Citrix Gateway - After login 'No apps or desktops available at this time' - refresh browser / receiver and it's fine

[Liam Miller1709160425]

Hi All,

 

I've been through the forums in relation to this error but still can't seem to find a solution.

 

ADC v 13.0
Storefront 1906.2
Virtual apps / Desktops 1906.2

I am configuring a new Citrix Access Gateway that will be used for remote access, however i get the 'No apps or desktops available at this time' message after logging in, what is strange is if I refresh the browser or receiver it's fine and shows all my apps / desktops - launches fine everything works for the remainder of the session. This happens via multiple browsers,endpoints,  native receiver, different users etc.. If I browse internally to the Storefront store it loads perfect first time after login. It's only via the Netscaler Gateway this happens. 

 

Any Ideas ? I've tried recreating the storefront store and gateway, to no avail.

Thanks,

 

Liam


 

 

 

[Sam Jacobs]

Are you using a load-balancing vServer for StoreFront?

Do you have persistence (SOURCEIP) set for it?

What happen if you disable/remove one server for the LB vServer?

Do you see the same behavior?

[Rhonda Rowland1709152125]

Persistence is my first thought, but also do you have the configuration on the storefront server group Propagated to all participating storefront servers. (I update the config on storefront and forgot to push the change to the other servers all the time and I know better.

 

IF you are still having issues, look at your stats/syslog on the NS to see if the issue is maybe on a specific storefront server

Then check the event viewer on all storefront servers to see if the issue is on a specific one OR if there is an issue with the xml broker requests being intermittent. Then we can see what else might be going on.

 

IF this isn't in production yet, you could also try to isolate all transactions to one storefront and one xml broker at a time and cycle through until you find if a specific system is at risk (but the events and syslog should give you some indication if this is a likely scenario.)

[Liam Miller1709160425]

Thanks guys

 

Yes, I am using a Load balanced VIP for Storefront and it does have Source IP persistence set.. 

 

I have isolated both the storefront servers used by this VIP with the same result, and have been propagating changes. I also tried isolating the delivery controllers as suggested with no difference in behavior event logs on the storefront servers don't seem to show anything in relation to this either.

 

The interesting thing is after the initial refresh it works fine for the remainder of the time you are logged in, it's also consistent in the fact it happens every single time without fail after the initial logon regardless of where, how or who you login with as long as it's through the CAG ( which isn't production yet ).

 

Direct via the Storefront LB works fine ( this component has been in production for some time without issue ).

 

Regards,

 

Liam

 

 

[Rhonda Rowland1709152125]

You said CAG (which is the old net6 appliance), so I assume you meant Gateway (Netscaler/ADC based) :)

 

Flush your cache (browser) and make sure the browser isn't serving stale content (disable browser caching and force it to check every visit to page, if possible).  Check to see if integrated caching is enabled on the NS and disable it AND flush cache on the ADC, just in case.

 

The no apps/desktops available message occurs during the resource enumeration phase. And can be affected by 1) lack of available resources, 2) maintenance mode, etc.

If your still not seeing any "smoking gun" events, try looking in Citrix Director to see if it sees the "lack of resources" as an error and gives you an failure and reason message that might give you some extra information to go on.  If director isn't registering an error, then that means the controllers aren't registering the problem (in all likelihood) and the issue is probably storefront or gateway based.

 

First, you really, need to break down the config to see if there is something unexpected or a more complicated scenario that what we're assuming.

 

On StoreFront:

- In the store configuration, does it have one CVAD Site or multiple sites defined?  Does each site list 2 or more controllers from its site only?  (I had a customer once configure Site A with xml brokers from SiteA and Site B and wonder why it failed every other request.)

- in the Gateway settings for storefront, do you have the correct Gateway FQDN, callback address, and source IP set to the gateway VIP or blank (instead of snip, if the gateway is also load balancing your storefront traffic).  Is a callback address specified (if needed). Can can this be resolved from all the participating storefront servers to the gateway?

- Are 2 or more STA's configured

- Is the store you are using properly setup for both internal and gateway configuration?

- Finally, is there a storefront base url properly set and are the beacons configured to detect external vs internal users.

- Have you confirmed all config is properly propagated to all participating storefront servers.

 

Is there anything exotic about your config:

- same fqdn for internal and external users, but internal users get to storefront VIP and external users get to gateway vip (this can cause problems if not done right).

- routing all internal and external users through gateway, but then having to treat interanl vs external users differently (usually for hdx insight), but can also come with its own set of problems.

- Using gslb for the gateway or storefront fqdns (which if not defined right can lead to bonus hard to track problems)

 

On the Controllers/CVAD Site:

- When publishing resources (apps or desktops), do you have any smartaccess settings that would restrict access to external users vs internal users?

