Troubleshooting DTLS and EDT on Citrix Gateway

Article ID: CTX226385

Description

In a Citrix Virtual Apps and Desktops environment with EDT enabled and DTLS enabled on the Citrix Gateway VPN vServer, an error may occur when trying to launch an application or desktop. Depending on the scenario, the error message may be:

  • "Cannot connect to the Citrix XenApp Server. Protocol Driver Error."
  • "Cannot connect to the Citrix XenApp Server. The Network is down."
  • "The connection to "Desktop/App Name" failed with status (Unknown client error 1110)"

Resolution

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance.

Troubleshooting tips

  • Citrix Receiver/Citrix Workspace will not try to establish a DTLS connection unless both HDX Adaptive Transport and Allow Session Reliability are configured on CVAD and there is a Citrix Gateway. If the DTLS feature is not enabled on the Citrix Gateway front-end VPN vServer, and the Citrix Receiver does not have the EDT/TCP in parallel feature (RfWin 4.10, RfMac 12.8 and RfiOS 7.5 are the first Receivers to have it), then a 10-second DTLS time-out is expected during connection. After those 10 seconds, a TCP connection is attempted. Connection time is not affected with the aforementioned Receivers, since they also attempt TCP in parallel: even though DTLS takes 10 seconds to time out, TCP has already succeeded and the ICA connection is established.
  • If a security device, such as a firewall, between your Receiver/Workspace and your Citrix Gateway blocks UDP 443, the app/desktop will still launch without any problem (a working scenario), using TCP only, unless the HDX Adaptive Transport policy is set to Diagnostic mode, which allows only EDT.
  • If the UDP connection succeeds between Receiver/Workspace and Citrix Gateway, but then fails on the back end between Gateway and VDA (firewall issues), then Receiver/Workspace will assume that the EDT connection was successful and will not fall back to TCP. This might cause a launch failure.
  • Validate that EDT works well internally (without Citrix Gateway). This helps confirm that HDX Adaptive Transport is correctly configured on XenDesktop and that the UDP ICA Listeners are active.
  • Check whether DTLS/EDT works well when the client machine is located just behind the ADC (same subnet/switch).
  • If using a VPN (like Cisco AnyConnect or similar), be aware that the MTU will not be 1500, which might cause an EDT failure. Calculate the additional overhead introduced by the VPN solution and then edit the ICA file with the new MTU values. See article CTX231821.
  • If you want to take a trace, be aware that:
    • ADC is currently not able to manage SSLMASTERKEYS for DTLS traffic. You will need to get the Citrix Gateway private key to decrypt the DTLS traffic.
    • You need to use the development edition of Wireshark to be able to read DTLS traffic (or, at least, Wireshark version 2.4). You can at least use the 'Decode As' feature in Wireshark to decode 'QUIC' as DTLS.
    • Having said that, there should not be a need to decrypt DTLS traffic most of the time. A simple trace showing packets arriving at and leaving the front-end and back-end vServer is generally enough.
    • Check firewall logs to ensure that QUIC traffic is not being dropped.
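
The trace check described above can be done without the Gateway private key, because DTLS record headers are sent in cleartext. The following is an added example, not code from this article or from Citrix: it reads the record headers in front-end UDP 443 payloads and reports how far the handshake got. The function names, the direction labels (`c2g` for client to Gateway, `g2c` for Gateway to client) and the sample payloads are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

def parse_dtls_records(payload):
    """Walk the 13-byte DTLS record headers in one UDP payload (no decryption)."""
    records, offset = [], 0
    while offset + 13 <= len(payload):
        ctype, version, epoch = struct.unpack_from("!BHH", payload, offset)
        length = struct.unpack_from("!H", payload, offset + 11)[0]  # after 6-byte sequence number
        if ctype not in CONTENT_TYPES or version not in DTLS_VERSIONS:
            break  # not a DTLS record
        body = payload[offset + 13 : offset + 13 + length]
        if len(body) < length:
            break  # truncated capture
        name = CONTENT_TYPES[ctype]
        # Handshake message types are readable only in epoch 0, before encryption starts.
        if ctype == 22 and epoch == 0 and body:
            name = HANDSHAKE_TYPES.get(body[0], "handshake")
        records.append((name, DTLS_VERSIONS[version], epoch))
        offset += 13 + length
    return records

def classify_trace(packets):
    """packets: list of (direction, udp_payload) with direction 'c2g' or 'g2c'."""
    seen = {"c2g": set(), "g2c": set()}
    for direction, payload in packets:
        for name, _version, epoch in parse_dtls_records(payload):
            seen[direction].add("encrypted" if epoch > 0 else name)
    if not seen["c2g"]:
        return "no DTLS from client"
    if not seen["g2c"]:
        # Only client records: UDP 443 blocked on the path, or DTLS not enabled on the vServer.
        return "no reply from gateway"
    if "encrypted" in seen["c2g"] and "encrypted" in seen["g2c"]:
        return "handshake completed"  # both sides sent records in epoch >= 1
    return "handshake incomplete"

def make_record(ctype, epoch, body, version=0xFEFD, seq=0):
    """Build one DTLS record; used only to construct the sample payloads below."""
    header = struct.pack("!BHH", ctype, version, epoch) + seq.to_bytes(6, "big")
    return header + struct.pack("!H", len(body)) + body

# Constructed sample payloads (not taken from a real capture).
CLIENT_HELLO = make_record(22, 0, b"\x01" + bytes(11), version=0xFEFF)
HELLO_VERIFY = make_record(22, 0, b"\x03" + bytes(11), version=0xFEFF)
ENCRYPTED = make_record(23, 1, bytes(32))

if __name__ == "__main__":
    print(classify_trace([("c2g", CLIENT_HELLO)] * 3))
```

A "handshake completed" result on the front end says nothing about the Gateway-to-VDA leg, which needs its own back-end trace.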

Non-Working scenarios

1. Cannot connect to the Citrix XenApp Server. Protocol Driver Error: CTX284942
2. Cannot connect to the Citrix XenApp Server. The Network is down: CTX284943
3. The connection to "Desktop/App Name" failed with status (Unknown client error 1110): CTX284944

How to check if DTLS connection is established: CTX284947

Additional Information

How to Configure HDX Enlightened Data Transport Protocol: https://support.citrix.com/article/CTX220732
Configuring Citrix Gateway to Support Enlightened Data Transport: https://docs.citrix.com/en-us/citrix-gateway/current-release/hdx-enlightened-data-transport-support/configuring-citrix-gateway.html
How to Configure EDT when using VPN solutions: CTX231821