
Netscaler gateway Application not running


When accessing the published apps from the gateway, I get the error "The Citrix SSL server you have selected is not accepting connections."


When I test using the storefront URL internally, it is working fine. And when I test using the Gateway VIP it gives this error. 


The VIP, SNIP and servers are all in one subnet. This is for testing. However, I am stuck with this error. It was working fine until I installed an application on the App server and it requested a restart of the machine. Since then, the NetScaler gateway gives me this error.


I checked the certificate, downgraded the receiver, tested from different browsers and different users, yet the same error appears.



You should check the syslog and nslog on the ADC for any other specific errors that may give you some insight into what is happening. (Notes at end.)

And check the "Delivery Services" event log on the destination StoreFront server(s), to see what they are reporting.


Also, it helps to know at which phase of the connection the error is reported:

1) Can you successfully pass authentication on the gateway, and is the gateway generating the error, or is the error occurring at hand-off to StoreFront (prior to retrieving resources)?  You can tell: if the path still says /vpn/index.htm or /vpn/tmindex.htm, you are still on the vpn vserver, so the issue is BEFORE contacting StoreFront.  If you see the gateway FQDN with the /citrix/<storename web> path, then the issue is either in the session policy details of the store to reach or likely an issue on the StoreFront during the authentication verification phase or XML broker enumeration phase.  StoreFront should have errors that would help you know what to look at next.


2) If you are getting a list of applications back, but the issue occurs during launch, then it is likely related to resource selection (StoreFront/XML brokers), STA requests (from StoreFront) or STA redemption from the gateway.  There are ways to narrow this down, but more info would help.


If the internal users are working, but external via your test gateway is failing, then a few things to look at include:

1) Do you have the same ADC doing gateway AND storefront load balancing?  Because you made the note about the test environment and vip/snips all in same subnet, there could be an issue here colliding with the storefront's ability to detect gateway (external) vs storefront only (internal) users and may require either beacons OR the gateway definition to be updated to distinguish between gateway vs storefront users.


2) Also, because of your "test" networks, you may be missing firewall rules or routes affecting the gateway to storefront communication that you may not normally encounter. So an nstrace may be required.


3) Always validate your certs on the gateway and StoreFront; validate that your session policy has the proper StoreFront store paths specified. Verify StoreFront has the proper details for the gateway integration and the XML brokers listed.  Verify the gateway can resolve names to IPs for the StoreFront destinations.


Log Examples:

To check syslog on ADC:


cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED

(This will give you all the non-config change events). Gateway stuff will span modules:  AAA, TCP, SSLVPN. Look for authentication, authorization denies, and gateway/sta events.


For nslog:


cd /var/nslog

nsconmsg -K newnslog -d consmsg

nsconmsg -K newnslog -d event


In one of these you will see the status of the gateway probe to storefront (not the services) but the storefront lb vserver check.  If Gateway cannot probe the "storefront" destination via the lb vip you have specified, the gateway will assume storefront is not working and will not attempt an HDX proxy connection. You will see a monitor probe failure listing your lb vserver name (not a service name).   


On StoreFront (all storefront servers):
Check the event log, and look specifically in the Delivery Services log  as this will be most of the storefront events. If the request is getting to storefront at all, this will be the best indicator of what storefront is having an issue with and can point you to specific xml brokers or other issues.


For delivery controllers, check the regular Application log for key events related to Citrix Broker Service (though other issues may be highlighted).
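
An added example, not part of the original reply: a shell function that goes one step past the `tail | grep -v CMD_EXECUTED` filter above and counts events per module for AAA, TCP and SSLVPN. The field layout after the `default` marker and the sample log lines are assumptions constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed ns.log layout: "<syslog header> : default <MODULE> <EVENT> <id> 0 : <message>"

# gateway_events: read ns.log lines on stdin, drop config-change noise
# (CMD_EXECUTED) and print "MODULE EVENT count" for AAA, TCP and SSLVPN.
gateway_events() {
    grep -v CMD_EXECUTED | awk '
        {
            # Find the "default" marker; the module and event follow it.
            for (i = 1; i < NF; i++) {
                if ($i != "default") continue
                m = $(i + 1)
                if (m == "AAA" || m == "TCP" || m == "SSLVPN")
                    count[m " " $(i + 2)]++
                break
            }
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# sample_log: constructed log lines (documentation IP ranges, made-up users).
sample_log() {
    cat <<'EOF'
Jan 10 09:00:01 <local0.info> 192.0.2.10 01/10/2024:09:00:01 GMT adc1 0-PPE-0 : default SSLVPN LOGIN 101 0 : User testuser - Client_ip 203.0.113.5
Jan 10 09:00:02 <local0.info> 192.0.2.10 01/10/2024:09:00:02 GMT adc1 0-PPE-0 : default CLI CMD_EXECUTED 102 0 : User nsroot - Command "show ns config"
Jan 10 09:00:03 <local0.info> 192.0.2.10 01/10/2024:09:00:03 GMT adc1 0-PPE-0 : default AAA LOGIN_FAILED 103 0 : User testuser - Client_ip 203.0.113.5
Jan 10 09:00:04 <local0.info> 192.0.2.10 01/10/2024:09:00:04 GMT adc1 0-PPE-0 : default SSLVPN ICASTART 104 0 : Source 203.0.113.5 - Destination 192.0.2.20
Jan 10 09:00:05 <local0.info> 192.0.2.10 01/10/2024:09:00:05 GMT adc1 0-PPE-0 : default SSLVPN LOGIN 105 0 : User other - Client_ip 203.0.113.6
Jan 10 09:00:06 <local0.info> 192.0.2.10 01/10/2024:09:00:06 GMT adc1 0-PPE-0 : default TCP CONN_TERMINATE 106 0 : Source 203.0.113.5:50000
EOF
}

# On the ADC: gateway_events < /var/log/ns.log
sample_log | gateway_events
```

A module that shows logins but no launch-related events during a failed app launch narrows the problem to the phase described in point 2 above.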


