
Listen Policies / vservers broken after NS13.1 Build 27.59


FUNDY MUTUAL


After upgrading from NS13.1 Build 24.38 to NS13.1 Build 27.59, I found that one of our Citrix Gateway Virtual Servers was missing...  Basically we have two vservers defined, both on the same IP, with different listen policies.  The vservers are identical except for the listen policies and the authentication policies.  Basically the first vserver has all internal vlan and VPN subnets defined (in the listen policy) and the other vserver has nothing defined for listen policies. 

 

•    add vpn vserver _XD_192.168.99.40_443 SSL 192.168.99.40 443 -dtls OFF -Listenpolicy "CLIENT.IP.SRC.IN_SUBNET(192.168.11.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.12.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.13.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.14.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.15.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.16.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.99.0/24)" -Listenpriority 1 -deploymentType ICA_STOREFRONT -vserverFqdn CAG02.FQDN.LOCAL

•    add vpn vserver _XD_192.168.99.40_443_EXT SSL 192.168.99.40 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT

 

The one with all the internal subnets defined is enumerated first, and if the source IP was coming from a defined subnet, it would authenticate the user using an LDAP lookup directly with Active Directory.  If the source IP was not coming from a defined internal subnet, then the second policy would utilize a AAA profile for our MFA provider for authentication.

 

With NS13.1 Build 27.59, the 2nd vserver isn't present after reboot.  Attempting to manually define it via CLI (add vpn vserver _XD_192.168.99.40_443_EXT SSL 192.168.99.40 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT) results in "ERROR: Address already in use".

 

I don't see anything in the release notes detailing this behavior or change…

 

Does anyone have any thoughts or ideas on how to get this operational again?

 

dcc


Hi Dean,

 

So I'm guessing here you are not seeing that 2nd vpn vserver in the GUI? This is a known issue on 13.1 (being that objects are not properly displayed in GUI). The vserver probably still exists though in the config which is why you're getting that error when you try to add it again.

 

If this is the issue, there's not much you can do here apart from opening a ticket with Citrix I'm afraid. I already have a couple open regarding similar issues, but these cases seem to be making slow progress. I did however get some feedback that some things might be fixed in next 13.1 release.

 

Cheers,

G.


Unfortunately, it's not a GUI issue.   "show vserver" shows it is not there.  "show run" shows it is completely missing.  I've had a severity level 2 ticket open with support for almost 48 hours and they haven't even responded yet (I'm less than impressed with support at this point).

 

I've been able to duplicate this issue on every single ADC we manage, including my own NFR.  I basically had to restore everyone that I had upgraded to 27.59 back to 24.38 from backup.

 

dcc
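
A pre/post-upgrade check for the failure described above, as an added example that is not part of the original posts: it compares saved "show run" output from before and after an upgrade, reports vservers that disappeared, and marks the ones that shared an IP:port with another vserver and so depended on listen policies. The function names are hypothetical, the sample configs are constructed from the commands quoted in the thread (listen policy shortened), and it assumes options appear as "-name value" pairs.

```python
import shlex
from collections import defaultdict

# Constructed samples modelled on the commands quoted in the thread.
PRE_UPGRADE = '''
add vpn vserver _XD_192.168.99.40_443 SSL 192.168.99.40 443 -dtls OFF -Listenpolicy "CLIENT.IP.SRC.IN_SUBNET(192.168.11.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.99.0/24)" -Listenpriority 1 -deploymentType ICA_STOREFRONT
add vpn vserver _XD_192.168.99.40_443_EXT SSL 192.168.99.40 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT
'''
POST_UPGRADE = '''
add vpn vserver _XD_192.168.99.40_443 SSL 192.168.99.40 443 -dtls OFF -Listenpolicy "CLIENT.IP.SRC.IN_SUBNET(192.168.11.0/24)||CLIENT.IP.SRC.IN_SUBNET(192.168.99.0/24)" -Listenpriority 1 -deploymentType ICA_STOREFRONT
'''

def parse_vservers(conf):
    """Return {name: (ip:port, listen_policy)} for each 'add <type> vserver' line."""
    found = {}
    for line in conf.splitlines():
        try:
            tok = shlex.split(line)  # keeps the quoted listen policy as one token
        except ValueError:
            continue  # unbalanced quotes: not a line this sketch can parse
        if len(tok) < 7 or tok[0] != "add" or tok[2] != "vserver":
            continue
        # Assumption: everything after the port is "-option value" pairs.
        opts = {tok[i].lower(): tok[i + 1]
                for i in range(7, len(tok) - 1) if tok[i].startswith("-")}
        found[tok[3]] = (f"{tok[5]}:{tok[6]}", opts.get("-listenpolicy", "NONE"))
    return found

def shared_endpoints(vservers):
    """Group vserver names by IP:port; keep only endpoints used more than once."""
    groups = defaultdict(list)
    for name, (endpoint, _policy) in vservers.items():
        if endpoint != "0.0.0.0:0":  # non-addressable vservers never collide
            groups[endpoint].append(name)
    return {ep: sorted(names) for ep, names in groups.items() if len(names) > 1}

def missing_after_upgrade(pre, post):
    """List (name, ip:port, relied_on_listen_policy) for vservers gone after upgrade."""
    before, after = parse_vservers(pre), parse_vservers(post)
    shared = {n for names in shared_endpoints(before).values() for n in names}
    return [(n, before[n][0], n in shared) for n in sorted(before) if n not in after]

if __name__ == "__main__":
    for name, endpoint, relied in missing_after_upgrade(PRE_UPGRADE, POST_UPGRADE):
        note = " (shared endpoint, depended on listen policy)" if relied else ""
        print(f"MISSING: {name} on {endpoint}{note}")
```

Running `shared_endpoints` on the pre-upgrade config alone, before upgrading, shows which vservers are exposed to this behaviour.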


Oh okay ... that's worrying to be honest ... I'm avoiding 13.1 as much as I can right now due to the various issues (basically only have one node in my lab with 13.1 :)). Regarding support, if you have a case number, just call the hotline and reference your case, they will be forced to pick it up immediately like this. Also clicking the 'Request manager attention' button can work wonders in response times.
