February 28, 2019 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | >
February 28, 2019 [01:15:05] *** braynyac <braynyac!uid6699@gateway/web/irccloud.com/x-bsqzcphmavrwtjoj> has quit IRC (Quit: Connection closed for inactivity)[01:36:07] *** SixStr <SixStr!~SixStr@pool-100-2-219-130.nycmny.fios.verizon.net> has quit IRC (Ping timeout: 240 seconds)[05:46:48] *** Stedlo <Stedlo!~IceChat9@cpe-69-23-76-23.new.res.rr.com> has quit IRC (Ping timeout: 258 seconds)[08:48:52] *** Lucasje <Lucasje!uid24226@gateway/web/irccloud.com/x-hjpnuydefscjmaqv> has joined #Citrix[11:48:21] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has joined #Citrix[12:27:38] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has quit IRC (Ping timeout: 255 seconds)[12:37:32] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has joined #Citrix[12:49:13] *** kahnibus <kahnibus!~Alex@129.3.29.171> has joined #Citrix[13:51:43] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has quit IRC (Ping timeout: 246 seconds)[13:53:35] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has joined #Citrix[13:58:24] <Olivier83> hi[13:58:43] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has quit IRC (Ping timeout: 244 seconds)[13:59:55] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has joined #Citrix[14:09:44] *** braynyac <braynyac!uid6699@gateway/web/irccloud.com/x-kossnuhfflquyiqf> has joined #Citrix[14:19:30] <braynyac> morning everyone[14:19:34] *** skurz <skurz!~skurz___@cpe-108-167-6-115.neb.res.rr.com> has quit IRC (Quit: Leaving)[14:26:44] <kahnibus> morning[14:40:58] <Biny> 'morn[15:01:33] <Olivier83> I had to abandon working on Grafana/InfluxDB[15:01:47] <Olivier83> they bought OpsView instead so working on it...[15:07:19] *** currybullen <currybullen!~currybull@h-205-204.A251.priv.bahnhof.se> has joined #Citrix[15:11:32] <Biny> poor giraffes.[15:11:46] <braynyac> So....yesterday's problem with users not being able to log in - PVS image ran out of RDS grace period. Which is odd, as I see users pulling RDS licenses from the server. We had to create a completely new image, and this one is exhibiting similar problems. The RDS license server appears OK, but the XA hosts are still in grace period.[15:11:48] <currybullen> i'm having some trouble with a ~/.bash_profile which is sourced multiple times upon making a citrix connection. it seems it is first sourced upon initial login, then again by ctxsession.sh and then a third time by what i assume is a login shell spawned by ctxsession.sh. has anyone had similar issues?[15:12:04] <braynyac> Yes, we've tried deleting the RCM key per all of the recommendations, and that does not work. Upon reboot, still not licensed[15:19:12] <Olivier83> just a stupid question but is the OS properly licensed via KMS?[15:20:12] <braynyac> not a stupid question...checking[15:21:57] <braynyac> Yes, KMS licensed OK[15:22:58] <Biny> currybullen: not sure that anyone here actually runs a linux vda (which is what I assume you'er running into?)[15:25:41] <currybullen> hmm yeah i believe so[15:26:01] <tabularasa> morning peeps[15:27:56] <braynyac> morning tab[15:28:54] <Biny> |Atum| can pop in here now and say 'g'evenin m8' since he wont be here in the morning anymore![15:29:09] <tabularasa> well, his morning[15:33:43] <braynyac> Checked the license server, all users are licensed OK. It's just the XA hosts that are being stupid[15:33:55] <braynyac> wonder if it's some weird KB that got applied[15:34:09] <braynyac> I can't wait to get to 2016[15:38:52] <Olivier83> Have you tried to connect with a new user and a new user RDS licence?[15:39:14] <braynyac> not directly via RDS, only through Citrix.[15:39:18] <braynyac> one sec[15:43:03] <Biny> have you tried turning it off and on again, and stabbing it with :clippy:?[15:43:11] <braynyac> yes =([15:43:20] <braynyac> I think I need @BobFrankly's cluebat[15:43:31] <Biny> his cluebat is stuck up in floobitland[15:43:43] <braynyac> That sounds....unfortunate[15:44:26] <tabularasa> lol[15:45:25] <braynyac> Olivier83: can't connect via RDS. Error in event log is: "Non-brokered RDP Connection request denied because the user, <user>, is not in the Direct Access Users group."[15:45:54] <braynyac> Side note - EDT via UDP is _STILL_ not working. Everything looks fine! uggghhhhh[15:46:08] * braynyac goes looking for the easy button[15:48:36] <tabularasa> still not listening?[15:48:44] <tabularasa> did you check the registry to make SURE it's got the right key?[15:48:49] <tabularasa> because i've seen that be a problem[15:49:05] <braynyac> Yup, still not listening. Checking registry...uno momento[15:49:15] <braynyac> also, tab - any ideas on my RDS licensing woes?