 

On NetScaler

Verify your Gateway config:

- Does it have the right authentication/group extraction settings?

- Do you have any session or authorization policies that could be denying access?

- Does your session policy actually include the correct storefront fqdn and store path information?

- Do the STA's listed in gateway match the sta's listed in storefront (but we shouldn't be having errors from this, as your not that far into the process.)

 

Again, start with syslog for any events that jump out during the communication flow.

Then look in nslog at console messages and events.

You want to look to see if there are any "internal" service failures for StoreFront FQDN (not your vserver), but the call NS makes to see if your storefront is working or not. 

And then if anything else seems to be occurring.

 

I would run an nstrace here as well which should get you the gateway to storefront communication.

 

But at this point, if you've verified your config. You've tested the load balanced components in isolation. And the trace and other debugging hasn't shown anything and you still don't see events indicating apossible error on NS, Storefront, or the site controllers, and director.  You might need support or  a debug trace.

 

 

 

[Liam Miller1709160425]

Yeah - The issues is definitely not backend resource based, as mentioned internally it's fine direct to SF.  Like I said it actually works perfectly fine once I have hit refresh after logging in effectively ruling out resource contention beyond SF, i've tried multiple browers, laptops, cleared caches, differnet user accounts etc..so we can rule all that out . It enumerates the apps and desktops and lets me launch without problem after refreshing the page. The issue isn't hat it doesn't work per se, it's that I get the no apps or desktop error one time only on first login which is rectified by simply refreshing the page / receiver.

 

On StoreFront:

- two sites defined and yes the correct controllers are defined for each

- 2 STA's are configured and UP

- The store in question is configured for remote access

- Propagation has been working fine

 

There is nothing exotic, there is a separate URL at play for remote access that uses a seperate store and no GSLB. The only thing shared by internal and external users is the Load Balanced VIP for storefront and the backend sites.

 

On the netscaler: At this stage it's a very basic setup created by the wizard with single factor auth at this stage

 

I'll continue on through the syslog and log a support case, I've built these before so i'm not entirely sure, I was wondering if there is a possible bug with the 13.0 wizard or something. The fact it actually works like a dream after 1 refresh has me puzzled a little and points to NS or SF config.

 

Thanks for your assistance,

 

Liam

[Rhonda Rowland1709152125]

You said the gateway is pointing to a separate store...and that's the one you are confirming settings on?

Is the ADC appliance running gateway the SAME one running the storefront Load Balancer or is the load balancing on a different system?  As this could cause some confusiong about gateway vs internal traffic.

 

Otherwise, there might be a bug or just a config thing we haven't thought of yet..but at least its probably not an obvious issue.  :)

You could try a downgrade to 12.1, but you've checked all the easy stuff...support might be the way to go. Or at least try the autosupport insight services for a quick diagnostic to check for overt issues.

 

Best of luck.

[Liam Miller1709160425]

Yeah it's definitely the right store i've confirmed settings n. I've even tried reconfiging the gateway to use other stores the results are the same. It is the same ADC appliance that has the Load Balancer. I'm still lost as to why this behavior is occuring, I have logged a support ticket see if they can shed any light on this.

 

Thanks for your assistance,

[Gianpaolo PAGLIUSO]

I have the same issue. Any solution?

 

Thanks

 

 

[Liam Miller1709160425]

Hi,

 

Yes for me in the end it turned out to be issues with some corruption of the in built Portal themes by old customization method on the existing Gateway. Because an old custom applied theme was in place even ( old school netscaler customization ) it seemed to cause some havoc with a couple of the Default portal themes I was trying to use on the newer gateway, causing this strange refresh issue. In our case we had a script in the rc.netsclaer copying the customizations on reboot for our original netscaler portal, to test I disabled the startup script that copied some of the /var customizations breaking our existing gateway rebooted our HA pair and found that the new gateway no longer had the issue. So if you have an older gateway on the netscalers that might have older style customization's maybe look there. 

 

Liam

[Suzanna Martanti]

I tried to read all the answers, and my head was dizzy. I couldnt understand most of the words. 
 

And then I tried just the simplest way. Unsure it's gonna work for you, but it worked for me. 

 

When the message appear : no desktop available bla.. bla.. bla..

Just click on your name on the right up corner and click the arrow and click 'log off'

It will take you to the log off page. Untick the box of "remember my logon method" and refresh the page. 
It will take you either to the logon page straight away or to another page that asking you to go to the logon page. 

 

Just login with your username & password as per normal. 

 

I hope it'll help you guys.