Error : "Unable to launch application" when Optimal Gateway Routing is enabled


Article ID: CTX233853


Description

When trying to launch an application through NetScaler Gateway, one of the following error messages is received:

[Images: screenshots of the error messages]

Resolution

The issue occurs because the NetScaler does not contact the STA servers to get the VDA information, even after receiving the STA ID and token from the client. Instead, it logs the following error messages:
 
Mar  1 11:31:16 <local0.debug> 10.225.20.30 03/01/2018:00:31:16 GMT NS1 0-PPE-0 : default SSLVPN Message 163677 0 :  "   ns_vpn_handle_cgp, STA ticket received = 9F43E536E8DA27C3F747E34B2525B6,from client pcb_fip = 10.225.16.220, pcb_fport = 64543  "
Mar  1 11:31:16 <local0.debug> 10.225.20.30 03/01/2018:00:31:16 GMT NS1 0-PPE-0 : default SSLVPN Message 163678 0 :  "ICADHT STA ticket 9F43E536E8DA27C3F747E34B2525B6 not found locally, pcb_fip = 10.225.16.220, pcb_fport = 64543 "
Mar  1 11:31:16 <local0.debug> 10.225.20.30 03/01/2018:00:31:16 GMT NS1 0-PPE-0 : default SSLVPN Message 163679 0 :  " ns_vpn_icaconn_session_dht_resumeNotification: *************** sess_req->pcb_devno = 1654956, pcbdevno = 1654956  **********  "
Mar  1 11:31:16 <local0.err> 10.225.20.30 03/01/2018:00:31:16 GMT NS1 0-PPE-0 : default SSLVPN Message 163680 0 :  "ICADHT resumeNotification; entry :9F43E536E8DA27C3F747E34B2525B6 not found, fatal error! pcb_fip = 10.225.16.220, pcb_fport = 64543"
 
If we further check the counter logs on the NetScaler, we can see that the “csg_tot_sta_dht_get_fail” counter is increasing. This counter records the total number of times the DHT fetch for an STA ticket fails.
 
After checking the configuration, we can see that “-icaSessionTimeout” is set to ON in the non-working scenario:
 
Non-Working Configuration:
set vpn parameter -proxy OFF -forceCleanup none -clientConfiguration trace -UITHEME DEFAULT -icaSessionTimeout ON
 
Explanation:
The authentication gateway in this case is the StoreFront server itself, because authentication does not happen on the NetScaler Gateway VIP. -icaSessionTimeout should not be ON when authentication does not happen on the ICA gateway. The parameter links the AAA session with its ICA connections so that when the AAA session times out, all associated ICA connections are closed. In this case there is no AAA session, so the parameter should not be set to ON; otherwise the NetScaler tries to find the corresponding AAA session and closes the connection if it does not find one. This is why the NetScaler does not initiate the connection to the STA server to get the VDA information.
 
Solution:
Please set the -icaSessionTimeout parameter to OFF if authentication is not happening on the NetScaler Gateway itself.
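
The check below is an added example, not part of the original article or any Citrix tooling: it pairs each "STA ticket received" message with a later ICADHT "fatal error" for the same ticket and client, and reports whether the configuration carries -icaSessionTimeout ON. The function names and the third sample log line are assumptions constructed for illustration; the script cannot tell where authentication happens, so a match is only a prompt to review that setting.

```python
import re

# Message formats taken from the SSLVPN log excerpt in this article.
RECEIVED = re.compile(
    r"STA ticket received = ([0-9A-F]+),\s*from client pcb_fip = ([\d.]+), pcb_fport = (\d+)")
FATAL = re.compile(
    r"ICADHT resumeNotification; entry\s*:([0-9A-F]+) not found, fatal error! "
    r"pcb_fip = ([\d.]+), pcb_fport = (\d+)")
TIMEOUT_ON = re.compile(r"^set vpn parameter\b.*-icaSessionTimeout\s+ON\b", re.I | re.M)

# First two entries: messages from the article. Last entry: constructed control line.
SAMPLE_LOG = [
    'default SSLVPN Message 163677 0 :  "   ns_vpn_handle_cgp, STA ticket received = '
    '9F43E536E8DA27C3F747E34B2525B6,from client pcb_fip = 10.225.16.220, pcb_fport = 64543  "',
    'default SSLVPN Message 163680 0 :  "ICADHT resumeNotification; entry '
    ':9F43E536E8DA27C3F747E34B2525B6 not found, fatal error! pcb_fip = 10.225.16.220, pcb_fport = 64543"',
    'default SSLVPN Message 163700 0 :  "   ns_vpn_handle_cgp, STA ticket received = '
    '0123456789ABCDEF0123456789ABCD,from client pcb_fip = 192.0.2.10, pcb_fport = 50000  "',
]
SAMPLE_CONFIG = ("set vpn parameter -proxy OFF -forceCleanup none "
                 "-clientConfiguration trace -UITHEME DEFAULT -icaSessionTimeout ON")

def failed_sta_lookups(lines):
    """Return (ticket, client_ip, client_port) for tickets that were received
    from a client and then hit the ICADHT 'not found, fatal error' message."""
    received, failed = set(), []
    for line in lines:
        m = RECEIVED.search(line)
        if m:
            received.add(m.groups())
            continue
        m = FATAL.search(line)
        if m and m.groups() in received and m.groups() not in failed:
            failed.append(m.groups())
    return failed

def ica_session_timeout_on(config_text):
    """True if a 'set vpn parameter' line sets -icaSessionTimeout ON."""
    return bool(TIMEOUT_ON.search(config_text))

def diagnose(lines, config_text):
    """Combine both checks; 'matches_article' means both symptoms are present."""
    failed = failed_sta_lookups(lines)
    on = ica_session_timeout_on(config_text)
    return {"failed": failed, "timeout_on": on, "matches_article": bool(failed) and on}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONFIG))
```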
 

Problem Cause

The -icaSessionTimeout parameter should be OFF if authentication is not happening on the NetScaler Gateway itself.