[15:49:39] * tabularasa reads up[15:50:24] <tabularasa> that is weird. RCM key? do you mean the graceperiod key?[15:50:29] <braynyac> yes[15:53:21] <tabularasa> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\UDT[15:53:24] <tabularasa> if you haven't found it yet[15:53:32] <tabularasa> HDXOverUDP[15:54:33] <braynyac> Thanks - was just looking for that![15:54:38] <tabularasa> ;)[15:55:09] <braynyac> huh[15:55:11] <braynyac> that does not exist[15:55:35] <braynyac> I have HDXOverUDP under HKLM\SOFTWARE\Policies\ICAPolicies though[15:55:47] <tabularasa> oh, they may have moved it[15:55:57] <tabularasa> depends on the version, probably[15:55:59] <braynyac> What should it be?[15:56:01] <tabularasa> what's it set to?[15:56:02] <braynyac> mine is set to 2[15:57:21] <tabularasa> trying to find the settings[15:58:07] <tabularasa> 0 is off... so that's not it[15:58:41] <braynyac> cool. Now, here's something - we _are_ using Citrix Policies through Studio, not GPOs.[15:58:51] <tabularasa> 2 should be right...[15:58:58] <tabularasa> i also use citrix policies[15:59:00] <braynyac> We should probably switch one day, but we have so few policies, it's just easier in Studio[15:59:04] <tabularasa> someone didn't turn of SR on you, did they?[15:59:09] <tabularasa> because that will also break it[15:59:11] <braynyac> I hope not![15:59:13] <braynyac> checking[16:00:01] <braynyac> set to default - which is allowed[16:00:14] <tabularasa> check storefront too[16:00:19] <tabularasa> or, it doesn't work internally...[16:00:35] <braynyac> and, SR is working internally[16:00:41] <braynyac> seeing connections on TCP 2598[16:00:50] * tabularasa nods[16:00:59] <tabularasa> what version are you on?[16:03:21] <braynyac> 7.15 base[16:03:23] <braynyac> 2008 R2[16:09:04] <tabularasa> i don't see any reason it shouldn't work...[16:09:37] <braynyac> yeah, same here[16:09:40] <braynyac> it's frustrating[16:09:57] <braynyac> and the same thing with the RDS licenses[16:22:05] *** tammy <tammy!~tammy@81.4.122.111> has joined #Citrix[16:22:56] <braynyac> Image automation FTW! Only a couple small problems this morning. Had to emergency roll a new PVS image to production that had been minimally tested.[16:24:10] <braynyac> tab: do I need UDP 443 on anything internal for EDT to work? I'm just doing LB SF on the NS internally...so I don't think so (and I didn't have it last week when it worked)[16:24:59] <tammy> I'm having an issue with citrix sessions in my 6.5 farm loading really slowly. Client stays stuck at "connection in progress" for sometimes up to 45 ish seconds. event logs in my PVS and management and DB servers aren't screaming anything obvious at me. Anyone got a suggestion where I should look next?[16:25:32] <braynyac> tammy: Web Interface or StoreFront?[16:25:50] <tammy> web interface[16:26:12] <braynyac> load balancing with Netscaler? CSG? CAG?[16:26:35] <braynyac> is it all sessions?[16:26:37] <tammy> no[16:27:11] <tammy> it's most sessions. a few times it will load quick, but I've not noticed a trend there yet[16:27:25] <tammy> I'd say less than 10% load normally[16:27:30] <braynyac> single WI box?[16:28:05] <braynyac> typically connection in progress is brokering from WI to server[16:28:19] <tammy> 2 WI boxes, that are behind a netscalar load ballancer[16:28:29] <braynyac> meaning the WI box(es) is having trouble[16:28:38] <tammy> my coworker tried storefront connections and they are loading slow as well[16:28:43] <braynyac> Can you disable 1 for testing? See if the problem persists?[16:28:45] <braynyac> hmmmm[16:29:04] <braynyac> What do your ZDCs say? Is one of those having problems?[16:29:36] <braynyac> how many zones? If more than 1, are they physically separated (i.e. does the request have to travel a long ways if it is in the wrong zone)?[16:30:19] <tammy> standby[16:32:40] <tammy> 1 zdc in that farm, It was under heavy load but we rebooted it and the issue presists. 1 zone, everything is in this physical building.[16:32:41] * Biny stands on one leg[16:32:45] <tammy> lol[16:32:54] <cs-bot> <benjamin.crill> there was a known issue with 2008R2 and it hanging at connection in progress. Was related to default profile as I recall[16:33:48] <tammy> zdc event logs didn't have anything obvious in them. a few DCOM errors for a server that's offline and another single xa server that is unrelated[16:35:07] <braynyac> Biny: now close your eyes, turn around three times (still on one leg) and sneeze[16:35:15] * Biny flips over[16:35:22] <tammy> benjamin.crill: this one? https://support.citrix.com/article/CTX212877[16:37:56] <cs-bot> <benjamin.crill> no, can't find it now but it basically had to do with profile management. If you turn off UPM or roaming profiles can users log right in?