"Http/1.1 Internal Server Error 43531" when accessing Citrix Gateway after upgrading to version 13.0

"Http/1.1 Internal Server Error 43531" when accessing Citrix Gateway after upgrading to version 13.0

book

Article ID: CTX291268

calendar_today

Updated On:

Description

Users will get the error "Http/1.1 Internal Server Error 43531"



The ns.log will give error as below:

Dec 23 14:52:26 <local0.infoXXX.XXX.X.XXX 12/23/2020:19:52:26 GMT QWERTY 0-PPE-0 : default SSLVPN Message 15268 0 :  "get_session user: <username>, aaa_info flags 11 flags2 0, new webview 0, sess flags2 0, flags3 0 flags4 400 ssoDomain <abc>, ssoUsername: <username>, ssoUsername2: <username>"
Dec 23 14:52:26 <local0.warn> XXX.XXX.X.XXX 12/23/2020:19:52:26 GMT QWERTY1 0-PPE-0 : default SSLVPN Message 15269 0 :  "Ica mode status is not okay"
Dec 23 14:52:26 <local0.info> XXX.XXX.X.XXX 12/23/2020:19:52:26 GMT QWERTY 0-PPE-0 : default SSLVPN Message 15270 0 :  "Cannot complete login for user: <username>sessionid <xx>, session state <xx>, reason: <unknown>"

Resolution

Customer have the below expression for the Session policy

"REQ.HTTP.HEADER User-Agent NOTCONTAINS Citrix-Receiver && REQ.HTTP.HEADER Referer EXISTS"
 

Follow the below steps if customer wanted to use the Advanced Policy:

  1. Change the classical expression to advanced expression. Refer to article https://support.citrix.com/article/CTX131024
  2. Use below expressions in session policies
    • Expression for Browser: HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix-Receiver").NOT 
    • Expression for Workspace: HTTP.REQ.HEADER("User-Agent").CONTAINS("Citrix-Receiver")
Below steps if customer wanted to continue to use the Classic Policy in 13.0 version. 
  1. Use below expressions in session policies
    • Expression for Browser: REQ.HTTP.HEADER User-Agent NOTCONTAINS Citrix-Receiver 
    • Expression for Workspace: REQ.HTTP.HEADER User-Agent CONTAINS Citrix-Receiver

The second part of Referer Header is not required for the session policy for storefront. 

Configure NetScaler Gateway session policies for StoreFront - https://docs.netscaler.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-gateway-session-policies-for-storefront.html


Problem Cause

In earlier version of 13.0/12.1 the Referer header was requested and now not in new versions of 13.0/13/1. So incoming HTTP packets towards the Citrix Gateway does not have Referer header. Because of it the session policy was not getting hit.