
Session Timeout NetScaler Gateway 5 Minutes


Christian Maus

Hello everybody,

I'm having an issue with a timeout after exactly 5 minutes.

Once the user has logged in via a Citrix Gateway on the first login schema (LDAP), the next login schema appears (OTP). After exactly 5 minutes without any input in this window, the session gets disconnected and the user needs to re-enter LDAP credentials. Where are those 5 minutes coming from (we want to decrease this time)?

Any idea where I can find this setting?

root@NetScaler# tail -f /var/log/ns.log | grep -i aaa

Aug 26 12:15:59 <local0.info> 1.1.1.1 08/26/2020:10:15:59 GMT NetScaler 0-PPE-2 : default AAATM LOGOUT 56639 0 :  User citrixuser - Client_ip 1.2.3.4 - Nat_ip "Mapped Ip" - Vserver 1.2.3.5:443 - Start_time "08/26/2020:10:10:59 GMT" - End_time "08/26/2020:10:15:59 GMT" - Duration 00:05:00  - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A"

 

 

In the ns.conf I only find a hint with 300 seconds in the SSL policy "Session Ticket Life Time (secs)".

Any hints would be appreciated.

Thanks!

Chris

 


Hi, the 'Session Ticket Life Time (secs)' is controlled in SSL Profiles.  I assume you've tried changing the value but no joy.

A couple of things spring to mind.

If you monitor aaad.debug, does the timeout get recorded any differently from the ns.log entry and give a clue as to the process that is failing/causing the timeout? May help further googling..?

Also, have you read https://support.citrix.com/article/CTX236072 - I've never had to use it, but may give a hint as to what to look at?

Good luck!


Hello Stuart,

I do not see any indication of where to find this.

The "Session Ticket Life Time (secs)" is set to 300 sec, but this is also the minimum time.

We want to decrease the session timeout to 2 minutes (in case no one enters anything in the 2nd factor).

I checked again with aaad.debug:

Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[925]: receive_ldap_user_search_event 0-50296: User search succeeded, attempting user authentication(Bind) for <MAIN-USER>
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5948]: register_timer 0-50296: setting timer 132161
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[2125]: receive_ldap_user_bind_event 0-50296: Got user bind event.
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[465]: ns_ldap_check_result 0-50296: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[503]: ns_ldap_check_result 0-50296: ldap_result found expected result LDAP_RES_BIND
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[2134]: receive_ldap_user_bind_event 0-50296: Bind OK.
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[6025]: unregister_timer 0-50296: releasing timer 132161
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[2228]: receive_ldap_user_bind_event 0-50296: User authentication (Bind event) for user MAIN-USER succeeded
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[4166]: send_accept 0-50296: sending accept to kernel for : MAIN-USER
Wed Sep  2 08:03:06 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[4082]: aaad_alloc_serialize_keyValue_attrs 0-50296: Total attribute values to PE : 68, email=MAIN-USER@test.de

Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[465]: ns_ldap_check_result 0-50302: checking LDAP result.  Expecting 97 (LDAP_RES_BIND)
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_common.c[503]: ns_ldap_check_result 0-50302: ldap_result found expected result LDAP_RES_BIND
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[221]: receive_ldap_bind_event 0-50302: Bind OK
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[6025]: unregister_timer 0-50302: releasing timer 132180
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[290]: receive_ldap_bind_event 0-50302: Original slen: 0
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/ldap_drv.c[302]: receive_ldap_bind_event 0-50302: Received LDAP Bind event, username is coming in invalid format

Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5033]: send_reject_with_code 0-50302: Not trying cascade again 4001
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5035]: send_reject_with_code 0-50302: sending reject to kernel for :
Wed Sep  2 08:09:17 2020
 /usr/home/build/adc/usr.src/netscaler/aaad/naaad.c[5056]: send_reject_with_code 0-50302: Rejecting with error code 4001
Wed Sep  2 08:09:20 2020

Sep  2 08:03:06 <local0.warn> 1.4.107.211 09/02/2020:08:03:06 GMT NetScalerc0-PPE-0 : default SSLVPN Message 14693703 0 :  "Created nFactor session for user MAIN-USER"
Sep  2 08:08:06 <local0.info> 1.4.107.211 09/02/2020:08:08:06 GMT NetScalerc0 0-PPE-0 : default AAATM LOGOUT 14695691 0 :  User MAIN-USER - Client_ip 1.2.3.4 - Nat_ip "Mapped Ip" - Vserver 1.1.1.3:443 - Start_time "09/02/2020:08:03:06 GMT" - End_time "09/02/2020:08:08:06 GMT" - Duration 00:05:00  - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A"
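
The pairing of the "Created nFactor session" message with the timed-out AAATM LOGOUT record in the post above can be done mechanically over a whole ns.log. This is an added example, not part of the thread and not Citrix code: it parses LOGOUT records in the format quoted above and lists logins that timed out without accessing any resource, which is used here as an assumed heuristic for a login left waiting at a later factor. The sample lines, host name, users and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the ns.log entries quoted in the thread;
# host, users and addresses are made up and the counter fields are shortened.
SAMPLE_LOG = '''\
Sep  2 08:03:06 <local0.warn> 192.0.2.10 09/02/2020:08:03:06 GMT ns1 0-PPE-0 : default SSLVPN Message 101 0 :  "Created nFactor session for user alice"
Sep  2 08:08:06 <local0.info> 192.0.2.10 09/02/2020:08:08:06 GMT ns1 0-PPE-0 : default AAATM LOGOUT 102 0 :  User alice - Client_ip 198.51.100.7 - Nat_ip "Mapped Ip" - Vserver 192.0.2.20:443 - Start_time "09/02/2020:08:03:06 GMT" - End_time "09/02/2020:08:08:06 GMT" - Duration 00:05:00  - Http_resources_accessed 0 - Total_TCP_connections 0 - LogoutMethod "TimedOut" - Group(s) "N/A"
Sep  2 09:00:00 <local0.info> 192.0.2.10 09/02/2020:09:00:00 GMT ns1 0-PPE-0 : default AAATM LOGOUT 103 0 :  User bob - Client_ip 198.51.100.8 - Nat_ip "Mapped Ip" - Vserver 192.0.2.20:443 - Start_time "09/02/2020:08:10:00 GMT" - End_time "09/02/2020:09:00:00 GMT" - Duration 00:50:00  - Http_resources_accessed 12 - Total_TCP_connections 4 - LogoutMethod "TimedOut" - Group(s) "N/A"
'''

TS = "%m/%d/%Y:%H:%M:%S GMT"  # timestamp layout used inside the log records
NFACTOR_RE = re.compile(
    r'(\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d GMT) .*"Created nFactor session for user (\S+)"')

def parse_logout(line):
    """Return the key/value fields of an AAATM LOGOUT record, or None."""
    _, found, rest = line.partition(" AAATM LOGOUT ")
    _, colon, body = rest.partition(" : ")  # drop the "<event id> 0 :" prefix
    if not (found and colon):
        return None
    pairs = (p.strip().partition(" ") for p in re.split(r"\s+-\s+", body.strip()))
    return {key: value.strip().strip('"') for key, _, value in pairs}

def abandoned_logins(log_text):
    """TimedOut sessions that accessed no resource (assumed: stalled at a factor)."""
    created, hits = set(), []
    for line in log_text.splitlines():
        m = NFACTOR_RE.search(line)
        if m:
            created.add((m.group(2), m.group(1)))  # (user, creation time)
            continue
        rec = parse_logout(line)
        if not rec or rec.get("LogoutMethod") != "TimedOut":
            continue
        if rec.get("Http_resources_accessed") != "0":
            continue  # an established session that went idle later
        start = datetime.strptime(rec["Start_time"], TS)
        end = datetime.strptime(rec["End_time"], TS)
        hits.append({
            "user": rec["User"], "client_ip": rec["Client_ip"],
            "seconds": int((end - start).total_seconds()),
            "nfactor": (rec["User"], rec["Start_time"]) in created,
        })
    return hits

if __name__ == "__main__":
    print(abandoned_logins(SAMPLE_LOG))
```

If every hit reports the same `seconds` value, the cut-off is a fixed timer rather than client behaviour, which is what the 00:05:00 durations in the thread suggest.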
 