[16:39:01] <tammy> I don't know much about profiles, but I know that our 6.5 farm has it's own folder, XA65Profiles folder, that is beside the XA45Profiles folder. so I believe it's already seperated.[16:40:43] <cs-bot> <benjamin.crill> as I recall it had nothing to do with the share location, it was more how UPM was copying it local and dealing with conflicts. So if you turned off UPM and it just used a local profile all worked[16:43:58] <tammy> users can log in at the moment, it's just really slow to make a connection. just tested a dissconnected session and the same result of the client spending a long time on "connection in progress" happens[16:48:01] <tammy> I'm not sure we can just turn off UPM at the moment, it's kinda important.[16:53:38] <braynyac> Are you using anything like ControlUp in your environment?[16:54:01] <braynyac> Or, alternately, you can use the Guy Leech analyze logon duration script - one sec[16:54:16] <tammy> never heard of it, so I'm assuming we don't use that[16:55:08] <braynyac> Ok, check this out: https://www.citrix.com/blogs/2019/02/25/amplify-your-troubleshooting-capabilities-with-script-based-actions/[16:55:22] <tammy> I've stumbled across an trace application called CDFControl: https://support.citrix.com/article/CTX111961[16:55:24] <braynyac> does not require ControlUp. May help you find what you're looking for (queue song...)[16:55:31] <tammy> anyone know if that produces human readable output?[16:55:55] <braynyac> You will likely have to enable some auditing via GPO for the logon duration script to work correctly[16:58:51] <BobFrankly> jumbo packets for PVS, is there an "ideal" MTU?[16:59:39] <braynyac> I recall seeing an article on that several years ago...[17:00:45] <Olivier83> the standard is 9000[17:01:09] <Olivier83> but you want to know the exact packet size by adding the UDP headers etc?[17:02:11] <braynyac> from Citrix docs:[17:02:13] <braynyac> https://usercontent.irccloud-cdn.com/file/WZB6qFFA/image.png[17:02:25] <braynyac> So, looks like 8950?[17:02:25] <BobFrankly> no, I just want a number so I don't look like a complete idiot when I try to push my network admin[17:02:41] <braynyac> That's for PVS 1811[17:02:49] <braynyac> from here: https://docs.citrix.com/en-us/provisioning/current-release/configure/configure-server.html[17:03:23] <Olivier83> yes so that will be 9000 + UDP + Ethernet[17:04:31] <Olivier83> so that's 9216 in Cisco[17:05:28] <Olivier83> IPv6 is capable of a 32-bit "Jumbo Payload Length" size within a Hop-by-Hop option header. Therefore, IPv6 could support a ridiculous 4.2GB payload.[17:05:40] <Olivier83> :)[17:06:43] <BobFrankly> lol[17:06:53] <BobFrankly> I don't think my network admin would go for that[17:07:04] <braynyac> Boot PVS image from a single packet![17:08:43] <Olivier83> that's the future :)[17:10:23] <BobFrankly> you've never seen my PVS images[17:10:39] * BobFrankly waits for the 72GB packet[17:11:16] <BobFrankly> I wonder if that Windows 10 XA is better on system resources than server[17:14:45] <Olivier83> This would be surprising[17:21:54] <braynyac> is there any way to tell what switches were used during VDA silent install?[17:24:49] <BobFrankly> yes, watch the console during the install[17:24:55] * BobFrankly ducks[17:25:11] <braynyac> yeah, that's super helpful[17:25:26] * braynyac is now _really_ looking for the cluebat[17:25:35] <braynyac> lol[17:25:44] <cs-bot> <benjamin.crill> uninstall it and reinstall it? *joins Bob in ducking*[17:25:45] <BobFrankly> haha[17:26:03] <braynyac> with friends like you two, who needs enemies?[17:31:16] <tabularasa> braynyac: yes, you need UDP 443 open from outside for it to work, yes[17:31:32] <braynyac> Yeah, that I have. Just wondering about inside[17:31:57] <braynyac> this is stupid. It literally worked on Tuesday, and now it's not. Completely aggravating.[17:34:08] <tabularasa> yes. totally[17:34:25] <braynyac> Do you split your computer / user policies in Studio?[17:34:38] <braynyac> I know that used to be a problem...which has been resolved[17:35:07] <braynyac> Wondering if that may play into it[17:38:53] <tabularasa> not really, i have one big policy[17:40:10] <braynyac> Yeah, I'm just grasping at straws at this point.[17:40:24] <braynyac> I know the policy works, it disabled legacy mode, and I've verified that is working[17:44:39] <tabularasa> ticket time, buddy[17:49:01] <braynyac> blerg[17:50:03] <tammy> this analyze logon duration script is a pain in the butt, haha. but I got it to work. Things don't look like they take too long when I run it locally on the xenapp servers. I ran it on 2 servers that the application too a long time to load.[17:50:31] <tammy> times didn't take long, but 1 of the servers said that GP Scripts took -278.7 seconds. lolwat?