Jump to content
Welcome to our new Citrix community!

NSEPA 13.0.64.35 via HTTP proxy returns 12029


Recommended Posts

Hi all,

 

we had Netscaler 13.0-58.32 up an running and were using EPA scans to secure access to our published desktops.

 

For internal and external access the EPA scan was used.

 

After upgrading to 64.35 the NSEPA.exe seem no longer support access through HTTP proxy. 

 

In nsepa.txt I can see 

=========================
nsepa.exe
Date: 2020-10-5
Time: 16:14:40
Version: 13.0.64.35
=========================
16:14:40.108 | DEBUG   | Browser handle is 00020258 
16:14:40.108 | DEBUG   | isPostEPA is set to 0 in UI 
16:14:40.108 | DEBUG   | Start listening for messages
16:14:40.568 | DEBUG   | EPA dialog is ready. Window ID=00080678
16:14:40.568 | DEBUG   | No setting for language exists. We will use system language
16:14:40.568 | DEBUG   | syspath=C:\Users\thats.me\AppData\Local
16:14:40.573 | DEBUG   | It is pre-Auth EPA and user hasn't marked this as trusted connection. We will show trust dialog 
16:14:40.664 | DEBUG   | Google analytics Request sent successfully
16:14:40.664 | DEBUG   | Sending v=1&aip=1&tid=UA-59929653-34&cid=289e5a56-e9cc-4a5f-9858-8197abf4a02d&an=WinEPA&av=13.0.64.35&ul=de&t=screenview&cd=Chrome for Google Analytics request.
16:14:40.821 | DEBUG   | Google analytics Request sent successfully
16:14:42.938 | DEBUG   | User trusts the vserver 
16:14:42.939 | DEBUG   | created a new thread for EPA 
------------------------------------------------------------------------------------------
				Phase: Pre Authentication EPA
------------------------------------------------------------------------------------------
16:14:42.940 | EVENT   | Initiating EPA SCAN
16:14:42.940 | DEBUG   | EPA plugin got triggered with cookie
16:14:42.940 | DEBUG   | vip=255.255.255.254
16:14:42.940 | DEBUG   | ns_enablessl=1 basevport=0xbb01
16:14:42.940 | DEBUG   | Input params: cookie length 32 location https://this.ismydomain.de/epa/epa.html/ debug DEBUG vip this.ismydomain.de version 13.0.64.35
16:14:42.941 | EVENT   | Making GET request to https://this.ismydomain.de:443epatype
16:14:42.941 | VERBOSE | [<GET epatype HTTP/1.1

Cookie: NSC_TMAS=********************************

Date: 1601907282



>]
16:15:03.998 | ERROR   | ns_GetLastError | 163 | HttpSendRequest -- Error 12029 A connection with the server could not be established


16:15:03.999 | DEBUG   | Looks like network failure. We won't remove saved user cert preferences (if such preferences exist) error-code : 12029
16:15:03.999 | DEBUG   | ns_HTTPrequest return value is: -4
16:15:03.999 | ERROR   | ns_start_epa | 971 | Error while checking EPA type
16:15:03.999 | DEBUG   | ns_start_epa returning Endpunktscan konnte nicht gestartet werden.
16:15:03.999 | DEBUG   | num_mallocPolicyBuffer=0
16:15:03.999 | DEBUG   | releasing buffers
16:15:03.999 | DEBUG   | ns_StopSSL called
16:15:04.000 | DEBUG   | ns_UnloadSecurityLibrary done
16:15:04.000 | EVENT   | EPA has successfully completed
16:15:04.000 | DEBUG   | EPA complete. stop showing progressbar 
16:15:04.013 | EVENT   | EPA check finished : Error while running EPA scans 
16:15:04.091 | DEBUG   | ShowEPADialog returned 1 

With previous version - on same PC with same network setup it looked like this:

