Jump to content


Photo

Random Disconnects on NS Gateway coinciding with STA Ticket not found in the ICA file, closing the connection error

Started by Luke Sonstegard , 15 March 2017 - 01:18 AM
11 replies to this topic

Best Answer Raul Gonzalez , 15 March 2017 - 11:52 AM

Are you using the TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 SSL cipher in your Gateway settings?  Others have found a random disconnect bug on 11.1 involving this cipher.  Removing the cipher until a fix comes up works around the issue.

Luke Sonstegard Members

Luke Sonstegard
  • 5 posts

Posted 15 March 2017 - 01:18 AM

I am getting some random disconnects for users on a freshly setup netscaler gateway on 11.1 vpx that's on a sdx. The disconnects seem to coincide with the following error that my NMAS is picking up off the vpx:

 

default SSLVPN Message 137888 0 : "STA Ticket not found in the ICA file, closing the connection, user: username, SSID 4b

 

Anyone else ever run into this?

 

Also, does anyone know how to enable/view STA logs on XenDesktop 7.11?

 

Thanks,

Luke



Raul Gonzalez Members

Raul Gonzalez
  • 583 posts

Posted 15 March 2017 - 11:52 AM

Are you using the TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 SSL cipher in your Gateway settings?  Others have found a random disconnect bug on 11.1 involving this cipher.  Removing the cipher until a fix comes up works around the issue.


Best Answer

Luke Sonstegard Members

Luke Sonstegard
  • 5 posts

Posted 15 March 2017 - 01:36 PM

Thanks Raul, I'll check that out. I'm assuming this bug would affect load balancers that use that cipher as well?



Aparna Sharma Citrix Employees

Aparna Sharma
  • 26 posts

Posted 15 March 2017 - 01:51 PM

Hi Luke,

 

This has been reported internally and is addressed in the latest build. Please update the NetScaler to the latest build to fix the issue.

 

Regards,

Aparna



Luke Sonstegard Members

Luke Sonstegard
  • 5 posts

Posted 15 March 2017 - 02:03 PM

I'm going to remove that cipher first and test, if that fixes the issue we'll update and re-add. I'll let you know how we get on.

 

Thanks,

Luke



Raul Gonzalez Members

Raul Gonzalez
  • 583 posts

Posted 15 March 2017 - 06:18 PM

Aparna.  This still happens in 11.1 52.13



Davy Priem Members

Davy Priem
  • 181 posts

Posted 15 March 2017 - 07:13 PM

It should be fixed in the 11.1 53.xx builds according to other sources.



Alvaro Niebuhr Members

Alvaro Niebuhr
  • 19 posts

Posted 04 April 2017 - 05:26 PM

works removing the cipher ?  i do not want to upgrade because: New version = New Problems



Scott Osborne Members

Scott Osborne
  • 137 posts

Posted 18 April 2017 - 08:09 PM

So is this for sure fixed in 11.1.53.x? @aparna or anybody else confirm for sure? Cause definitely is still issue in 11.1.52.13



Luke Sonstegard Members
  • #10

Luke Sonstegard
  • 5 posts

Posted 18 April 2017 - 08:35 PM

Sorry for the delayed response Alvaro, but it did indeed fix it for us to remove the bad cipher.



Scott Osborne Members
  • #11

Scott Osborne
  • 137 posts

Posted 18 April 2017 - 09:16 PM

ok, thanks. i did remove it from my user defined group. But now i have to most likely unbind and rebind the group for it to take effect, so will have to wait till maintenance to do so. thanks for letting me know. 



Ryan Butler Members
  • #12

Ryan Butler
  • 61 posts

Posted Yesterday, 03:39 PM

Running into this issue with 12.0. 41.16.  Removed the cipher and seems to be working.