[17:50:35] <tammy> https://gist.github.com/farmertammy/0f434b8f23840c1bcae2135093ec5f3c[17:51:50] <tabularasa> disabling logon scripts is almost the first place i go when troubleshooting stuff[17:51:50] <Biny> awww, tammy is a farmer.[17:52:00] <tammy> lol, I used to be, yes :)[17:52:09] <Biny> now she works on xenapp farms[17:52:12] <Biny> irony[17:52:14] <tammy> ha[17:52:31] <tammy> currently my application are loading about as fast as the corn grows[17:53:50] <tammy> my coworker things it might be related to the base image (pvs vdisk) as the problem seems to only occure for applications that are connecting to the servers using the general vdisk. our admin vdisk image is not affected.[17:55:11] <braynyac> I would start with what @tabularasa said above: disable logon scripts for test user[17:58:05] <tammy> I don't think that is going to help, It's stalling before it even gets to the presentation server. It seems to be slow in the initial connection from WI to the ZDC, before it even passes the connection off to the actual application server[17:59:47] <braynyac> methinks it might be time to build a new XA 7.15 LTSR environment, and just use SF =D[18:01:59] <tammy> we have a farm at that version already[18:02:06] <tammy> but these applications are not in it yet[18:02:39] <tammy> some application might never be in it due to the application being old and, you know how it goes[18:02:57] <tammy> fuck, we still have a 4.5 farm because stupid reasons :([18:03:53] <braynyac> so, let's start at the beginning: does this affect the same users each time? Or random users? How many backend servers? If it's random users, do they hit the same backend server? Can you recreate the problem with a test user?[18:05:47] <braynyac> Does the problem occur if you RDP directly to a server?[18:08:57] <tammy> seems to affect all users most of the time. My own admin account is affected. PVS says there are 17 servers running the vdisk that seems to be affected. I can re-create this issue with any user so I'm just using my own account to test[18:09:27] <braynyac> Ok. If you can recreate with admin account - what happens when you RDP with that account to an affected server?[18:09:31] <tabularasa> what braynyac said... RDP[18:10:07] <tammy> RDP connects in a normal amount of time[18:10:37] <braynyac> interesting[18:10:52] <tabularasa> that makes no sense[18:10:56] <tabularasa> with the login script enabled?[18:12:03] <tammy> I have not disabled it[18:12:26] <braynyac> definitely sounds like an issue with WI and ZDC, or load balancing[18:12:39] <braynyac> is this an app or desktop[18:12:40] <braynyac> ?[18:12:41] <tammy> so, interesting to note, the PVS image for these servers is hosted in our 7.15 farm PVS servers[18:12:46] <tabularasa> ZDC wouldn't come into play if it's already in the login cycle[18:12:59] <braynyac> Yeah, but it's not[18:13:05] <tabularasa> ah[18:13:11] <braynyac> it's that time between hitting the icon to connect, and actually starting the desktop[18:13:14] <tammy> app and desktop applications are affected[18:13:14] <tabularasa> then yes, likely ZDC problem[18:13:17] <braynyac> (from what I can tell)[18:13:25] <tabularasa> dedicate a ZDC with no users on it...[18:13:32] <braynyac> ^^^[18:13:33] <tabularasa> at least just to test[18:14:00] <braynyac> In our 6.5 farm, that's how we have it - both ZDCs are non-user systems. Only do ZDC work.[18:14:25] <tammy> so our ZDC does host some applictions for the farm, and i was under heavy load when we first started troubleshooting, but we logged them off and rebooted the ZDC and right after reboot the issue was still occurring[18:15:03] <tammy> so the ZDC wan't under load at that point in time[18:15:14] <tabularasa> did you validate it was still the ZDC? when you rebooted it, another system likely took the ZDC role[18:15:20] <tabularasa> which was likely still overloaded[18:15:51] <tammy> in the 6.5 farm there is 1 ZDC and 1 management servers. all 3 are not super busy looking[18:16:05] <tammy> like CPU is't throught the roof and memory is not full[18:16:56] <Biny> have you tried rebooting it? i dont believe it would disconnect any users; just prevent connections while it restarts[18:18:48] <tammy> how do I find who has won the ZDC election?[18:19:41] <braynyac> I think a qfarm will show you[18:20:07] <tammy> qfarm /zone days the datacollector is currently management2 server[18:20:11] <tammy> *says[18:20:18] <braynyac> just do qfarm[18:20:39] <tammy> the star is on management1[18:21:01] <braynyac> Is that the one that it should be?[18:21:24] <tammy> both management1 and zdc1 are marked as prefered[18:21:57] <tammy> management1 is not very busy, resource wise.