
CVE-2022-27509 / CTX457836 Gateway login issues on 13.0 87.9 when using RADIUS OTP



Hi all,

 

We experience a logon loop (sort of) when upgrading to 13.0 87.9 on our RfWebUI based login theme. After entering the OTP the user is immediately redirected back to entering username and password again. There is no error message displayed on the webpage and there is no error visible in /var/log/messages or /var/log/ns.log. Basically the user can enter username/password and the following OTP again and again, he will never get redirected to StoreFront.

 

That is unless you clear the browser cache or use incognito mode. Can anyone confirm? We are now afraid to upgrade 13.0 appliances to this build as we have thousands of external users and lots of them will file tickets for the Helpdesk instead of trying to clear their browser cache.

 

We have restored the previous snapshot (was 13.0 84.11) and even devices where the browser cache wasn't cleared immediately started working again.

 

Regards


Hi Christoph,

 

that's currently a known issue when upgrading from older versions to a newer 13.0 Build. Set "Client Timeout" to 720 minutes in the "Client Experience" tab for your session profile (so the default global settings get overwritten), that should fix your issue.

 

Regards

Julian


8 hours ago, Julian Jakob said:

Hi Christoph,

 

that's currently a known issue when upgrading from older versions to a newer 13.0 Build. Set "Client Timeout" to 720 minutes in the "Client Experience" tab for your session profile (so the default global settings get overwritten), that should fix your issue.

 

Regards

Julian

 

Hi Julian, thanks. Will re-attempt the upgrade today and check if the fix is working.

 

Btw. it also seems that 87.9 breaks GSLB GUI, when trying to bind a GSLB service to a GSLB vserver in a partition, no GSLB entries are shown in the GUI on a 87.9 appliance (the list when adding a service to a GSLB vserver is always empty, although the GSLB services from both sites are all there in the GUI and online), but they are still showing normally on the 84.11 appliance in the other site - like something is messed up with the filtering of the list when adding the service. Adding it is still possible via CLI though, when falling back to 84.11 everything works normally again via the GUI. We hope that this also is fixed when upgrading the remote site from 84.11 to 87.9.

 

Regards


Hi Julian,

 

The workaround for the logon loop does do the trick. Only non-default themes are affected.

 

To be precise the setting to be modified is called "Session Timeout", if anyone needs the info. There is the link to the original thread. 

 

GSLB config via GUI still broken also on non-partition Netscalers though after upgrade. So it's reproducible. https://discussions.citrix.com/topic/415950-netscaler-login-looping-back-to-login-page/page/

 

Regards


Hi Christoph, with version 13 I also have problems, the HA replication does not work with respect to the session policy.
In your case, did you verify that the replication worked normally in relation to the session policy?

 

 

I put the link in case someone from the team has information about it:

https://discussions.citrix.com/topic/417099-ha-replication-failure-policy-session-workaround-reboot-warm-new-versions-july-august/


Hi all,

 

FYI - According to Citrix the problem with the GSLB GUI (cannot bind any GSLB services to GSLB vservers as the list is always empty) is a bug in the recent release, internally known as NSHELP-32236. The workaround is to use the CLI.

 

bind gslb vserver <gslbServerName> -serviceName <gslbServiceName>

 

The bug will be fixed in:

13.1 30.X that will be released on August 23.
13.0 88.X that will be released on October 18.

 

@Pedro: No I don't see any problem in the HA sync. After saving the config the Session Time-out (mins) setting is also set to 720 on the secondary appliance - just checked to make sure.

 

Regards
