The case of the unexplained! NetScaler Gateway ICA SSL error 29

So I had a friend reach out to me earlier today, because he was having some trouble with a NetScaler Gateway setup where he was unable to launch ICA sessions after setting up the Gateway and StoreFront. All certs were in place, authentication worked as it should, and STA was configured properly.

No events appeared in StoreFront, and after a while he sent me a trace file in which I could do some more digging.

After doing some digging, we got information about a VDA agent which the NetScaler was trying to contact, and I noticed this error message in Wireshark.

I then filtered in Wireshark on the SNIP address which was used in this case and the VDA agent, and came up with this.

So this basically means that the SNIP address is trying to establish a TCP handshake with the VDA agent, but it does not receive any reply from the destination address. So it was basically a firewall ACL that was missing for the ports against the particular subnet!
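The pattern described above (SYNs leaving the SNIP that never get an answer) can also be picked out of an exported trace with a short script. This is an added example, not part of the original post; the addresses, the ICA port 1494 and the tshark field export are assumptions.

```python
from typing import List, Tuple

# Constructed sample, one packet per row, as exported with:
#   tshark -r trace.pcap -Y tcp -T fields -E separator=, \
#     -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport \
#     -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.reset
# Addresses are documentation-range placeholders; 1494 (ICA) is an assumed port.
SAMPLE = """\
0.000,192.0.2.10,198.51.100.21,40112,1494,1,0,0
1.000,192.0.2.10,198.51.100.21,40112,1494,1,0,0
3.000,192.0.2.10,198.51.100.21,40112,1494,1,0,0
0.500,192.0.2.10,198.51.100.30,40200,443,1,0,0
0.501,198.51.100.30,192.0.2.10,443,40200,1,1,0
0.700,192.0.2.10,198.51.100.40,40300,1494,1,0,0
0.701,198.51.100.40,192.0.2.10,1494,40300,0,1,1
"""


def _flag(value: str) -> bool:
    # tshark prints boolean fields as 1/0 or True/False depending on version
    return value.strip().lower() in ("1", "true")


def classify_syns(export: str, snip: str) -> List[Tuple[str, int, int, str]]:
    """Return (dst, dport, syn_count, verdict) for each connection the SNIP opened."""
    rows = [line.split(",") for line in export.splitlines() if line.strip()]
    rows.sort(key=lambda r: float(r[0]))  # process packets in capture order
    flows = {}  # (snip_port, remote_ip, remote_port) -> state
    for _, src, dst, sport, dport, syn, ack, rst in rows:
        syn, ack, rst = _flag(syn), _flag(ack), _flag(rst)
        if src == snip and syn and not ack:
            # Initial SYN or a retransmission of it
            flow = flows.setdefault((sport, dst, dport), {"syns": 0, "reply": "no-reply"})
            flow["syns"] += 1
        elif dst == snip:
            flow = flows.get((dport, src, sport))
            if flow and flow["reply"] == "no-reply":
                if syn and ack:
                    flow["reply"] = "syn-ack"
                elif rst:
                    flow["reply"] = "reset"
    return sorted((dst, int(dport), f["syns"], f["reply"])
                  for (_, dst, dport), f in flows.items())


if __name__ == "__main__":
    for dst, dport, syns, verdict in classify_syns(SAMPLE, "192.0.2.10"):
        print(f"{dst}:{dport} syns={syns} -> {verdict}")
```

Repeated SYNs with `no-reply` match the silent drop seen in this case, while `reset` means the host was reachable but nothing was listening on the port.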

So make sure that the firewall rules are in place before doing a setup! So is there any way that I can confirm that a particular NetScaler SNIP is unable to communicate with the VDA before blaming the networking team?

Set up a service check using TCP against any VDA server on that particular subnet.

Just remember to specify a NetProfile if you have multiple SNIPs which are able to reach the server in the backend. NetScaler can round-robin between SNIPs if there are multiple available which can reach the server network.