In our case the main issue is, that newer Citrix Workspace Apps now use port 443 instead of 2598 to connect to the vda:

Citrix Workspaceapp Linux 2503 works by using port 2598:
Sep 25 12:32:50 <local0.info> 123.123.123.123  09/25/2025:10:32:50 GMT NETSCALERNAME 0-PPE-1 : default SSLVPN ICASTART 624703 0 :  [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=0001c17c-1a52-18d5-9678-00e0ed86e2dd] Source 111.222.333.444:56060 - Destination TERMINALSERVER:2598- customername  - username:domainname USERNAME:DOMAIN - applicationName Desktop $S4-5 - startTime "09/25/2025:10:32:50 GMT" - connectionId 1058960

Citrix Workspaceapp Windows 2503.10 does not work by using port 443:

Sep 25 13:14:02 <local0.info> 123.123.123.123 09/25/2025:11:14:02 GMT NETSCALERNAME 0-PPE-0 : default SSLVPN ICASTART 2965635 0 :  [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=000c1972-23fa-18d5-9678-00e0ed86e2dd] Source 111.222.333.444:61950 - Destination TERMINALSERVER:443 - customername  - username:domainname USERNAME:DOMAIN - applicationName IT $S55-80 - startTime "09/25/2025:11:14:02 GMT" - connectionId 6135506

So we need to enable SSL on our VDAs.

Is there any other way to restore "old" 2598/Session reability option through Netscaler without configure our whole VDAs to work with SSL ?

Best regards
Jens

Noticed that in Citrix Monitor there was a recommendation of activating Network telemetry to gather L7 client Latency, L7 server latency, and throughput.

I activated the policy on a device or two and we are seeing that on-prem NetScaler 14.1 Gateway connections fail “Gateway authentication failed because VDA refused connection. Error code 2091.2524.” If access is through 13.1 the connection is successful. I have tested with EDT\UDP and TCP which does not appear to be a factor. Connections work when not going through a Gateway.

I have had a ticket open with Citrix support and having a working session has been an issue for the last few weeks.

This feels like a bug that I just want to report but it is such a struggle to get this to Citrix.

We use nFactor (the new one) configuration. Short:
login schema with username, password and drop-down for decision which site to use -> two decision factors noschema depending on which site the user has selected in the drop-down -> ldap noschema noauth group extraction and set default authorization group -> radius noschma authentication

It works fine for windows devices and most of the time for mac devices, but it never works on iOS. Safari works sometimes, chrome and edge work always. After entering sms code it stops working with a spinning wheel.

I presume it's related to nfactor.

Since the latest Netscaler Update (14.1 Build 56.74 from 11.11.), our users receive conenction timeouts in 10-15 seconds. The published app or desktop is disconnecting, getting greyed out and after a second it is reconnected. That´s impossible to work with. This happens only, if the ressources are startet in an existing Citrix session. As example: Our IT-Admins start a published Desktop, open an internal Citrix Gateway (same Controllers, separate Netscaler) and then start some published Apps. Then the Apps are getting constantly disconnected.

Are there any issues with ica-in-ica or something else? two version before, everything worked fine.

Greets, Thomas

I'm right now in the process to get rid of the cookie configuration and use the new nFactor in Authentication Virtual Server.

loginschema with drop-down for the 2 domains is bound to the auth vserver.

1st factor: ldap group and attributes extraction no authn with true

2nd factor: noSchema, RADIUS policy with true

As long as I use e.g. true in the test session profile, which is bound to the gateway vserver it works.

If I try something like HTTP.REQ.BODY(4096).CONTAINS("domain=DOMA") it doesn't work. I assume it's because of the 2nd factor and the body changes.

How can I configure this in a good way?

example:

username

password

domain drop-down with DOMA & DOMB

-> save the "domain=" somewhere the browser / Session policy is able to get it after the 2nd factor.

In the loginschema maybe?

I'm not sure if this is normal, but since the upgrade to the latest version from November 11th, 14.1 56.74, the /dev/md0 ram disk is running full.

If you do a df -h you can see it:

Filesystem Size Used Avail Capacity Mounted on

/dev/md0 395M 389M -2.1M 101% /

The cause seems to be a cache folder in /tmp which is not being deleted.

