NetScaler-13.1-EPA scan failed with "Error while parsing client security configuration"



Article ID: CTX692804


Description

The EPA scan fails with "Error while parsing client security configuration" in the EPA log.

 

----------------------------

2025-02-19 09:03:50.706 | 21708 |   DEBUG | D | PRE AUTH EPA | token: <sys_0_MAC_ADDR_anyof_F8BXXXXXX28A> |
2025-02-19 09:03:50.706 | 21708 |   DEBUG | D | PRE AUTH EPA | Policy MAC_ADDR_anyof_F8BXXXXXX28A returned 2004 |
2025-02-19 09:03:50.706 | 21708 | VERBOSE | D | PRE AUTH EPA | ns_EvalPolicy returns 2004 |
2025-02-19 09:03:50.706 | 21708 | VERBOSE | D | PRE AUTH EPA | ns_free_dependspol:num_mallocPolicyBuffer=0 |

=> The above is an example of a good EPA expression.

2025-02-19 09:03:50.706 | 21708 |   DEBUG | D | PRE AUTH EPA | token: <sys_0_MAC_ADDR_anyof_C0EXXXXXX6CF[COMMENT:> |
2025-02-19 09:03:50.706 | 21708 |   DEBUG | D | PRE AUTH EPA | token: <1XX-XXX407> |
2025-02-19 09:03:50.706 | 21708 |   ERROR | S | PRE AUTH EPA | The client security configuration [1XX-XXX407] is not correct. |
2025-02-19 09:03:50.706 | 21708 |   DEBUG | D | PRE AUTH EPA | Wrong configuration! Invalid token: <1XX-XXX407> |
2025-02-19 09:03:50.706 | 21708 |   ERROR | S | PRE AUTH EPA | Error while parsing client security configuration |
2025-02-19 09:03:50.707 | 21708 | VERBOSE | D | PRE AUTH EPA | ns_free_dependspol:num_mallocPolicyBuffer=0 |

=> The above is an example of a bad EPA expression.

----------------------------

Resolution

The issue is resolved after correcting the expression.

The following link shows a correct example of an EPA scan with a MAC address.

https://support.citrix.com/s/article/CTX220961-how-to-configure-netscaler-gateway-preauthentication-epa-scan-for-domain-check?language=en_US


Problem Cause

"Error while parsing client security configuration" means that the EPA expression has an issue.

A comment in an EPA expression must be enclosed in square brackets "[]". In this case, however, the customer configured the following expression incorrectly: the closing square bracket ("]") is missing from the expression, which caused the EPA scan to fail.

---------------------------------------

CLIENT.SYSTEM(\'MAC_ADDR_anyof_C0EXXXXXX6CF[COMMENT: 1XX-XXX407\') EXISTS

---------------------------------------

 

The correct expression should be as below:

---------------------------------------

CLIENT.SYSTEM(\'MAC_ADDR_anyof_C0EXXXXXX6CF[COMMENT: 1XX-XXX407]\') EXISTS

---------------------------------------
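
The following added example is not from Citrix or the NetScaler product: it checks EPA expression strings for the unbalanced comment bracket described above, so the mistake can be caught before the expression is configured. The function names and the third sample expression are assumptions made for illustration, and only the quoted-argument form shown in this article is handled.

```python
import re

# Assumption: handles only the quoted scan-argument form shown in this
# article; it checks bracket balance and is not a full EPA expression parser.
QUOTED_ARG = re.compile(r"""\\?(['"])(.*?)\\?\1""")


def bracket_problems(expression):
    """Return a list of bracket problems in the quoted arguments."""
    problems = []
    for match in QUOTED_ARG.finditer(expression):
        arg, depth = match.group(2), 0
        for offset, char in enumerate(arg):
            if char == "[":
                depth += 1
            elif char == "]":
                if depth == 0:
                    problems.append(f"']' at offset {offset} has no opening '[' in {arg!r}")
                else:
                    depth -= 1
        if depth:
            problems.append(f"{depth} '[' never closed with ']' in {arg!r}")
    return problems


def lint_expressions(expressions):
    """Map each failing expression's 1-based position to its problems."""
    report = {}
    for number, expression in enumerate(expressions, start=1):
        found = bracket_problems(expression)
        if found:
            report[number] = found
    return report


# Constructed sample: the two expressions from this article plus one
# constructed expression that carries no comment.
SAMPLE = [
    r"CLIENT.SYSTEM(\'MAC_ADDR_anyof_C0EXXXXXX6CF[COMMENT: 1XX-XXX407\') EXISTS",
    r"CLIENT.SYSTEM(\'MAC_ADDR_anyof_C0EXXXXXX6CF[COMMENT: 1XX-XXX407]\') EXISTS",
    r"CLIENT.SYSTEM('MAC_ADDR_anyof_F8BXXXXXX28A') EXISTS",
]

if __name__ == "__main__":
    for number, found in lint_expressions(SAMPLE).items():
        print(f"expression {number}: {'; '.join(found)}")
```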