ADM and Director Integration missing Network HDX data: Error "No details are available" or blank page

Running Citrix ADM 13.0 (latest) and attempting to integrate the network function into our Citrix Director 1912.

Attempted to use both HTTP and HTTPS.

With HTTP the network tab in Director is blank.

With HTTPS it says no details are available.

The following guide was used: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/director/hdx-insight.html

Using HTTPS:

A network capture trace shows the Director server sends a FIN and interrupts the TLS handshake with the ADM server.

TLS flow request from ADM server
==========================
Transport Layer Security
  TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 170
    Handshake Protocol: New Session Ticket
  TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message
  TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 96
    Handshake Protocol: Encrypted Handshake Message

TLS response from Director server
==========================
Transmission Control Protocol, Src Port: 52282, Dst Port: 443, Seq: 342, Ack: 4300, Len: 0
  Source Port: 52282
  Destination Port: 443
  [Stream index: 0]
  [TCP Segment Len: 0]
  Sequence Number: 342 (relative sequence number)
  Sequence Number (raw): 1163837986
  [Next Sequence Number: 343 (relative sequence number)]
  Acknowledgment Number: 4300 (relative ack number)
  Acknowledgment number (raw): 1444382645
  0101 .... = Header Length: 20 bytes (5)
  Flags: 0x011 (FIN, ACK)
  Window: 512
  [Calculated window size: 131072]
  [Window size scaling factor: 256]
  Checksum: 0xb928 [unverified]
  [Checksum Status: Unverified]
  Urgent Pointer: 0
  [SEQ/ACK analysis]
  [Timestamps]

When using HTTP: the browser shows a blank page, with no errors or details.



SSL connection toward explicit forward proxy


Hi all,

We are currently using an explicit forward proxy using HTTP basic auth. The goal is to at least secure the transmitted credentials.

What we had set up before:

  1. client ----- http -----> proxysg:80 ----> http://internet.site/
  2. client ----- http -----> proxysg:80 ----> https://internet.site/ (uses HTTP CONNECT)

What we would like to do now is the same as above, except the first step which should preferably become https:

  1. client ----- https -----> proxysg:443 ----> http://internet.site/
  2. client ----- https -----> proxysg:443 ----> https://internet.site/

That last part required setting up a proxy service listening on proxysg:443 and selecting “HTTPS reverse proxy”. I hope that is correct!

Currently accessing a site using HTTP on the internet works:

# curl -vv --proxy https://192.168.1.12:443 --proxy-insecure --insecure http://www.site.com/
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Proxy certificate:
*  subject: C=US; ST=CA; O=Blue Coat Systems, Inc.; OU=Blue Coat SG-S200 Series; CN=xxx
*  start date: Jan  1 10:46:49 2020 GMT
*  expire date: Jan  1 10:46:49 2025 GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Blue Coat Systems, Inc.; OU=Blue Coat, ABRCA; CN=abrca.bluecoat.com; emailAddress=sysadmin@bluecoat.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET http://www.site.com/ HTTP/1.1
> Host: www.site.com
> User-Agent: curl/7.60.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Date: Wed, 29 Jan 2020 15:46:24 GMT
< Content-Type: text/html
< Content-Length: 226
< Last-Modified: Mon, 22 Sep 2014 17:55:21 GMT
< ETag: "e2-503ab2786f440"
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Age: 0
<
<HTML>
<HEAD>
<TITLE>Welcome!</TITLE>

Accessing a site using HTTPS does NOT work, however I don't understand why. It shouldn't depend on the outer layer of the connection, which has now become HTTPS instead of HTTP.

# curl -vv --proxy https://192.168.1.12:443 --proxy-insecure --insecure https://www.site.com/
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: C=US; ST=CA; O=Blue Coat Systems, Inc.; OU=Blue Coat SG-S200 Series; CN=xxx
*  start date: Jan  1 10:46:49 2020 GMT
*  expire date: Jan  1 10:46:49 2025 GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Blue Coat Systems, Inc.; OU=Blue Coat, ABRCA; CN=abrca.bluecoat.com; emailAddress=sysadmin@bluecoat.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.site.com:443
> CONNECT www.site.com:443 HTTP/1.1
> Host: www.site.com:443
> User-Agent: curl/7.60.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.site.com:443
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.site.com:443

The remote end shows this (no data is transmitted):

   98 16:47:41.913409959 1.1.1.1 → 2.2.2.2 TCP 74 53656 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1 TSval=4144667785 TSecr=0 WS=64
   99 16:47:41.913463623 2.2.2.2 → 1.1.1.1 TCP 74 443 → 53656 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=3089349285 TSecr=4144667785 WS=128
  100 16:47:41.925293814 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
  101 16:47:41.925490666 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [FIN, ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
  102 16:47:41.925529264 2.2.2.2 → 1.1.1.1 TCP 66 443 → 53656 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=3089349288 TSecr=4144667797
  103 16:47:41.937479029 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=2 Ack=2 Win=262848 Len=0 TSval=4144667809 TSecr=3089349288

Proxy Policy trace is inconclusive:

connection: service.name=Explicit HTTPS client.address=192.168.2.226 proxy.port=443 client.interface=0:0.44 routing-domain=default
  location-id=0 access_type=unknown
time: 2020-01-29 15:19:07 UTC
CONNECT tcp://www.site.com:443/
  DNS lookup was unrestricted
User-Agent: curl/7.60.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
  url.category: none@Policy;none@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 0
client.response.code: 200
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65

What could be the problem?

Am I doing this correctly? Or is there a more correct approach to secure the connection toward the proxy itself?

Thanks,

Jim


TLS support


We have one client using a secured email service, which requires TLS-encrypted messaging, but after enabling TLS for this domain, the STARTTLS command is still unrecognized. Of course the SMG server at this point doesn't even know about the destination domain and its settings. So does the Messaging Gateway support TLS handshaking or not, and what might be the problem here?
 

telnet qntsrv9.qnet.fi 25
Trying 62.142.220.9...
Connected to qntsrv9.qnet.fi.
Escape character is '^]'.
220 qntsrv9.qnet.fi ESMTP Q-Net Spamcontrol
ehlo turvaposti.fi
250-qntsrv9.qnet.fi says EHLO to 212.68.18.130:35317
250-8BITMIME
250-PIPELINING
250-SIZE 110000000
250 ENHANCEDSTATUSCODES
STARTTLS
500 5.5.2 unrecognized command

Jukka
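The 500 in the transcript above is what an SMTP server returns when STARTTLS is sent without having been advertised in its EHLO reply; the reply shown lists 8BITMIME, PIPELINING, SIZE and ENHANCEDSTATUSCODES but no STARTTLS. The following is an added example, not code from the post or from the Messaging Gateway product: it parses an EHLO reply into the advertised extensions, and the live check function only issues STARTTLS when the capability is present. The two EHLO transcripts are constructed inputs (the first mirrors the post, the second is an invented server that does offer STARTTLS); `mail.example.test` is a placeholder hostname.

```python
import smtplib
import ssl

# Constructed transcript matching the EHLO reply in the post: several
# extensions are advertised, but STARTTLS is not among them.
EHLO_WITHOUT_STARTTLS = (
    "250-qntsrv9.qnet.fi says EHLO to 212.68.18.130:35317\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 110000000\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Constructed reply from a (hypothetical) server that does offer STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply):
    """Split a multi-line 250 EHLO reply (RFC 5321 section 4.1.1.1) into the
    server's domain and a dict of advertised extension keyword -> parameters."""
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    if not lines:
        raise ValueError("not a successful EHLO reply")
    # First line is "250-domain [greeting]"; the rest are "250-KEYWORD [params]".
    first = lines[0][4:].split(None, 1)
    domain = first[0] if first else ""
    extensions = {}
    for line in lines[1:]:
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return {"domain": domain, "extensions": extensions}


def supports_starttls(reply):
    """True only when the server advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)["extensions"]


def check_starttls(host, port=25, timeout=10.0):
    """Live check against a real server: EHLO first, and send STARTTLS only if
    it was advertised. Sending it unadvertised yields '500 unrecognized command'
    as in the post, so the result reports the capability gap instead."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "extensions": sorted(smtp.esmtp_features)}
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities may differ after the TLS upgrade
        return {
            "starttls": True,
            "tls_version": smtp.sock.version(),
            "cipher": smtp.sock.cipher()[0],
        }


if __name__ == "__main__":
    print(parse_ehlo(EHLO_WITHOUT_STARTTLS))
    # Live usage (not run here): check_starttls("mail.example.test")
```

Running the parser over the post's reply shows STARTTLS absent, which is the first thing to confirm before looking at the gateway's TLS settings: the server on the other end has to advertise the extension before the command can succeed.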


Scheduled reports mail delivery failing over TLS1.2


Hello,

Recently we've noticed that after our local SMTP servers moved from TLSv1 and TLS1.1 to TLS1.2, scheduled reports from SEPM stop working. From the debug logs I can see this:

2019-01-30 11:55:36.551 THREAD 203 SEVERE: com.sygate.scm.util.mail.EmailException: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
               javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

Right now I ended up upgrading from 14.0.3929.1200 to the latest 14.2.1031.0100, but I'm getting the same results, and the funniest part is that sending a test email from the Mail Server configuration works fine... but again all scheduled reports fail. Sending emails directly from PowerShell with -usessl works perfectly.

Wireshark says that the connection was reset due to a handshake failure. For the test email the handshake was successful 🙂

Does anyone face the same issues?

Best regards,
PG


Re: ESRS Network Connectivity (NAT)

Hi,

Sometimes the network check reports incorrect results. A meaningful test from the VM itself would be:

curl -v -k https://esrs3.emc.com

curl -v -k https://esrs3-core.emc.com

If these two work (the second will probably end in an SSL handshake failure, but the SSL handshake will at least be started), please follow fix 1 in KB article 503235 to be able to skip the network check. There will be an option in the GUI to skip the network check in a future version, unfortunately not in 3.32 yet.

If provisioning does not work, indicating a real issue with the network connectivity, please open an SR with support to get assistance.

Regards

Frank
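Three of the threads on this page (the Director capture that ends in a FIN from the Director server, the SEPM log line "Remote host closed connection during handshake", and the `curl -v -k` checks suggested above) come down to the same question: did the TCP connection open, and did the TLS handshake then complete or get cut off. The following is an added example, not code from any of the posts or products: a small TLS probe in Python's standard library that reports the stage at which a connection attempt stopped, plus the negotiated version and cipher when it succeeds. The local test peer that accepts and immediately drops the connection is constructed to reproduce the "closed during handshake" failure mode offline; the `adm.example.internal` hostname in the usage comment is a placeholder.

```python
import socket
import ssl
import threading


def tls_probe(host, port, timeout=5.0, verify=True, server_name=None):
    """Connect to host:port, run a TLS handshake and report the outcome.

    The result records whether the attempt failed at TCP connect or during
    the TLS handshake, and on success the version, cipher and peer subject.
    """
    ctx = ssl.create_default_context()
    if not verify:
        # Same idea as curl -k: still negotiate TLS, but skip the trust checks,
        # so a certificate problem is reported by the peer rather than by us.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "ok": False, "stage": None, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(stage="tcp_connect", error=f"{type(exc).__name__}: {exc}")
        return result
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()  # empty dict when verification is off
            result.update(
                ok=True,
                stage="handshake_complete",
                version=tls.version(),
                cipher=tls.cipher()[0],
                peer_subject=cert.get("subject") if cert else None,
            )
    except (ssl.SSLError, OSError) as exc:
        # SSLEOFError / ConnectionResetError here mean the peer dropped the
        # connection mid-handshake (the SEPM symptom); SSLCertVerificationError
        # means our side rejected the certificate it was shown.
        result.update(stage="tls_handshake", error=f"{type(exc).__name__}: {exc}")
    finally:
        raw.close()  # no-op if wrap_socket already took the descriptor over
    return result


def start_server_that_closes_on_accept():
    """Constructed test peer: accepts one TCP connection and drops it at once,
    which is what a server that cannot continue a TLS handshake looks like."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_localhost_port():
    """Constructed test helper: returns a port nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against a real endpoint (placeholder hostname):
    #   tls_probe("adm.example.internal", 443, verify=False)
    print(tls_probe("127.0.0.1", start_server_that_closes_on_accept(), verify=False))
```

Run with `verify=True` first; if that fails with a certificate verification error while `verify=False` completes the handshake, the problem is trust on the client side. If both fail at the `tls_handshake` stage with a reset or EOF, the server side gave up, which is where protocol-version and cipher configuration on the server should be compared with what the client offers.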


Re: Failed initial handshake, trying again

2018-10-31 10:23:21 avtar Info <6555>: Initializing connection (Avamar Deduplication Engine v2.0.0)
2018-10-31 10:23:22 avtar Info <5552>: Connecting to Avamar Server (avamarserver1.company.com)
2018-10-31 10:23:22 avtar Info <5554>: Connecting to one node in each datacenter
2018-10-31 10:23:22 avtar Info <5694>: - Failed initial handshake, trying again
2018-10-31 10:23:22 avtar Info <5694>: - Failed initial handshake, trying again
2018-10-31 10:23:22 avtar Info <5694>: - Failed initial handshake, trying again
2018-10-31 10:23:22 avtar Info <6063>: - Communication error: Could not create connection to Server
2018-10-31 10:23:22 avtar Info <5557>: No connections available
2018-10-31 10:23:22 avtar FATAL <8604>: Fatal server connection problem, aborting initialization. Verify correct server address and login credentials.
2018-10-31 10:23:22 avtar FATAL <8941>: Fatal server connection problem, aborting initialization. Verify correct server address and login credentials.
2018-10-31 10:23:22 avtar Info <6149>: Error summary: 2 errors: 8604, 8941
2018-10-31 10:23:22 avtar Info <8468>: Sending wrapup message to parent
2018-10-31 10:23:22 avtar Info <5314>: Command failed (2 errors, exit code 10008: cannot establish connection with server (possible network or DNS failure))


How to configure TCP HALF OPEN Monitoring on NetScaler

The following is the mechanism of "TCP" or "TCP-Default" monitoring in NetScaler:

1. We send "Syn" to the backend server

2. We get/expect "Syn, Ack" from the backend server

3. We send "Fin, Ack" to the server

4. We get/expect "Rst" from the backend

So, in the third step, we inform the backend server that we will close the connection. The server then resets the connection and releases the socket.

The snapshot below, taken from my lab setup, illustrates this.

User-added image

This is the TCP FULL HANDSHAKE monitoring method. However, we can also set up TCP HALF OPEN monitoring in NetScaler.

The following is the TCP HALF OPEN monitoring mechanism:

1. We send "Syn" to the backend server

2. We get/expect "Syn, Ack" from the backend server

3. We send "Rst" to the server

For the TCP HALF OPEN monitor, on the respective Service on NetScaler, we need to set the "Monitoring Connection Close Bit" to RESET.

User-added image

The result can be seen in the snapshot added below:

User-added image
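The difference between the two monitors above is how the probe lets go of the connection: a FIN that the backend answers with a RST, versus a RST that frees the backend socket at once. The following is an added example, not NetScaler code: a TCP monitor probe in Python whose `close_bit` parameter selects an orderly close (FIN) or an abortive close via SO_LINGER with a zero timeout (RST), the behaviour the "Monitoring Connection Close Bit = RESET" setting asks for. One caveat: the kernel's `connect()` always completes the three-way handshake (it sends the ACK), so this reproduces the close-bit difference but not a true half-open probe that sends RST before the ACK; that would need raw packet crafting, which is not shown. The local backend is a constructed stand-in so the probe runs offline.

```python
import socket
import struct
import threading
import time


def tcp_monitor_probe(host, port, close_bit="FIN", timeout=3.0):
    """Probe a backend the way a TCP monitor does and report the result.

    close_bit="FIN": orderly close(); the kernel sends FIN and the backend
                     answers with RST, as in the full-handshake monitor.
    close_bit="RST": SO_LINGER with a zero timeout makes close() abortive, so
                     the kernel sends RST and the backend frees the socket
                     immediately, as the RESET close bit requests.
    """
    if close_bit not in ("FIN", "RST"):
        raise ValueError("close_bit must be 'FIN' or 'RST'")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    started = time.monotonic()
    try:
        s.connect((host, port))  # SYN -> SYN/ACK -> ACK, done by the kernel
    except OSError as exc:
        s.close()
        return {"up": False, "close_bit": close_bit, "rtt_ms": None, "error": str(exc)}
    rtt_ms = (time.monotonic() - started) * 1000.0
    if close_bit == "RST":
        # struct linger {l_onoff=1, l_linger=0}: abortive close, RST instead of FIN
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    s.close()
    return {"up": True, "close_bit": close_bit, "rtt_ms": rtt_ms, "error": None}


def start_constructed_backend():
    """Constructed stand-in for a backend service: accepts connections and
    closes them, which is all the probe's handshake needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_localhost_port():
    """Constructed test helper: returns a port nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    backend, port = start_constructed_backend()
    print(tcp_monitor_probe("127.0.0.1", port, close_bit="FIN"))
    print(tcp_monitor_probe("127.0.0.1", port, close_bit="RST"))
    print(tcp_monitor_probe("127.0.0.1", unused_localhost_port()))
```

Capturing on the loopback interface while the two probes run shows the same difference as the lab snapshots: the FIN variant ends in FIN/ACK from the probe and RST from the backend, the RST variant ends in a single RST from the probe. On a busy backend the RST close also avoids leaving TIME_WAIT entries for every monitor interval.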


Vproxy “vproxy-name” is unavailable

Article Number: 521751 Article Version: 3 Article Type: Break Fix

NetWorker

Alert on NMC: vproxy <vproxy_name> is unavailable.

Errors from daemon.log:

NSR info libCURL: function “curl_easy_perform” returned error 28: “Connection timed out after 90531 milliseconds”

NSR info VM proxy event cleared: vProxy ‘itbonn01b212.main01.intern.adns’ is unavailable.

ERRORS from vmware.log:

2018-05-11T19:09:28.807Z| vmx| I120: GuestRpcSendTimedOut: message to toolbox-dnd timed out.

2018-05-11T19:09:57.121Z| vmx| I120: GuestRpcSendTimedOut: message to toolbox-dnd timed out.

2018-05-11T19:10:10.837Z| vmx| I120: GuestRpcSendTimedOut: message to toolbox-dnd timed out.

2018-05-11T19:10:28.808Z| vmx| I120: GuestRpcSendTimedOut: message to toolbox-dnd timed out.

Errors from vrapid.log :

2018/04/17 11:53:38 http: TLS handshake error from 172.xx.xx.xxx:52042: read tcp 172.xx.xx.xxx:9090->172.xx.xx.xxx:52042: read: connection reset by peer

2018/04/17 11:58:40 http: TLS handshake error from 172.xx.xx.xxx:53314: read tcp 172.xx.xx.xxx:9090->172.xx.xx.xxx:53314: read: connection reset by peer

In one instance it was seen that the customer's network switches had a special feature: after 5 minutes they clear from their ARP table any device that has shown no activity for the last 5 minutes. So the vProxy devices dropped out of the ARP table after 5 minutes and were no longer pingable or accessible.

Create a cron task on the vProxies which runs every 5 minutes and pings the NetWorker server. This way no entries are deleted from the ARP table.
