NetScaler login shows HTTP 500 Internal Error


Tim Hodge

Hi Guys,

I was wondering if you could help me out.

I have a new NS device (second one) and am trying to set up an SSL VPN using the access gateway options.

I have successfully installed and applied the SSL VPN certificate to a VServer. I have used AD authentication similar to my first device and am able to connect to AD.

When I login, I immediately get an IE error - HTTP 500 Internal Server Error. The working NS device allows me to download and install the AG plugin. This one, however, does nothing.

I have the shell window open monitoring the AD debug file.

And I see the following:

/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh

iwagent.c[1107]:main EV_DEBUG: handle time out

And the 'iwagent.c' line repeats every 1 minute.

Any ideas what is going on here please and how I can resolve it?

Thanks

Hi Tim,

Receiving 'iwagent.c[1107]:main EV_DEBUG: handle time out' is normal when using aaad.debug.

And based on the line "/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh"

It looks like user 'timh' is verified by the LDAP server. That means the user is now provided with an auth cookie "NSC_AAAC" and the site URL to which it should return to get applications published.

Questions for you:

- What is the URL at which you get the 500 server error?

- Is the NetScaler's SNIP able to communicate with backend StoreFront / Web Interface servers on the ports you configured?
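The reply above makes a point worth automating when you sift through aaad.debug: the once-a-minute iwagent time-out is noise, and a send_accept line means authentication already succeeded, so a 500 that follows it belongs to the post-logon stage rather than to LDAP. The script below is an added example written for this thread, not code from Citrix or from anyone in the discussion. It parses the two line shapes quoted in the thread; the sample capture is constructed, and the send_reject line in it is an assumed shape, not a verified NetScaler format.

```python
import re
from collections import Counter

# Constructed sample of aaad.debug output. The send_accept line and the
# iwagent time-out line are copied from the thread; the send_reject line is
# an assumed shape added for illustration, not a verified NetScaler format.
SAMPLE_AAAD_DEBUG = """\
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh
iwagent.c[1107]:main EV_DEBUG: handle time out
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh
iwagent.c[1107]:main EV_DEBUG: handle time out
naaad.c[1466]:send_reject sending reject to kernel for : jdoe
"""

# The once-a-minute iwagent line is housekeeping, not an authentication event.
TIMEOUT_RE = re.compile(r"EV_DEBUG: handle time out")

# Verdict lines end with "for <user>". The thread's accept line repeats the
# message with the user name glued onto it, so anchor on the final "for <user>"
# rather than the first one.
VERDICT_RE = re.compile(
    r"(?P<verdict>send_accept|send_reject)\b.*for\s*:?\s*(?P<user>\w+)\s*$"
)


def summarize_aaad_debug(text):
    """Separate authentication verdicts from debug noise in an aaad.debug capture."""
    accepts, rejects = Counter(), Counter()
    timeouts, unparsed = 0, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMEOUT_RE.search(line):
            timeouts += 1
            continue
        match = VERDICT_RE.search(line)
        if match is None:
            unparsed.append(line)
        elif match.group("verdict") == "send_accept":
            accepts[match.group("user")] += 1
        else:
            rejects[match.group("user")] += 1
    return {
        "accepts": dict(accepts),
        "rejects": dict(rejects),
        "benign_timeouts": timeouts,
        "unparsed": unparsed,
    }


def auth_status(text, user):
    """What aaad.debug says about one user: accepted, rejected, or no verdict at all."""
    summary = summarize_aaad_debug(text)
    if user in summary["accepts"]:
        return "accepted"
    if user in summary["rejects"]:
        return "rejected"
    return "no verdict"


if __name__ == "__main__":
    report = summarize_aaad_debug(SAMPLE_AAAD_DEBUG)
    print(f"accepted: {report['accepts']}  rejected: {report['rejects']}  "
          f"iwagent time-outs ignored: {report['benign_timeouts']}")
    # An accept followed by a 500 means the failure is past authentication:
    # look at the post-logon redirect (session policy home page, vserver
    # hostname), not at the LDAP binding.
    print("timh:", auth_status(SAMPLE_AAAD_DEBUG, "timh"))
```

Feed it the capture from the shell session (for example `cat /tmp/aaad.debug`) and the unparsed list tells you which lines the two patterns did not recognise, which is where to look next if a user gets neither an accept nor a reject.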


If I define a session policy (that has the homepage set to our intranet homepage) - same error.

If I unbind the session policy and leave it with just the authentication policy - same error.

Is this a cert issue?

The setup:

NS has 1 cable connected from 0/1 to a port on the DMZ CORE SWITCH.

INTERNET > FIREWALL1 > NETSCALER > DMZ CORE SWITCH > FIREWALL2 > LAN

AD User hits FIREWALL1 (rule configured for anything from outside to communicate with NetScaler on 443)

AD User hits NetScaler, which has a default route to go to DMZ-CORE-SWITCH

AD User hits FIREWALL2 (rule configured for NetScaler to speak to DC1 (domain controller) on ANY PORT).

From the AAAD.DEBUG log it seems like the AD authentication is working fine.

The same error occurs if I try and log in with a LOCAL NetScaler user.

The URL that is showing the internal server error is https://testtgpvpn.guinness.org.uk/cgi/login which has an SSL cert applied and installed for it.


There are no StoreFront servers in the mix. We are simply trying to get the SSL VPN sorted out.

There are no ICA PROXY or WEBINTERFACE servers configured.

There is no MIP or SNIP configured on the device.

The network IPs on the device are as follows:

172.22.13 (NSIP)

172.221.14 (VIP)

The routes on the device are as follows:

0.0.0.0       0.0.0.0          172.22.1.254   (dmz core switch) UP
127.0.0.0     255.0.0.0        127.0.0.01     UP
172.22.1.0    255.255.255.0    172.22.1.13    UP


Carl - I have a few questions please.

1. At the moment we are using one interface on the NetScaler that is connected between the port on the NS and the DMZ Core Switch. Are we able to configure a SNIP on the same interface or will a separate interface be needed?

2. At the moment we have USIP (use source IP) enabled and USNIP (use subnet IP) enabled. Will this cause a problem or should we configure a pool of intranet IPs for clients?

3. If we used a SNIP as per your suggestion, we would need to create one for each subnet - 10.1.x.x, 10.2.x.x, 10.3.x.x etc. Can we have one address to communicate to all backend networks? Is that the purpose of a MIP?

4. We are trying to get users/clients to communicate with servers on the 10.2.x.x network. Am I right in saying that I need to create a SNIP as follows - 10.2.0.99 255.255.0.0 SNIP. Is that all that is required or do I need to add a route on the NS?

Thank you


Thanks Carl.

So we have one interface (0/1) in use that, as previously mentioned, connects to the DMZ core switch. This one connection allows us to manage the NS device on 172.21.1.13. In the config we have a VServer configured with an address of 172.21.1.14. The users can hit the login page and log in but are then unable to access any of the systems in the LAN over any protocol.

If I wanted to have the users be able to communicate with the 10.2.x.x network, would I simply create a SNIP of 10.2.0.99 with a subnet mask of 255.25.0.0?

Once the SNIP is created, does it need to be bound?


No. The SNIP is essentially an interface IP. If your one interface is connected to the 172.21.1.0 subnet then you need a SNIP address in that subnet.

NetScaler will use the SNIP as the source IP when connecting to machines on other subnets. This traffic will probably go through your default gateway or any other gateway (router) as configured in static routes. The other machines will then respond to the SNIP.

Here's a good blog post on NetScaler fundamentals - http://blogs.citrix.com/2014/03/31/acquiring-netscaler-skills-where-to-start-and-how-to-continue/
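The rule in the answer above (a SNIP must sit in a subnet the box is attached to, and other subnets are reached through a gateway in that subnet) can be checked against the posted route table before anything is changed on the appliance. The script below is an added example written for this thread, not Citrix code or anything from the discussion. It takes the routing table as posted, treats the NSIP as the only address the box owns, and assumes the posted loopback gateway 127.0.0.01 is a typo for 127.0.0.1; the thread's own addresses mix 172.21.1.x and 172.22.1.x, and the 172.22.1.x values from the route table are used throughout.

```python
import ipaddress

# Facts as posted in the thread. The thread mixes 172.21.1.x and 172.22.1.x;
# this example takes the routing table as posted. The loopback gateway was
# posted as 127.0.0.01, assumed to be a typo for 127.0.0.1.
OWN_IPS = {"172.22.1.13"}  # the NSIP: the only address the box owns until a SNIP exists

# (destination, netmask, gateway), one tuple per line of the posted route table
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "172.22.1.254"),          # default route via the DMZ core switch
    ("127.0.0.0", "255.0.0.0", "127.0.0.1"),         # loopback
    ("172.22.1.0", "255.255.255.0", "172.22.1.13"),  # directly connected: gateway is the NSIP
]


def _parsed(routes):
    return [
        (ipaddress.ip_network(f"{dst}/{mask}", strict=False), ipaddress.ip_address(gw))
        for dst, mask, gw in routes
    ]


def connected_subnets(routes=ROUTES, own_ips=OWN_IPS):
    """Subnets reachable without a next hop: routes whose gateway is one of the box's own IPs."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    return [net for net, gw in _parsed(routes) if gw in own and not net.is_loopback]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match for dst; returns (network, gateway) as strings, or None."""
    target = ipaddress.ip_address(dst)
    candidates = [(net, gw) for net, gw in _parsed(routes) if target in net]
    if not candidates:
        return None
    net, gw = max(candidates, key=lambda entry: entry[0].prefixlen)
    return str(net), str(gw)


def snip_is_usable(snip, routes=ROUTES, own_ips=OWN_IPS):
    """A SNIP only works if it sits in a subnet the appliance is actually attached to."""
    return any(ipaddress.ip_address(snip) in net for net in connected_subnets(routes, own_ips))


def source_ip_for(dst, snips, routes=ROUTES, own_ips=OWN_IPS):
    """Which SNIP the box would use to reach dst, or None if no SNIP shares a subnet with the next hop."""
    route = lookup_route(dst, routes)
    if route is None:
        return None
    gw = ipaddress.ip_address(route[1])
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    # Directly connected: the next hop is dst itself; otherwise it is the route's gateway.
    next_hop = ipaddress.ip_address(dst) if gw in own else gw
    for snip in snips:
        for net in connected_subnets(routes, own_ips):
            if ipaddress.ip_address(snip) in net and next_hop in net:
                return snip
    return None


if __name__ == "__main__":
    print("connected:", [str(n) for n in connected_subnets()])
    print("route to 10.2.0.5:", lookup_route("10.2.0.5"))
    # The SNIP proposed in the thread is not on the only attached subnet...
    print("10.2.0.99 usable:", snip_is_usable("10.2.0.99"))
    # ...whereas one in 172.22.1.0/24 is, and is what 10.2.x.x hosts will see as the source.
    print("172.22.1.20 usable:", snip_is_usable("172.22.1.20"))
    print("source for 10.2.0.5:", source_ip_for("10.2.0.5", ["172.22.1.20"]))
```

Run against the posted table, the proposed 10.2.0.99/16 SNIP is rejected because no attached subnet contains it, while a SNIP in 172.22.1.0/24 is accepted and is the address that the 10.2.x.x servers (and FIREWALL2's rules) must see as the source; 172.22.1.20 in the usage lines is a constructed value, not one from the thread.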


Hi Tim,

Might be a similar issue as mentioned in the release notes of 10.1 129.11:

Issue ID 488015: If the hostname that sends an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error. As a workaround, configure an authentication profile and include the hostname.


3 years later...

Hey guys,

I know I'm late to the game here, but in our case, this turned out to be a client-side problem. We literally tried everything, sifted through multiple packet captures at both ends of the communications line, had tickets open with Citrix support; nothing.

What ultimately solved the problem: IE reset (from Internet Options > Advanced). Make sure you check the box to clear everything out. Also, the same procedure worked for Chrome.

Our environment:

Gateway: NS 12.0 56.20nc

Clients: Windows 10 1709 w/ IE 11 & Chrome 57

The problem was intermittent in nature for some users, and nonexistent for others. We believe that when the affected users had their Windows profiles migrated from Win7 to Win10 using USMT, it brought over problems.

What I'm trying to say here is don't get hung up on diagnosing the NetScaler side only...


1 year later...

Another possible solution:

In the Authentication LDAP Server (which contains info like the Base DN, the Bind account, etc.) there is the 'Default Authentication Group' parameter. This is a free text field, so it's possible to mess up the value. In my case I had this value set to an AAA group that didn't actually exist.
