No session policy for some user after upgrade to 85.15


Youenn ALLAIN


Hello,

Perhaps the same issue here https://discussions.citrix.com/topic/415950-netscaler-login-looping-back-to-login-page/

Upgrade from NS13.0-82.45 to NS13.0-85.15. Only one gateway is configured as USG (a basic one). 2 session policies are configured on the vserver (web & OS).

Some people can connect, some cannot. aaad.debug does not show any problem (login is successful all the time). We see a "sending accept kernel" for both working and non-working users.

Non-working users loop back to the login page.

We are still on the old LDAP authentication, not an AAA one.

We found a difference between working and non-working users. The non-working user does not have Allowed policies / Denied policies, and a logout is sent immediately after the login (timeout reason).

Apr  6 11:35:17 <local0.info> <#nsip#> 04/06/2022:09:35:17 GMT  0-PPE-0 : default SSLVPN LOGOUT 5927 0 : 
  Context <#nonworkinguser#>@<#userip#> - SessionId: 115 - User <#nonworkinguser#> - Client_ip <#userip#> - Nat_ip "Mapped Ip" - 
  Vserver <#NSGvserverip#>:443 - Start_time "04/06/2022:09:35:17 GMT" - End_time "04/06/2022:09:35:17 GMT" - Duration 00:00:00  - 
  Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - 
  Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - 
  Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "None"

Total_policies_allowed 0 - Total_policies_denied 0 in this example. Changing the expression of the session policy bound to the vserver (UG_VPN_SPol_<#VIP#>) to "true" does nothing.

We found a way, only for some users, to work around the issue by setting the same session policy inside a Group (the non-working user must be a member of it).

It seems that the non-working user, like the working user, matches the session policy, but nothing happens after that.

On nsconmsg, we can see that the corresponding policies are hit when a non-working user tries to connect:

497       0            108          2        0 action_tot_Hits Action(<#VIP#>_LDAP)  
498       0           3526         12        1 action_tot_Hits Action(UG_CSACT_UnifiedGateway)  
499       0           2835          8        1 pol_hits Policy(<#VIP#>_LDAP_pol)  
500       0           3526         12        1 pcp_hits cspolicy(UG_CSPOL_UnifiedGateway)  
501       0              9          2        0 pcp_hits vpnsession(UG_VPN_SPol_<#VIP#>)  
502       0            115          2        0 pcp_hits vpnsession(PL_WB_<#VIP#>)  
503       0             71          2        0 pcp_hits syslog(SETSYSLOGPARAMS_ADV_POL)  
504       0             71          2        0 pcp_hits nslog(SETNSLOGPARAMS_ADV_POL)  
505       0           3526         12        1 pcb_hits cs_pol(UG_CSPOL_UnifiedGateway)(UnifiedGateway)  
506       0             15          2        0 pcb_hits policyBinding_25_1011_<#group#>_110(PL_WB_<#VIP#>)  
507       0              9          2        0 pcb_hits policyBinding_25_1021_UG_VPN_UnifiedGateway_90(UG_VPN_SPol_<#VIP#>)  
508       0             71          2        0 pcb_hits policyBinding_28_1001081_GLOBAL REQ_DEFAULT_2000000000(SETSYSLOGPARAMS_ADV_POL)  
509       0             71          2        0 pcb_hits policyBinding_29_1001081_GLOBAL REQ_DEFAULT_2000000000(SETNSLOGPARAMS_ADV_POL)  

The non-working user matches and "reads" the policy / action but, for an unknown reason, nothing happens.

The current policy configuration:

add vpn sessionAction UG_VPN_SAct_<#VIP#> -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ON
add vpn sessionAction AC_OS_<#VIP#> -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://<#storefront#>/Citrix/StoreWeb" -ClientChoices OFF -ntDomain NOC.LOCAL -clientlessVpnMode OFF -storefronturl "http://<#storefront#>"
add vpn sessionAction AC_WB_<#VIP#> -splitTunnel OFF -localLanAccess OFF -rfc1918 OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -clientConfiguration none -SSO ON -ssoCredential PRIMARY -useMIP NS -useIIP OFF -icaProxy OFF -wihome "http://<#storefront#>/Citrix/StoreWeb" -wiPortalMode NORMAL -ClientChoices OFF -ntDomain <#domain#> -clientlessVpnMode ON -rdpClientProfileName defaultRDP -iconWithReceiver OFF

add vpn sessionPolicy UG_VPN_SPol_<#VIP#> true AC_WB_<#VIP#>
add vpn sessionPolicy PL_OS_<#VIP#> "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixVPN\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NSGiOSplugin\").NOT" AC_OS_<#VIP#>
add vpn sessionPolicy PL_WB_<#VIP#> "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_<#VIP#>


bind aaa group "<#group#>" -policy PL_WB_<#VIP#> -priority 90 -gotoPriorityExpression NEXT
bind aaa group "<#group#>" -policy PL_OS_<#VIP#> -priority 100 -gotoPriorityExpression NEXT
bind vpn vserver UG_VPN_UnifiedGateway -policy UG_VPN_SPol_<#VIP#> -priority 100 -gotoPriorityExpression NEXT -type REQUEST

I'm browsing the topics to find a match with someone else. We have not found a correct fix at this time. If someone has any clue, we would appreciate it.


Regards,

Youenn
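The symptom described in the post (a LOGOUT record with Total_policies_allowed 0, Total_policies_denied 0 and LogoutMethod "TimedOut", written in the same second as the login) is easy to pick out of a syslog archive once the SSLVPN audit record is parsed into fields. The script below is an added example, not code from the post or from Citrix: it parses NetScaler SSLVPN LOGOUT records of the shape shown above and lists the users whose sessions ended that way, so the affected population can be compared against group membership and policy bindings. The log lines are constructed samples (user names, IPs and group names are made up), each folded onto one line as a collector stores it; the LOGIN record is included only to show that non-LOGOUT records are skipped.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not taken from the original post). userB
# reproduces the symptom from the post: zero allowed and denied policies,
# zero duration and a "TimedOut" logout; userA is a healthy session.
SAMPLE_LOGS = [
    'Apr  6 11:34:02 <local0.info> 10.0.0.1 04/06/2022:09:34:02 GMT  0-PPE-0 : default SSLVPN LOGIN 5920 0 : '
    'Context userA@192.0.2.20 - SessionId: 114 - User userA - Client_ip 192.0.2.20 - Nat_ip "Mapped Ip" - '
    'Vserver 198.51.100.5:443 - Group(s) "staff"',
    'Apr  6 11:35:17 <local0.info> 10.0.0.1 04/06/2022:09:35:17 GMT  0-PPE-0 : default SSLVPN LOGOUT 5927 0 : '
    'Context userB@192.0.2.10 - SessionId: 115 - User userB - Client_ip 192.0.2.10 - Nat_ip "Mapped Ip" - '
    'Vserver 198.51.100.5:443 - Start_time "04/06/2022:09:35:17 GMT" - End_time "04/06/2022:09:35:17 GMT" - Duration 00:00:00  - '
    'Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - '
    'Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - '
    'Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "None"',
    'Apr  6 11:52:40 <local0.info> 10.0.0.1 04/06/2022:09:52:40 GMT  0-PPE-0 : default SSLVPN LOGOUT 6104 0 : '
    'Context userA@192.0.2.20 - SessionId: 114 - User userA - Client_ip 192.0.2.20 - Nat_ip "Mapped Ip" - '
    'Vserver 198.51.100.5:443 - Start_time "04/06/2022:09:34:02 GMT" - End_time "04/06/2022:09:52:40 GMT" - Duration 00:18:38  - '
    'Http_resources_accessed 12 - NonHttp_services_accessed 0 - Total_TCP_connections 4 - Total_UDP_flows 0 - Total_policies_allowed 2 - '
    'Total_policies_denied 0 - Total_bytes_send 48211 - Total_bytes_recv 9023 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - '
    'Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "staff"',
]

# Everything after "SSLVPN LOGOUT <id> <id> : " is the field list.
LOGOUT_RE = re.compile(r'SSLVPN LOGOUT \d+ \d+ : (?P<body>.*)$')
# A field is "Key value"; the key may carry a trailing colon (SessionId: 115)
# and the value may be quoted and contain spaces (Nat_ip "Mapped Ip").
FIELD_RE = re.compile(r'^(?P<key>\S+)\s+(?P<val>.*)$')


def parse_sslvpn_logout(line: str) -> Optional[Dict[str, str]]:
    """Return the LOGOUT record as a dict of field name -> value, or None
    if the line is not an SSLVPN LOGOUT record."""
    m = LOGOUT_RE.search(line)
    if not m:
        return None
    record: Dict[str, str] = {}
    for field in m.group('body').split(' - '):
        field = field.strip()
        fm = FIELD_RE.match(field)
        if not fm:
            continue
        key = fm.group('key').rstrip(':')
        record[key] = fm.group('val').strip().strip('"')
    return record


def is_empty_session(record: Dict[str, str]) -> bool:
    """True when the session was torn down by timeout without a single
    session policy having been evaluated as allowed or denied, which is the
    pattern the post reports for the users who loop back to the login page."""
    return (record.get('Total_policies_allowed') == '0'
            and record.get('Total_policies_denied') == '0'
            and record.get('LogoutMethod') == 'TimedOut')


def find_sessions_without_policies(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, groups, vserver) for every LOGOUT record that matches
    is_empty_session(); LOGIN and other records are ignored."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        record = parse_sslvpn_logout(line)
        if record and is_empty_session(record):
            hits.append((record.get('User', '?'),
                         record.get('Group(s)', '?'),
                         record.get('Vserver', '?')))
    return hits


if __name__ == '__main__':
    for user, groups, vserver in find_sessions_without_policies(SAMPLE_LOGS):
        print(f'{user}: no session policy evaluated on {vserver}, groups={groups}')
```

Run against a real archive by replacing SAMPLE_LOGS with the lines of /var/log/ns.log (or the collector's copy); the Group(s) column is the first thing to compare between the flagged users and the working ones, since the post's workaround of binding the same session policy to a group only helps users who are members of that group.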
