
Citrix Gateway err_connection_refused



Hi guys,

 

I have been working on a Citrix ADC VPX (to be licensed as a Citrix Gateway) for a client for the last week and have an error that I cannot resolve. I have set up and configured the Citrix Gateway using the setup guide as my template. The Gateway is set up to be a frontend for StoreFront. However, whenever I go to connect to the CAG using either the FQDN or the VIP assigned for this service, I get an error stating that the site cannot be reached (ERR_CONNECTION_RESET). I have checked the firewall in front of the Gateway and there are no restrictions on the VIP (we have an F5 ADC we are replacing in the same network), and I have checked the static routes to confirm that data is not being misrouted. Ping tests to the VIP using the IP address and the FQDN have been successful with responses.

 

To eliminate any license errors, I have changed the product from a Gateway license to an ADC Premium Trial license (to eliminate the license being an issue) and this did not make a difference. I have changed versions of ADC OS Images (Currently using the latest build - 13.0.71.44.nc) and even running older builds, I am having this issue. I have also checked the logs but could not see anything that stands out to say that there is an error.

 

If anyone can help, it will be most appreciated.

 

Regards,

 

Glen Scaglione

Deployus IT

 


Do you have features licensed:  LB, SSL, VPN Vserver (Gateway) and do you see either ICA Proxy, Gateway user licenses or both?

show ns license

 

Are the features enabled:  LB, SSL, VPN Vserver (Citrix Gateway)

show ns feature

 

On your vpn vserver, do you have a cert bound, and what are the other vpn vserver properties (main properties > more or advanced settings)? What is the ICA Proxy setting and/or the DTLS setting state?

show vpn vserver <vserver name>

 

Do you have any ACLs defined on the ADC (in the GUI under System > Network > ACLs or ACL6s)?

These may be filtering traffic in addition to your firewall rules.

 

You may want to check syslog or nslog for additional warnings.

There might be an issue with ciphers/protocols/certs settings as well.  A network trace using nstrace may have some insight, but I would start with the simple stuff first.

 

 

 

 

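As an added example (not part of this thread), a small Python parser for the two command outputs asked for above: it reads pasted `show ns feature` and `show vpn vserver` output and flags the checklist items (required features OFF, vservers not UP). The sample outputs are constructed excerpts of what Glen posted; the function names are my own.

```python
import re

# Features the checklist wants ON for a Gateway fronting StoreFront
# (acronyms exactly as `show ns feature` prints them).
REQUIRED_FEATURES = ("LB", "SSL", "SSLVPN")

# Constructed excerpts of the CLI output pasted in the thread, trimmed.
SAMPLE_FEATURES = """\
        Feature                        Acronym              Status
 1)     Web Logging                    WL                   ON
 3)     Load Balancing                 LB                   OFF
 9)     SSL Offloading                 SSL                  ON
 14)    SSL VPN                        SSLVPN               ON
 Done
"""
SAMPLE_VSERVERS = """\
1)      _XD_10.1.8.142_443 (10.1.8.142:443) - SSL       Type: CONTENT
        State: UP
        Icaonlylicense : OFF    IcaProxySessionMigration : OFF
        DoubleHop : DISABLED    Dtls : OFF      L2Conn: OFF
2)      _XD_10.1.8.142_443_DTLS (10.1.8.142:443) - DTLS Type: CONTENT
        State: UP
"""

_FEATURE_ROW = re.compile(r"^\s*\d+\)\s+.+?\s{2,}(\S+)\s+(ON|OFF)\s*$")
_VSERVER_HEAD = re.compile(r"^\s*\d+\)\s+(\S+)\s+\(\S+\)\s+-\s+(\S+)")
_KEY_VALUE = re.compile(r"([A-Za-z0-9 ]+?)\s*:\s*(\S+)")  # "Dtls : OFF" pairs


def parse_features(output):
    """Map acronym -> True/False from `show ns feature` output."""
    rows = (_FEATURE_ROW.match(line) for line in output.splitlines())
    return {m.group(1): m.group(2) == "ON" for m in rows if m}


def parse_vpn_vservers(output):
    """One dict per vserver: name and protocol plus every 'Key: Value' line."""
    vservers = []
    for line in output.splitlines():
        head = _VSERVER_HEAD.match(line)
        if head:
            vservers.append({"name": head.group(1), "protocol": head.group(2)})
        elif vservers:  # indented detail line belongs to the last vserver seen
            vservers[-1].update((k.strip(), v) for k, v in _KEY_VALUE.findall(line))
    return vservers


def checklist_findings(feature_output, vserver_output):
    """Checklist items that need attention, as plain strings."""
    feats = parse_features(feature_output)
    findings = [f"feature {f} is OFF or not licensed"
                for f in REQUIRED_FEATURES if not feats.get(f, False)]
    for vs in parse_vpn_vservers(vserver_output):
        if vs.get("State") != "UP":
            findings.append(f"{vs['name']} ({vs['protocol']}) is {vs.get('State')}")
    return findings
```

Running `checklist_findings(SAMPLE_FEATURES, SAMPLE_VSERVERS)` on the posted output reports only that LB is OFF, which matches what the reply below picks up on.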

Hi Rhonda,

 

The current license is a trial license (ADC Platinum 25). Official license is a Netscaler Gateway License. Using the trial license:

 

Show NS Features:
        Feature                        Acronym              Status
        -------                        -------              ------
 1)     Web Logging                    WL                   ON
 2)     Surge Protection               SP                   OFF
 3)     Load Balancing                 LB                   OFF
 4)     Content Switching              CS                   OFF
 5)     Cache Redirection              CR                   OFF
 6)     Sure Connect                   SC                   OFF
 7)     Compression Control            CMP                  OFF
 8)     Priority Queuing               PQ                   OFF
 9)     SSL Offloading                 SSL                  ON
 10)    Global Server Load Balancing   GSLB                 OFF
 11)    Http DoS Protection            HDOSP                OFF
 12)    Content Filtering              CF                   OFF
 13)    Integrated Caching             IC                   OFF
 14)    SSL VPN                        SSLVPN               ON
 15)    AAA                            AAA                  OFF
 16)    OSPF Routing                   OSPF                 OFF
 17)    RIP Routing                    RIP                  OFF
 18)    BGP Routing                    BGP                  OFF
 19)    Rewrite                        REWRITE              OFF
 20)    IPv6 protocol translation      IPv6PT               OFF
 21)    Application Firewall           AppFw                OFF
 22)    Responder                      RESPONDER            OFF
 23)    HTML Injection                 HTMLInjection        OFF
 24)    NetScaler Push                 push                 OFF
 25)    AppFlow                        AppFlow              OFF
 26)    CloudBridge                    CloudBridge          OFF
 27)    ISIS Routing                   ISIS                 OFF
 28)    CallHome                       CH                   ON
 29)    AppQoE                         AppQoE               OFF
 30)    Content Accelerator            ContentAccelerator   OFF
 31)    Front End Optimization         FEO                  OFF
 32)    Large Scale NAT                LSN                  OFF
 33)    RDP Proxy                      RDPProxy             OFF
 34)    Reputation                     Rep                  OFF
 35)    URL Filtering                  URLFiltering         OFF
 36)    Video Optimization             VideoOptimization    OFF
 37)    Forward Proxy                  ForwardProxy         OFF
 38)    SSL Interception               SSLInterception      OFF
 39)    Adaptive TCP                   AdaptiveTCP          OFF
 40)    Connection Quality Analytics   CQA                  OFF
 41)    ContentInspection              CI                   OFF
 42)    Bot Management                 Bot                  OFF
 43)    API Gateway                    APIGateway           OFF
 Done
 

From memory, no LB license is included in the ADC Gateway component, so I haven't set it up.

 

The Cert bound to the VPN and web service is a wildcard cert for the company. It is publicly trusted and I have installed the complete certificate chain.

 

 show vpn vserver
1)      _XD_10.1.8.142_443 (10.1.8.142:443) - SSL       Type: CONTENT
        State: UP
        Down state flush: ENABLED
        Loginonce: OFF
        Disable Primary Vserver On Down : DISABLED
        TCP profile name: nstcp_default_XA_XD_profile
        HTTP profile name: nshttp_default_strict_validation
        Appflow logging: ENABLED
        Authentication : ON
        DeploymentType : ICA_STOREFRONT
        Device Certificate Check: OFF
        CGInfra Homepage Redirect : ENABLED
        Current AAA Sessions: 0
        Total Connected Users: 0
        Icaonlylicense : OFF    IcaProxySessionMigration : OFF
        DoubleHop : DISABLED    Dtls : OFF      L2Conn: OFF
        Max Login Attempts: 0    Failed Login Timeout 0
        Fully qualified domain name: citrix.thecompanythatIamdoingworkfor.com
        Listen Policy: NONE
        IcmpResponse: PASSIVE
        RHIstate:  PASSIVE
        Traffic Domain: 0
2)      _XD_10.1.8.142_443_DTLS (10.1.8.142:443) - DTLS Type: CONTENT
        State: UP
        Down state flush: ENABLED
        Loginonce: OFF
        Disable Primary Vserver On Down : DISABLED
        Appflow logging: ENABLED
        Authentication : ON
        Device Certificate Check: OFF
        CGInfra Homepage Redirect : DISABLED
        Current AAA Sessions: 0
        Total Connected Users: 0
        Icaonlylicense : OFF    IcaProxySessionMigration : OFF
        DoubleHop : DISABLED    Dtls : OFF      L2Conn: OFF
        Max Login Attempts: 0    Failed Login Timeout 0
        Listen Policy: NONE
        IcmpResponse: PASSIVE
        RHIstate:  PASSIVE
        Traffic Domain: 0
 Done
 

There are no ACLs aside from the default rules generated by the wizard, and the default ciphers are installed. I have not modified anything from stock (except to disable SSL3 authentication).

 

I hope this helps.

 

Regards,

 

Glen Scaglione

Deployus IT

 


1) show ns license confirms which features and license quantities you have. The feature on/off state is useful but not as important.

2) show vpn vserver <vserver name> to confirm things like policy bindings and cert bindings, which can't be seen from the summary view.

Or do a

show ns runningconfig | grep <vpn vservername> -i

 

It looks like you've made separate SSL and DTLS vservers. You might try temporarily working with the SSL one only.

Try changing vpn vserver to ICAOnly (under basic settings > More)

Check cert bindings, ciphers, and protocol settings.  

Confirm global vpn authorization settings and confirm authentication policies.

View syslog to see if there are any overt events. 

shell

cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED

 

If you can't even connect, run a trace to confirm it's not something between you and the ADC.

 

 


Thanks for your help Rhonda.

 

Turns out that some joker decided to add an incorrect route in our DC that was bypassing the firewall that contains all of the public rules for the client. 

 

Gateway is now working and your instructions allowed me to confirm that the gateway was alive, functioning and that it wasn't that the site was down (as the site was not getting any web traffic) but that the firewall was bypassed.

 

Glen