[18:22:30] <tammy> management2 has a D after it's IP address, I'm unsure what that denotes[18:22:47] <braynyac> 2 is the current ZDC[18:23:02] <braynyac> same as what your qfarm /zone showed[18:23:24] <braynyac> we have ours pinned to the static ZDCs[18:23:42] <braynyac> crap, I forget how to do so[18:23:44] <braynyac> looking[18:23:59] <tammy> management2 is super busy looking either... 0-20% cpu load, under half of it's memory in use[18:24:06] <braynyac> Ah, set it to Most Preferred, and everything else to n/a[18:24:58] <tammy> oh snap, so m1 and zdc1 are prefered, and m2 is most prefered.[18:25:18] <tammy> so I guess it's right where it's set to be at least[18:27:37] <braynyac> Good to know =)[18:28:20] <braynyac> If you run qfarm /load, nothing jumps out?[18:28:27] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has quit IRC (Read error: Connection reset by peer)[18:29:47] <tammy> average numbers of 1400-1700 with load throttling at 5000 on 2/25ish machines.[18:30:02] <tabularasa> that's fine[18:30:11] <tammy> 2 servers set to prohibit, nothing special[18:30:39] <tammy> I have to jump on a call. I appreciate the help. I'll let you know when I get back to this[18:36:40] <braynyac> back to EDT...[18:36:59] <tabularasa> braynyac: do you have a testbox doing the same thing?[18:37:03] <tabularasa> is it all servers int he DG? or just one?[18:37:06] <braynyac> disable policy, gpupdate /force; enable policy, gpupdate /force, and *poof* it works again[18:37:18] <tabularasa> shit, i hate to say i've seen that.... :-/[18:37:19] <braynyac> Thank you Citrix[18:37:36] <tabularasa> you can also just switch that HDXoverUDP to 0 and back again. :-/[18:37:58] <braynyac> still having RDS licensing problems as well...that is more important, but the EDT thing was bothering me more[18:41:15] <Biny> EDT is tabularasa's fav.[18:41:30] <tabularasa> with my VDIs it was a nightmare. for XA, it's been fine[18:43:51] <braynyac> It was pretty straight forward to get up and running...[18:43:59] <braynyac> just odd that it suddenly stopped working one day[18:47:31] <braynyac> only problem with EDT for us is shaping it. It's hard to shape UDP...[18:49:04] <tabularasa> what do you mean?[18:50:08] <braynyac> We have some packetshapers in our DC to shape our traffic (small WAN pipes), and they won't do UDP by default - TCP only. So, we have to either do it by IP (horrible), or find another way to do so. Fortunately, we are moving to SD-WAN shortly, so should be able to get rid of the packetshapers.[18:50:25] <braynyac> although, I don't think we need EDT internally over SD-WAN (I think they discourage it, actually).[18:50:30] <braynyac> so, should be interesting[18:51:38] <tabularasa> thats... dumb...[18:51:46] <tabularasa> you can shape outbound, ANY traffic[18:52:01] <tabularasa> what kind of packetshaper?[18:52:19] <braynyac> BlueCoat / Packeteer (now Symantec)[18:52:35] <braynyac> yeah, they have plugins for UDP, but can't create our own custom[18:52:49] <braynyac> so there are _some_ for Citrix over UDP, but not the EDT stuff[18:54:00] <braynyac> so, we get dumped into the default bucket, along with all the garbage traffic. Right now, my ICA RTT is ~500 ms. It's still usable, though =)[18:54:12] <braynyac> if I was on TCP, and shaped, it is around 20ms[18:55:38] <tabularasa> heh[18:55:45] <tabularasa> god, what a POS, that sucks[18:55:53] <tabularasa> wish i could play with some sd-wan[18:55:58] <tabularasa> i like networky stuff[18:56:23] <braynyac> I do too...even though it frustrates the crap out of me[18:56:31] * braynyac eyes his Netscalers suspiciously[18:57:47] <tabularasa> heh[19:06:33] <Biny> braynyac: netstat shows 1494/2498 are both open for udp for me, but edt doesnt work at all :o[19:06:37] <Biny> i just kinda gave up[19:07:09] <tabularasa> weak[19:07:21] <Biny> if i had to guess; it's a netscaler firmware issue[19:07:34] <tabularasa> did you turn on DTLS on the vServer, then rebind the cert?[19:07:35] <Biny> our model wasn't DTLS capable until recently[19:08:11] <tabularasa> that's probably it then[19:08:16] <tabularasa> and some firewalll rules[19:10:07] <Biny> yeah dunno, i'm going directly to our internal only vserver, so no firewall[19:10:29] <tabularasa> odd.. newer receiver? what VDA? do you have SR enabled?[19:10:34] <Biny> NS12.1 50.28.nc[19:10:36] <tabularasa> do you have it turned on? :p[19:10:44] <Biny> this workstations runnig latest workspace version[19:10:52] <Biny> vda is 2016, running 1810[19:11:19] <Biny> it is a NSMPX-5900 which from release notes, just had gotten DTLS capabilities ~2ish months ago[19:11:29] <tabularasa> if it's not working internal, that's odd[19:11:42] <tabularasa> check for SR disabled[19:12:11] <braynyac> Biny: do you have the EDT policy enabled? Do what I did - disable it, push it out via gpupdate, then re-enable and gpupdate.