Jump to content
Welcome to our new Citrix community!
  • 0

"Connection interrupted" in the minutes after the logon on CVAD 2203 CU1


Gunther Imbrechts1709152498

Question

Hello,

 

We are encountering the following issue:

Every user that logs on to a new CVAD 2203 CU1 environment receives multiple times "connection interrupted" while the session is freezing. After a few minutes, it gets stabilized and the users can work.
A bit more information about the behaviour:

- it happens 95% of the time. With every user. And the interruption always starts at the same moment.

- it only happens when connecting over the netscaler

- VDA OS is Server 2019

 

What we already checked and tested:

- No packet inspection is done on the traffic. We temporarily disabled HSM or whatever other technology on the firewall that might interfere with the SSL traffic

- No antivirus for the moment

- Windows Defender antivirus is disabled

- We tested with VDA version 1912 CU5 and 2203 CU1

- Workspace versions tested: 1912 LTSR and 2203 LTSR

- Tested with two versions of the Netscaler 13.1 firmware (latest firmware not working either)

- CDF trace shows that it's the VDA that is disconnecting the session:

0,picadd,stack.cpp,1602,IcaWaitForMultipleObjects,5,TC_STACKTRACE,"PICADD: IcaWaitForMultipleObjects, 30000 (enter)",""
4522641,4,2022-09-23 12:13:04:94006,44364,2412,svchost.exe(TermService),0,Rpm,CommandChannel.cpp,246,ctx::CCommandChannel::ProcessCommandChannelCommand,9,Warning,"SR suspended the connection for user localdomain\username, session 20",""
4522642,4,2022-09-23 12:13:04:94006,44364,2412,svchost.exe(TermService),0,Rpm,CtxLog.cpp,38,ctx::AppList::~AppList,13,EntryExit,"EXIT ---- ctx::CCommandChannel::ProcessCommandChannelCommand",""
- it works when connecting to the storefront site

- same behaviour with the workspace service 

- no Netscaler HA, no loadbalancing

- default SSL Cypher suites on the netscaler. When putting only the best practice cypher suites and removing the TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 as mentioned in Citrix Receiver - "Connection Interrupted" on Windows 10 Devices - Page 2 - XenApp 6.5 for Windows Server 2008 R2 - General - Discussions logon isn't working anymore.

- no suspicious event log messages on the vda nor on the ddc.

 

I'm still thinking about this cypher suite, because if you remove it, it means it's used. so if there's an issue with it, it could still be the cause.
But I don't understand why the VDA is breaking the connection. We've setup a brand new VM in server 2019 with nothing on it, only fslogix and vda 2230 CU1. Same result.
Thanks a lot for your help.

 

Günther

Link to comment

6 answers to this question

Recommended Posts

  • 0

Hello Carl,

 

I did install a fresh VM with only the VDA agent and the FSLogix plugin installed on it. Still the same behaviour.
We tested different OS versions (2016 and 2019 and different VDA agent versions (1912 CU5 and 2203 CU1) Still the same behaviour.

There is no security software installed on these test VM's.

 

But then I followed the procedure from this article: https://support.citrix.com/article/CTX221206/connection-interrupted-error-message-displayed-while-logging-off-ica-session

The first part with the TDx.sys files doesn't apply, there are no files like that. Some .sys drivers from below the page appear in the System32 folder, but they seem to have come with the OS installation.

The second part, with uninstallation of the SVGA driver, did succeed, but ONLY on Windows Server 2016 (our test server)

On our production servers running Server 2019, we are still facing the issue after removing the SVGA driver in the Vmware tools installation.

 

On our production servers we are running Sentinel One with all the exclusions as stated in the best practices site of Citrix.

I am now going to test again with a fresh VM in Server 2019 to be sure the issue is not a combination of S1 and the SVGA server.
Thanks for your help

 

Günther

Link to comment
  • 0

Hi Gunther,

 

Do you mean that opening the firewall can solve this issue?

Rule: VDA-->Internet (UDP) (no specified port number)

 

Our users also said that it's more often to see "Connection Interrupted" and DesktopViewer didn't responsed...something similar to the disconnected status.

And also we have WinSrv2019 + 2203 CU1 VDA.

But it seems fine while we use WinSrv2019 + 1912 CU5 VDA. 

 

Kitty

Link to comment
  • 0

Hi Gunther,

 

Thank you for your reply!

Would you mind if you shared the support case number with me?

 

BTW, do you enable DTLS on NetScaler Gateway? Is this configuration related?

 

We must follow the security rules that users on VDA must go to proxy first before they can go to internet, so I'm afraid that security team won't allow to open UDP 443 port on firewall.

It seems that we'd better investigate more detailed for the suitable way in our environment.

 

Kitty

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...