login exceed maximum allowed users


BCSNHF


Hi Guys

 

Here is my system setup:

Citrix Virtual Apps and Desktop version 1909

Citrix ADC VPX Release NS13.0 41.28.nc

2 x Windows server 2016 multi session servers (i.e. 2 session hosts servers) for load balancing

Citrix License type is User/Device

 

My users use the ICA protocol. They log in by opening a web browser (i.e. Chrome) and typing in the URL, which takes them to the published desktop; when they click on it, it launches the VDI (Windows Server 2016) using the Citrix Workspace app installed on their PC.

 

From time to time, my users who are logging in remotely keep getting an error. It says "Login exceeds maximum allowed user".

However when I login to the license server, it says I'm using 16 out of 22 licenses, so I know that licenses are fine.

 

What's bizarre is that all of a sudden, after about 30 mins, my users are able to log in again without any issues.

 

My questions are:

 

1.  Why does this keep happening every so often?

2. Where can I find out in the logs either on the Citrix ADC Gateway or elsewhere as to what is causing this?

3. Could this be caused by the amount of load on the server farm? If so, which server, the VDI servers?

 

If it was a licensing issue as the error suggests, then it would not allow any users to log in, but bizarrely my users are able to after a certain amount of time.... Very confused!

 

If there is any more information you need to help me solve this conundrum please let me know.

 

Kind Regards

GMSS

[Attachment: Error login.jpg]


Can you tell if the license error is coming from the Gateway OR from the storefront/CVAD controllers?
If in the browser, see if the path says /vpn/<stuff> vs. /Citrix/<StoreName>; if it doesn't say /Citrix/<StoreName>, then the error is coming from the Gateway in most cases.

 

Check your vpn vserver for number of licenses and a license limit on the vpn vserver itself.

1) from CLI:  show ns license  (or GUI:  System > Licenses node)

Confirm amounts for ICA proxy and SSLVPN licenses.  Depending on firmware and product edition, you might have a limit on total vpn licenses and in some ica proxy scenarios, these could be consumed.

 

2) Determine if max logins is set on the vpn vserver

cli:  show vpn vserver <vpn vserver name>

look for a max logins parameter...

or in gui:

Gateway > virtual servers

Edit vpn vserver

Under the Basic Settings, expand the "more" section and see if max logins are set

 

If set, this could limit the total number of gateway sessions that can be created. (In a few cases past firmware would count the session wrong, compounding the problem...but usually that involved XenMobile via Gateway stuff.)

 

Your vpn session policy idle timeout may be affecting at what time those idle sessions time out and are released.

 

--

If the issue is on the CVAD licensing (16 out of 22), there might actually be sessions that are not being released (depending on whether the CVAD licensing is named user or ccu-based).

 

 

 

 

 

 

 


Hi Rhonda,

 

Firstly, thank you for taking the time to respond.

 

I think the error is coming from the Gateway as I'm able to login as a user if I'm directly on the Storefront server.

However I only see /Citrix/<Storename> in the URL after it accepts my credentials. See image

 

[Attachment: 2nd stage screenshot]

The error "Login exceeds maximum allowed user" comes before this page at the login screen (see previous image).

Presumably this is the message that the Gateway is returning? Is there anywhere in the logs where I can find this out?

If so, can you let me know where?

 

We are not using VPN as all our users are connecting remotely using the ICA protocol. Should we be using VPN?

 

[Attachment: 3rd stage screenshot]

 

>> Your vpn session policy idle timeout may be affecting at what time those idle sessions time out and are released.

 

Where can I check if this is the case and can this be changed?

 

>> If the issue is on the CVAD licensing (16 out of 22), there might actually be sessions that are not being released (depending on whether the CVAD licensing is named user or ccu-based).

 

If this is the case, where and how am I able to check this?

 

 

Many Thanks 

GMSS


The gateway vpn vserver is used whether you are in full vpn mode or just doing ICA Proxy (it's all in how the session policies are configured).

 

First:

To check for available licenses on the gateway:

cli:

1) show ns license

Under the vpn vserver, you will also see vpn license and ica proxy license counts.  Both are needed. Usually, ICA proxy connections do not require additional licensing, but there are some cases where some of the advanced features draw from the vpn license count and on older licensed appliance there may be a limit.

 

2) You also need to see if someone set a max limit on the vpn vserver property itself (which is sometimes done to limit license consumption when multiple vservers exist)

show vpn vserver <vpn vserver name>

there may be a Max AAA Login or users. UPDATE:  So in your above screenshot this is 0 which means no limit is specified. Should not be a problem.

 

3) To see if the Gateway is in fact seeing a license issue, you can look at the following:

[1] If the gateway was created using the Unified Gateway wizard, go to that node in the GUI and look in the dashboard in the right-hand pane as it has graphs with current usage and license usage numbers. If there is nothing under the Unified Gateway node, then this will be blank.

[2] Next, go to the Citrix Gateway node in the GUI (NetScaler Gateway node in earlier systems), in the right-pane you should have a couple of options such as:

Show ICA Connections (or active Ica sessions)

Show VPN Connections

Your ICA Proxy should all be under the ICA connections (whether EDT/DTLS or TCP based).  You can see what the gateway is showing as connections here (not directly correlated with licensing, but you might have more than you expected.)

Check the vpn connections, to make sure you aren't consuming vpn licenses unexpectedly. Because if you need those and you have a limited number, you could reach some limits.

 

=========

Second:

Based on your questions above:

 

32 minutes ago, BCSNHF said:

Presumably this is the message that the Gateway is returning? Is there anywhere in the logs where I can find this out?

For logs:

On the Gateway, you are looking at Syslog events.  Syslog is the audit log and it contains events specific to gateway as well.  In the GUI, you can go to System > Auditing (and then look in the right pane for current logs). Going to the CLI and then shell to look at the files directly can sometimes be more useful.

shell

cd /var/log

# either of these may help view logs as they occur

tail -f ns.log | grep -v CMD_EXECUTED

# to search for events in the current log - to see if an event is found

more ns.log | grep license -i

 

On the CVAD environment, I would start by using Citrix Director and then the recent errors in the main dashboard or the past errors under history.

Director will sometimes report reasons why resources are unavailable (related to vda registration failures, unavailable capacity) and give you additional reasons to help with troubleshooting.  If the licensing issue is coming from CVAD, then it may catch the event and give you additional info before additional troubleshooting is performed and may help clarify where the issue originates from.   

 

38 minutes ago, BCSNHF said:

We are not using VPN as all our users are connecting remotely using the ICA protocol. Should we be using VPN?

 

The vpn vserver (gateway) does full vpn, ica proxy, and clientless (web only) functions.  The details are in the session policy configuration.  You are likely doing ICA proxy only, but some advanced features draw from the vpn license counts instead of the ica proxy license count.  You only need the vpn vserver in full vpn mode if you want to connect to CVAD and non-CVAD resources and are comfortable with vpn tunnel configurations.  To get access to CVAD-only apps/desktops it is not required; the vpn vserver in ica proxy mode provides remote access and the user device only requires a Citrix Receiver/Workspace App.

 

40 minutes ago, BCSNHF said:

Your vpn session policy idle timeout may be affecting at what time those idle sessions time out and are released.

 

Where can I check if this is the case and can this be changed?

 

By default, when you authenticate via the vpn vserver (aka Citrix Gateway), the idle timeout is 30 minutes.  This timeout needs to match the StoreFront idle timeout so that when StoreFront needs an idle user to start a new login, the gateway is also prompting for a new login.  StoreFront idle timeouts are in the StoreFront Store's Receiver for Web settings.

On the gateway, the session idle timeout is configured in a session policy applied to the vpn vserver OR to a specific aaa group or the global vpn parameters.

From the cli,

show vpn vserver <vpn vserver name>

See which session policy if any are bound.

In the GUI, select your vpn vserver and click Edit. Scroll down to policies and see which session policy is bound. Select it and click "edit policy action" to see the settings it contains.

 

Then review that session policy's session profile (aka action) for the Session Timeout parameter on the second tab (which is Client Experience, I believe)

This timeout should be the same as the storefront idle timeout.  Once a user logs on, if they do not keep launching apps/interacting with storefront and the connection is idle, then after so much time they will be logged out (which also releases any gateway license). If this is too long and you have a shortage of licenses on the gateway, you could be exceeding your count of licenses.  

 

47 minutes ago, BCSNHF said:

>> If the issue is on the CVAD licensing (16 out of 22), there might actually be sessions that are not being released (depending on whether the CVAD licensing is named user or ccu-based).

 

If this is the case, where and how am I able to check this?

 

to check your CVAD licensing:

1) Which version of XD or CVAD are you on (In case I missed it)?

2) In Citrix Studio (for all XD 7.x and CVAD versions): go to the Licensing tab. Then choose "Product Editions" in the right pane and here you can confirm the license type in use:
STD/ADV/PREM

and license allocation model:

named users or named device 

or 

ccu

 

3) For events related to licensing in CVAD. Start with Director first.  

Then in the CVAD Controller, use event viewer and check the Application event log for license events or errors with the Citrix Broker Service.

Finally, you can check the citrix license server dashboard for alerts. But actual logging you'd have to look up in the Citrix Licensing Admin guide as I don't recall off the top of my head.

 

Hopefully, this will give you a sense of where to look for info on the gateway and on the CVAD environment.

Otherwise you can engage support for troubleshooting.

 

 

 

 

 

 

 

 


Hi Rhonda,

 

Many thanks again for your detailed explanation.

 

>>1) Which version of XD or CVAD are you on (In case I missed it)?

 

I'm using CVAD 1909.

 

I have also now been through the ns.log on the Gateway via the command line and this is the error I was getting:

 

===========================

 

Feb 11 09:19:36 <local0.info> x.x.0.23 02/11/2021:09:19:36 GMT GatewayVPX 0-PPE-0 : default SSLVPN Message 14890 0 :  "Failed to process setclient for id <e0>, user <test.user> due to <license limit reached>"
Feb 11 09:19:36 <local0.info> x.x.0.23 02/11/2021:09:19:36 GMT GatewayVPX 0-PPE-0 : default SSLVPN LOGOUT 14891 0 :  User test.user- Client_ip 46.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.0.x:443 - Start_time "02/11/2021:09:19:36 GMT" - End_time "02/11/2021:09:19:36 GMT" - Duration 00:00:00  - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "InternalError" - Group(s) "N/A"

 

============================

 

What's strange is that without even doing anything, my users after 30 min or so were able to log in fine!  What is worrying is that I've not exceeded my license limit and yet this is what the Gateway had returned when my users were trying to log in at the time....

 

Any ideas what this LogoutMethod "InternalError"  is and how to fix it?

 

Kind Regards

GMSS
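Added example (my own code, not from this thread or from Citrix): a small parser for the two SSLVPN record kinds shown in the ns.log excerpt above, the "Failed to process setclient ... due to <license limit reached>" message and the LOGOUT record with LogoutMethod "InternalError". It does offline what Rhonda's `tail -f ns.log | grep -v CMD_EXECUTED` and `grep license -i` do interactively, but additionally pairs each refused login with the InternalError logout of the same user in the same second, so the report shows which vserver was refusing logins, how many users were hit and over what window. The sample log lines are constructed to mirror the posted excerpt; hostnames, IPs, users and the CMD_EXECUTED line are placeholders, and the exact field order of a real ns.log may differ by firmware.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the ns.log lines posted in the thread.
# IPs, users and the audit (CMD_EXECUTED) line are placeholders, not real data.
SAMPLE_NS_LOG = "\n".join([
    'Feb 11 09:19:36 <local0.info> 10.0.0.23 02/11/2021:09:19:36 GMT GatewayVPX 0-PPE-0 : '
    'default SSLVPN Message 14890 0 :  "Failed to process setclient for id <e0>, '
    'user <test.user> due to <license limit reached>"',
    'Feb 11 09:19:36 <local0.info> 10.0.0.23 02/11/2021:09:19:36 GMT GatewayVPX 0-PPE-0 : '
    'default SSLVPN LOGOUT 14891 0 :  User test.user- Client_ip 46.0.0.1 - Nat_ip "Mapped Ip" '
    '- Vserver 10.0.0.5:443 - Start_time "02/11/2021:09:19:36 GMT" - End_time '
    '"02/11/2021:09:19:36 GMT" - Duration 00:00:00  - Http_resources_accessed 0 '
    '- Total_bytes_send 0 - LogoutMethod "InternalError" - Group(s) "N/A"',
    'Feb 11 09:20:01 <local0.info> 10.0.0.23 02/11/2021:09:20:01 GMT GatewayVPX 0-PPE-0 : '
    'default SSLVPN LOGOUT 14892 0 :  User alice- Client_ip 46.0.0.2 - Nat_ip "Mapped Ip" '
    '- Vserver 10.0.0.5:443 - Start_time "02/11/2021:08:40:10 GMT" - End_time '
    '"02/11/2021:09:20:01 GMT" - Duration 00:39:51  - LogoutMethod "Explicit" - Group(s) "N/A"',
    'Feb 11 09:20:12 <local0.info> 10.0.0.23 02/11/2021:09:20:12 GMT GatewayVPX 0-PPE-0 : '
    'default SSLVPN Message 14894 0 :  "Failed to process setclient for id <e1>, '
    'user <bob> due to <license limit reached>"',
    'Feb 11 09:20:30 <local0.notice> 10.0.0.23 02/11/2021:09:20:30 GMT GatewayVPX 0-PPE-0 : '
    'default GUI CMD_EXECUTED 14895 0 :  User nsroot - Command "show ns license" - Status "Success"',
])

# NetScaler-style timestamp that follows the source IP on every record.
TS_RE = re.compile(r"(\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d \w+)")
# The refused-login message: captures the user and the reason inside the angle brackets.
SETCLIENT_FAIL_RE = re.compile(
    r'SSLVPN Message \d+ \d+ :\s+"Failed to process setclient for id <[^>]*>, '
    r'user <([^>]+)> due to <([^>]+)>"'
)
# The LOGOUT record: user (note the trailing "-" in the log format), client IP, vserver, method.
LOGOUT_RE = re.compile(
    r"SSLVPN LOGOUT \d+ \d+ :\s+User (\S+)- Client_ip (\S+) - .*?Vserver (\S+) - "
    r'.*?LogoutMethod "([^"]+)"'
)


@dataclass
class GatewayEvent:
    timestamp: str
    kind: str           # "setclient_failed" or "logout"
    user: str
    detail: str         # failure reason, or the LogoutMethod value
    vserver: str = ""
    client_ip: str = ""


def parse_ns_log(text):
    """Return the SSLVPN events found in the log text; other records (e.g. CMD_EXECUTED) are skipped."""
    events = []
    for line in text.splitlines():
        ts_match = TS_RE.search(line)
        ts = ts_match.group(1) if ts_match else ""
        m = SETCLIENT_FAIL_RE.search(line)
        if m:
            events.append(GatewayEvent(ts, "setclient_failed", m.group(1), m.group(2)))
            continue
        m = LOGOUT_RE.search(line)
        if m:
            events.append(GatewayEvent(ts, "logout", m.group(1), m.group(4), m.group(3), m.group(2)))
    return events


def license_limit_report(text):
    """Summarise licence-limit refusals and correlate them with InternalError logouts."""
    events = parse_ns_log(text)
    failures = [e for e in events if e.kind == "setclient_failed" and "license limit" in e.detail]
    internal_logouts = [e for e in events if e.kind == "logout" and e.detail == "InternalError"]
    # The LOGOUT with LogoutMethod "InternalError" that lands in the same second as the
    # refusal for the same user is the teardown of the session that never got a licence;
    # pairing them attributes the refusal to a vserver.
    failure_keys = {(e.timestamp, e.user) for e in failures}
    correlated = [e for e in internal_logouts if (e.timestamp, e.user) in failure_keys]
    return {
        "license_limit_failures": len(failures),
        "internal_error_logouts": len(internal_logouts),
        "correlated": len(correlated),
        "affected_users": sorted({e.user for e in failures}),
        "vservers": sorted({e.vserver for e in correlated}),
        "first_seen": failures[0].timestamp if failures else None,
        "last_seen": failures[-1].timestamp if failures else None,
    }


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real /var/log/ns.log (or the
    # rotated ns.log.*.gz files) by reading the file contents instead.
    for key, value in license_limit_report(SAMPLE_NS_LOG).items():
        print(f"{key}: {value}")
```

Two refusals spread over a window, each followed by an InternalError logout on the same vserver, is the pattern of a pool-exhaustion event rather than a single bad client; if the refusals cluster right at the start of the working day and stop about one session-timeout later, that matches the 30-minute idle timeout mentioned earlier in the thread, because the refused users can only get in once idle sessions have been released.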


Hi Carl,

 

Many thanks for your contribution to this.

 

>>ICA Only = false means that your Gateway appliance must have Gateway Universal licenses.  If you change ICA Only to true then no Gateway Universal licenses are needed.

 

I've now enabled ICA Only to True. Will this help with the issue I'm facing? I guess only time will tell...

 

Kind Regards

GMSS

 

 


Hi Martin,

 

>> Check this: Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

 

Many thanks for this, I'm going to try and get this done when I get a clear window.

 

Kind Regards

GMSS 


30 minutes ago, BCSNHF said:

I've now enabled ICA Only to True. Will this help with the issue I'm facing? I guess only time will tell...

GMSS,

The detail of whether this setting will or won't help is tied to the "show ns license" command.

You can see this in the GUI: System > License.

When you look at the list of licenses, it will tell you

SSLVPN (Gateway) feature is enabled and give you two different license counts

ICA users:  (usually is unlimited)

VPN users (or Gateway users; wording may vary): this will either be a number or unlimited.   If it is also unlimited, then the issue isn't with the type of license consumed.  If this is only a number like 5 or 10 or 25, then it very well could have been the cause of your license limit when the ICA only value was OFF, and now that it is ON you will draw from the other pool.

As long as your gateway isn't using epa scans, preauth policies, or smartaccess control for the CVAD environment the ICA ONLY flag is fine.

 

If they were both unlimited and you are seeing a license allocation error on the gateway, then something else is going on.

 

 

 

 


Hi Rhonda,

 

I think we're getting really close to finding out what's supposedly happening. This is what I have in terms of the Gateway License:

 

[Attachment: Gateway license screenshot]

 

It is showing that the "Maximum Citrix Gateway Users Allowed" is set to 5. So am I right in saying that this is for concurrent users, where if the 6th user tries to sign in at the same time, it errors with a licensing error? I'm assuming that this cannot be changed due to the license type and the only way is to purchase an upgraded license?

 

>> As long as your gateway isn't using epa scans, preauth policies, or smartaccess control for the CVAD environment the ICA ONLY flag is fine.

 

The Gateway isn't using any of these. So do you think now that I've got the ICA Only set to True, will I also need to increase "Maximum Citrix Gateway Users Allowed" by buying a new gateway license or by setting ICA Only to True should help with my issue?

 

[Attachment: vpn vserver settings screenshot]

 

Many Thanks

GMSS


If you do not require features requiring the full vpn license, then the ICA Proxy license is the only license required.

Setting the vpn vserver to ICA ONLY flag, should consume only the ICA Proxy licenses.

 

There are certain features even in ICA Proxy configs that require use of the vpn license and not just the ICA Proxy license. But if you aren't using those features there shouldn't be a problem.

 

1) Change the vpn vserver property that Carl told you about to ICA ONLY: ON

2) See if this affects your license limit error or not.

 

Your ICA Proxy config that might rely on the full vpn license would be these settings:

1) Use of preauthentication policies on the vpn vserver

2) Use of session policies with either EPA/OPSWAT scans in the policy expression OR in the session profile client security string

3) The use of Smart Access settings where the result of a gateway session policy evaluation is passed through to the CVAD environment. This would be shown in Delivery Group "Access Control" filters OR in the CVAD Policy "Access Control" filters needing the Gateway connection to meet a certain condition.

 

If you are not dependent on any of these, then you can use the ICA Proxy only flag and consume the ICA Proxy ccu licenses on the Gateway (without limit).  And this should eliminate the gateway license consumption issue.

 

If you need the vpn-dependent functions, then additional vpn licenses (aka universal licenses) would be needed.

 

TLDR:  ICA Proxy only connections, without the use of certain advanced features do not require additional licensing per user on the gateway.

If you are using full vpn connections (vpn tunnels with the gateway client and not just the citrix workspace/receiver) OR you are using the advanced features I noted above, then the vpn ccu licenses would be needed.

 

Regarding license entitlements for the vpn connections:

 

Older licensed products had only 5 or 15 vpn licenses included. And therefore the universal licenses would have to be purchased separately.

Newer versions of the ADC firmware licensed editions have increased the entitlement from the beginning, making it less of an issue (hard to find Citrix articles on the included limits though).    (But 11.1.49.x and later, I think:  Standard edition had 500 ccu entitlement for vpn, Enterprise had 1000 ccu, and Platinum was unlimited, up to the limit of users the appliance can actually handle.)  Also, if you had access to CVAD Platinum, then it came with a vpn gateway entitlement as well -- so it's complicated.

Noted in this article (but not citrix, just clearest summary I could find):  https://www.kraftkennedy.com/universal-license-entitlement-included-netscaler/

Check with Customer Care for confirmation of what vpn license counts are or aren't available to you.  If you need them, that is.

 

Explanations of Gateway Licensing

https://docs.citrix.com/en-us/citrix-gateway/current-release/citrix-gateway-licensing/citrix-gateway-licensing-faq.html

https://docs.citrix.com/en-us/citrix-gateway/current-release/citrix-gateway-licensing.html

https://support.citrix.com/article/CTX113028

 

 

 

 

 


59 minutes ago, BCSNHF said:

The Gateway isn't using any of these. So do you think now that I've got the ICA Only set to True, will I also need to increase "Maximum Citrix Gateway Users Allowed" by buying a new gateway license or by setting ICA Only to True should help with my issue?

 

And just to directly answer this: 

1) You said you weren't using any of the dependent features, so only the ICA Proxy licenses are needed. So fix the vpn vserver property to ICA Only: true and this should fix the license consumption issue.  The vpn vserver also has a max logins allowed but this is also 0 (and therefore not limited).

 

2) If you do end up needing the gateway features, you would need an appropriate number of Gateway Universal licenses (which are gateway ccu licenses).  However, whether you have an entitlement due to an existing product purchase or whether you would have to purchase more licenses would be best answered by customer care, as they could look at the version of CVAD/XD you have as well.  But the ADC licensing included fewer entitlements on older systems than on newer systems.



Hi Rhonda,

 

Firstly I would like to apologise for the delay in my reply as I was temporarily put onto another project. Secondly I would like to thank you for taking the time to reply to my initial query. So far, the advice given by both you and Carl has been successful, none of the users are getting this "Login exceeds maximum allowed user" anymore.

 

I do hope we see the last of this as I've been scratching my head for months and got nowhere with Citrix support...

 

Thanks again for your help, response and patience with my query.

 

Kind regards

GMSS
