Jump to content

MacOS Sequoia sslvpn issues, can't connect, epa/vpn dropouts observations


Go to solution Solved by kwm300,

MacOS/citrix never stable, frustrated userbase  

  1. 1. MacOS/citrix never stable, frustrated userbase

    • is the sky blue...
      0
    • what are you smokin man...
      0


Recommended Posts

Posted

Good afternoon all, i find it hard to beleive the min amount of reported macos issues here in the community.

We have an open case with citrix for over a year now going nowhere and as its not p1/p2 cannot be esculated (i've tried) to get any real focus on it.

After a year of uploading oodles amounts of logs they have assigned to yet another support engineer (oxymoron if ever there was) to review the case...and the 1st this guy asked....more logs please...

Whilst in the above case i have come to expect very poor support for their product in this regard, i've spoken to other support guys who support real customers for an IT companies and most of them, when asked how are mac's with citrix, they all roll their eyes and say "welcome to the club mate....we've got jackets..."

Our installation was comissioned for over 5 years and around 2k-2k5 sessions daily, most are windows, no issues, its only macs experiancing the issue.  With the relase of Sequoia we are having no end of issues with sso sslvpn client operation.

Our ADC's running 13.1.N-1 revision of firmware, mac clients running 24.09.1+ revision...

I've raised a case with citrix in regard to Sequoia release as we are in poc deployment for operational fitness within the business, but one does not expect any real support from citrix support personal in this respect.

So am opening up to the community that must see/deal with these issues day in/day out that can comment freely.

Are there any poc deployments in the works for Sequoia where one have ADC's (HA and non HA deployments) on which this just doesn't work?

Regards

al

 

 

Posted

Good morning Jeff, thanks for your review of my rant above.

We have two issues(one new, 1 old), outlined below..

1. Sequoia 15.x fails on EPA process.

This is a new/recent issue, pre 15 releases no issues (at least EPA wise), EPA action has not changed for years, only v15.x upgraded clients failing EPA, hence cannot login to vpn (sso/sslvpn) 

snipit from client logs showing versions of relevent os/client/libraries info<

 <Debug>: NSGUtility getting user agent string as: CitrixSSO/24.10.1 (Macintosh; Intel Mac OS X 15_1_0) VpnCapable AuthV3Capable AGMacClient/794 CitrixSecureAccess/24.10.1 NAC/1.0 plugin

<Debug>: Trying to load Opswat OESIS library version : 4.3.3750.0, EPA library version : 24.09.1.0
>

2. Mac clients experiancing frequent disconnects from ssslvpn. 3 x ha pairs, each ADC's GSLB service with "-sitepersistence" enabled with a single gslb domain. Only ocurs on Mac clients v14.x, no issues with win clients.

It does not matter whether client conenction is wireless/wired/otherwise. Its this case that my 1st paragraph addresses.

Regards

 

 

Posted (edited)

update.....response from vendor...

<I have found an internal ticket with same issue.
Post upgrade of MacOS to 15.1, EPA is getting failed.

The root cause for the issue on MacOS 15+ is because of some sort of permission settings updated in MacOS due to which the OPSWAT library that we are using to scan the Mac device is unable to get the details about the Firewall from the machine.
The possible workaround here is to disable the Firewall scan for MacOS 15 and above. (Adding an AND condition with MacOS version would help here)
Internal Team is working with OPSWAT Team for permanent fix.

>

So interim fix, remove AV/FW scan, add a >15.0 OS check, some other checks to resolve. I've not tried tried this yet, wil try this arvo.

Regards

 

 

Edited by kwm300
  • Solution
Posted

---update...above works...see below...

sys.client_expr("sys_0_MAC-OS_VERSION_>_14.7.0[COMMENT: MAC OS greater than 14.7.0]") && (sys.client_expr("file_0_/var/log/filecheck.txt"))

was using generic AV/FW checks, trying specific MacOS FW, vendor AV check. 

Regards

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...