If the SSL feature does not work as expected after you have configured it, you can use some common tools to access Citrix ADC resources and diagnose the problem.

Resources for troubleshooting

For best results, use the following resources to troubleshoot an SSL issue on a Citrix ADC appliance:

  • The relevant ns.log file
  • The latest ns.conf file
  • The messages file
  • The relevant newnslog file
  • Trace files
  • A copy of the certificate files, if possible
  • A copy of the key file, if possible
  • The error message, if any

In addition to the preceding resources, you can use the Wireshark application customized for the Citrix ADC trace files to expedite troubleshooting.

Troubleshooting SSL issues

To troubleshoot an SSL issue, proceed as follows:

  • Verify that the Citrix ADC appliance is licensed for SSL Offloading and load balancing.
  • Verify that SSL Offloading and load balancing features are enabled on the appliance.
  • Verify that the status of the SSL virtual server is not displayed as DOWN.
  • Verify that the status of the service bound to the virtual server is not displayed as DOWN.
  • Verify that a valid certificate is bound to the virtual server.
  • Verify that the service is using an appropriate port, preferably port 443.

Decrypting TLS1.3 traffic from packet trace

To troubleshoot protocols that run over TLS1.3, you must first decrypt the TLS1.3 traffic. To decrypt TLS 1.3 in Wireshark, the secrets must be exported in the NSS key log format. For more information about the key log format, see NSS Key Log Format.

For information about how to capture a packet trace, see Capturing SSL Session Keys During a Trace.

Note: Citrix ADC automatically logs each connection’s secrets in the appropriate format for the TLS/SSL protocol version in use.

CRL refresh does not happen on the secondary node in an HA setup

The refresh does not happen because the CRL server is accessible only to the primary node through a private network.

Workaround: Add a service on the primary node with the IP address of the CRL server. This service acts as a proxy for the CRL server. When the configuration is synchronized between the nodes, CRL refresh works for both primary and secondary nodes through the service configured on the primary node.