Users will get the error "Http/1.1 Internal Server Error 43531"



The ns.log will give error as below:

Dec 23 14:52:26 <local0.infoXXX.XXX.X.XXX 12/23/2020:19:52:26 GMT QWERTY 0-PPE-0 : default SSLVPN Message 15268 0 :  "get_session user: <username>, aaa_info flags 11 flags2 0, new webview 0, sess flags2 0, flags3 0 flags4 400 ssoDomain <abc>, ssoUsername: <username>, ssoUsername2: <username>"
Dec 23 14:52:26 <local0.warn> XXX.XXX.X.XXX 12/23/2020:19:52:26 GMT QWERTY1 0-PPE-0 : default SSLVPN Message 15269 0 :  "Ica mode status is not okay"
Dec 23 14:52:26 <local0.info> XXX.XXX.X.XXX 12/23/2020:19:52:26 GMT QWERTY 0-PPE-0 : default SSLVPN Message 15270 0 :  "Cannot complete login for user: <username>sessionid <xx>, session state <xx>, reason: <unknown>"

Customer have the below expression for the Session policy

"REQ.HTTP.HEADER User-Agent NOTCONTAINS Citrix-Receiver && REQ.HTTP.HEADER Referer EXISTS"
 

Follow the below steps if customer wanted to use the Advanced Policy:

1. Change the classical expression to advanced expression. Refer to article https://support.citrix.com/article/CTX131024
2. Use below expressions in session policies
   • Expression for Browser: HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix-Receiver").NOT 
   • Expression for Workspace: HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix-Receiver")

1. Use below expressions in session policies
   • Expression for Browser: REQ.HTTP.HEADER User-Agent NOTCONTAINS Citrix-Receiver 
   • Expression for Workspace: REQ.HTTP.HEADER User-Agent CONTAINS Citrix-Receiver

The second part of Referer Header is not required for the session policy for storefront. 

Configure NetScaler Gateway session policies for StoreFront - https://docs.netscaler.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-gateway-session-policies-for-storefront.html

Problem Cause