Question

Hello,

 

I have set up a vServer on a NetScaler Gateway to reach a very classic 7.15 CU6 farm.

- It works flawlessly; application launch is OK using this vServer.

- It also works correctly from an internal VIP set on the F5 (used to simulate external access).

- But using a VPN (see below): Failed to launch session "session_name". Error code: 2519 on Citrix Workspace App during app/desktop launch.

 

Windows Server 2016 / 7.15 CU6 / NetScaler ADC 13.0.67.39

Connection paths:

Not OK (error 2519): VPN --> FW --> F5 front VIP --> FW --> NS Gateway --> FW --> NS Load Balancer --> SF/DDC/VDAs

OK: F5 back VIP --> FW --> NS Gateway --> FW --> NS Load Balancer --> SF/DDC/VDAs

OK: NS Gateway --> FW --> NS Load Balancer --> SF/DDC/VDAs

 

- The STAs are seen as up from the NS.

- The F5 is doing nothing except a NAT.

- Nothing in any logs.

 

I can't find any reason why, coming from a VPN to reach the F5 + Citrix infra, it fails, as the STA check is still done internally whether there is a VPN or not (or am I totally wrong?).

 

Hard to debug, as the VPN is set up for an external customer who is not really happy/available to help us troubleshoot anything (we can't even ask for an .ica file...).

So if you have any clues or things to check in mind, I would really appreciate your help or any advice :)

 

 

Regarding this, I have some questions in mind I can't find a definitive answer to:

1) Can you set the STA using https://IP on the NS and http://FQDN on the SF? (I suppose you can, as it works without the VPN in the loop!)

2) Do you need to deploy the server cert with the correct SAN on the whole chain (even on the F5 that is doing nothing)? (It is not present on the F5, but it works using the F5 back VIP...)

 

 

I hope someone has some good tips that can help me solve this!

(I can obviously provide more details, but the initial post is already a bit long.)

 

 

Nicolas.


3 answers to this question


Hi Nicolas,

Quite the complex setup you've got there :).

1.a You can set the STA using either FQDN or IP; I would recommend being consistent and using one or the other.
1.b I noticed you mention both HTTPS and HTTP for your STA servers; again, I would recommend being consistent, even though I understand you might not feel the same urge for 443 behind your second firewall.
1.c If you use HTTPS on the NS with the IP, you are probably missing the proper certificate, as it would be bound to the hostname, not the IP (this is what I assume, though).

2. It depends on what the device does. I am not very familiar with F5 devices, but as far as I know they are quite like NetScalers.
2.a I would recommend reviewing what the devices do; if they just reroute traffic, I do not think you need those certificates on there, but that is highly dependent on how you route it.

Also, wouldn't a VPN eliminate the need for external gateway authentication?
You would be able to make a second gateway just for 'internal' users.

Let me know if I understood wrongly or you need more help,

Mick Hilhorst

 


Hello Mick,

 

Thanks for your answer. Yes, some heavy constraints... not really logical, but that's the way it is ;)

 

I found the reason for that issue just a few minutes ago!

Nothing regarding my previous questions was in fact the root cause of the problem. It was due to a misconfiguration in the Optimal HDX Routing configuration.

 

We have one store and two Gateways set (G1, G2). G1 was set with the 'external only' tick and the listed DDCs.

(screenshot of the Optimal HDX Routing settings for G1)

So when using G2, which has nothing set, it goes to G1, making it work internally but not externally (I don't really understand why at this time, being able to resolve both URLs used; I have to test that part later).

Using G2, downloading an ICA file showed an SSLProxyHost line with G1 information.

 

Unticking 'external only', unselecting the DDC and adding the callback for both Gateways solved the issue:

(screenshots of the corrected Optimal HDX Routing settings for both Gateways)

 

Anyway, there is still a good review to do on this optimal gateway thing, and certainly some optimizing of my config!

 

So, having it working, I also tested my initial points, trying with IP, FQDN, HTTP or HTTPS, mixing everything; it works every time!

So it was really caused by this Optimal HDX Routing configuration and not at all by some STA config (but I'll keep in mind the good point you mention about being more consistent in my setup!)

 

Thanks again, Mick, for taking the time to answer.

Have a good day.

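The root cause found in the post above (the client authenticates on gateway G2, but the .ica it receives carries SSLProxyHost pointing at G1) is something you can detect from the ICA file alone, which matters when the remote user can send you nothing else. The script below is an added example written for this page; it is not from the original post and not Citrix code. It parses the launch section(s) of an ICA file and compares SSLProxyHost against the gateway FQDN the client actually connected through. The gateway names gw1.example.com / gw2.example.com, the session name "Notepad" and the two ICA bodies are constructed for the example; the Address form ";40;<STA id>;<ticket>" is the STA-ticketed address a gateway launch carries.

```python
"""Check whether an ICA launch file routes HDX through the gateway the client
actually used.

Added example for this thread (not from the original post, not Citrix code).
When StoreFront's Optimal HDX Routing is mis-set, the .ica handed to a client
that authenticated on gateway G2 can carry SSLProxyHost=G1, so the HDX/CGP
connection is attempted against a gateway the client never reached.

Assumptions (constructed for the example): gateway FQDNs gw1.example.com and
gw2.example.com, the session name "Notepad", and the sample ICA bodies below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_SECTION_RE = re.compile(r"^\[(.+?)\]$")


@dataclass(frozen=True)
class Finding:
    session: str
    level: str   # "ok", "warn" or "error"
    message: str


def parse_ica(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI-style ICA file into {section: {key: value}}.

    Hand-rolled rather than configparser because ICA keys are case-sensitive
    and values such as Address=;40;... start with characters configparser
    treats specially.
    """
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment line
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def _host_only(hostport: str) -> str:
    """Strip the optional :port from 'host:443' and normalise case."""
    host, _, _ = hostport.partition(":")
    return host.strip().lower()


def check_gateway_routing(ica_text: str, launched_via: str) -> list[Finding]:
    """Compare each launch section's gateway settings with the gateway the
    client really used (launched_via = bare FQDN, no scheme, no port)."""
    ica = parse_ica(ica_text)
    expected = launched_via.strip().lower()
    findings: list[Finding] = []
    # [ApplicationServers] lists one key per launchable session; each key
    # names a section holding that session's connection parameters.
    for session in ica.get("ApplicationServers", {}):
        s = ica.get(session)
        if s is None:
            findings.append(Finding(session, "error",
                                    "listed in [ApplicationServers] but has no section"))
            continue
        address = s.get("Address", "")
        ssl_on = s.get("SSLEnable", "Off").lower() == "on"
        proxy = s.get("SSLProxyHost", "")
        # ';40;<STA id>;<ticket>' is the STA-ticketed address a gateway
        # launch uses; a plain host:port means the client will connect direct.
        if not address.startswith(";40;"):
            findings.append(Finding(session, "warn",
                                    f"Address is not STA-ticketed ({address!r}); a gateway cannot resolve it"))
        if not ssl_on or not proxy:
            findings.append(Finding(session, "warn",
                                    "SSLEnable/SSLProxyHost missing: HDX goes direct to the VDA, not through a gateway"))
            continue
        if _host_only(proxy) != expected:
            findings.append(Finding(session, "error",
                                    f"SSLProxyHost={proxy} but the session was launched through "
                                    f"{launched_via}: Optimal HDX Routing points at a different gateway"))
        else:
            findings.append(Finding(session, "ok",
                                    f"HDX will be proxied by {proxy}, matching the launch gateway"))
    if not findings:
        findings.append(Finding("-", "error",
                                "no [ApplicationServers] entries found; not a launch ICA"))
    return findings


def _sample(proxy_host: str) -> str:
    """Constructed ICA body: same farm and STA ticket, only the gateway differs."""
    return f"""\
[Encoding]
InputEncoding=UTF8

[WFClient]
Version=2
ProxyType=Auto

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0123456789;A1B2C3D4E5F60718293A4B5C6D7E8F90
SSLEnable=On
SSLProxyHost={proxy_host}:443
CGPAddress=*:2598
CGPSecurityTicket=On
"""


BAD_ICA = _sample("gw1.example.com")    # launched via G2 but routed to G1 (this thread's case)
GOOD_ICA = _sample("gw2.example.com")   # after the StoreFront fix


if __name__ == "__main__":
    for label, ica in (("before fix", BAD_ICA), ("after fix", GOOD_ICA)):
        for f in check_gateway_routing(ica, "gw2.example.com"):
            print(f"{label}: [{f.level}] {f.session}: {f.message}")
```

Run it against a real file with `check_gateway_routing(open("launch.ica").read(), "<gateway FQDN the user typed>")`; an "error" finding reproduces the G1-in-SSLProxyHost symptom from the post before anyone has to sit through a failed launch. The comparison is on the host part only, so "gw1.example.com:443" and "GW1.example.com" are treated as the same gateway.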
Well done, glad you found it!
Most welcome :).








 

