XenMobile Android Enterprise & iOS devices failed to enroll after ADC upgrade to 13.0-82.41+ or 12.1-62.23+

Please refer to the following Citrix ADC doc to enable SSO configuration for the XenMobile Gateway virtual server.

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/single-sign-on-types/enable-sso-for-auth-pol.html

GUI Configuration Guide:

  • Part 1: Configure a traffic policy that enables HTTP SSO.

    Navigate to Security > AAA – Application Traffic > Policies > Traffic, select the Traffic Profiles tab, and click Add.

  • Part 2: After configuring the traffic policy, bind it to the XenMobile Gateway virtual server.

    Navigate to Citrix Gateway > Virtual Servers, select XenMobile Gateway and click Edit.

    Then scroll down to the bottom to find the Policies section and add a traffic policy binding.

    Select the traffic policy just created (for example, vpn_tf_pol) and bind it with a high priority value such as 63000.

CLI Configuration Guide:

Demo configuration commands follow:

//Creating traffic policy with SSO enabled
add vpn trafficaction vpn_tf_act http -SSO ON
add vpn trafficpolicy vpn_tf_pol true vpn_tf_act

//Binding traffic policy to XenMobile Gateway Virtual server
bind vpn vserver _XM_XenMobileGateway -policy vpn_tf_pol -priority 63000

Cisco SD-WAN Software Information Disclosure Vulnerability

A vulnerability in the Multiprotocol Label Switching (MPLS) packet handling function of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to gain access to information stored in MPLS buffer memory.

This vulnerability is due to insufficient handling of malformed MPLS packets that are processed by a device that is running Cisco SD-WAN Software. An attacker could exploit this vulnerability by sending a crafted MPLS packet to an affected device that is running Cisco SD-WAN Software or Cisco SD-WAN vManage Software. A successful exploit could allow the attacker to gain unauthorized access to sensitive information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdw-mpls-infodisclos-MSSRFkZq

Security Impact Rating: Medium

CVE: CVE-2021-1614

Radius server test connectivity fails: Error: '1812/udp' is not a valid Radius authentication port or Radius client is not configured properly in the Radius server.

We have seen cases where a policy-based route (PBR) is configured for the management IP (NSIP) that points to a next-hop gateway.

If the ADC does not have a SNIP in the same subnet as the configured next hop, the packet might never leave the ADC, and the connectivity test fails.

Without such a SNIP, the RADIUS packet that the FreeBSD side hands to the virtual server is never forwarded to the actual RADIUS server.
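As an added example that is not part of the original article, the following Python check answers the question above for a given PBR next hop and SNIP list: does any SNIP share a subnet with the next hop? The addresses are constructed sample values, and the suggested remediation command in the verdict is the standard `add ns ip` syntax, with the address left as a placeholder.

```python
import ipaddress

# Constructed sample: the PBR next hop used for the NSIP and the SNIPs present
# on the appliance. These are example addresses, not from any real deployment.
PBR_NEXT_HOP = "192.0.2.1"
SNIPS = [
    ("198.51.100.10", "255.255.255.0"),
    ("203.0.113.5", "255.255.255.128"),
]


def snip_covering_next_hop(next_hop, snips):
    """Return the first (ip, mask) SNIP whose subnet contains next_hop, or None.

    The RADIUS test packet can only be sourced from a SNIP that shares a subnet
    with the PBR next hop; if no SNIP qualifies, the packet never leaves the ADC.
    """
    hop = ipaddress.ip_address(next_hop)
    for ip, mask in snips:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if hop in net:
            return (ip, mask)
    return None


def check_radius_path(next_hop, snips):
    """Produce a one-line verdict suitable for a pre-change checklist."""
    hit = snip_covering_next_hop(next_hop, snips)
    if hit is None:
        return (f"FAIL: no SNIP shares a subnet with PBR next hop {next_hop}; "
                "add one with: add ns ip <snip-in-next-hop-subnet> <mask> -type SNIP")
    return f"OK: SNIP {hit[0]}/{hit[1]} can reach next hop {next_hop}"


if __name__ == "__main__":
    print(check_radius_path(PBR_NEXT_HOP, SNIPS))   # FAIL: no SNIP in 192.0.2.0/24
    print(check_radius_path("203.0.113.7", SNIPS))  # OK: 203.0.113.5/25 covers it
```

Run it with the real PBR next hop and the output of `show ns ip` before opening a case; a FAIL verdict here reproduces exactly the situation the article describes.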

Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability

A vulnerability in the web-based management interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-132w134w-overflow-Pptt4H2p

Security Impact Rating: High

CVE: CVE-2021-1287

Data Collection Procedure to Troubleshoot NetScaler Related Issues

This article contains information that you must collect for troubleshooting an issue with the NetScaler appliance.

Overview

You must collect the following information to troubleshoot any issues with the NetScaler appliance:

  • NetScaler hardware model – (from FreeBSD, run sysctl -a netscaler).

  • NetScaler software version including the build – (from NetScaler CLI, run show version).

  • Serial number of the appliance – (from FreeBSD, run sysctl -a netscaler).

  • Production setup or new installation.

  • Whether an application/service that was working is now broken or the user wants to configure an application/service.

  • Network topology information.

  • Any change(s) performed on the NetScaler appliance prior to the issue.

  • Any change(s) performed on the connected switches, upstream router, or back end server prior to the issue.

  • Collect the “ns.conf” file after saving the configuration – (from NetScaler CLI, run save configuration).

    Notes:

    • If the appliance is installed with NetScaler software release 6.x or 7.x, then the configuration and license files are located in the /flash/nsconfig directory.
    • If the appliance is installed with NetScaler software release 8.x or 9.x, then the configuration file is located in the /flash/nsconfig directory and the license file(s) are located in the /flash/nsconfig/license directory.

Additional Information Required for Specific Issues

The following is a list of specific categories of issues for which you must collect additional information:

Unable to Access NetScaler for Management Purposes

High Availability (HA) Issues

Load Balancing Issues

Global Server Load Balancing (GSLB) Issues

Content Switching Issues

Caching Issues

SSL Related Issues

SSL VPN Related Issues

Web Logging Related Issues

Hardware Related Issues

Performance Related Issues

Unable to Access NetScaler for Management Purposes

Command Line Interface Access

  • Network tool used for access (PuTTY, TeraTerm Pro).

  • Mode of access (SSH or telnet).

  • Version, if you use SSH.

GUI and Dashboard Access

  • Web browser used.

  • Version of Java Runtime Environment (JRE) installed.

  • Operating system on the client from which you are accessing the GUI along with the service pack/patch level on the client.

High Availability (HA) Issues

Examples of such issues include:

  • HA synchronization failing.

  • Both appliances appear as primary or both appliances appear as secondary.

  • Continuous change of state between the nodes.

  • You run a command on the primary appliance which fails on the secondary appliance (command propagation failure).

The data required to troubleshoot these issues include:

  • show node – (from NetScaler CLI on both nodes).

  • show interface <interface ID> – (from NetScaler CLI on both nodes).

  • “ns.conf” file from both the NetScaler appliances.

  • Latest newnslog files from both the NetScaler appliances.

Load Balancing Issues

Examples of such issues include:

  • Services flapping up and down.

  • Virtual IP address flapping up and down.

  • Uneven load balancing.

  • Slow response when accessing applications through a virtual IP address.

The data required to troubleshoot these issues include:

  • newnslog file.

  • show lb vserver <vservername> for issues where virtual IP address is flapping up or down.

  • show service <servicename> for issues where a service is flapping up or down.

  • nstrace for issues related to packet flow and handling. Refer to the Additional Resources section of this article to collect an nstrace.

  • If the problem site is publicly accessible, then the URL for the site and any logon credentials required for access.

Global Server Load Balancing (GSLB) Issues

Examples of such issues include:

  • Network traffic does not reach the intended site.

  • Metric Exchange Protocol (MEP) not being formed.

  • Remote site not coming up.

  • Proximity not working.

The data required to troubleshoot these issues include:

  • The “ns.conf” file from all the sites participating in GSLB along with basic information listed in the Overview section for all the sites.

  • show ns license output from the NetScaler CLI to verify that you have purchased a proximity-based GSLB license.

  • Latest newnslog files from all the NetScaler appliances.

  • show gslb site output from each NetScaler appliance participating in GSLB.

  • show gslb runningconfig output from each NetScaler appliance participating in GSLB.

Content Switching Issues

Examples of such issues include:

  • Network traffic does not reach the intended Load Balancing virtual server (under Content Switching virtual server).

  • Policy does not match properly.

  • No content served.

The data required to troubleshoot these issues include:

  • The newnslog file.

  • If the problem site is publicly accessible, then the URL for the site and any logon credentials required for access.

Caching Issues

Examples of such issues include:

  • Required content not cached.

  • Expired content served.

  • Cache expiry causing network traffic surge to the back end.

The data required to troubleshoot these issues include:

  • The newnslog file.

  • If the problem site is publicly accessible, then the URL for the site and any logon credentials required for access.

  • stat cache output from the NetScaler CLI.

  • date (from FreeBSD shell) output for the NetScaler appliance and back end server.

SSL Related Issues

Examples of such issues include:

  • Access to SSL virtual server failing.

  • Users receiving certificate related warnings when accessing HTTPS site.

  • Unable to bind certificate to SSL virtual server.

The data required to troubleshoot these issues include:

  • The newnslog file.

  • A copy of the certificate if the issue is related to SSL certificate installation/binding.

  • An nstrace for problems related to packet flow and handling. Refer to Additional Resources section of this article to collect an nstrace.

  • If the problem site is publicly accessible, then the URL for the site and any logon credentials required for access.

  • show ssl stats output from the NetScaler CLI.

SSL VPN Related Issues

Examples of such issues include:

  • Unable to access the server through the SSL VPN.

  • FTP or data transfer through the SSL VPN fails.

  • SSL VPN authentication related issues.

The data required to troubleshoot these issues include:

  • The “sslvpn.txt” file (for the Windows platform) or the “mpSSLVpn” and “Netscaler.log” files (for the Mac platform) from the client computer if the issue is related to the SSL VPN.

  • An nstrace for problems related to packet flow and handling. Refer to Additional Resources section of this article to collect an nstrace.

  • If the problem site is publicly accessible, then the URL for the site and any logon credentials required for access.

Web Logging Related Issues

Examples of such issues include:

  • Web logging does not occur.

  • Web logging stops intermittently.

  • Required details are not logged.

  • Irrelevant IP addresses or domains are logged.

The data required to troubleshoot these issues include:

  • Details of the server on which the Web Logging service is installed and the version of the Web Logging client installed, for example:

    > nswl -version
    Version: Netscaler Weblogging Application(nswl) NS9.2: Build 47.11, Date: Aug 10 2010, 21:55:57 (release) [Linux]
    Done !!

  • The “log.conf” file and the debug file (file name: nswl.log-ddmmyyyyHHMM) if the issue is related to Web Logging. These files reside on the Web Logging server in the /etc and /bin folders respectively (if Web Logging is installed as a Windows service, debug files are created in the WINDOWS\system32 folder).

Hardware Related Issues

Examples of such issues include:

  • The interface is not detected.

  • The interface is always flapping.

  • Continuous console messages referring to a hardware component.

The data required to troubleshoot these issues include:

  • The newnslog file.

  • dmesg (from the FreeBSD shell) output if it is a hardware related issue, for example if the interface is not detected or for disk related issues.

  • show node output from the NetScaler CLI if the issue is related to SSL card failures.

Performance Related Issues

Examples of such issues include:

  • High CPU usage.

  • Slow responses when accessing through the NetScaler appliance.

To troubleshoot these issues, collect the newnslog file. After the preliminary analysis is complete, you might require additional information and logs based on the nature of the problem. For instance:

  • Caching related issue: icstats and nscachemgr output.

  • High CPU utilization: nsprofmon output.

  • NetScaler crashes: vmcore, kernel, nslog.log, ns.reboots files.

  • “ns.conf.x” file if you are not sure of the recent changes done on the NetScaler appliance or if you want to verify the changes yourself.

File name        Remark                          Location in NetScaler Software Release 8.x/9.x/10.x
---------------  ------------------------------  ---------------------------------------------------
ns.conf          configuration file              /flash/nsconfig
ns.conf.x        older configuration file        /flash/nsconfig
newnslog         main log file (data format)     /var/nslog
newnslog.xx.gz   archived newnslog file          /var/nslog
ns.lic           license file                    /flash/nsconfig/license
nstrace.sh       script to collect nstrace       /netscaler
nstcpdump.sh     script to collect tcpdump       /netscaler
nstrace.x        packet trace                    /var/nstrace
vmcore.x.gz      core dump during a crash        /var/crash
kernel.x         kernel dump during a crash      /var/crash
process-pid      user process core file          /var/core
savecore.log     core dump log file              /tmp
pitboss.debug    open pipe for debug info        /tmp
aaad.debug       open pipe for debug info        /tmp
ns.log           system syslog file              /var/log
messages         all logged entries              /var/log
auth.log         authentication/authorization    /var/log
dmesg.*          hardware error/boot sequence    /var/nslog
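As an added example (not part of the original article and not Citrix's own tooling), the following Python script gathers the regular files listed in the table into a compressed tarball and writes a manifest with sizes and SHA-256 hashes, so the engineer receiving the bundle can confirm the evidence was not altered in transit and can see at a glance which expected files were absent. The path patterns are the documented locations above; the script name, output path and the choice to skip the debug pipes (pitboss.debug, aaad.debug are FIFOs, not files) are assumptions. Pointing `root` at a scratch directory lets the same code be exercised off the appliance.

```python
import hashlib
import json
import tarfile
from pathlib import Path

# Files from the table, relative to the appliance root. Patterns are globbed so
# rotated or archived copies (newnslog.xx.gz, ns.conf.x, vmcore.x.gz ...) are
# picked up as well. The debug pipes in /tmp are deliberately not listed.
SUPPORT_FILES = [
    "flash/nsconfig/ns.conf",
    "flash/nsconfig/ns.conf.*",
    "flash/nsconfig/license/ns.lic",
    "var/nslog/newnslog",
    "var/nslog/newnslog.*.gz",
    "var/nslog/dmesg.*",
    "var/nstrace/nstrace.*",
    "var/crash/vmcore.*.gz",
    "var/crash/kernel.*",
    "var/core/*",
    "var/log/ns.log",
    "var/log/messages",
    "var/log/auth.log",
    "tmp/savecore.log",
]


def sha256_of(path):
    """Stream a file through SHA-256 so large newnslog/vmcore files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_support_files(root="/"):
    """Resolve SUPPORT_FILES under root.

    Returns (sorted list of existing regular files, list of patterns that matched nothing).
    root is "/" on the appliance; tests point it at a scratch directory.
    """
    base = Path(root)
    found = set()
    unmatched = []
    for pattern in SUPPORT_FILES:
        hits = [p for p in base.glob(pattern) if p.is_file()]  # is_file() skips FIFOs
        if not hits:
            unmatched.append(pattern)
        found.update(hits)
    return sorted(found), unmatched


def build_bundle(root, out_tgz):
    """Tar the found files, write <out>.manifest.json beside the tarball, return the manifest."""
    base = Path(root)
    files, unmatched = find_support_files(root)
    manifest = {"root": str(base), "files": {}, "unmatched_patterns": unmatched}
    with tarfile.open(out_tgz, "w:gz") as tar:
        for p in files:
            rel = str(p.relative_to(base))
            manifest["files"][rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
            tar.add(str(p), arcname=rel)
    manifest_path = Path(out_tgz).with_suffix(".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


if __name__ == "__main__":
    # Assumed invocation from the FreeBSD shell: python3 collect_ns_support.py
    m = build_bundle("/", "/var/tmp/ns-support-bundle.tgz")
    print(f"collected {len(m['files'])} files; {len(m['unmatched_patterns'])} patterns had no match")
```

Send the manifest alongside the tarball; comparing the recorded hashes against the extracted files on the receiving side is the integrity check, and the `unmatched_patterns` list tells the reviewer which items from the table still have to be requested.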

Additional Resources

How to Obtain Performance Statistics and Event Logs from NetScaler Appliance

To record a network packet trace on a NetScaler appliance, complete the following procedure:

  1. Run the following command from the shell prompt of the appliance:

    /netscaler/nstrace.sh -sz 0

    Note: The trace file is stored in the /var/nstrace directory with the name nstrace.x, where “x” is a number.

  2. Reproduce the problem scenario.

  3. Press CTRL+C to end the trace.

You must collect the trace file along with details such as source IP address, destination IP address, and virtual IP address.

A collected network trace can be decrypted and analyzed with Wireshark. Refer to the following links:

How to Decrypt SSL and TLS Traffic Using Wireshark

Filter Expressions for Wireshark When Using NetScaler Appliance

How to Extract an SSL Certificate from a Network Packet Trace File in Wireshark

NetScaler Packet Trace Format in NetScaler 11.0 Release

Error: “Gateway is not Reachable” or Connection Goes Down After the VPN Tunnel is Established

The Citrix Virtual Adapter is registered as an Ethernet adapter. Starting with Windows 8, the Windows Connection Manager service (WCMSVC) disconnects lower-speed connections when an Ethernet adapter is present, because Ethernet is treated as more reliable and better performing than other adapters. That is why Wi-Fi and 3G/4G adapters get disconnected. Those connections are needed for the actual communication with the VPN gateway, so the VPN plug-in reports “Gateway is not reachable”.

How to create a responder policy to allow/block a set of IPs

  • We need to first create a data set under AppExpert > Dataset.
  • We need to put in all the IPs that we want to block/allow.
  • After creating the data set, create the following responder policy:

CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("data_set")

In the above expression I have called the data set in the expression.

For a subnet range the policy will be as follows:

CLIENT.IP.SRC.IN_SUBNET(x.x.x.x/32)

Now if we want to evaluate a single IP and a subnet we need to create the following expression:

CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("data_set") && CLIENT.IP.SRC.IN_SUBNET(x.x.x.x/32)

You can add other subnets using the && operator. Take assistance of the expression editor to configure the policy.

Then create an action (in this case I am creating an action of type redirect).

Bind the responder policy to the virtual server.

Since the above expression is true for IP 1.1.1.1, you will get redirected to https://citrix.com.
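As an added example that is not part of the original post, the following Python snippet emulates how the expressions above are evaluated for a client address, so the behaviour of the combined && expression can be checked before the policy is bound. The data set values, candidate addresses and the `data_set` name are constructed; CONTAINS_ANY is modelled as a substring test on the address text, which is also what the audit helper relies on to flag addresses that the text comparison would match even though they are not in the data set.

```python
import ipaddress

# Constructed stand-in for an AppExpert Data Set named "data_set".
# Example addresses only; not from any real deployment.
DATA_SET = ["1.1.1.1", "10.20.30.40"]


def contains_any(text, patterns):
    """Emulate TYPECAST_TEXT_T.CONTAINS_ANY: true if ANY pattern occurs as a substring."""
    return any(p in text for p in patterns)


def equals_any(text, patterns):
    """Emulate EQUALS_ANY: true only if the text exactly matches a pattern."""
    return text in patterns


def in_subnet(ip, cidr):
    """Emulate CLIENT.IP.SRC.IN_SUBNET(cidr)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def responder_matches(client_ip, data_set, subnet_cidr):
    """The combined expression from the post:
    CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY("data_set") && CLIENT.IP.SRC.IN_SUBNET(subnet)
    Both halves must be true for the policy to hit.
    """
    return contains_any(client_ip, data_set) and in_subnet(client_ip, subnet_cidr)


def evaluate(client_ip, data_set, subnet_cidr, redirect_url="https://citrix.com"):
    """Return the redirect URL when the responder policy hits, otherwise None (no action)."""
    return redirect_url if responder_matches(client_ip, data_set, subnet_cidr) else None


def find_substring_overmatches(candidate_ips, data_set):
    """Audit helper: addresses CONTAINS_ANY would match although they are not in the data set.

    Because the match is on text, "1.1.1.1" in the data set also matches a client
    "11.1.1.10"; an allow/block list built this way can hit more clients than intended.
    """
    return [ip for ip in candidate_ips
            if contains_any(ip, data_set) and not equals_any(ip, data_set)]


if __name__ == "__main__":
    print(evaluate("1.1.1.1", DATA_SET, "1.1.1.1/32"))      # https://citrix.com
    print(evaluate("1.1.1.2", DATA_SET, "1.1.1.1/32"))      # None
    print(find_substring_overmatches(["1.1.1.1", "11.1.1.10", "9.9.9.9"], DATA_SET))  # ['11.1.1.10']
```

Running the audit helper over the addresses you expect to see in production (or over a sample from the access logs) shows whether the text-based match catches addresses outside the data set; if it does, an exact comparison on the address is the safer basis for an allow/block policy.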