sho vpn icaConnection
1)      User name: abc123       Domain name: my.domain.uk
        Client IP(Client Port): public.ip.238.20(40127)
        XenApp/XenDesktop IP(XenApp/XenDesktop Port): 10.private.ip.here(2598)
        Transport Protocol : TCP
2)      User name: abc456       Domain name: my.domain.uk
        Client IP(Client Port): public.ip.221.149(58997)
        XenApp/XenDesktop IP(XenApp/XenDesktop Port): 10.private.ip.here(2598)
        Transport Protocol : TCP
3)      User name: abc789       Domain name: my.domain.uk
        Client IP(Client Port): public.ip.214.96(31696)
        XenApp/XenDesktop IP(XenApp/XenDesktop Port): 10.private.ip2.here(2598)
        Transport Protocol : TCP
 Done
 
Some time later, I re-ran the commands and sho aaa session returned no users; however, user abc123 was still connected as an ICA user.

So, to my question: this is my guess at what it's showing. Is it correct?
The 'sho aaa session' output just shows users who, at that instant in time, are logging into the gateway/portal page. Once they have authenticated, they set up an ICA connection.
After a period of time, they time out of Gateway and so are not shown on 'sho aaa session'; however, because they have an active ICA connection, they remain connected and are listed in 'sho icaConnection'.
Hope this makes sense, any help appreciated.

Hi Dave,

Your understanding is correct. AAA session and ICA session are two separate entities from the Gateway perspective.

Val 
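
Because the two lists are separate, an audit of who is connected has to read both. The script below is an added example, not part of the original posts and not Citrix code: it parses the two outputs and reports users who hold an ICA connection with no AAA session, and users with more than one AAA session. The sample text is the first two records from the excerpts above, and the layout is assumed to match those v12.1 excerpts; the function and key names are hypothetical.

```python
import re
from collections import Counter

# Sample text copied from the outputs quoted in the thread (placeholders kept as posted).
AAA_OUTPUT = """\
PE id : 1
User name: abc123               Session Type: VPN               Session Key: 6dcbba<.....>
User name: abc123               Session Type: VPN               Session Key: 6dcb49<.....>
 Done
"""
ICA_OUTPUT = """\
1)      User name: abc123       Domain name: my.domain.uk
        Client IP(Client Port): public.ip.238.20(40127)
        XenApp/XenDesktop IP(XenApp/XenDesktop Port): 10.private.ip.here(2598)
        Transport Protocol : TCP
2)      User name: abc456       Domain name: my.domain.uk
        Client IP(Client Port): public.ip.221.149(58997)
        XenApp/XenDesktop IP(XenApp/XenDesktop Port): 10.private.ip.here(2598)
        Transport Protocol : TCP
 Done
"""
AAA_RE = re.compile(r"^User name:\s*(\S+)\s+Session Type:\s*(\S+)", re.M)
ICA_RE = re.compile(
    r"^\d+\)\s+User name:\s*(\S+)\s+Domain name:\s*(\S+)\s*\n"
    r"\s*Client IP\(Client Port\):\s*(\S+)\((\d+)\)\s*\n"
    r"\s*XenApp/XenDesktop IP\(XenApp/XenDesktop Port\):\s*(\S+)\((\d+)\)", re.M)

def parse_aaa(text):
    """Count AAA sessions per user name (one 'User name:' line per session)."""
    return Counter(user for user, _type in AAA_RE.findall(text))

def parse_ica(text):
    """Return one dict per ICA connection record."""
    keys = ("user", "domain", "client_ip", "client_port", "vda_ip", "vda_port")
    return [dict(zip(keys, m)) for m in ICA_RE.findall(text)]

def correlate(aaa_text, ica_text):
    """Compare the two views; neither list is expected to be a subset of the other."""
    aaa, ica = parse_aaa(aaa_text), parse_ica(ica_text)
    ica_users = {c["user"] for c in ica}
    return {
        "ica_without_aaa": sorted(ica_users - set(aaa)),
        "aaa_without_ica": sorted(set(aaa) - ica_users),
        "multiple_aaa": {u: n for u, n in aaa.items() if n > 1},
    }

if __name__ == "__main__":
    print(correlate(AAA_OUTPUT, ICA_OUTPUT))
```

An empty AAA list alongside a populated ICA list, as in the second run described in the question, shows up as every ICA user under `ica_without_aaa`.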
