ICA Sessions Getting Disconnected Immediately After Upgrade to NetScaler 11 in Dual Hop Setup

Article ID: CTX202991

Description

  • After upgrading the NetScaler to 11.0, ICA sessions disconnect or freeze intermittently.
  • On the external NetScaler in a double hop setup, nslog shows the zero window counters increasing:
    nsconmsg -K newnslog -g window -d current | more
    reltime:mili second between two records Tue Nov 3 15:58:41 2015
    Index rtime totalcount-val delta rate/sec symbol-name&device-no
    3645 7002 24109 1 0 tcp_err_oowindow
    3646 7001 24110 1 0 tcp_err_oowindow
    3647 98021 24112 2 0 tcp_err_oowindow
    3648 7002 24121 9 1 tcp_err_oowindow
    3649 14003 24122 1 0 tcp_err_oowindow
    3650 14003 24123 1 0 tcp_err_oowindow
    3651 21004 24127 4 0 tcp_err_oowindow
    3652 7002 24128 1 0 tcp_err_oowindow
    3653 7001 24129 1 0 tcp_err_oowindow
    3654 14003 24135 6 0 tcp_err_oowindow
    3655 14004 24139 4 0 tcp_err_oowindow
    3656 7001 24147 8 1 tcp_err_oowindow
    3657 7002 24148 1 0 tcp_err_oowindow
    3658 7001 24149 1 0 tcp_err_oowindow
    3659 7002 24150 1 0 tcp_err_oowindow
    3660 35007 24151 1 0 tcp_err_oowindow
    3661 70015 24154 3 0 tcp_err_oowindow
    3662 7002 24180 26 3 tcp_err_oowindow
    3663 7001 24181 1 0 tcp_err_oowindow
    3664 21005 24188 7 0 tcp_err_oowindow
    3665 7001 24197 9 1 tcp_err_oowindow
    3666 7002 24198 1 0 tcp_err_oowindow
  • The zero window propagates from the external NetScaler to the internal NetScaler.
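
One way to confirm the symptom from a saved capture, as an added example (not Citrix code): the Python below parses `nsconmsg` output in the format shown above and reports how quickly `tcp_err_oowindow` is growing. The sample is the header plus the first five records from the output above; the function names and the per-minute figure are assumptions of this example.

```python
import re

# Sample input: header and first five records of the nsconmsg output shown above.
SAMPLE = """\
reltime:mili second between two records Tue Nov 3 15:58:41 2015
Index rtime totalcount-val delta rate/sec symbol-name&device-no
3645 7002 24109 1 0 tcp_err_oowindow
3646 7001 24110 1 0 tcp_err_oowindow
3647 98021 24112 2 0 tcp_err_oowindow
3648 7002 24121 9 1 tcp_err_oowindow
3649 14003 24122 1 0 tcp_err_oowindow
"""

# Columns: index, rtime (ms since the previous record, per the banner line),
# total count, delta, rate/sec, counter name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(\S+)")

def parse_records(text):
    """Return one dict per data row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, rtime, total, delta, rate = map(int, m.groups()[:5])
            rows.append({"index": idx, "rtime_ms": rtime, "total": total,
                         "delta": delta, "rate": rate, "symbol": m.group(6)})
    return rows

def summarize(rows, symbol="tcp_err_oowindow"):
    """Summarize growth of one counter across the captured records."""
    hits = [r for r in rows if r["symbol"] == symbol]
    growth = sum(r["delta"] for r in hits)
    elapsed = sum(r["rtime_ms"] for r in hits)
    # Each total should equal the previous total plus this row's delta; a
    # mismatch means rows are missing from the capture or the counter reset.
    consistent = all(b["total"] - a["total"] == b["delta"]
                     for a, b in zip(hits, hits[1:]))
    per_min = round(growth * 60000 / elapsed, 2) if elapsed else 0.0
    return {"samples": len(hits), "growth": growth, "elapsed_ms": elapsed,
            "per_min": per_min, "consistent": consistent}

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

Running the same summary before and after applying the fix or workaround shows whether the counter has stopped growing.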

Resolution

The issue is fixed in NetScaler 11.0 64.34 and 10.5 60.7.

Workaround

External NetScaler

  • Create a service for the next hop server IP and disable TLSv1.1 and TLSv1.2 on that service.
  • Also disable TLSv1.1 and TLSv1.2 on the NetScaler Gateway vserver on the external NetScaler.

Internal NetScaler

  • Disable TLSv1.1 and TLSv1.2 on the NetScaler Gateway vserver on the internal NetScaler.

Problem Cause

  • The symptoms and logs match a known issue, issue ID 596278, which is fixed in NS 11.0 build 64.34nc: if the TLS 1.1/1.2 protocol is used with AES/3DES ciphers, the length of the TCP window at the back end shrinks to zero. As a result, after some time, the connection is terminated.
  • In the double hop scenario, the problem starts on the external NetScaler and is propagated to the internal NetScaler.
  • Please refer to the release notes of 11.0 B 64.x: https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_0_64_34.html

Issue/Introduction

ICA sessions getting disconnected immediately after upgrade to NetScaler 11 in dual hop setup.