Troubleshooting common Citrix SSO issues

DNS resolution issues

  • If the device goes to sleep or is inactive for long, then it might take around 30–60 seconds for the VPN to resume. During this time, users might see some DNS requests failing. DNS requests automatically resolve after a short period. If DNS queries are not resolving, it is possible that an advanced authorization policy is blocking the DNS traffic. See to fix this issue.
  • Always check the DNS resolution from browsers. DNS queries using the nslookup command from the terminal might not be accurate. If you have to use the nslookup command, then you have to include the client IP address in the command. For example, nslookup website_name

EPA issues

  • Gatekeeper is considered as an antivirus. If there is a scan that checks for “any antivirus” (MAC-ANTIVIR_0_0), the scan always passes even if the user has not installed any antivirus from other vendors.


  • Enable client security logging to get debug logs for EPA. You can enable client security logging by setting the VPN parameter clientsecurityLog to ON.
  • The built-in patch management software from Apple is “Software Update”. It corresponds to the “App Store” app on the device. The version of the “Software Update” must be like "MAC-PATCH_100011_100076_VERSION_==_3.0[COMMENT: Software Update]"
  • Always keep the EPA libraries on NetScaler up to date. The latest libraries can be found at

nFactor issues

  • Citrix SSO app opens the Citrix SSO auth window for nFactor authentication. It is similar to a browser. If there are errors on this page, it can be cross verified by trying authentication on a web browser.
  • If the transfer logon fails when nFactor is enabled, then change the portal theme to “RFWebUI”.
  • If you get an error “Secure connection to NetScaler Gateway cannot be established because the certificate chain does not contain any of the required certificates. Please contact your administrator”, or “Gateway not reachable”, then either the gateway server certificate has expired or the server certificate is bound with SNI enabled. Citrix SSO does not support SNI yet. Bind the server certificate without SNI enabled. The error can also be due to certificate pinning configured in the MDM VPN profile and the certificate presented by NetScaler Gateway not matching the pinned certificate.
  • When trying to connect to the gateway, if the Citrix SSO auth window opens but is blank, then check if the ECC curve (ALL) is bound to the default cipher group. The ECC curve (ALL) must be bound to the default cipher group.

Network Access Control (NAC) check

NAC authentication policy is supported only in classic authentication. It is not supported as part of nFactor authentication.

Troubleshooting common Citrix SSO issues