Citrix ADC - EPA Scans failing after library upgrade for CWA version check

Article ID: CTX616974

Description

  • With the EPA libraries from Jan 18 (OPSWAT version 4.3.3906.0), EPA checks for the CWA version fail.
  • If the EPA library version is downgraded to the Nov 2023 libraries (OPSWAT version 4.3.3801.0), the EPA check works as expected.

Resolution

Follow the steps below to resolve the issue:
  • Flush the ADC cache, because the plugin executables (including epaPackage.exe) can be cached inappropriately. Use the following command to flush the content group. This applies even if the "Integrated Caching" feature is disabled:
> flush cache contentGroup loginstaticobjects
  • Create a no-cache policy on the ADC so that the issue is not observed again, and bind it to the VPN and authentication virtual servers (replace the placeholders in angle brackets with your own virtual server names):
> add cache policy bypass_epa_plugin_cache -rule "HTTP.REQ.URL.ENDSWITH(\".dmg\") || HTTP.REQ.URL.ENDSWITH(\".exe\") || HTTP.REQ.URL.ENDSWITH(\".deb\")" -action NOCACHE
> bind vpn vserver <vpn_vserver_name> -policy bypass_epa_plugin_cache -priority 5 -gotoPriorityExpression END -type REQUEST
> bind authentication vserver <auth_vserver_name> -policy bypass_epa_plugin_cache -priority 5 -gotoPriorityExpression END -type REQUEST
  • The error in the nsepa.txt file usually appears when the epaPackage.exe downloaded from NetScaler is incomplete (the complete package was not downloaded). You can confirm this by comparing the size of epaPackage.exe on the client and on NetScaler.
Client location: C:\Users\'Username'\AppData\Local\Citrix\AGEE\
NetScaler location: /var/netscaler/gui/epa/scripts/win/

Problem Cause

Endpoint Analysis (EPA) fails after the library upgrade, and the following errors are logged in epa.txt:


2024-01-30 07:28:12.711 | Tid: 12364 | ERROR  | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496

2024-01-30 07:28:12.711 | Tid: 12364 | ERROR  | downloadEpaLib | 382 | Failed to verify downloaded EPA library

2024-01-30 07:28:12.711 | Tid: 12364 | DEBUG  | ns_verifyfile: called

2024-01-30 07:28:12.715 | Tid: 12364 | ERROR  | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496

2024-01-30 07:28:12.715 | Tid: 12364 | ERROR  | checkAndLoadEPALib | 604 | Failed to verify EPA DLL

2024-01-30 07:28:12.715 | Tid: 12364 | ERROR  | initEPAlib | 796 | Failed to load EPA library 

2024-01-30 07:28:12.715 | Tid: 12364 | ERROR  | epaLibScan | 889 | Failed to initialize EPA library 

2024-01-30 07:28:12.715 | Tid: 12364 | DEBUG  | ns_EvalPolicy: REG-NUM_PATH_==_HKEY\_LOCAL\_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CitrixOnlinePluginPackWeb\\DisplayVersion_REDIR-64_==_TRUE_VALUE_>=_22.3.2000.2105 returns 2003 (Config Issue)
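
For triaging client logs like the excerpt above, the following added example (not Citrix code) parses EPA log lines, decodes the signed WinVerifyTrust value into its HRESULT and winerror.h name, and lists the errors that follow on the same thread. The sample lines are copied from the excerpt above; the field layout is inferred from those lines, and the code table is a small subset of standard Windows trust codes.

```python
import re

# Sample input: three lines copied from the log excerpt in this article.
SAMPLE_LOG = """\
2024-01-30 07:28:12.711 | Tid: 12364 | ERROR  | ns_verifyTrustedCert | 162 | WinVerifyTrust failed -2146762496, err -2146762496
2024-01-30 07:28:12.711 | Tid: 12364 | ERROR  | downloadEpaLib | 382 | Failed to verify downloaded EPA library
2024-01-30 07:28:12.715 | Tid: 12364 | ERROR  | initEPAlib | 796 | Failed to load EPA library
"""

# Standard Windows trust HRESULTs from winerror.h (subset, not Citrix-specific).
TRUST_CODES = {
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x80096010: "TRUST_E_BAD_DIGEST",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

# Field layout assumed from the excerpt: time | Tid | level | function | line | message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| Tid: (?P<tid>\d+) \| (?P<level>\w+)\s*\| "
    r"(?P<func>\w+) \| (?P<line>\d+) \| (?P<msg>.*)$")
WVT_RE = re.compile(r"WinVerifyTrust failed (-?\d+)")

def decode_hresult(value):
    """Convert the signed 32-bit value in the log to (hex HRESULT, name)."""
    code = value & 0xFFFFFFFF
    return f"0x{code:08X}", TRUST_CODES.get(code, "unknown")

def triage(log_text):
    """Return one finding per WinVerifyTrust failure, with later errors on that thread."""
    findings, open_by_tid = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue  # DEBUG lines and unparsable lines are ignored
        wvt = WVT_RE.search(m["msg"])
        if wvt:
            hexcode, name = decode_hresult(int(wvt.group(1)))
            finding = {"time": m["ts"], "tid": m["tid"], "hresult": hexcode,
                       "name": name, "followed_by": []}
            findings.append(finding)
            open_by_tid[m["tid"]] = finding
        elif m["tid"] in open_by_tid:
            open_by_tid[m["tid"]]["followed_by"].append(m["func"])
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["hresult"], f["name"], "->", ", ".join(f["followed_by"]))
```

A result of TRUST_E_NOSIGNATURE means Windows found no signature in the file it checked, which is the case to follow up with the file size comparison described in the Resolution section.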

Issue/Introduction

This article contains the steps to resolve the issue of the EPA library failing to initialize after the library upgrade.

Additional Information

https://support.citrix.com/article/CTX464137/epa-failure-access-denied