/tmp/par-726f6f74/cache-2da1179f0f323155b445015df38e981e9e1fb94b.

These contain all .pm files and one file nsgslbautosync. So I assume it has something to with sync. It's only around 9M large, but enough to fill the drive to 101%.

When doing show ha node sync is stuck 'in progress' so it probably has to do something with it. Rebooting doesn't solve it. Deleting the file doesn't either. It's always the active node that's out of space.

We have 4 HA pairs on the new version, all with the same problem.

Any idea?

i have installed the new Version of the Netscaler 14.1 and there is a new Theme called WStheme. It look like the Cloud Theme.

In the GUI i can change the Background and Center Logo.

But there is no Option to change the Color of the Logon Button.

Does somebody know if there a CSS Code to change the COlor from the Buttons?

And where i must insert the CSS code? In the custom.css file inside the theme Folder?

Thanks for help.

Regards

Uwe

Thoroughly confused here…

We are designing an Azure based architecture for using Netscaler VPXs to perform these functions:

1. Handle Internet sourced clients via a VPN Gateway with all the good stuff - SSO etc.

2. Load balance the requests to multiple backend Storefront servers (on a different subnet).

3. Also allow internal connectivity to be load balanced to same Storefront servers.

The Netscalers are in a HA pair.

So, and bear with me…

We’ve currently done this:

1. Created a public Azure standard load balancer for the VPN Gateway connection. The front end IP shares the same public IP as the VPX VIP.

2. Created an internal Azure standard load balancer for balancing Storefront. Again, the frontend private IP is shared with the VPX Storefront load balancing VIP (private IP on front end subnet).

Stopping here for a recap: yes, two Azure LBs are pointing to the same VPX.

3. In the Session Profile setting where you define the Storefront store/URL - we have defined the internal VIP, i.e. the one mentioned above.

The front end and back end VPX SNIPs are on different subnets.

The public flow is then like this:

Client -> Public Azure LB -> VPX Gateway VIP —> hairpin back around via internal Azure LB to VPX storefront VIP -> Storefront.

The internal flow is like this:

Client -> internal Azure LB to VPX storefront VIP -> Storefront

It actually works. Although currently we can only test with a single Storefront server.

I consulted my best mate, let’s call him Mr GPT, wait that too obvious - Mr Chat.

It highlighted concerns with this deployment that the hairpin method may cause issues. It recommend to use the VPXs internal routing mechanism instead of the hairpin. This is what it specifically says:

*1. A user connects to the NetScaler Gateway VServer (public-facing).

2. The user authenticates.

3. The Session Profile instructs the Gateway component to send the user to https://10.0.0.100 (the StoreFront LB vServer VIP).

4. Because the IP 10.0.0.100 is an address owned and hosted by the NetScaler itself, the request is processed by the local networking stack and immediately passed to the StoreFront LB vServer component.

5. The StoreFront LB vServer then processes the request and proxies it to the actual backend StoreFront servers using the Backend SNIP, completing the successful loopback.*

My question to you patient people is: is AI right? Is this internal routing possible as I cannot find any documentation supporting this?

Still. Thoroughly confused.

Thank you for taking the time to get to the end!

After updating from version 14.1-47.48 to 14.1-56.71, all SSL and CA certificates disappeared and can no longer be installed.

We have an official certificate from Geo Trust for a Netscaler instance.

However, I was unable to reinstall the SSL certificate in this case.

A message appeared stating that only certificates up to RSA512 and DSA512 are compatible.

However, the certificate is within these guidelines.

I’m building out a new FIPS VPX using the latest FIPS-approved firmware: Build 13.1-37.247. Unfortunately, FIPS mode does not allow UDP as the transport protocol for RADIUS authentication servers. When I try to add a RADIUS server, I get the following error:

Operation not permitted [Invalid transport mode in RadiusAction. FIPS devices only support TLS transport mode]

Our RSA server does not support TLS, so I need to route authentication through ISE instead. Our older MPX appliances use RSA over RADIUS (UDP), which worked fine.

So, I rebuilt my services and LB vServer according to the NetScaler documentation, which states:

If transport mode is TLS, specify the name of a LB vServer to associate. The LB vServer needs to be of type TCP, and the associated service must be SSL_TCP.

