
Enabling EDT for XenApp 7.13 makes connecting hit or miss

Started by Raul Gonzalez, 15 March 2017 - 11:27 AM
23 replies to this topic

Raul Gonzalez Members


Posted 15 March 2017 - 11:27 AM

I followed the requirements for enabling EDT but when I do, the client takes longer than normal to connect and randomly throws a connection error 1110 or 0. However, when it does connect it works fine and shows up as HDX UDP in Director.

I have XenApp 7.13, Storefront 3.9, Netscaler 11.1 52.13 and Citrix Receiver 4.7 installed with the HDX Adaptive Transport Policy enabled.

Turning off the Adaptive Transport policy results in reliable connections.

I also removed the TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 SSL cipher from Netscaler Gateway because I experienced random disconnections/crashes when I migrated from Netscaler 11 to 11.1 with either Receiver 4.6 or 4.7.



Kishore Kunisetty Citrix Employees


Posted 15 March 2017 - 02:54 PM

Are you saying you see the session launch via NSG with HDX UDP occasionally only working instead of all the time?

 

If yes you might have to get the traces from your client, nsg and vda along with wireshark to see when this fails. Please work with Citrix Support to assist you further.

 

Please share the case id once you log.

 

Thanks

Kishore



Raul Gonzalez Members


Posted 16 March 2017 - 11:31 AM

When I have EDT enabled, the client has trouble connecting.  However when it does make a successful connection, it does show up as HDX UDP in Director to verify I configured everything properly.

 

My one theory is my CA certificate chain certs from InCommon or COMODO all use SHA384.  I assume EDT support on Netscaler 11.1 is sensitive to this.  I assume Netscaler 12 will be out in time for Synergy with proper SHA384 support.



Kishore Kunisetty Citrix Employees


Posted 16 March 2017 - 03:40 PM

Thanks for the details. So you are only seeing the issue with SHA384 in your setup.

Have you already seen the enclosed link, which refers to the frontend and backend support of these in Netscaler with different models? I am not sure what model your device is.

https://docs.citrix....ort_matrix.html

 

Thanks

Kishore



Raul Gonzalez Members


Posted 17 March 2017 - 09:17 PM

They're Netscaler MPX 8005's



Kishore Kunisetty Citrix Employees


Posted 20 March 2017 - 05:54 PM

Thanks for the info. I have asked the team who may have an idea about this to see if there is any known issue. If I hear back I will let you know. I would suggest you log a support case and get this looked at by the relevant SMEs from your setup if possible.

 

Please share your case/bug id when you hear from Citrix support team once you log this with them.

 

Thanks

Kishore



Aitor Pizarro Reyes Members


Posted 20 March 2017 - 06:39 PM

Hello Raul,

Did you check if IPv6 is disabled in the VDAs? I had a similar problem before I disabled all components of IPv6.



Raul Gonzalez Members


Posted 21 March 2017 - 11:38 AM

I checked. I do have IPv6 disabled already.



Aitor Pizarro Reyes Members


Posted 21 March 2017 - 02:57 PM

In this way?
http://www.thewindow...cond-boot-delay



Phil Groenenberg Members
  • #10


Posted 17 April 2017 - 10:46 PM

I have an issue with HDX Adaptive Transport Policy enabled as well.

Everything is fine until I tried to turn on a template WAN-optimized-Legacy policy for a couple users and it then prevents ANY users from creating new connections.

Disabling the WAN-optimized policy makes new connections functional again.



Raul Gonzalez Members
  • #11


Posted 29 April 2017 - 06:07 AM

I just tried upgrading to Netscaler 12 today.  It did fix a bunch of SSL SHA384 related issues but not the HDX EDT bug I have been experiencing.  Will have to contact Citrix next week.



Kishore Kunisetty Citrix Employees
  • #12


Posted 10 May 2017 - 08:48 AM

So as of now you have NS 12 and you still see the HDX EDT issue in your setup. Can you please also share if you are using TLS to VDA (http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/secure/tls.html?_ga=1.12668721.786433497.1487772459) or not?

Can you please share sh hardware on your netscaler MPX box, as I did not see the mention of 8005 in the page; just want to be sure. - http://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html

 

Please share the case number once you log.

 

Thanks

Kishore



Kishore Kunisetty Citrix Employees
  • #13


Posted 10 May 2017 - 01:42 PM

Would you be able to provide the nstraces from your setup along with the IP address details of your setup...

The steps are as follows:

1. Log in to the VPN.

2. Once the WI screen appears, from the NS command prompt run the command "start nstrace -size 0 -traceformat PCAP".

3. Launch the application. Check the session is using tcp/udp transport (in Director or in Netscaler or in VDA).

4. Capture the output of the ctxsession -v command on the VDA (if possible).

5. Run the command "stop nstrace" from the NS command prompt once there is a failure.

6. The trace file will be generated in the path /var/nstrace/<latest dir. (The directory name contains the date) >

 

 

Thanks

Kishore
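An added example, not part of the original post and not Citrix tooling: one way to triage the PCAP produced by the steps above is to list HDX-related flows and flag UDP flows that never received a reply, which separates "UDP is not getting through" from other failure causes. The port set (UDP/TCP 443 on the Gateway front end, 1494/2598 towards the VDA), the little-endian Ethernet pcap layout, and the function names are assumptions of this sketch; the sample trace is constructed.

```python
import struct
from collections import defaultdict

# Assumed ports (general Citrix documentation, not stated in this thread):
# 443 = Gateway front end (TLS over TCP, DTLS over UDP); 1494/2598 = ICA to the VDA.
HDX_PORTS = {443, 1494, 2598}

def hdx_flows(pcap: bytes) -> dict:
    """Map (proto, client, server) -> [pkts to server, pkts to client] for IPv4 flows."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    flows, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16: off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or truncated before the end of the IP header
        l4 = 14 + (frame[14] & 0x0F) * 4          # start of the TCP/UDP header
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        if proto is None or len(frame) < l4 + 4:
            continue
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, l4)
        if dport in HDX_PORTS:                    # client -> server direction
            flows[(proto, f"{src}:{sport}", f"{dst}:{dport}")][0] += 1
        elif sport in HDX_PORTS:                  # server -> client direction
            flows[(proto, f"{dst}:{dport}", f"{src}:{sport}")][1] += 1
    return dict(flows)

def one_way_udp(flows: dict) -> list:
    """UDP flows where the client sent datagrams but nothing came back."""
    return sorted(k for k, (out, back) in flows.items() if k[0] == "udp" and out and not back)

def _frame(proto, src, dst, sport, dport):
    """Constructed Ethernet/IPv4 frame; only addresses, protocol and ports are meaningful."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_pcap() -> bytes:
    """Constructed trace: answered TCP 443, answered UDP 443, and unanswered UDP 443."""
    c, g = (192, 0, 2, 10), (198, 51, 100, 5)
    frames = [_frame(6, c, g, 50000, 443), _frame(6, g, c, 443, 50000),
              _frame(17, c, g, 50001, 443), _frame(17, g, c, 443, 50001),
              _frame(17, c, g, 50002, 443), _frame(17, c, g, 50002, 443)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To use it on a real capture, pass the bytes of the trace file to `hdx_flows` and compare the flagged flows against the timestamps of the failed launches.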



Raul Gonzalez Members
  • #14


Posted 22 May 2017 - 09:57 AM

I did some more testing.  It seems like EDT has trouble connecting with multiple VDA's in a farm.  If I put all but one into maintenance mode, it connects just fine all the time.  If I enable 2 VDA's then I have trouble.  



Kishore Kunisetty Citrix Employees
  • #15


Posted 22 May 2017 - 10:27 AM

Are you applying HDX Adaptive transport policy for the whole site or per delivery group or per machine tag (for example)?

 

Thanks

Kishore



Raul Gonzalez Members
  • #16


Posted 22 May 2017 - 02:24 PM

I just have one monolithic farm.  I have no filters applied to the policy with HDX Adaptive Transport set.  When it does work, Director registers new sessions as UDP not TCP.



Kishore Kunisetty Citrix Employees
  • #17


Posted 22 May 2017 - 03:14 PM

I assume you are seeing this issue only when connecting via NSG - correct me if I misunderstood. Are you seeing this failing only for one machine all the time? Do you see the policy being applied to the desktop? If you see this failing despite that policy being applied then we might need traces. Please capture these and share or work with Citrix support team if you need help further.

 

Thanks

Kishore



Martin Hanspeter Members
  • #18


Posted 23 May 2017 - 05:56 AM

I've the same problem. When I try to connect via the Netscaler (Firmware 11.53) the start of the connection took approx. 40 - 60 seconds.

I've EDT enabled for all of my VDAs.

If I try to connect via the HTML5 Client or a Receiver for iOS the start of the connection took 5 seconds. On both clients EDT is not supported and the connections will be made via TCP.



Raul Gonzalez Members
  • #19


Posted 23 May 2017 - 10:47 AM

I noticed that XenDesktop/XenApp 7.14 just came out.  Seems to be a bugfix release this time around.  However I noticed this under "known issues".

After the adaptive transport policy is changed, some Delivery Group sessions might be disconnected. The user can successfully reconnect but might be disconnected again if the adaptive transport policy changes.
[#HDX-8812]



Kishore Kunisetty Citrix Employees
  • #20


Posted 23 May 2017 - 11:27 AM

 

In your case it should not be the reason for the failure, if I understand correctly, as you have already applied the policy and are seeing this not working occasionally - the above one is just when the policy changes happened. I suggest you open a support case and get this looked at if you cannot share the traces.

 

Thanks

Kishore