2

I'm working at a site that asks me to connect to certain in-house systems via Citrix AppGate over public internet.

Sometimes it happens that I get disconnected from the session and when I try to reconnect I get this message: Citrix AppGate

I'm on the same device all the time.

When I call the internal help desk the answer is to wait. "Just wait 10-15 minutes and you'll be able to connect back to your original session." This is actually true, but I do not have time to wait 10-15 minutes every time this happens.

Question: What is it in Citrix AppGate that makes it confused so that I cannot re-connect initially? Why does it help to wait 10-15 minutes? How does it decide that this is an attempt for a new session, rather than an attempt for a re-connect to an existing session?

(Side note: everybody here seems to accept that this is just the way software works, but I for one really doubt that Citrix deliberately designs software this poorly. I'm very frustrated :-))

peterh

2 Answers

1

I can explain why you get in after 10-15 minutes:

  • Your IP address is fixed when the session starts.

  • After you have dropped, the session sets your IP as invalid and doesn't allow you to connect to this session for the next 15 minutes.

About Citrix, I dunno how you can fix it; changing IP probably might help.

Net Runner
  • 1
    "New session timeout probably run in 15 minutes so you are welcome." Don't understand: after 15 minutes it lets me reconnect to the *existing* session, so this is not a *new* session. Something in your wording seems strange. – peterh Jan 11 '17 at 09:36
0

Internal session state not updating

Note: I have no solution to this problem. So this might not be exactly helpful to you but here's the technical background, as far as I understand it:


This sounds like a problem I've had in the past.

If session reconnect does not work then the server tries to start a new terminal server session. And you're usually not allowed to start more than one. (This is usually manually configured by the admin.) So you get that popup. (And I don't know of a way to tell my client to FORCE reconnect. You just tell your client to "connect" and then some backend logic, that I do not understand, decides if you wind up with a reconnected or a new session.)

Now why does reconnect not work?

There are 2 states for a Terminal server session: "active" and "disconnected". (See screenshot.)

And my Citrix installation would not allow reconnect to active sessions. Reconnect to disconnected sessions worked fine.

Now NORMALLY the terminal server SHOULD detect a session interruption and change session state from "active" to "disconnected" automatically. It's just that it did not do this in my case.

Also NORMALLY reconnect-to-active-sessions SHOULD work just as well as reconnect-to-disconnected-sessions. But didn't.

Now there are some stupid workarounds that I know of:

  • Wait until the server finally notices on its own. And places the session in "disconnected state".
  • Call an admin. Have them start task manager and make them do right click and then "disconnect" on your username. (Note that this will NOT actually end your session. Just place it in the "no screen or keyboard are currently attached to that session" state.)
  • Configure terminal server ICA protocol options to have an "idle timeout" of 15 minutes or so. And then select "disconnect" as the idle timeout action. (So basically: when somebody does not move their mouse for 15 minutes, this applies.) (You can do the same for Microsoft RDP. There the GPO setting is called Set time limit for active but idle Terminal Services sessions.)

The result of each of these workarounds is the same: session state changes from "active" to "disconnected". And a reconnect-to-disconnected-session USUALLY works.


If anyone finds out how to fix this, then I'd love to know.


Further info: CAG and SR.

But there's many moving parts and I don't understand them all. For example it gets more difficult if you introduce a Citrix-Access-Gateway (CAG) Encryption/Loadbalancing-Gateway into the mix and if you introduce "Citrix Session Reliability" (SR) into the mix.

CAG: I think there might be an issue where the frontend connection from the user to the CAG is gone but the backend connection from the CAG to the terminal server is still considered good.

SR: And with SR the Terminal server basically accepts a connection on port 2598 and then talks TO ITSELF on port 1498. So even if the client connection to 2598 is gone, then the internal connection (from localhost) to 1494 will still be considered good. Now it SHOULD notice at some point, but I don't know when.

Further info: Citrix blog

Here's an official Citrix blog post that goes into the backend configuration and lists the Citrix Terminology:

StackzOfZtuff
  • Good explanation. But this points to a serious flaw in the ping mechanism between the client and the server. There's really no excuse that a broken network connection shouldn't be detected in something like 30 secs or less ... assuming the two parties actually do exchange some kind of ping. And if the case is as you describe then the error message text from Citrix could use a review by an adult. And Citrix could let me choose if I wanted to reconnect to that session ...even if at that point the server believes that it is still connected to a client. – peterh Jan 11 '17 at 11:45
  • @peterh: I agree. Very frustrating. See longer answer above in new *Additional info* section. – StackzOfZtuff Jan 11 '17 at 11:57
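
The reconnect behaviour described in the second answer, as a small Python model added here for illustration (it is not part of the original answers and not Citrix's actual logic). The class and method names, the 900-second detection timeout and the one-session-per-user limit are assumptions taken from the answer's description.

```python
from dataclasses import dataclass

ACTIVE, DISCONNECTED = "active", "disconnected"

@dataclass
class Session:
    state: str
    last_seen: float  # last time the server heard from the client (seconds)

class TerminalServer:
    """Toy model of the answer's description; not Citrix's real logic."""

    def __init__(self, dead_peer_timeout=900.0):
        # Assumption: the server needs about 15 minutes to notice a dead client.
        self.dead_peer_timeout = dead_peer_timeout
        self.sessions = {}  # user -> Session, at most one per user

    def client_traffic(self, user, now):
        self.sessions[user].last_seen = now

    def tick(self, now):
        # Server-side detection: a silent "active" session is eventually
        # flipped to "disconnected".
        for s in self.sessions.values():
            if s.state == ACTIVE and now - s.last_seen >= self.dead_peer_timeout:
                s.state = DISCONNECTED

    def admin_disconnect(self, user):
        # "Call an admin" workaround: detach the client, keep the session.
        self.sessions[user].state = DISCONNECTED

    def connect(self, user, now):
        self.tick(now)
        s = self.sessions.get(user)
        if s is None:
            self.sessions[user] = Session(ACTIVE, now)
            return "new session"
        if s.state == DISCONNECTED:
            s.state, s.last_seen = ACTIVE, now
            return "reconnected"
        # Still believed active: no reconnect, and a second session is refused.
        return "denied: session limit"

def replay():
    # Constructed timeline: the link drops at t=100 without the server noticing.
    srv = TerminalServer()
    out = [srv.connect("user1", 0)]
    srv.client_traffic("user1", 100)        # last packet before the drop
    out.append(srv.connect("user1", 160))   # one minute later: still "active"
    out.append(srv.connect("user1", 1000))  # 900 s after the last packet
    return out
```

Lowering `dead_peer_timeout` in the model shortens the window in which the reconnect is refused, which corresponds to the idle-timeout workaround in the answer.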