I followed this setup, but the bound monitor (TCP_default) shows as down. I tried switching the monitor to plain TCP, but the result is the same. I’ve verified:

• Network connectivity is up

• No firewall blocks

• Valid certificates are in place

Audit logs show that the connection times out after LDAP authentication completes.

I’ve spent several hours on support calls with Citrix, submitted logs and screenshots, but haven’t received helpful guidance yet.

Any suggestions or insights would be greatly appreciated!

I want to create a login that only requires the second factor if the user is in a group (let's say 2FA).

My idea is that the user enters their username and password and then the check is performed.

If they are in the group, the next window will only ask for the 2FA token.

If they are not in the group, the login should be successful.

At first, I thought I would have to build a new login scheme for this, but it should actually be possible to implement it with the existing ones in Netscaler.

Does anyone here have any experience with this idea?

I’m running into the following issue: Our users access Citrix published desktops via NetScaler Access Gateway. Authentication is handled via nFlow with AD and RADIUS, using only ICA Proxy.

The goal is for the NetScaler/StoreFront session to disconnect after 5 minutes of inactivity—without affecting the desktop sessions themselves.

This works perfectly when logging in through the web interface (browser). After 5 minutes of inactivity, users are prompted to re-authenticate at the NetScaler, as expected.

The problem occurs when using the Citrix Workspace App. Users authenticate once at the NetScaler, and then they can leave it idle indefinitely—the desktop session continues, and starting the Citrix Workspace App reconnects them all the way to the desktop without requiring re-authentication at the NetScaler.

Ideally, we want the NetScaler to require re-authentication after 5 minutes of inactivity, regardless of which client is used. I’ve already set all timers to 5 minutes, but with the Workspace App, the connection from NetScaler to StoreFront either stays open or automatically re-authenticates.

Has anyone encountered this before or know how to enforce the 5-minute re-authentication for Workspace App users?

We are having an issue when trying to access our Citrix deployment via Netscalar Gateway using the Citrix Workspace Linux client on Ubuntu 24 and were wondering if anyone has come across anything similar?

We are seeing the following flow:

1. Enter Netscalar Gateway domain into Add Account dialog and click Add Account.

2. The Netscalar Gateway login page is displayed. We enter username and password and click Login.

3. The login page closes and we are presented with a white screen, which hangs forever.

Connecting to the same infrastructure using the Windows Citrix client and the Android Citrix client works correctly, but for some reason on Linux it hangs like this.

If we connect to the storefront directly without going via Netscalar, things also work fine.

We cannot see any logs at ~/.ICAClient/logs/ whilst hanging on the white screen. There are logs for the Netscalar login page, but as soon as you get to the white screen the logs just stop (set to verbose).

All we can see is that the "PrimaryAuthManager" process gets stuck at 100% CPU usage.

Any help would be much appreciated,

Thanks!

Latest version of StoreFront/VDA 2402.

I've noticed, when I play a YouTube video, or do anything really bandwidth-intensive in a single Citrix session, I run into the issue that my NetScaler Gateway refuses/drops connections (ERR_CONNECTION_REFUSED) for other clients trying to connect:

If I stop playing a video, the problem "fixes" itself after a few moments.

When looking at Wireshark logs, I see RST, ACK when this happens (blurred out a line, that wasn't related to the client-NetScaler traffic):

10.61.1.93 - client
172.28.28.22 - NetScaler Gateway VS

My NetScaler does not exceed 20Mbps throughput (the error logs under the "System Log" tab were me experimenting with Exchange Server + NetScaler load balancing; I only have ICA Proxy traffic going through my NetScaler; I'm not really using any other features at the moment):

:

In fact, I even tried setting a bandwidth limit policy in Citrix Studio to no avail:

:

Anyone have any idea what could be causing this? This is in a lab environment, so I don't have active Citrix licensing for this deployment (VPX Express/30 day trial)

Thanks in advance!

Simple question, but I cannot figure out how to find out what version(s) of SNMP are installed on my NetScaler ADC. I have a pair of MPX-5900 NetScaler's running firmware version 13.1.59.19.

I appreciate any help here that I can get.

