Hendrik Klinge
-
Posts
2 -
Joined
-
Last visited
Content Type
Forums
Articles
Labs
Videos
TechZone
Citrix Community Articles
Events
Profiles
Posts posted by Hendrik Klinge
-
-
Hi everyone.
I just spent a few hours tackling a weird and annoying problem. And I'd be happy about your input.
I was on site with a customer on Friday to do some network related stuff.
Now on this Monday he called me: External XenDesktop access was not working anymore. Login was fine, application enumeration was fine, ICA-file download was fine, but session establishment failed with "Error 1110".
We found that the STA servers were DOWN in the NetScaler GUI. Well, if no STA, then no XenDesktop. Makes sense.
The STAs were entered like this:
https://ctx7cont01.example.local DOWN (Red light icon)
https://ctx7cont02.example.local DOWN (Red light icon)
But: When we entered them as IPs they were UP:
https://172.16.1.1 UP (Green light icon)
https://172.16.1.2 UP (Green light icon)
https://ctx7cont01.example.local DOWN (Red light icon)https://ctx7cont02.example.local DOWN (Red light icon)
So I said: AHA! Must be a name resolution thing!
-> Nope. While indeed these names did NOT resolve on the NSCLI (but did on the BSDCLI), fixing that did NOT solve this.
What did solve this?!?
-> Reboot.
-> Then things looked like this:
https://172.16.1.1 UP (Green light icon)
https://172.16.1.2 UP (Green light icon)
https://ctx7cont01.example.local UP (Green light icon)We managed to reliably REPRODUCE a problem here:Step 1: From the 4 entries I threw out the IPs. Then I threw out the cont01 FQDN and immediately readded it -> RED LIGHT! (Even after waiting several seconds.)Step 2: THEN I added the IP for that controller -> Green light for the IP AND the FQDN. -> What?!?Step 3: Then I was able the throw out that IP again -> Green light for FQDN remains.Questions:* Why is the FQDN entry DOWN after I first add it?* Why does the FQDN entry come UP after I add a corresponding IP entry?* Why does the FQDN entry STAY UP after I remove the corresponding IP entry?Bonus questions:* Why can we reproduce this now after reboot? Why did this NOT work before we rebooted? (Then the FQDN entry did not come UP ever.)* How can I determine when the FQDN STA servers first changed to DOWN? nslog? nsconmsg?Further details:* Hardware appliances as HA pair.* Firmware NS11.0 64.34.ncFurther reading:There have been multiple entries STA status here on the forums. None with a satisfying answer.* 2016-03-09, http://discussions.citrix.com/topic/376155-ns-gateway-virtual-servers-sta-dns-problem/ -> no replies, unsolved.* 2013-06-07, http://discussions.citrix.com/topic/331190-netscaler-gateway-virtual-srever-sta-down/ -> FQDN down, IP down. Reboot fixed it. Deeper reason unknown.* 2016-03-15, http://discussions.citrix.com/topic/370955-ns-110-build-62-10-sta-fqdn-appears-down-bug/ -> FQDN down, IP up. Several replies. Unsolved.* http://support.citrix.com/article/CTX132334/, Secure Ticket Authority (STA) Status is Marked DOWN for NetScaler Gateway Virtual Server -> did not completely work through that one.Hope I'm making sense here. Looking forward to your replies,Hendrik
Weird thing: STA servers down, reboot fixed it. FQDN-STAs wonky.
in Core ADC use cases
Posted
@Carl:
Thanks. I looked through the release notes but I only found one entry that seems to point in the general direction. And I don't think that's what's wrong in my case.
Is this the Bug you meant? -> Bug#560476:
Release Notes for Build 49.16 of NetScaler 11.1 Release.html:
The STA and nextHop VPN parameters can now be configured using FQDN instead of just the IP address.
The STA server is used for authorizing ICA connections and NextHop is used for specifying the second-hop in a "double-hop" Gateway deployment.
[From Build 47.14] [# 560476, 566511]
That's not the one for me.
The 11.1 man page says this:
man addvpnnextHopServer:
And this does not apply for us. Since we were using SINGLE hop. And we require FQDN because we use HTTPS to access the STA. (And inside the cert, I think, we only have the FQDN and not the IP.)