Connectivity Issues on NSG with DTLS (EDT) Enabled

[Bob Geisler]

Netscaler Platform: SDX 11500 11.1.51.26

 

Netscaler firmware version: 11.1.51.26

 

Citrix Platform: XenDesktop 7.15 on Windows Server 2016

 

I'm currently investigating an issue with DTLS connectivity over the Netscaler Gateway. An active session will randomly freeze and while observing "nsconmsg -d current -g ssl_err" the following SSL error messages will generate at the exact same time the session is frozen:

 

ssl_err_dtls_hvr_mismatch

ssl_err_dht_deserialize

ssl_err_dht_deserialize_failure

ssl_err_mcmx_clone_session_vipsvc_not_found

 

I'm wondering if anyone has a similar issue or has any information regarding the above SSL errors. I was unable to find any information regarding the above errors via search engine.

 

Thanks in advance!

 

Bob G.

 

 

[Andrzej Starmach1709152599]

Hi Bob,

Do you have "Hello Verify Request" enabled on your DTLS profile ?

[IT Ops1709155964]

Be very careful of your memory usage while having DTLS enabled. We just ran into an issue/bug where these particular counter failures are not being flushed out properly and cause a memory leak with the Netscaler. I can tell you, when it runs out of memory, bad things happen. We observed this with 11.1 53.11. We're told by support that 11.1 56.x and 12.0 52.x fixes this, but it hasn't been released yet.

[Derek Black]

We are still seeing sessions freeze or users experience sub-optimal/degraded performance and other odd behavior such as duplicate/stale sessions that appear to be similar to port exhaustion DOS.

We do have the 'Hello Verify Request' enabled 

 

7.15 CU4 / ADC 12.1.52.15