Thank you,

Shane

One customer have reported VPN connection issue when some of the user have upgraded to Windows 11 24H2. I see there are Windows forums where they say this version have issues with multiple VPN vendors. Is there any Secure access client upgrade to overcome this issue?

Thank you an best regards

We updated our Gateway appliance from NS14.1: Build 12.35.nc to NS14.1: Build 47.46.nc and noticed that the structure of loglines has changed.

Loglines of SSLVPN events don't contain Context and SessionId fields in the NS14.1: Build 47.46.nc . Events with AAA LOGIN_FAILED also disappeared. Unfortunately, I couldn't find any information in the release notes changes.
https://docs.netscaler.com/en-us/updates?product=NetScaler%2520Console%2520on-prem%2520%28ADM%29&version=14.1&build=47.46 .

Could someone please provide some information about these changes?

Example of NS14.1: Build 12.35.nc
<190> 02/21/2024:15:49:46 GMT netscaler-14 0-PPE-0 : default SSLVPN LOGIN 4349 0 : Context vpnuser-1@9X.X.X.252 - SessionId: 17 - User vpnuser-1 - Client_ip 9X.X.X.252 - Nat_ip 192.168.199.2 - Vserver 10.52.0.154:5443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0" - SSLVPN_client_type Agent - Group(s) "N/A"

Example of NS14.1: Build 47.46.nc
<190> 07/22/2025:08:45:14 GMT netscaler-14 0-PPE-0 : default SSLVPN LOGIN 564 0 : User vpnuser-1 - Client_ip 9X.X.X.252 - Nat_ip 192.168.199.1 - Vserver 10.52.0.154:5443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0" - SSLVPN_client_type Clientless - Group(s) "N/A"

Can you help me with Citrix Certification exam 1Y0-241  preparation.

Looking for material and topics to pass the exam.

we are unable to search  actual VPN logs which are shown below 

Nov 28 12:17:01 <local0.info> 10.x.x.x 11/28/2019:17:17:01 GMT ns 0-PPE-0 : default SSLVPN LOGIN 217333 0 : Context sjacobs@100.x.x.x - SessionId: 75- User sjacobs - Client_ip 100.x.x.x - Nat_ip "Mapped Ip" - Vserver 10.x.x.x:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.171" 

We are using below commands for vpn logs which are not detailed about vpn logs.

cd /var/log 

tail -f ns.log | grep -i vpn

Mar 29 10:10:41 <local0.info> xxx.xx.xxx.xx 03/29/2025:04:40:41 GMT NS-VPX-01 0-PPE-2 : default SSLVPN Message 786674983 0 :  "GwInsight: Sent App launch record, StatusCode=254 VPNexportState=6 Func=ns_sslvpn_send_app_launch_record Username=xxx@yyy.com SessSeq=996 Clientip=78456ce6a:78945 Destip=5be8a9c0:50 Gwip=78fa675a:443 CSappid=0 CSAppname=(null) VPNfqdn=yyy.com SSOAuthMethod=0 BackendServername=xx.xx.xxx.x SSOurl= SSOduration=0 email=xxx@yyy.COM" 

Thought I would post here... We do an ALwaysOn connection currently, post User logon. We do not do the pre-machine tunnel connection, only after User Auth to Windows.

In Win10 there are no issues, it all works as expected, user logs into device, client starts up, has their credentials and logs them into the VPN service, all Happy.

However, with Windows 11 24h2 this is not working. The client opens as expected, but does not remember the client credentials, and prompts for password. Once that it does it connects, no issues...

Anyone got the User Tunnel auto Logon working with Win11 24h2 at all?

Are ADC still at 13.1.XXX secure access client is the latest one available we are testing with.

Auth Policies on the ADC are NOT nFactor set up yet, we need to migrate at some point prior to 14 upgrades.

We think it might be something around new LSA lockdowns and policies in Win11, preventing the password from being stored as it usually is for the user? but no logs are really showing us anything of value.

Any assistance? surely we cannot be the only ones facing this issue? And yeah we have a support case, but trying to reach out to wider community to see if others have also had the same issues??

we are using netscaler gateway as remote login via storefront and LDAP.  We have noted that after a password change,  the old password still work for some minutes.

Google says that this comes from an usage of NTLM  Authentication.  

Where Can i deactivate this NTLM Fallback in Netscaler ?

regards

Robert