[19:12:24] <Biny> https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-mpx-5900-8900-platforms.html[19:12:27] <braynyac> Also have to have a receiver that is 4.10+[19:12:28] <tabularasa> but his IS listening on UDP ports[19:12:33] <braynyac> right[19:12:44] <Biny> Limitations:[19:12:46] <Biny> DTLS is not supported.[19:12:48] <Biny> DH 512 cipher is not supported.[19:12:50] <Biny> SSLv3 protocol is not supported.[19:12:52] <braynyac> could be firewall - that's what mine was last time[19:12:52] <Biny> GnuTLS is not supported.[19:12:54] <Biny> neat[19:12:54] <braynyac> on the VDA[19:12:59] <Biny> > sh hardware[19:13:00] <Biny> Platform: NSMPX-5900 8*CPU+6*E1K+2*IX+1*E1K+1*COL 8925 30130[19:14:31] <Biny> ah i misread the release notes[19:14:36] <Biny> Support for DTLSv1.0 protocol on additional Citrix ADC MPX appliances[19:14:38] <Biny> DTLSv1.0 protocol is now supported on the following additional MPX appliances.[19:14:40] <Biny> Note: Enlightened Data Transport (EDT) is not supported on these platforms.[19:14:45] <Biny> dtls is supported, but not edt[19:14:49] <Biny> lol[19:15:02] <braynyac> that's dumb[19:25:51] <Biny> Transport Protocols: UDP -> CGP -> ICA[19:25:54] <Biny> if i bypass netscaler[19:27:35] <Biny> think i'll just not use netscaler's direct vserver for internal traffic[19:38:31] <tammy> and I'm back and I've learned more things about these 2 (7.15 and 6.5) citrix farms than I ever cared to know, lol[19:39:37] <tammy> so _some_ of the xenapp presentation servers use an image from the 7.15 pvs servers, and _some_ use the pvs 6.5 farm.[19:39:58] <tammy> the 6.5 farm servers seem to work and load correctly as far as we can tell in limited testing.[19:40:15] <tammy> so current plan is to do 1 of 2 things...[19:41:09] <tammy> ...import a fresh copy of the vdisk from the 6.5 farm into the 7.15 farm or move those xenapp vm's out of the 7.15 farm and into the 6.5 farm[19:42:15] <tammy> and with any luck, 1 of those sheds some light on the actual root cause[19:47:15] <tammy> what a disaster these environments are...[19:49:05] <tabularasa> and such is the world of IT[19:49:20] <tammy> dumpster_fire.gif[19:50:44] <tammy> you know you're a dork when you are excited to see your pvs vdisk version roll over from double to triple digits :)[19:51:04] <tabularasa> heh[20:01:25] <tammy> I have to create a new application to launch off a maintenance device so that the server can maintain changes through reboots because this users application isn't working right with their local scanner... Cows were so much easier than this...[20:04:08] <tabularasa> lolol!![20:18:04] <Biny> ceo helpdesk ticket..[20:18:11] <Biny> External EMail taking 4+ MINUTES TO LOAD!!! NOT ACCEPTABLE![20:19:30] <tabularasa> external email? what?[20:21:41] * Biny facepalm[20:21:54] <Biny> we have ATP safe attachments on, with it holding the mail till scanning completes (versus reattaching)[20:22:05] <Biny> an acocuntant sent him an email and he got mad it took 4 min to show up[20:22:24] <tabularasa> LOLOL[20:22:37] <tabularasa> email is NOT a real-time protocol[20:22:39] <tabularasa> i hate people[20:22:41] <Biny> demands we improve it because it's unacceptable to take that long[20:22:57] <Biny> and send out communication to the entire company explaining that theres an issue that we are working on fixing.[20:23:06] <Biny> i checked the headers on some recent emails that came in, taking ~4s[20:23:40] <tabularasa> i still don't know why you don't look for another job.[20:25:15] <uncon> um, also...[20:25:31] <uncon> email is horrible as a file sharing platform...[20:25:52] <uncon> literally probably one of the worst ways to share files[20:25:58] <tabularasa> that it is[20:26:10] <tabularasa> rfc 1149 is the most secure though..[20:26:32] <Biny> i'll be sure to suggest that we procure a fleet of birds[20:32:58] <|Atum|> hi ho hi ho[20:32:59] <|Atum|> good morning :p[20:33:09] <|Atum|> [03:28:54] Biny |Atum| can pop in here now and say 'g'evenin m8' since he wont be here in the morning anymore! <-- ITS FRIDAYYYYYYYYY[20:33:09] <Biny> good AFTERNOON[20:33:16] <|Atum|> suckerssssssssss :p[20:36:28] <tabularasa> hahaha, nice[20:37:59] <braynyac> so |Atum| - you and MasterXen carpooling to Synergy this year? =D[20:39:07] <cs-bot> <masterxen> he's just gotten out of the US, not sure they'll let him back in now[20:39:15] <braynyac> lol[20:39:26] <cs-bot> <masterxen> we can have Synergy down here maybe, just the two of us[20:40:17] <braynyac> ummmmm....[20:40:27] * braynyac tries to gauge his eyes out[20:41:00] <braynyac> hmmm...gauge? gouge? spelling nerds?