Virtual Apps and Desktops (XenApp) can’t connect through Citrix Gateway (NetScaler)?

By Johannes Norz
17 November 2019
3 Min read
In NetScaler Gateway, Tricks
Add comment
V

It’s a problem coming up every now and then: I can’t connect to a certain Citrix VDA, but can connect to all/some others. If your problem is a more general one, continue reading here

My first guess would always be a L4 problem, but “I opened up all firewalls”. Never open too much, and maybe it’s not an issue about firewalls.

First of all, it’s not the STA (believe me, or not, the STA is never guilty for an issue like that. If it works, it works for all VDAs, if it fails, it will fail for all VDAs).

How to trouble shoot?

Well, I already told you. it’s the Citrix (NetScaler) Gateway not being able to connect to the VDA. So it has to be a layer 3/4 problem. A TCP/IP problem. There are several methods to narrow down issues like that.

You could do a network trace. But network traces are based on ICMP and will very likely not be able to pass your firewall.

So what to do?

Easy like that: I create a “fake service” in my ADC, type TCP, port 2598, pointing to the VDA.

What is this good for? It’s not needed, you are right. But there will be a health monitor attached to it, type TCP.
add service 2delete_ICA_dummy 10.0.0.15 TCP 2598

This service will be down, if my thoughts have been right: No connection possible.

If it’s not up, click at 1 Service to Load Balancing Monitor Binding.

This will gibe you a reason for this service being down:

There are 2 main reasons.

  • Failure: Probe failed means, Citrix ADC sent a SYN packed, but didn’t receive a SYN/ACK. It’s a Layer 3/4 problem. Either you got a firewall blocking the communication, or there is a lack of routes on the VDA. You will have to check the network!
  • Last Response: Failure – No MIP/SNIP available to send the monitor probe means, Citrix ADC had no route to the destination IP.
    If you would have watched communication using a network monitor, you would have seen not a single packet, just because Citrix ADC (NetScaler) didn’t know from which IP to send its probe. You’ll have to connect Citrix ADC to this network by creating a SNIP, or add a route into this network. You’ll than see this service going up immediately. Try using Citrix Workspace App (Plug-In for published applications, ICA client) in most cases your problem will be gone.
FacebookXEmailLinkedInWhatsAppPinterest

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I)

View all posts

Add comment

Read more

By Johannes Norz 17 November 2019
Add comment

Recent Posts

Recent Comments