Getting " Your account cannot be added using this server address" error when VPN Session policy is configured with CLASSIC EXPRESSION and bound under AAA User/Group

Getting " Your account cannot be added using this server address" error when VPN Session policy is configured with CLASSIC EXPRESSION and bound under AAA User/Group

book

Article ID: CTX296814

calendar_today

Updated On:

Description

User tries to connect to Citrix Gateway Vserver from Citrix Workspace will be getting " Your account cannot be added using this server address" when VPN Session policy  for Citrix Receiver is configured with CLASSIC EXPRESSION and bound under AAA User/Group a shown below. No issue occurs through Web browser.

NOTE: The below error message gets displayed once after submitting the login credentials. 

image.png



/var/ns.log:

We could see the below error in the ns.log:



Jan 13 03:36:07 <local0.info> YY.YY.YY.YY 01/13/2021:03:36:07 GMT jioapps-internet-sec 0-PPE-3 : default SSLVPN Message 36403 0 : "SeamlessSSO-EPA-Done or WebView-Done-forms-resumed, continuing to session policy eval for user <USER NAME/ID>"
Jan 13 03:36:07 <local0.warn> YY.YY.YY.YY 01/13/2021:03:36:07 GMT jioapps-internet-sec 0-PPE-3 : default SSLVPN Message 36404 0 : "Ica mode status is not okay"
Jan 13 03:36:07 <local0.info> YY.YY.YY.YY 01/13/2021:03:36:07 GMT jioapps-internet-sec 0-PPE-3 : default SSLVPN Message 36405 0 : "Cannot complete login for user <USER NAME/ID>: sessionid <6b2>, session state <15>, reason: <unknown>"
Jan 13 03:36:07 <local0.info> YY.YY.YY.YY 01/13/2021:03:36:07 GMT jioapps-internet-sec 0-PPE-3 : default SSLVPN LOGOUT 36406 0 : User ,<USER NAME/ID> - Client_ip xx.xx.xx.xx - Nat_ip "Mapped Ip" - Vserver 10.77.55.84:8443 - Start_time "01/13/2021:03:36:07 GMT" - End_time "01/13/2021:03:36:07 GMT" - Duration 00:00:00 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 0 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "InternalError" - Group(s) "N/A"

 

Resolution


This issue has got fixed in 12.1 build 59 + version and 13.0 build 67 + version.

As a workaround change the VPN session policy configured for CITRIX RECEIVER from CLASSIC to ADVANCED SESSION POLICY using the below mentioned steps:


STEPS TO CONVERT CLASSIC TO ADVANCED SESSION POLICY:
----------------------------------------------------------------------------------------------


Go to Citrix Gateway > Session > Policies > Select the session policy configured for CITRIX RECEIVER ) > Click Edit > Select Advanced policy > Replace (ns_true) expression either with TRUE or Click on Expression Editor to configure a required expression > Save the changes.

If the above steps doesn't work, Unbind the existing VPN Session policy configured for Citrix Receiver  and Create a new VPN Session policy for Citrix Receiver > Select Advanced policy > TRUE Click on Expression Editor to configure a required expression > Save the changes.> Bind it to AAA USER or AAA GROUP

Problem Cause

Its a known Bug. The CLASSIC VPN SESSION POLICY (ns_true) bound to AAA User/Group is not getting evaluated by Citrix Access Gateway.
Powered by Wolken Software