Troubleshoot Gateway Insight issues
If the Gateway Insight solution is not functioning as expected, the issue might be with one of the following. Refer to the checklists in the respective sections for troubleshooting.
- Gateway Insight configuration.
- Connectivity issue between NetScaler and NetScaler ADM.
- Record generation in NetScaler.
- Validations in NetScaler ADM.
Gateway Insight configuration checklist
- Make sure that the AppFlow feature is enabled in the NetScaler appliance. For details, see Enabling AppFlow.
- Check the Gateway Insight configuration in the NetScaler running configuration. Run the show running | grep -i <appflow_policy> command to check the Gateway Insight configuration. Make sure that the bind type is REQUEST. For example:
  bind vpn vserver afsanity -policy afp -priority 100 -type REQUEST
  Bind type OTHERTCP_REQUEST is also required for Gateway Insight:
  bind vpn vserver afsanity -policy afp -priority 100 -type OTHERTCP_REQUEST
- For single-hop, Access Gateway, or Unified Gateway deployment, make sure that Gateway Insight AppFlow policy is bound to the VPN virtual server, where VPN traffic is flowing. For details, see Enabling HDX Insight data collection.
- For double-hop, Gateway Insight must be configured on both the hops.
- Check the appflowlog parameter in the NetScaler Gateway/VPN virtual server. For details, see Enabling AppFlow for Virtual Servers.
Connectivity between NetScaler and NetScaler ADM checklist
- Check AppFlow collector status in NetScaler. For details, see How to check the status of connectivity between NetScaler and AppFlow Collector.
- Check Gateway Insight AppFlow policy hits. Run the command show appflow policy <policy_name> to check the AppFlow policy hits. You can also navigate to Settings > AppFlow > Policies in the GUI to check the AppFlow policy hits.
- Make sure that no firewall is blocking AppFlow ports 4739 or 5557.
Record generation in NetScaler checklist
- Run the nsconmsg -d stats -g ai_tot command and check for the stats increments in NetScaler.
- Capture nstrace logs and check for CFLOW packets to confirm NetScaler exports AppFlow records.
Note: The nstrace logs are required only for IPFIX. For Logstream, nstrace logs do not confirm if the ADC appliance exported the AppFlow records.
Validation of records in NetScaler ADM
- Run the tail -f /var/mps/log/mps_afdecoder.log | grep -i "Data Record: vpn_" command to check the logs to confirm NetScaler ADM is receiving AppFlow records.
- Make sure that the NetScaler instance is added to the NetScaler ADM.
- Make sure that the NetScaler Gateway/VPN virtual server is licensed in NetScaler ADM.
Validation of Logstream logs in NetScaler ADM
Validation of Logstream data received by NetScaler ADM can be done using the following methods:
- Enabling data record logging in NetScaler ADM. Once enabled, the logs can be seen in /var/mps/log/mps_afdecoder.log.
- Enabling ULFD library logging. Run the command /mps/decoder_enable_debug. The logs are captured in /var/ulflog/libulfd.log. You can disable logging by using the command /mps/decoder_disable_debug.
Gateway Insight counters
The following Gateway Insight counters are available.
- ai_tot_preauth_epa_export
- ai_tot_auth_export
- ai_tot_auth_session_id_update_export
- ai_tot_postauth_epa_export
- ai_tot_vpn_update_export
- ai_tot_ica_fileinfo_export
- ai_tot_app_launch_failure
- ai_tot_logout_export
- ai_tot_skip_appflow_export
- ai_tot_sso_appflow_export
- ai_tot_authz_appflow_export
- ai_tot_appflow_pol_eval_failure
- ai_tot_vpn_export_state_mismatch
- ai_tot_appflow_disabled
- ai_tot_appflow_pol_eval_in_gwinsight
- ai_tot_app_launch_success
AppFlow records in NetScaler log
Starting from release 13.0 build 71.x, you can check the NetScaler logs to confirm if the AppFlow records are exported. The default log level of syslogparams captures all the error and information logs. If these logs do not point to the cause of the errors, enable all log levels including DEBUG in syslogparams to capture the DEBUG logs as well.
Sample logs
<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 147 0 : "GwInsight: Sent auth record Func=ns_sslvpn_export_auth_data Username=<name> Clientip=<ip>:<port> Destip=0:80 SessSeq=0 Sessid=<sessid> Gwip=<ip>:443 StatusCode=0 CSappid=0 CSAppname=(null) VPNfqdn=<vpnfqdn> Authtype=3 EPAid=(null) AuthStage=1 AuthDuration=309 AuthAgent=<auth_server_ip> Groupname= Policyname=<name> CurfactorPolname=<name> NextfactorPolname= CSecExpr= Devicetype=16777219 Deviceid=0 email="
<local0.err> … GMT 0-PPE-0 : default SSLVPN Message 143 0 : "GwInsight: Func=ns_aaa_copy_email_id_to_vpn_record input hash_attrs_len is zero"
<local0.err> … GMT 0-PPE-0 : default SSLVPN Message 148 0 : "GwInsight: Func=update_session_appflow_collector pcb or session is NULL"
<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 165 0 : "GwInsight: Sent session update record Func=ns_sslvpn_send_update_record Username=<> Clientip=<ip>:<port> Destip=<ip>:80 SessSeq=1 Sessid=<sessid> Gwip=<ip>:443 StatusCode=0 CSappid=0 CSAppname=(null) VPNfqdn=<fqdn> SSOAuthMethod=0 SessState=2 SessMode=2 IIP=0 AppByteCount=0 ReqURL=/Citrix/Store
Web BackendServername= SSOurl= email="
SSO logs:
<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 463 0 : "GwInsight: Sent session update record Func=ns_sslvpn_send_update_record Username=<name> Clientip=<ip>:<port> Destip=<ip>:80 SessSeq=2 Sessid=<sessid> Gwip=<ip>:443 StatusCode=150 CSappid=0 CSAppname=(null) VPNfqdn=<fqdn> SSOAuthMethod=1 SessState=4 SessMode=3 IIP=0 AppByteCount=0 ReqURL= BackendServername=<> SSOurl= email="
<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 582 0 : "GwInsight: Sent session update record Func=ns_sslvpn_send_update_record Username=<name> Clientip=<ip>:<port> Destip=<ip>:80 SessSeq=2 Sessid=<sessid> Gwip=<ip>:443 StatusCode=150 CSappid=0 CSAppname=(null) VPNfqdn=<fqdn> SSOAuthMethod=3 SessState=4 SessMode=3 IIP=0 AppByteCount=0 ReqURL= BackendServername=<> SSOurl= email="
<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 513 0 : "GwInsight: Sent session update record Func=ns_sslvpn_send_update_record Username=<name> Clientip=<ip>:<port> Destip=<ip>:80 SessSeq=2 Sessid=<sessid> Gwip=<ip>:443 StatusCode=150 CSappid=0 CSAppname=(null) VPNfqdn=<fqdn> SSOAuthMethod=2 SessState=4 SessMode=3 IIP=0 AppByteCount=0 ReqURL= BackendServername=<> SSOurl= email="
<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 29796 0 : "GwInsight: Sent session update record Func=ns_sslvpn_send_update_record Username=<name> Clientip=<ip>:<port> Destip=<ip>:443 SessSeq=c Sessid=<sessid> Gwip=<ip>:443 StatusCode=155 CSappid=0 CSAppname=(null) VPNfqdn=<fqdn> SSOAuthMethod=6 SessState=4 SessMode=3 IIP=0 AppByteCount=0 ReqURL= BackendServername=<> SSOurl= email="
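One way to triage the GwInsight log lines shown above, as an added example that is not part of the Citrix documentation: it parses the key=value fields (including empty values), then counts error lines per Func and sent records per StatusCode. The sample lines are constructed in the shape of the page's samples, the names parse_gwinsight and summarize are hypothetical, and StatusCode values are reported as-is because the page does not define them.

```python
import re
from collections import Counter

# Line shape taken from the sample logs above; the elided part ("…") is skipped.
LINE_RE = re.compile(
    r'<\w+\.(?P<severity>\w+)>.*?SSLVPN Message (?P<msgid>\d+) \d+ :\s*"GwInsight: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=(\S*)')  # \S* lets empty values such as "Groupname=" parse as ""

def parse_gwinsight(line):
    """Return a dict for a GwInsight log line, or None for any other line."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    body = m.group("body").rstrip('"').rstrip()
    event, sep, rest = body.partition("Func=")
    fields = dict(KV_RE.findall(sep + rest))
    # Error lines carry free text after the function name instead of key=value pairs.
    detail = rest.partition(" ")[2] if m.group("severity") == "err" else ""
    return {"severity": m.group("severity"), "msgid": int(m.group("msgid")),
            "event": event.strip(), "func": fields.get("Func"), "detail": detail, "fields": fields}

def summarize(lines):
    """Count export errors per (Func, text) and sent records per (event, StatusCode)."""
    errors, sent = Counter(), Counter()
    for line in lines:
        rec = parse_gwinsight(line)
        if rec is None:
            continue
        if rec["severity"] == "err":
            errors[(rec["func"], rec["detail"])] += 1
        else:
            sent[(rec["event"], rec["fields"].get("StatusCode"))] += 1
    return errors, sent

# Constructed sample lines (placeholder user, documentation-range IP), not real log data.
SAMPLE = [
    '<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 147 0 : "GwInsight: Sent auth record '
    'Func=ns_sslvpn_export_auth_data Username=user1 Clientip=192.0.2.10:51000 Sessid=abc123 '
    'StatusCode=0 Groupname= Policyname=pol1 email="',
    '<local0.err> … GMT 0-PPE-0 : default SSLVPN Message 148 0 : "GwInsight: '
    'Func=update_session_appflow_collector pcb or session is NULL"',
    '<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 463 0 : "GwInsight: Sent session update record '
    'Func=ns_sslvpn_send_update_record Username=user1 Sessid=abc123 StatusCode=150 SSOAuthMethod=1 email="',
    '<local0.info> … GMT 0-PPE-0 : default SSLVPN Message 149 0 : "Unrelated message"',
]

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        for key, n in counter.items():
            print(n, key)
```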
Contact Citrix technical support
For a speedy resolution, make sure that you have the following information before contacting Citrix technical support:
- Details of the deployment and network topology.
- NetScaler and NetScaler ADM versions.
- Tech support bundle for NetScaler and NetScaler ADM.
- nstrace capture during the issue.
Known Issues
Refer to the ADC release notes for known issues with Gateway Insight.