Jump to content
Welcome to our new Citrix community!

Upgrade to CVAD 1912 CU5 has broken SSLVPN/Storefront HTML5 Connections to desktops

Recommended Posts


We recently upgraded from 7.15 CU9 LTSR  to CVAD 1912 CU5 LTSR on our way through to CVAD 2203 CU1 LTSR


 Post upgrade, things tested ok except for the HTML connection to desktops through our NetScaler.


From in the network, we can connect to desktops via the receiver or HTML with no issue ( we have set the exception up in edge to allow the HTML connection)


From externally through the ADC we can connect using Workspace.  When we try connecting through the HTML client, it sits at connecting, and nothing else happens. (i.e. it gets through to the storefront with no issue) 


If I have brokered a connection internally, then try to connect to it through the HTML client from external, the old session ends, as expected, but the new one doesn't start.  This is the HTML client only, through Workspace works fine.


 On the ADC appliance console, I see default SSLVPN Message xxxxx : blahblah STA ticket validation failed


I have checked the STA monitor on the ADC, and it says it is up and shows the Auth ID, and I can remove/re-add and it comes back with no issue.  I also confirmed it was still correct on the storefront server.  


We are a small shop so have it all on one machine and have done for many years. 
We are on ADC version NS13.0 87.9.nc  CVAD 1912 CU5, Server OS, is 2019.  The VDAs are running on 2203 CU1 in preparation for teh next DDC upgrade.  


It was all working until we upgraded the CVAD version, and I am at a loss as to what to check next as I am not super confident with the ADC to check logs. 


I have logged a support request with Citrix, but that was a week ago and we haven't had any luck with them so far.

Link to comment
Share on other sites

From Citrix support which fixed it for us

Upon checking this further, I do see that there is a similar issue which is already reported and the cause of the issue is that The latest HTML5 receiver has introduced certain Javascript code that is breaking the legacy CVPN (cvpn V1) And this is expected behavior of cvpnV1. 


The solution is to use Advanced cvpn in the setup. In order to enable advanced CVPN, Please follow the steps


Navigate to the session profile configurations mapped to the Gateway Vserver and navigate to the Client Experience tab, from the Clientless Access list, click On.

On the Client Experience tab, from the Advanced Clientless VPN Mode list, click Enabled



We had it set to disabled, once enabled it worked just as before

  • Like 2
Link to comment
Share on other sites

On 10/5/2022 at 12:49 AM, Julian Jakob said:

Hi Jason,


having the same issue - no solution yet. Is it also working when using Internet Explorer 11 in your setup? I think it also was working with Safari on iOS or iPadOS - very very strange.


Best Regards


 Yep, entered in the thread.  I imagine some older clients that people use at home are still using I.E 11.  We don't use it internally any longer

Link to comment
Share on other sites

  • 2 months later...

I've been dealing with this issue since attempting to upgrade to from 1912 CU2 to 1912 CU3, 4, 5 and now 6.   I see that this has fixed it for others:  https://support.citrix.com/article/CTX469186/html5-app-launch-doesnt-work-via-netscaler-after-upgrading-the-cvad-setup - It did not fix it for me.   Has anyone else ran into this and if so happen to have solved it?

Link to comment
Share on other sites

  • 3 weeks later...

we just went through this.  it was a nice surprise not mentioned in the documentation for storefront, or workspace for html5.  only in the support article if you happened to find it.


just flicking the switch to turn on advanced clientless vpn (cvpn v2) might not work if you haven't met the requirements, which are in the citrix gateway documentation.  you need a specific wildcard certificate and matching wildcard dns entry.


what we're doing for now is downgrading to an older version of the html5 client (2103).  just copying the files for the old version into c:\Program Files\Citrix\Receiver StoreFront\HTML5Client does the trick.


the downside is we're stuck on an old version of the html5 client until we decide to pay for the wildcard certificate.

edited: oops, had the wrong version.  we went all the way back to 2103.

Edited by Aaron Curtis
oops, had the wrong version.
Link to comment
Share on other sites

to be more clear: checking the advanced clientless vpn did work to get the html5 workspace client working, however since we dont have the right wildcard certificates automatic client detection stopped working.  and the browser just downloads the .ica files if you have the full client selected, instead of launching.


the wildcard certificates can be a bit expensive if you're using an external cert authority like entrust.  so it wasn't great to have this as a surprise, and then have to spend money trying to fix it.

Edited by Aaron Curtis
forums work strangle, thought i was editing the existing post
Link to comment
Share on other sites

  • 7 months later...

Hello, I'm wondering if there has been any further developments on this.  I have been unable to update our storefronts past 1912 CU2.  1912 CU3, CU4, CU5 and CU6 have all been tried and 2203 CU2 (but not CU3 yet).  The session profile is set as described in:  https://support.citrix.com/article/CTX469186/html5-app-launch-doesnt-work-via-netscaler-after-upgrading-the-cvad-setup



The ADC version is NS13.49.13 nc and the issue existed on earlier versions too.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...