If the SSL feature does not work as expected after you have configured it, you can use some common tools to access Citrix ADC resources and diagnose the problem.
Resources for troubleshooting
For best results, use the following resources to troubleshoot an SSL issue on a Citrix ADC appliance:
- The relevant ns.log file
- The latest ns.conf file
- The messages file
- The relevant newnslog file
- Trace files
- A copy of the certificate files, if possible
- A copy of the key file, if possible
- The error message, if any
In addition to the above resources, you can use the Wireshark application customized for the Citrix ADC trace files to expedite troubleshooting.
Troubleshooting SSL issues
To troubleshoot an SSL issue, proceed as follows:
- Verify that the Citrix ADC appliance is licensed for SSL Offloading and load balancing.
- Verify that SSL Offloading and load balancing features are enabled on the appliance.
- Verify that the status of the SSL virtual server is not displayed as DOWN.
- Verify that the status of the service bound to the virtual server is not displayed as DOWN.
- Verify that a valid certificate is bound to the virtual server.
- Verify that the service is using an appropriate port, preferably port 443.
Decrypting TLS1.3 traffic from packet trace
To troubleshoot protocols that run over TLS1.3, you must first decrypt the TLS1.3 traffic. To decrypt TLS 1.3 in Wireshark, the secrets must be exported in the NSS key log format. For more information about the key log format, see NSS Key Log Format.
For information about how to capture a packet trace, see Capturing SSL Session Keys During a Trace.
Note: Citrix ADC automatically logs each connection’s secrets in the appropriate format for the TLS/SSL protocol version in use.