ADC VPX: DTLSv1.0 "Handshake failure-Internal Error"?

[Markus Hummel1709161872]

Good morning,

we're using our ADC VPX in a traditional setup just to access our Virtual Apps and Desktops farm.

Everything was setup and tested to support EDT/DTLS but something has changed an is only working sometimes now.

 

When forcing sessions to use EDT, they sometimes get an error message like this:

 

In these cases, ns.log shows the following error:

Mar 31 07:58:15 <local0.debug> 192.168.x.x 03/31/2020:05:58:15 GMT citrix-adc 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 1496122 0 :  SPCBId 875950 - ClientIP 192.168.x.x - ClientPort 443 - VserverServiceIP 87.158.x.x - VserverServicePort 56693 - ClientVersion DTLSv1.0 - CipherSuite "ECDHE-RSA-AES128-SHA SSLv2 Non-Export 128-bit" - Reason "Handshake failure-Internal Error"

I'm a little bit over my head here. Does anyone have an idea how to debug / fix this, please?

[Diego Oliveira]

Check if the following Citrix article helps: https://support.citrix.com/article/CTX226385

If you have any firewall between this communication, check if the port UDP 443 is allowed.

 

"If there is a security device, like a firewall, between your Receiver and your NetScaler Gateway who block UDP 443 (in a working scenario), app / desktop will launch without any problem, with TCP only (unless HDX Adaptive Transport policy is set to Diagnostic mode, which only allows EDT then)."

[Markus Hummel1709161872]

1 hour ago, Diego Oliveira said:

Check if the following Citrix article helps: https://support.citrix.com/article/CTX226385

If you have any firewall between this communication, check if the port UDP 443 is allowed.

 

"If there is a security device, like a firewall, between your Receiver and your NetScaler Gateway who block UDP 443 (in a working scenario), app / desktop will launch without any problem, with TCP only (unless HDX Adaptive Transport policy is set to Diagnostic mode, which only allows EDT then)."

I've tried these steps but still can't figure it out.

Interestingly, it seems to be working for some of my users: 10% are able to connect via UDP/EDT/DTLS, they other 90% are not.

 

I forgot to mention: ADC is installed in version 12.1 56.22.

I made an update today, but nothing seems to have changed. There a loads of "Handshake failure-Internal Error" in my debug log

[Diego Oliveira]

What is different about these users?

Same version of citrix receivers: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/hdx/adaptive-transport.html#troubleshoot-edt-connections

Is UDP port 2598 allowed for all VDAs?

[Julian Jakob]

14 hours ago, Markus Hummel1709161872 said:

I've tried these steps but still can't figure it out.

Interestingly, it seems to be working for some of my users: 10% are able to connect via UDP/EDT/DTLS, they other 90% are not.

 

I forgot to mention: ADC is installed in version 12.1 56.22.

I made an update today, but nothing seems to have changed. There a loads of "Handshake failure-Internal Error" in my debug log

 

Hi,

 

as you wrote 10% of your users are able and about 90% not - watch out that DTLS is not supporting IPv6 on the ADC site at this time. If your Users don't have public IPv4 Adresses anymore - only IPv6 - the fallback to TCP could fail and so no connection can be set up.

 

So what I would suggest to do is. Go to a Client which cannot connect, set the following registry key (which forces to TCP at the clientside) and check if the user can connect:

 

[HKEY_CURRENT_USER\Software\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\EDT]

 

REG_SZ = HDXOverUDP = off

 

See (https://getadmx.com/?Category=Citrix_Receiver&Policy=receiver.Policies.receiver::Policy_TransportProtocal)

 

If it's working you can deploy the regkey to all clients with the problem or go back to TCP and disable DTLS at your ADC gateway so nobody has problems to connect. 

 

Best Regards

Julian

[Ayman Shamshad]

Having similar problems. The difference is that 90% of our users are able to connect via udp and the remaining 10% are not. Fall back to tcp does NOT work. In our case, citrix adc is on azure. I have already tried changing the mtu and also tried mtu discovery. Both do not help with the problem. All users are able to connect via tcp only

In our case, the user gets this error.