[20:41:07] <cs-bot> <masterxen> not sure we can be seen together either, we work for rival companies :slightly_smiling_face:[20:42:03] <Biny> gouge.[20:45:03] <braynyac> Still fighting this stupid RDS licensing problem. I think there must be something wrong with my licensing server[20:45:49] <braynyac> even though users are checking out licenses, the RDS boxes refuse to admit that everything is OK[20:47:42] <braynyac> That time when a vendor changed their registry setting FOR THEIR MOST IMPORTANT KEY from REG_SZ to REG_MULTI_SZ, and FORGOT TO UPDATE THE ADMX. ggggggrrrrrrr[20:47:49] <braynyac> it's been quite the crappy week over here[20:48:25] <braynyac> Hey Tab - looking for a good voice engineer, if you want to do network(y) things XD[21:03:21] <|Atum|> we can make it if we try[21:03:23] <|Atum|> *sings*[21:06:09] *** Lucasje <Lucasje!uid24226@gateway/web/irccloud.com/x-hjpnuydefscjmaqv> has quit IRC (Quit: Connection closed for inactivity)[21:21:38] <tammy> today in quotes from my coworkers: "Well it hasn't changed into a red X yet"[21:23:21] <tammy> today in quotes from Mr Vendor: "Can you Disable Data Execution Prevention on those servers? It's not really needed."[21:23:28] <tammy> I told him his software is not really needed[21:29:16] <cs-bot> <benjamin.crill> BOOM![21:38:58] <Biny> registered for .NEXT, woo i guess![21:41:47] <tabularasa> pinch alba's butt for me. squirt[21:41:52] <Biny> lol[21:42:01] <Biny> instructions unclear; pinched mark hamill[21:42:31] <tabularasa> i'd be ok with that too[21:42:34] <tabularasa> hahaha[21:42:38] <Biny> CDW sent me a registration code for the conference, which they say includes hotel. The main page says it includes hotel ,but then when searching for hotel it prompts you to select a hotel, and what the nightly rate is.[21:42:51] <tammy> tried to google .next got java query .nextint instead[21:42:57] <Biny> lol[21:42:59] <tammy> what is .next?[21:43:09] <Biny> Nutanix conference[21:43:15] <Biny> https://www.nutanix.com/next/[21:43:56] <tammy> why is Mike's face twice as big as everyone else?[21:45:16] <Biny> HES HUGE![21:46:25] <cs-bot> <kbaggerman> See you there Biny :)[21:46:47] <Biny> our 8500's? or 8800's come tomorrow[21:47:49] <Biny> tabularasa: rfc5841 is friendlier than avian carriers.[21:48:34] <tammy> lololololol[21:48:44] <tammy> more today in quotes from my coworkers: "Can clouds catch on fire?" *proceeds to google it* "Oh, right, they are made of water."[21:50:02] <tabularasa> packet mood... lol[22:09:52] <uncon> tabularasa: rfc5841 seems useful... instead of firewalls and IPS / IDS, you could simply block packets that are "evil"[22:19:15] *** hardlock <hardlock!~hl@81.6.37.6> has quit IRC (Ping timeout: 257 seconds)[22:20:47] *** kahnibus <kahnibus!~Alex@129.3.29.171> has quit IRC (Quit: Leaving)[22:24:43] <braynyac> but if you want to sneak by, just say you're bored! the outer layer of the network will let you pass, as it doesn't care. hahahaha[22:26:01] <Biny> 0/buffer 12[22:26:41] <|Atum|> thats right up there with being surprised a flame doesn't cast a shadow....[22:30:29] <braynyac> Biny is pasting his passwords again! =)[22:31:16] <uncon> nah, i changed it for him[22:31:24] <|Atum|> mm[22:31:30] <Biny> lol[22:31:31] <|Atum|> uncon...[22:31:42] <uncon> |Atum|...[22:31:47] <Biny> |Kiwi|[22:31:50] <|Atum|> sorry for a basic question, but my lab is brutalizing my HDD due to lack of memory atm[22:31:53] <|Atum|> but...[22:32:20] <|Atum|> Suppose i have 3 security groups, A, B, C. I create RDP profile. if I don't specify an RDP server in the profile they can just go anywhere, right? and if I do specify an address, only to that one address?[22:32:24] <|Atum|> (RDP proxy)[22:33:06] <|Atum|> As configured from docs in lab i could get into cvpn and just type in whatever address as a bookmark and they could get to anything that had open RDP. Im trying to boot it to test it on my own, but you're awake and here and oh so helpful :D[22:33:06] *** hardlock <hardlock!~hl@81.6.37.6> has joined #Citrix[22:36:31] <uncon> |Atum|: i thought that just enforced a specific client profile if the rdp listener matched...[22:37:07] <uncon> enforcing security groups might get interesting[22:37:22] <|Atum|> let me rephrase[22:37:38] <|Atum|> Scenario customer wants: I log into NS as membe r of group A, I want group A only to be able to RDP to (1 or more resources)[22:37:46] <|Atum|> not arbitrary 3389 across the network[22:37:49] <uncon> uhhuh[22:38:11] <|Atum|> atm the current thought was firewall inbetween, but there was huge pushback against that instead wanting to try to push the security layer to the netscaler[22:38:19] <uncon> uh, yeah[22:38:35] <uncon> simple responder pol on the NS[22:39:05] <|Atum|> go on?