Markus Hummel1709161872 Posted March 31, 2020 Share Posted March 31, 2020 Good morning, we're using our ADC VPX in a traditional setup just to access our Virtual Apps and Desktops farm. Everything was setup and tested to support EDT/DTLS but something has changed an is only working sometimes now. When forcing sessions to use EDT, they sometimes get an error message like this: In these cases, ns.log shows the following error: Mar 31 07:58:15 <local0.debug> 192.168.x.x 03/31/2020:05:58:15 GMT citrix-adc 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 1496122 0 : SPCBId 875950 - ClientIP 192.168.x.x - ClientPort 443 - VserverServiceIP 87.158.x.x - VserverServicePort 56693 - ClientVersion DTLSv1.0 - CipherSuite "ECDHE-RSA-AES128-SHA SSLv2 Non-Export 128-bit" - Reason "Handshake failure-Internal Error" I'm a little bit over my head here. Does anyone have an idea how to debug / fix this, please? Link to comment Share on other sites More sharing options...
Diego Oliveira Posted March 31, 2020 Share Posted March 31, 2020 Check if the following Citrix article helps: https://support.citrix.com/article/CTX226385 If you have any firewall between this communication, check if the port UDP 443 is allowed. "If there is a security device, like a firewall, between your Receiver and your NetScaler Gateway who block UDP 443 (in a working scenario), app / desktop will launch without any problem, with TCP only (unless HDX Adaptive Transport policy is set to Diagnostic mode, which only allows EDT then)." Link to comment Share on other sites More sharing options...
Markus Hummel1709161872 Posted March 31, 2020 Author Share Posted March 31, 2020 1 hour ago, Diego Oliveira said: Check if the following Citrix article helps: https://support.citrix.com/article/CTX226385 If you have any firewall between this communication, check if the port UDP 443 is allowed. "If there is a security device, like a firewall, between your Receiver and your NetScaler Gateway who block UDP 443 (in a working scenario), app / desktop will launch without any problem, with TCP only (unless HDX Adaptive Transport policy is set to Diagnostic mode, which only allows EDT then)." I've tried these steps but still can't figure it out. Interestingly, it seems to be working for some of my users: 10% are able to connect via UDP/EDT/DTLS, they other 90% are not. I forgot to mention: ADC is installed in version 12.1 56.22. I made an update today, but nothing seems to have changed. There a loads of "Handshake failure-Internal Error" in my debug log Link to comment Share on other sites More sharing options...
Diego Oliveira Posted March 31, 2020 Share Posted March 31, 2020 What is different about these users? Same version of citrix receivers: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/hdx/adaptive-transport.html#troubleshoot-edt-connections Is UDP port 2598 allowed for all VDAs? Link to comment Share on other sites More sharing options...
Julian Jakob Posted April 1, 2020 Share Posted April 1, 2020 14 hours ago, Markus Hummel1709161872 said: I've tried these steps but still can't figure it out. Interestingly, it seems to be working for some of my users: 10% are able to connect via UDP/EDT/DTLS, they other 90% are not. I forgot to mention: ADC is installed in version 12.1 56.22. I made an update today, but nothing seems to have changed. There a loads of "Handshake failure-Internal Error" in my debug log Hi, as you wrote 10% of your users are able and about 90% not - watch out that DTLS is not supporting IPv6 on the ADC site at this time. If your Users don't have public IPv4 Adresses anymore - only IPv6 - the fallback to TCP could fail and so no connection can be set up. So what I would suggest to do is. Go to a Client which cannot connect, set the following registry key (which forces to TCP at the clientside) and check if the user can connect: [HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\EDT] REG_SZ = HDXOverUDP = off See (https://getadmx.com/?Category=Citrix_Receiver&Policy=receiver.Policies.receiver::Policy_TransportProtocal) If it's working you can deploy the regkey to all clients with the problem or go back to TCP and disable DTLS at your ADC gateway so nobody has problems to connect. Best Regards Julian Link to comment Share on other sites More sharing options...
Ayman Shamshad Posted May 18, 2020 Share Posted May 18, 2020 Having similar problems. The difference is that 90% of our users are able to connect via udp and the remaining 10% are not. Fall back to tcp does NOT work. In our case, citrix adc is on azure. I have already tried changing the mtu and also tried mtu discovery. Both do not help with the problem. All users are able to connect via tcp only In our case, the user gets this error. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now