NetScaler Gateway is configured with client and device certificate authentication as described in https://support.citrix.com/article/CTX200290
With this configuration, once a user connects to the VPN and the admin runs "show aaa session", the output shows an anonymous user connected: the Gateway is not reading the CN of the certificate issued to the user.
> show aaa session
ClientIp (ClientPort) -> ServerIp(ServerPort)
----------------------- -----------------------
PE id : 0
User name: anonymous
Session Type: VPN
Intranet IP: 9.9.9.2
10.100.4.114 (60421) -> 10.107.98.81 (443 )
PE 0
 Done
This happens as we fail to extract the username from the certificate.
root@Primary# cat ns.log | grep -i extract
Mar 4 14:07:16 <local0.debug> 10.107.98.76 03/04/2018:14:07:16 GMT Primary 0-PPE-0 : default SSLVPN Message 17416 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
Mar 4 14:08:11 <local0.debug> 10.107.98.76 03/04/2018:14:08:11 GMT Primary 0-PPE-0 : default SSLVPN Message 17533 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
Mar 4 14:08:58 <local0.debug> 10.107.98.76 03/04/2018:14:08:58 GMT Primary 0-PPE-0 : default SSLVPN Message 17583 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
Mar 4 14:09:14 <local0.debug> 10.107.98.76 03/04/2018:14:09:10 GMT Primary 0-PPE-0 : default SSLVPN Message 17663 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
Mar 4 14:10:26 <local0.debug> 10.107.98.76 03/04/2018:14:10:26 GMT Primary 0-PPE-0 : default SSLVPN Message 17713 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
Mar 4 14:11:38 <local0.debug> 10.107.98.76 03/04/2018:14:11:38 GMT Primary 0-PPE-0 : default SSLVPN Message 18135 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
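The ns.log entries above are the quickest indicator of this misconfiguration, so a small audit that pulls the extracted username and domain out of each "TCU_DHT" line and counts the anonymous ones is a useful check to run before and after the fix. The following Go program is an added example written for this article, not Citrix code; the log lines it embeds are constructed in the format shown above (one of them given a non-anonymous user to show the contrast), and the message format it matches is taken from those lines only.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample ns.log lines in the format shown above (not a capture
// from a real appliance). The second line is made up to show a successful
// extraction for contrast.
const sampleLog = `Mar 4 14:07:16 <local0.debug> 10.107.98.76 03/04/2018:14:07:16 GMT Primary 0-PPE-0 : default SSLVPN Message 17416 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "
Mar 4 14:08:11 <local0.debug> 10.107.98.76 03/04/2018:14:08:11 GMT Primary 0-PPE-0 : default SSLVPN Message 17533 0 : "TCU_DHT : Username is in SAN format; username extracted: jsmith, domain extracted: corp"
Mar 4 14:08:58 <local0.debug> 10.107.98.76 03/04/2018:14:08:58 GMT Primary 0-PPE-0 : default SSLVPN Message 17583 0 : "TCU_DHT : Username is in SAN format; username extracted: anonymous, domain extracted: "`

// extractRe matches the username/domain pair inside the quoted TCU_DHT message.
var extractRe = regexp.MustCompile(`username extracted: ([^,]*), domain extracted: ([^"]*)"`)

// Extraction is one "username extracted" event pulled from ns.log.
type Extraction struct {
	Timestamp string // syslog timestamp, e.g. "Mar 4 14:07:16"
	Username  string
	Domain    string
}

// ParseExtractions returns every TCU_DHT username-extraction event in the log.
// Lines that do not carry the message are ignored.
func ParseExtractions(log string) []Extraction {
	var out []Extraction
	for _, line := range strings.Split(log, "\n") {
		m := extractRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		fields := strings.Fields(line)
		ts := ""
		if len(fields) >= 3 {
			ts = strings.Join(fields[:3], " ")
		}
		out = append(out, Extraction{
			Timestamp: ts,
			Username:  strings.TrimSpace(m[1]),
			Domain:    strings.TrimSpace(m[2]),
		})
	}
	return out
}

// AnonymousCount counts extractions that produced no usable identity, which is
// the symptom described in this article.
func AnonymousCount(events []Extraction) int {
	n := 0
	for _, e := range events {
		if e.Username == "anonymous" {
			n++
		}
	}
	return n
}

func main() {
	events := ParseExtractions(sampleLog)
	for _, e := range events {
		fmt.Printf("%-16s user=%-10s domain=%q\n", e.Timestamp, e.Username, e.Domain)
	}
	fmt.Printf("%d of %d certificate logons resolved to 'anonymous'\n",
		AnonymousCount(events), len(events))
}
```

On a live appliance the same parser can be fed the output of the grep shown above; any non-zero anonymous count after the certAction below is bound means the certificate field named in -userNameField is empty in the issued certificates, not that the policy is missing.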
Now, if a second user with a different certificate connects to the NetScaler, that user is also treated as anonymous: the Gateway prompts them to transfer the existing session, and the first user is kicked out of the VPN.
Complete the following steps to resolve this issue:
Enable authentication on the VPN Vserver as shown in the following screenshot:
Add the following Policy and Action to NetScaler and bind it to the VPN Vserver:
add authentication certAction CertAction -userNameField Subject:CN
add authentication certPolicy CertActionPolicy ns_true CertAction
bind vpn vserver <VPNVserverName> -policy CertActionPolicy -priority 100
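The -userNameField setting tells the Gateway which certificate field carries the user's identity; the log lines above show what happens when the field it looks at (here the SAN) is empty, and why pointing it at Subject:CN fixes the problem. The Go program below is an added example, not Citrix code: it builds a constructed, self-signed client certificate whose identity lives only in the Subject CN and models the extraction with a hypothetical ExtractUsername function that returns "anonymous" when the requested field is empty, which is the behaviour observed in this article, not NetScaler's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeClientCert builds a constructed, self-signed client certificate with the
// given Subject CN and SAN e-mail addresses (test data only, no real user).
func makeClientCert(cn string, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: emails, // becomes the rfc822Name entries of the SAN
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExtractUsername is a hypothetical model of the certAction -userNameField
// setting: it returns the value of the requested certificate field, or
// "anonymous" when that field is empty. This mirrors the behaviour seen in
// the article's logs; it is not NetScaler's own code.
func ExtractUsername(cert *x509.Certificate, field string) string {
	var name string
	switch field {
	case "Subject:CN":
		name = cert.Subject.CommonName
	case "SAN":
		if len(cert.EmailAddresses) > 0 {
			name = cert.EmailAddresses[0]
		}
	}
	if name == "" {
		return "anonymous"
	}
	return name
}

func main() {
	// Identity only in the Subject CN, no SAN: the situation from this article.
	cert, err := makeClientCert("jsmith", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN        ->", ExtractUsername(cert, "SAN"))        // anonymous
	fmt.Println("Subject:CN ->", ExtractUsername(cert, "Subject:CN")) // jsmith
}
```

Before binding the certAction, inspect a real issued certificate the same way (openssl x509 -noout -subject -ext subjectAltName) and choose the -userNameField value that matches where the CA actually places the user identity; an empty field yields anonymous sessions regardless of the policy.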
For more information, refer to the Citrix documentation: Configuring Client Certificate or Client Certificate and Domain Authentication.
This is a configuration issue: authentication is not enabled on the NetScaler Gateway Vserver, and a client certificate authentication policy and action that extract the username from the CN of the SSL certificate are required.