[22:39:06] <uncon> you can evaluate the users's group membership(s) and the remote IP (via URL)[22:39:18] <uncon> i have a customer doing this[22:39:44] <uncon> it's also possible to use an http callout to keep access lists off the NS itself[22:41:17] <|Atum|> so, where is the user/group exposed? http.req.user.groups?[22:41:31] <|Atum|> thats not http auth but will represent nsgw auth or something else?[22:42:15] <|Atum|> I imagine I could do like a dataset, key groupname value ip, drop anything not in dataset?[22:42:20] <uncon> http doesn't have users/groups (:[22:42:34] <|Atum|> wut? Im looking in the expression editor[22:42:36] <|Atum|> :|[22:42:44] <uncon> (yes, that is aaa groups)[22:42:50] <Biny> :| that was your expression.[22:42:59] <uncon> "thats not http auth"[22:43:07] <uncon> right, because that's not a thing[22:43:48] <uncon> Biny: heh, yeah... he just needs to pull up the sides of his mouth so that it's smile... using the expression editor[22:43:52] <|Atum|> Now I'm just really confused at what you're getting at, NSGW would in fact be AAA?[22:44:01] <uncon> dude, wut!?[22:44:10] <uncon> you use aaa as a part of Gateway[22:44:14] <uncon> rrrrrrrrrright?[22:44:38] <Biny> triple a probably doesnt exist over in new zealand.[22:45:05] <|Atum|> AAA happens as part of gateway, yes. Hence why I asked about http.req.user (which returns Returns aaa_user_t - Represents the AAA User Information.)[22:45:19] <uncon> you're right[22:46:03] <|Atum|> But you said "uncon http doesn't have users/groups (:" -- Which I understood you responding as "http expressions on the netscaler do not have users/groups"[22:47:01] <uncon> you misunderstood me... i was commenting on your "thats not http auth" - this is accurate since http (the protocol) has no auth[22:47:22] <|Atum|> oh :D[22:47:41] <uncon> "you misunderstood me" is kinda like "i'm sorry for not being more clear"[22:47:52] <uncon> but, the former makes me seem more right[22:48:02] <|Atum|> Sorry, I suffer from severe engrish sometimes[22:48:11] <uncon> haha[22:48:20] <uncon> not nearly as bad as half the folks i work with[22:48:21] <Biny> *serere[22:50:29] <|Atum|> Well, in any event, I think you're understanding what I'm looking to do - if you have an example I coould see (or give me some pseudocode expression quickly to set me on the path) that would be lovely. As always I appreciate the help.[22:50:41] <|Atum|> Since you have customers doing this :D[22:59:34] <uncon> |Atum|: "HTTP.REQ.USER.IS_MEMBER_OF(\"myGroup\") && HTTP.REQ.URL.PATH.WTFEVER()"[23:04:03] <uncon> then you respond with a redirect to nope.html or something[23:06:49] <|Atum|> Ok I'm familiar with doing that, but the question was more on the path as it relates to RDP / rdp proxy. its via CVPN and all that...[23:09:14] <uncon> your URL.PATH will be your rdp URL[23:10:27] <uncon> |Atum|: "[with CVPN,] they could get to anything that had open RDP."[23:11:06] <uncon> that's correct. so, you restrict it in CVPN[23:14:27] <|Atum|> Ok, so I'll lookfor option to do that. I havent done much CVPN other than turning it on before :p[23:14:29] <|Atum|> Thanks[23:21:43] <|Atum|> so... "https://<VPN-VIP>/rdpproxy/<TargetIP:Port>/<ListenerIP:Port>" is the URL in the portal, so theoretically something like "HTTP.REQ.USER.IS_MEMBER_OF("contractor1") && HTTP.REQ.URL.PATH.CONTAINS_ANY("contractor1_allowedRDPServers").NOT -> DROP would work[23:21:46] <|Atum|> trying this now[23:31:16] <|Atum|> Apparently not :\[23:32:22] <|Atum|> ...idiot, i didnt bind it xD[23:34:11] <|Atum|> ...yeah thats not going to work :o[23:41:58] <BobFrankly> \o/[23:50:59] <|Atum|> *scratches head*[23:51:09] <|Atum|> bound policy "HTTP.REQ.URL.PATH.CONTAINS("/rdpproxy/") " -> Drop...[23:51:15] <|Atum|> doesnt hit at all[23:51:21] <|Atum|> that doesnt match the rdp proxy documentation at all :\[23:52:38] <|Atum|> hell even manually putting in https://nsgw/rdpproxy/ip doesnt hit it wtf[23:55:30] <BobFrankly> try setting the priority lower?[23:55:40] <BobFrankly> I ran into that dealing with my OWA load-balancer[23:56:20] <BobFrankly> should have hit my policy, didnt, couldn't find anything lower even with tracing, but when I set the priority lower, it started working[23:57:25] <|Atum|> at priority 1 it doesnt hit[23:57:40] <BobFrankly> wow[23:57:49] <|Atum|> lol changed it toTRUE and it doesnt hit[23:57:52] <|Atum|> i must be losing my mind[23:58:14] <BobFrankly> case sensitivty in the path?[23:58:28] <|Atum|> I set the policy to simpyl "true"->drop[23:58:33] <BobFrankly> oh[23:58:46] <BobFrankly> so not the "contains" part anymore[23:59:00] <|Atum|> its gotta be caching[23:59:07] <|Atum|> new incognito window and it is dropping now[23:59:13] <BobFrankly> is this context filtering?[23:59:15] * |Atum| unbinds the builtin caching crap