Jump to content
Welcome to our new Citrix community!

License Error

Recommended Posts

Hi Team, 


End-user is not able to authenticate on Secure Hub (Initially only) and  redirected back to the same credential page (without getting any error or message),


At backend..We are also not seeing any Authentication Packet (checked with #cat aaad.debug). Captured the NS TRACE ...where we noticed that Citrix Gateway IP is returning "HTTP /1.1 480 VPN License Error" to end-user IP..  however ADC do have all required licenses in place. 


Not Sure, What we are missing in configuration or while Tshooting the issue, Requesting suggestion for fixing the problem.




Link to comment
Share on other sites

Secure Hub sounds like you are doing Mobility/XenMobile stuff (which usually requires VPN and ICA Proxy capabilities and not just ICA Proxy requirements).  


To aid in troubleshooting, please include your firmware version (in case it is version specific), include model type mpx <model #> vpx (and hypervisor) or if you are dealing with vpx on SDX (and version).


Did you make a change that resulted in this going from working to not working (such as upgrade or network change) or is this a new implementation?


Gateway licensing is dependent on the feature/platform license and in some cases on additional universal/vpn ccu licenses (but this varies)?

Are you deploying the vpn vserver in full vpn mode or in ica proxy mode (for access to cvad/xd only)?  

While Secure Hub implies you are doing full vpn/securebrowse and ICA Proxy (its always good to confirm).


From cli:

show ns license

>> Note whether SSL SSLVPN features are licensed AND if the ICA Proxy Users is unlimited or other and if the VPN Users (or Universal User) licenses have a limited count or are also listed as unlimited. If the ICA Proxy only option is set, you are prevented from conusming vpn connection licenses which could be preventing the secure hub connection.



On your vpn vserver, under its properties (Basic > More), see if the vpn vserver is or is not restricted to ICA Only (this will depend on which type of connections you are making whether it should be on or off). The vpn vserver can also have a limited number of logons allowed.



If appliance doesn't appear properly licensed, there are other things that can be reviewed.  If applying a new license, license doesn't go into effect until after a reboot (a warm reboot is possible). But save config first.




Link to comment
Share on other sites

Hi Rhonda , 


ADC is VPX-1000 , Firmware is : NS13.0 67.39.nc


This is migration case, we have migrated from Old DC to New DC (using new ADC). We used the working configuration (which was there on Old DC, ADC).


> show ns license | grep VPN
                               SSL VPN: YES  (Maximum users = Unlimited)  (Maximum ICA users = Unlimited)

In GUI, For Citrix Gateway Vserver under Basic -> More . ICA Only is unchecked.

Could You please help for The vpn vserver can also have a limited number of logons allowed.  > I am not getting option to check this logons limit


Note : We don't have access of Old DC ADC, We only have backup configurations for the same.


Link to comment
Share on other sites

Within the vpn vserver properties (Basic settings > More) where you found ICA only setting, look below there is a Max Logins or Max Users count that could limit total logons to this vpn vserver.


If the config worked before and its not working now on migration, you may have to go with support.

Your licensing is showing up enabled, so its unlikely the license file.


Check syslog for spsecific gateway errors:


cd /var/log

tail -f ns.log | grep -v CMD_EXECUTED


And you can check the dmsg.boot and nslog under System > Diagnostics

View Console messages

View Console Events

View boot dmsg <something>


In the lower pane you should see these options.   And see if anything looks related to a gateway event during boot.


This article, but your licensing seems correct. So Support may be the best option.


Or try this and check the rc.conf has the correct hostfile name (may not be needed any more depends on license file). You can view the license file to see if it is tied to a specific hostname or not. Affects universal licenses only and not the platform license file.



But Support might be your best option.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...