Troubleshooting Access Gateway Policies
An Access Gateway has many moving parts, which makes it difficult to troubleshoot because it is hard to see what’s happening.
Which policies are evaluated? What is succeeding and what’s failing?
Fortunately, if you’re not afraid of the command line, there’s a little trick to help:
- Log on to the NetScaler with an SSH client
- At the NetScaler CLI, enter the shell command to change to the BSD shell
- Run nsconmsg -d current -g pol_hits
The NetScaler logs connections to newnslog (located in /var/nslog). The nsconmsg command is used to redirect connection messages to the screen in real-time.
The -d current option tells the command to only output current logs to the screen. The -g option is a pattern matcher like grep, which looks for lines containing pol_hits (any policy hits).
If you try logging on to an Access Gateway now, you will see the policies that are being evaluated.
An example of this is here:
    root@NetScaler01# nsconmsg -d current -g pol_hits
    Displaying performance information
    NetScaler V20 Performance Data
    NetScaler NS11.1: Build 54.14.nc, Date: Jun 7 2017, 19:58:26

    reltime:mili second between two records Tue Aug 29 13:13:12 2017
    Index   rtime totalcount-val   delta rate/sec symbol-name&device-no
        0   14001             50       5        0 pol_hits Policy(Pol-LDAP-AD001)
        1       0             61       6        0 pol_hits Policy(Pol-LDAP-AD002)
        2       0             50       5        0 pol_hits Policy(Pol-LDAP-AD003)
        3       0             50       5        0 pol_hits Policy(Pol-LDAP-AD004)
        4       0              7       1        0 pol_hits Policy(SETVPNPARAMS_POL)
        5       0              6       1        0 pol_hits Policy(Policy-WB)
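When a logon attempt produces many records, it helps to reduce the output to one line per policy. The shell function below is an added example, not part of the original article and not a Citrix tool; pol_hits_summary and sample_output are hypothetical names, and the column layout is assumed from the sample output above.

```shell
#!/bin/sh
# Added example: summarise nsconmsg pol_hits records read from stdin.
# Assumed column layout, taken from the sample output in this article:
#   Index rtime totalcount-val delta rate/sec pol_hits Policy(<name>)

# pol_hits_summary [MIN_DELTA]  (hypothetical helper, not a NetScaler command)
# Prints "<policy> total=<n> delta=<n>" for policies whose summed delta is
# at least MIN_DELTA (default 1), i.e. policies hit while output was captured.
pol_hits_summary() {
    awk -v min="${1:-1}" '
        # Counter rows only: numeric index and the pol_hits symbol name.
        $1 ~ /^[0-9]+$/ && $6 == "pol_hits" {
            name = $0
            sub(/^.*pol_hits[ \t]+Policy\(/, "", name)   # strip the prefix
            sub(/\)[ \t]*$/, "", name)                   # strip closing ")"
            total[name] = $3      # running counter: keep the latest value
            delta[name] += $4     # assumption: delta is per record, so sum
        }
        END {
            for (n in total)
                if (delta[n] >= min)
                    printf "%s total=%d delta=%d\n", n, total[n], delta[n]
        }
    ' | LC_ALL=C sort
}

# Constructed sample: the output shown above, one record per line.
sample_output() {
    cat <<'EOF'
Displaying performance information
NetScaler V20 Performance Data
NetScaler NS11.1: Build 54.14.nc, Date: Jun 7 2017, 19:58:26
reltime:mili second between two records Tue Aug 29 13:13:12 2017
Index rtime totalcount-val delta rate/sec symbol-name&device-no
0 14001 50 5 0 pol_hits Policy(Pol-LDAP-AD001)
1 0 61 6 0 pol_hits Policy(Pol-LDAP-AD002)
2 0 50 5 0 pol_hits Policy(Pol-LDAP-AD003)
3 0 50 5 0 pol_hits Policy(Pol-LDAP-AD004)
4 0 7 1 0 pol_hits Policy(SETVPNPARAMS_POL)
5 0 6 1 0 pol_hits Policy(Policy-WB)
EOF
}

# With saved nsconmsg output: pol_hits_summary < saved-output.txt
sample_output | pol_hits_summary
```

A policy you expected to apply but that is missing from the summary was not hit during the capture, which usually points at its expression or its binding.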