How to collect data for ADC Gateway VPN issues
Article ID: CTX284765
Description
To provide a comprehensive guide on how to properly collect data for issues with ADC when these issues are related to Full VPN.
Instructions
These steps should be followed in the order provided to ensure the necessary data is captured. Additional information is provided for some steps, marked with "**".
"Test PC" refers to the PC (or thin client) used to replicate the issue.
1. On the Test PC, enable VPN plugin debug logging or Citrix SSO logging. Open the VPN plugin on the PC (see https://support.citrix.com/article/CTX138155 if the icon is hidden), then navigate to 3-bar menu -> Configuration -> check "Enable debug logging". If using the Citrix SSO app, see the debug logging guide here. If using the Citrix SSO app, also clear the logs so that irrelevant data is removed.
2. On the Test PC, install Wireshark and the WinPcap add-on that the Wireshark installer offers to install alongside it.
3. On the Test PC, log off the VPN plugin/Citrix SSO and ensure it is NOT waiting for credential entry; if it is, close it so that the trace does not miss the Client Hello. If you instead use a browser to log in, ensure it is NOT at the login page; if it is, close it. Preferably open a new Incognito window and do NOT go to the Gateway URL yet.
4. If requested and using a browser to log in, open the browser's Developer Tools, select the Network tab, and enable the "Preserve log" option.
5. On the ADC, ensure debug logging is enabled: System -> Auditing -> Change Auditing Syslog Settings -> set Log Levels to ALL -> click OK.
6. On the ADC, ensure debug logging for authentication is enabled: Gateway -> Global Settings -> under Authentication Settings click "Change authentication AAA Settings" -> set BOTH "AAA Session Log Levels" and "AAAD Log Level" to DEBUG -> click OK.
7. On the ADC, ensure Session Reuse is disabled on the relevant Gateway: Gateway -> Vservers -> Edit Vserver -> SSL Parameters -> uncheck "Enable Session Reuse".
   **This should not cause service interruptions and ensures traces will decrypt.**
8. On the ADC, go to System -> Diagnostics -> Start a trace, and start the trace using the settings in the image; be sure to change all highlighted items.
   **NOTE: The preference is that the trace is unfiltered. However, if you absolutely must filter the capture, ensure you capture all of these items: CONNECTION.IP.EQ(Client_IP) || CONNECTION.IP.EQ(Client_IIP) || CONNECTION.IP.EQ(VIP_VserverIPs) || CONNECTION.IP.EQ(Backend_Server_IPs) || CONNECTION.PORT.EQ(514) || CONNECTION.PORT.EQ(8766)**
   **SSL Master Keys are not your private keys; they are session keys which will only decrypt this trace. This does NOT work with FIPS ADCs, as the SSL session keys cannot be captured from the FIPS HSM.**
9. Ensure the trace is running and that you have acknowledged the decryption message before proceeding.
10. On the Test PC, open Wireshark, select the proper network interface, and start capturing.
11. On the Test PC, open the Gateway plugin (or the browser login page) and connect to the VPN.
12. Replicate the issue you are experiencing.
13. Take note of the exact time when the issue is replicated and provide it to your support representative via email.
14. Capture the IP address of the backend server being connected to, using ping or nslookup on the Test PC, and provide it to your support representative via email.
15. On the Test PC, capture the internal IP (ipconfig) and external IP (whatsmyip.org) and provide them to your support representative via email.
16. On the Test PC, disconnect from the VPN.
17. On the Test PC, stop the capture in Wireshark and save it as ClientTrace.
18. On the Test PC, if using the VPN client, navigate to 3-bar menu -> Logging -> Collect Log files and allow this to complete. The file "vpnlogs DateOfCollection.zip" will be created on your desktop. If using the Citrix SSO app, email the logs to yourself.
19. In the browser Developer Tools pane, right-click the captured data and select "Save all as HAR with content".
20. On the ADC, stop the trace and download the .cap files and the .sslkeys session key files.
21. On the ADC, generate a support file at Diagnostics -> Generate support file, selecting NODE. This will take some time to complete; be sure to download the generated file and provide it at step 22 below.
   **The support file can also be collected manually with the CLI command "show techsupport". Then download the file using WinSCP; it is located at /var/tmp/support/collector_P_IPADDR_DateAndTimeCaptured.tar.gz**
22. Upload all of the files listed below to https://cis.citrix.com. If you cannot access the link from within your company, use a different internet connection or PC to upload the files.
   - Client VPN or SSO app logs
   - Client trace
   - HAR file, if requested
   - ADC traces
   - ADC SSLKEYS
   - ADC support file
   Do not forget to email the information from steps 13, 14, and 15.
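The note under step 7 and the SSL Master Keys note under step 8 both come down to one prerequisite: a trace only decrypts if the key file actually contains an entry for every TLS session in it. The following added example (not from the Citrix article or from any Citrix tool) checks that before upload. It reads a classic pcap file with Ethernet frames, pulls the 32-byte client random out of every TLS ClientHello, and reports which sessions have a matching CLIENT_RANDOM line in the key file. It assumes the .sslkeys file is in the NSS key log format that Wireshark reads (CLIENT_RANDOM <client_random> <master_secret>); if your capture is pcapng or ADC-native .cap, save it as pcap from Wireshark first. The sample capture and key log embedded at the bottom are constructed so the script runs offline; the IPs 10.0.0.5 and 203.0.113.10 are placeholders.

```python
"""Check that an SSL key log covers every TLS ClientHello in a pcap.

Standard library only. Parses: pcap global header -> Ethernet -> IPv4 -> TCP
-> TLS record -> ClientHello, and compares each client random against the
CLIENT_RANDOM entries of an NSS-format key log (assumed format of .sslkeys).
"""
import struct


def parse_keylog(text):
    """Return the client_random values (lower-case hex) named in CLIENT_RANDOM lines."""
    randoms = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            randoms.add(parts[1].lower())
    return randoms


def iter_pcap_packets(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:        # written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:      # written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nstrace .cap are not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, tcp_payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    doff = (frame[tcp + 12] >> 4) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, frame[tcp + doff:]


def client_hello_random(payload):
    """Return the ClientHello random as hex if the payload starts with one, else None."""
    # TLS record: type(1) version(2) length(2); handshake: type(1) len(3) version(2) random(32)
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    return payload[11:43].hex()


def check_decryptability(pcap_bytes, keylog_text):
    """Return (matched, missing): lists of (src, dst, client_random_hex) per ClientHello."""
    known = parse_keylog(keylog_text)
    matched, missing = [], []
    for _ts, frame in iter_pcap_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, payload = parsed
        rnd = client_hello_random(payload)
        if rnd is not None:
            (matched if rnd in known else missing).append((src, dst, rnd))
    return matched, missing


# ---- constructed sample data (not a real capture) ----------------------------
def build_client_hello(random32):
    body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + b"\x00\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_frame(src_ip, dst_ip, payload):
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


CLIENT_IP, VIP = "10.0.0.5", "203.0.113.10"          # placeholder addresses
RANDOM_A, RANDOM_B = bytes(range(32)), bytes(range(32, 64))
SAMPLE_PCAP = build_pcap([build_frame(CLIENT_IP, VIP, build_client_hello(RANDOM_A)),
                          build_frame(CLIENT_IP, VIP, build_client_hello(RANDOM_B))])
SAMPLE_KEYLOG = "# constructed key log\nCLIENT_RANDOM " + RANDOM_A.hex() + " " + "ab" * 48 + "\n"

if __name__ == "__main__":
    ok, bad = check_decryptability(SAMPLE_PCAP, SAMPLE_KEYLOG)
    print(f"{len(ok)} session(s) decryptable, {len(bad)} without a key entry")
    for src, dst, rnd in bad:
        print(f"  no CLIENT_RANDOM for {src} -> {dst} (random {rnd[:16]}...)")
```

For a real run, replace the two sample constants with `open("ClientTrace.pcap", "rb").read()` and the text of the .sslkeys file. A non-empty "missing" list on the ADC-side trace is the signal to re-check step 7 (Session Reuse) and the FIPS caveat before uploading, rather than discovering it after support opens the files.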
Issue/Introduction
A comprehensive guide on how to properly collect data for issues with ADC when these issues are related to Gateway, StoreFront, or VDA connectivity.