ICA Sessions Getting Disconnected Immediately After Upgrade to NetScaler 11 in Dual Hop Setup

Article ID: CTX202991

Description

  • After upgrading the NetScaler to 11.0, ICA sessions disconnect or freeze intermittently.
  • On the external NetScaler in a double-hop setup, nslog shows the zero window counters increasing:
    nsconmsg -K newnslog -g window -d current | more
    reltime:mili second between two records Tue Nov 3 15:58:41 2015
    Index rtime totalcount-val delta rate/sec symbol-name&device-no
    3645 7002 24109 1 0 tcp_err_oowindow
    3646 7001 24110 1 0 tcp_err_oowindow
    3647 98021 24112 2 0 tcp_err_oowindow
    3648 7002 24121 9 1 tcp_err_oowindow
    3649 14003 24122 1 0 tcp_err_oowindow
    3650 14003 24123 1 0 tcp_err_oowindow
    3651 21004 24127 4 0 tcp_err_oowindow
    3652 7002 24128 1 0 tcp_err_oowindow
    3653 7001 24129 1 0 tcp_err_oowindow
    3654 14003 24135 6 0 tcp_err_oowindow
    3655 14004 24139 4 0 tcp_err_oowindow
    3656 7001 24147 8 1 tcp_err_oowindow
    3657 7002 24148 1 0 tcp_err_oowindow
    3658 7001 24149 1 0 tcp_err_oowindow
    3659 7002 24150 1 0 tcp_err_oowindow
    3660 35007 24151 1 0 tcp_err_oowindow
    3661 70015 24154 3 0 tcp_err_oowindow
    3662 7002 24180 26 3 tcp_err_oowindow
    3663 7001 24181 1 0 tcp_err_oowindow
    3664 21005 24188 7 0 tcp_err_oowindow
    3665 7001 24197 9 1 tcp_err_oowindow
    3666 7002 24198 1 0 tcp_err_oowindow
  • The zero window condition propagates from the external NetScaler to the internal NetScaler.
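
The following is an added example, not part of the Citrix article: it totals how far a counter such as tcp_err_oowindow moved across a capture, so the same measurement can be repeated after applying the workaround or the fixed build. It assumes the six-column layout of the header line in the output above; the function name summarise_counter is hypothetical, and the sample rows are the first five rows of that output.

```shell
#!/bin/sh
# Added example: summarise one counter from nsconmsg "-d current" output on stdin.
# Column order follows the header line in the article:
#   Index rtime totalcount-val delta rate/sec symbol-name&device-no
# Assumption: rtime is milliseconds since the previous record ("reltime" line).
summarise_counter() {
    awk -v name="$1" '
        # Data rows start with a numeric index; header lines are skipped.
        NF >= 6 && $1 ~ /^[0-9]+$/ && $6 == name {
            if (n == 0) first = $3 - $4   # counter value before the first sample
            last = $3                     # most recent total
            elapsed_ms += $2              # time covered by the matching rows
            if ($4 > peak) peak = $4      # largest single-interval jump
            n++
        }
        END {
            # No matching rows: report it and return a non-zero status.
            if (n == 0) { print "samples=0"; exit 1 }
            printf "samples=%d growth=%d peak_delta=%d elapsed_s=%d\n", n, last - first, peak, elapsed_ms / 1000
        }'
}

# First rows of the output shown above, including its two header lines.
SAMPLE='reltime:mili second between two records Tue Nov 3 15:58:41 2015
Index rtime totalcount-val delta rate/sec symbol-name&device-no
3645 7002 24109 1 0 tcp_err_oowindow
3646 7001 24110 1 0 tcp_err_oowindow
3647 98021 24112 2 0 tcp_err_oowindow
3648 7002 24121 9 1 tcp_err_oowindow
3649 14003 24122 1 0 tcp_err_oowindow'

printf '%s\n' "$SAMPLE" | summarise_counter tcp_err_oowindow
```

On the appliance, pipe the command from the article into the function instead of the sample: `nsconmsg -K newnslog -g window -d current | summarise_counter tcp_err_oowindow`. A growth value that stays at 0 over a comparable interval indicates the counter has stopped increasing.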

Resolution

The issue is fixed in NetScaler 11.0 64.34 and 10.5 60.7.

Workaround

External NetScaler

  • Create a service for the next hop server IP and disable TLSv1.1 and TLSv1.2 on the service.
  • Also disable TLSv1.1 and TLSv1.2 on the NetScaler Gateway vserver on the external NetScaler.

Internal NetScaler

  • Disable TLSv1.1 and TLSv1.2 on the NetScaler Gateway vserver on the internal NetScaler.

Problem Cause

  • The symptoms and logs match a known issue, issue ID 596278, which is fixed in NS 11.0 build 64.34nc: if the TLS1.1/1.2 protocol is used with AES/3DES ciphers, the length of the TCP window at the back end shrinks to zero. As a result, after some time, the connection is terminated.
  • In a double-hop scenario, the problem starts on the external NetScaler and is propagated to the internal NetScaler.
  • Please refer to the release notes of 11.0 B 64.x: https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_0_64_34.html

Issue/Introduction

ICA sessions getting disconnected immediately after upgrade to NetScaler 11 in dual hop setup.