Users get the following error message when they try to log on through NetScaler Gateway:
"Login exceeds maximum allowed users".
This issue usually appears after a firmware upgrade from NetScaler Gateway 9.x to NetScaler Gateway 10.5 and a Universal Gateway License is allocated.
Complete a firmware upgrade to NetScaler Gateway 11.1 Build 49.16 or later. Starting with this release, Citrix added logic that detects an active CCU license installed on the NetScaler and automatically changes the maximum number of AAA users to match the CCU license, which avoids this issue. The detection also works when the license is added after the firmware upgrade.
Log on to the NetScaler Gateway. Use the following commands to change the hostname of the gateway to match the hostname specified on the license:
set ns hostName access.company.com
save config
shell
echo hostname=\"access.company.com\" > /nsconfig/rc.conf
reboot
Note: In this example, access.company.com is used as the name. It is recommended to use the Fully Qualified Domain Name (FQDN).
Navigate to Configuration > System > Licenses to review the license.
Verify the value of Maximum NetScaler Gateway Users Allowed.
Navigate to NetScaler Gateway > Global Settings > Change Authentication AAA Settings.
Change the Maximum Number of Users value to match the allocated licenses.
You can also restrict the Maximum Users in the VPN Virtual Server settings. To configure this change, complete the following steps:
Navigate to Configuration > NetScaler Gateway > Virtual Servers.
Open the required VPN Virtual Server.
Edit the Basic Settings.
Expand the Basic Settings by clicking More.
Type the Max Users allowed and save all changes.
Basic Mode signifies that the license count reported by either the Maximum ICA Users Allowed or Maximum NetScaler Gateway Users Allowed (used as a substitute when Maximum ICA Users Allowed is reported as zero) must be used.
Basic Mode means that the virtual server passes only ICA sessions, where the global settings or session profile are configured with ICA PROXY ON, and no attempt is made to use any End Point Analysis functions (for example, pre-authentication policies; session policies that query anything beyond attributes of the HTTP request). HTTP traffic to the configured Web Interface URL in global settings or the configured session profile (Web Interface or StoreFront) is allowed in this mode.
SmartAccess Mode signifies that only the license count reported by the Maximum NetScaler Gateway Users Allowed must be used. SmartAccess Mode means that the virtual server passes both ICA sessions and VPN sessions, and either of these connection types consumes exclusively from this license count when using this mode.
If the NetScaler Gateway virtual server is using the license count reported by Maximum NetScaler Gateway Users Allowed, the number of allowed connections is subject to a usage governor configured within Global Authentication Settings.
If the virtual server is configured with Basic Mode, but the value reported by Maximum ICA Users Allowed is zero, the ICA session connections depend on the license count reported by Maximum NetScaler Gateway Users Allowed.
Refer to CTX202107 - Enable Basic Mode and Smart Access Mode in NetScaler Gateway for more information.
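The following is an added example, not Citrix code. It applies the Basic Mode and SmartAccess Mode rules described above to work out the session ceiling for one virtual server and flags a global AAA maximum that is lower than the licensed count. The sample text, the MaxAAAUsers field label and the function names are constructed assumptions.

```python
import re

# Constructed sample text styled after `show ns license` and `show aaa parameter`;
# the exact field layout on a given build is an assumption.
SAMPLE_LICENSE = """\
    Maximum ICA Users Allowed: 0
    Maximum NetScaler Gateway Users Allowed: 500
"""
SAMPLE_AAA = "    MaxAAAUsers: 5\n"


def read_field(text, label):
    """Return the integer that follows 'label:' in CLI-style text, or None."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(\d+)\s*$", text, re.M)
    return int(m.group(1)) if m else None


def effective_limit(license_text, aaa_text, mode, vserver_max=None):
    """Return (limit, licensed, notes) for one virtual server.

    mode: "basic" or "smartaccess". vserver_max: optional Max Users value
    set on the VPN virtual server (None means not set).
    """
    if mode not in ("basic", "smartaccess"):
        raise ValueError("mode must be 'basic' or 'smartaccess'")
    ica = read_field(license_text, "Maximum ICA Users Allowed")
    gateway = read_field(license_text, "Maximum NetScaler Gateway Users Allowed")
    governor = read_field(aaa_text, "MaxAAAUsers")
    if gateway is None or governor is None:
        raise ValueError("license count or AAA maximum missing from input")
    notes = []
    if mode == "basic" and ica:
        # Basic Mode with a non-zero ICA count: that count applies.
        licensed = limit = ica
    else:
        # SmartAccess Mode, or Basic Mode with an ICA count of zero: the
        # gateway count applies and is capped by the global AAA maximum.
        licensed = gateway
        limit = min(gateway, governor)
        if governor < gateway:
            notes.append(f"AAA maximum {governor} is below licensed count {gateway}")
    if vserver_max is not None and vserver_max < limit:
        limit = vserver_max
        notes.append(f"virtual server Max Users {vserver_max} is the ceiling")
    return limit, licensed, notes


if __name__ == "__main__":
    print(effective_limit(SAMPLE_LICENSE, SAMPLE_AAA, "basic"))
```

With the constructed sample, the ceiling is 5 sessions against 500 licensed users, which is the condition that produces the logon error before the license is exhausted.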