1

Under macOS version 10.15.3, the extensions used by Citrix Netscaler Gateway could be allowed in the Security settings under System Preferences, as suggested in this serverfault answer.

However, macOS 10.15.4 does not offer such a possibility, making the latest version of Netscaler Gateway not work.

This can be seen in the log files. Specifically, in /var/log/cagplugin_install.log I can see this:

2020-04-02 16:10:00 Install: Starting up Citrix Access Gateway client services.
/Library/Extensions/CitrixDNERegistry.kext failed to load - (libkern/kext) system policy prevents loading; check the system/kernel logs for errors or try kextutil(8).
2020-04-02 16:10:00 Install: /bin/launchctl load  /Library/LaunchDaemons/com.citrix.daemon.dneregsvr.plist
2020-04-02 16:10:00 Install: Started dneregsvr.
/Library/Extensions/CitrixDNE.kext failed to load - (libkern/kext) system policy prevents loading; check the system/kernel logs for errors or try kextutil(8).
/Library/Extensions/CitrixSSLVpn.kext failed to load - (libkern/kext) system policy prevents loading; check the system/kernel logs for errors or try kextutil(8).

Also, in /var/log/cagplugin.log I can see this:

{03-04-20:16h56m37s}:4084:{WARNING}:{AGAS/AGKEXTInterface:-[AGKEXTInterface createCtlSocket] ioctl(to com.citrix.kernel.sslvpn.control) failed with error 2.}:
{03-04-20:16h56m37s}:4084:{WARNING}:{AGAS/AGKEXTInterface:-[AGKEXTInterface createIoctlSocket] ioctl(ioctl_info.com.citrix.kernel.sslvpn) failed with error 2.}:
{03-04-20:16h56m37s}:4084:{WARNING}:{AGAS/Failed to initialize sslvpnPlugin}:
{03-04-20:16h56m37s}:4084:{INFO}:{AGAS/Packet Filter Service Ready.}:
{03-04-20:16h56m37s}:4084:{INFO}:{AGAS/AGKEXTInterface:-[AGKEXTInterface sendIoctl:withData:] No IOCTL socket yet.}:

The result is that the connection is apparently successful, but then no communication takes place (zero bytes sent and zero bytes received, as seen in the Netscaler Gateway status window).

I tested with Citrix Netscaler Gateway 4.4.4 and 4.4.8, with the same results.

Is there any way to make it work?

noe
  • 113
  • 9
  • 0 Same problem on my ARM-based M1 Mac. It seems that the system extensions are not available for ARM. – Jarzka Jun 10 '21 at 12:02

2 Answers2

3

I had the same issue and contacted Citrix support, and they advised to use the Citrix SSO app for MacOS instead. It must be downloaded from the MacOS app store. So far it seems to be working OK for me. Hope that helps! David

DMC
  • 46
  • 1
  • In my case, my company uses [Okta](https://www.okta.com/) for SSO and Citrix SSO does not launch when the Okta portal tries to open the VPN. Before uninstalling it, the old netscaler plugin was launched by the Okta portal, but Citrix SSO is not. – noe Apr 14 '20 at 14:32
  • works like a charm!! Follows my OS info: `$ uname -a Darwin mesonb.local 20.5.0 Darwin Kernel Version 20.5.0: Sat May 8 05:10:31 PDT 2021; root:xnu-7195.121.3~9/RELEASE_ARM64_T8101 arm64 ` thank you very much – Paulo Henrique Lellis Gonalves Sep 03 '21 at 14:36
0

I had same issue in MacOS Catalina 10.15.6 and with the Citrix Gateway 4.4.8 (518). The solution was uninstall all Citrix Applications I had (with Finder, moving each one to Trash). Then, I've installed last version available of Citrix Gateway 4.4.8. You must see in Settings icon, inside Security & Privacy icon, to allow the changes performed by Citrix app. After that it requires restart the Mac. Finally, in my case I can't connect by first time using the Citrix Gateway app (maybe you can) but I've login using my company web access, then the App has detect this login and the VPN access is working! by browsers or by CLI. Now, from 2nd time and another, I can login directly from App pushing "Connect". Good luck!

Sebastian Diaz
  • 1
  • 1