=========================
nsepa.exe
Date: 2020-10-2
Time: 10:54:42
Version: 13.0.58.32
=========================
10:54:42.896 | DEBUG   | Browser handle is 004A0FC4 
10:54:42.896 | DEBUG   | isPostEPA is set to 0 in UI 
10:54:42.896 | DEBUG   | Start listening for messages
10:54:43.351 | DEBUG   | Google analytics Request sent successfully
10:54:43.351 | DEBUG   | Sending v=1&aip=1&tid=UA-59929653-34&cid=289e5a56-e9cc-4a5f-9858-8197abf4a02d&an=WinEPA&av=13.0.58.32&ul=de&t=screenview&cd=Chrome for Google Analytics request.
10:54:43.397 | DEBUG   | EPA dialog is ready. Window ID=004814CE
10:54:43.398 | DEBUG   | No setting for language exists. We will use system language
10:54:43.398 | DEBUG   | syspath=C:\Users\thats.me\AppData\Local
10:54:43.404 | DEBUG   | It is pre-Auth EPA and user hasn't marked this as trusted connection. We will show trust dialog 
10:54:43.429 | DEBUG   | Google analytics Request sent successfully
10:54:45.515 | DEBUG   | User trusts the vserver 
10:54:45.515 | DEBUG   | created a new thread for EPA 
------------------------------------------------------------------------------------------
				Phase: Pre Authentication EPA
------------------------------------------------------------------------------------------
10:54:45.516 | EVENT   | Initiating EPA SCAN
10:54:45.516 | DEBUG   | EPA plugin got triggered with cookie
10:54:45.516 | DEBUG   | vip=255.255.255.254
10:54:45.517 | DEBUG   | ns_enablessl=1 basevport=0xbb01
10:54:45.517 | DEBUG   | Input params: cookie length 32 location https://this.ismydomain.de/epa/epa.html/ debug DEBUG vip this.ismydomain.de version 13.0.58.32
10:54:45.517 | EVENT   | Making GET request to https://this.ismydomain.de:443epatype
10:54:45.517 | VERBOSE | [<GET epatype HTTP/1.1

Cookie: NSC_TMAS=********************************

Date: 1601628885



>]
10:54:45.839 | DEBUG   | downloaded total 156 bytes
10:54:45.839 | DEBUG   | ns_HTTPrequest return value is: 156
10:54:45.839 | DEBUG   | csec_opts header is not present, first device cert will be selected based on last expiry date 
10:54:45.839 | EVENT   | Device Cert check Absent and EPA is Present 
10:54:45.839 | EVENT   | Making GET request to https://this.ismydomain.de:443epaq
10:54:45.839 | VERBOSE | [<GET epaq HTTP/1.1

Cookie: NSC_TMAS=********************************

Date: 1601628885



>]
10:54:46.151 | DEBUG   | downloaded total 479 bytes
10:54:46.151 | DEBUG   | ns_HTTPrequest return value is: 479
10:54:46.151 | DEBUG   | Received headers size 34816
10:54:46.151 | DEBUG   | Received headers size 5000

 

As soon as I connect same PC running 64.35 to a different network not having a proxy in between EPA-Scan works again.

 

I already checked network traffic and saw the GET request with "epatype" is NOT using proxy when using the latest version.

 

Does somebody already stumbled over same issue or is there maybe any configuration change which is now required with 64.35 ?

 

Thank you in advance

Heiko

 

 

Link to comment
Share on other sites

This sounds like a code BUG. I would recommend you to perform the following testing in order to determine where the problem is at but most likely is on the NSGW Client side:

  1. Disable plugin upgrade on Session Policy
  2. Uninstall 13.0.64.35 plugin from client
  3. Install 13.0-58.32 plugin on client (download from citrix.com)
  4. Connect to 13.0.64.35 gateway using 13.0.58.32 plugin in network with HTTP Proxy.
  5. If works, issue is at the NSGW Plugin side, as WA you could disable plugin upgrade and push 13.0.58.32 installer to all endpoints.
  6. If doesn't, issue is at the ADC code level.

Regardless, open a case with TS for getting this addressed.

 

Hope this helps

  • Like 1
Link to comment
Share on other sites

Thank you - seems I just required one to push myself to right direction ;-)

 

Indeed it looks like a bug in nsepa.exe. I reverted to 13.0.58.32 and access through proxy worked again. Confusingly the bug seem to be introduced with 13.0.61.48 already. After I saw it working again using 13.0.58.32, I updated to 13.0.61.48 and again it was no longer using proxy connection. After reverting to 13.0.58.32 again my connection worked

 

As of now it seems 13.0.61.48 and 13.0.64.35 are broken.

 

It's strange this wasn't mentioned here and that's why I spend some more words. Maybe this helps others facing same issue.

 

Maybe it's a silly question, but how can I open a case with technical support ?

 

Thanks

Heiko

 

Link to comment
Share on other sites

  • 9 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...