NetScaler Console service

Troubleshoot Gateway Insight issues

If the Gateway Insight solution is not functioning as expected, the issue might be with one of the following. Refer to the checklists in the respective sections for troubleshooting.

  • Gateway Insight configuration.
  • Connectivity issue between NetScaler and NetScaler Console.
  • Record generation in NetScaler.
  • Validations in NetScaler Console.

Gateway Insight configuration checklist

  • Make sure that the AppFlow feature is enabled in NetScaler. For details, see Enabling AppFlow.

  • Check the Gateway Insight configuration in the NetScaler running configuration.

    Run the show running | grep -i <appflow_policy> command to check the Gateway Insight configuration. Make sure that the bind type is REQUEST. For example:

    bind vpn vserver afsanity -policy afp -priority 100 -type REQUEST

  • For a single-hop, Access Gateway, or Unified Gateway deployment, make sure that the Gateway Insight AppFlow policy is bound to the VPN virtual server through which the VPN traffic flows. For details, see Enabling HDX Insight data collection.
  • Check the appflowlog parameter on the NetScaler Gateway/VPN virtual server. For details, see Enabling AppFlow for Virtual Servers.
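
The bind-type check above can be run over a saved copy of the running configuration. The following is an added example, not part of the Citrix documentation: the function names check_gi_bind and sample_config and the sample configuration are constructed for illustration, with ICA_REQUEST standing in for a bind type other than REQUEST.

```shell
#!/bin/sh
# Added example: audit Gateway Insight AppFlow policy bindings in a saved
# running configuration. Usage: check_gi_bind <policy_name> < running.conf
# Exit status: 0 = every binding of the policy uses -type REQUEST,
#              1 = a binding uses another type or has no -type,
#              2 = the policy is not bound to any VPN virtual server.
check_gi_bind() {
    awk -v pol="$1" '
    tolower($1) == "bind" && tolower($2) == "vpn" && tolower($3) == "vserver" {
        name = ""; policy = ""; type = "(none)"; inopts = 0
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^-/) {
                # Assumption: every option on the bind line takes one value.
                inopts = 1
                opt = tolower($i)
                if (opt == "-policy") policy = $(i + 1)
                if (opt == "-type")   type = $(i + 1)
                i++
            } else if (!inopts) {
                # Virtual server names containing spaces are quoted and
                # span several fields; join them back together.
                name = (name == "" ? $i : name " " $i)
            }
        }
        gsub(/"/, "", name); gsub(/"/, "", policy)
        if (policy != pol) next
        found = 1
        if (toupper(type) == "REQUEST") print "OK   " name
        else { bad = 1; print "BAD  " name " type=" type }
    }
    END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample configuration (not captured from a real appliance).
sample_config() {
    cat <<'EOF'
add appflow policy afp true afact
bind vpn vserver afsanity -policy afp -priority 100 -type REQUEST
bind vpn vserver "ug west" -policy afp -priority 110 -type ICA_REQUEST
bind vpn vserver afsanity -policy sess_pol -priority 10
EOF
}

sample_config | check_gi_bind afp || echo "exit status: $?"
```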

Connectivity between NetScaler and NetScaler Console checklist

  • Check the AppFlow collector status in NetScaler. For details, see How to check the status of connectivity between NetScaler and AppFlow Collector.
  • Check the Gateway Insight AppFlow policy hits.

    Run the command show appflow policy <policy_name> to check the AppFlow policy hits.

    You can also navigate to System > AppFlow > Policies in the GUI to check the AppFlow policy hits.

  • Verify that no firewall is blocking AppFlow ports 4739 or 5557.

Record generation in NetScaler checklist

  • Run the nsconmsg -d stats -g ai_tot command and check that the stats increment in NetScaler.
  • Capture nstrace logs and check for CFLOW packets to confirm that NetScaler exports AppFlow records.

Validations in NetScaler Console

  • Run the tail -f /var/mps/log/mps_afdecoder.log | grep -i "Data Record: vpn_" command and check the logs to confirm that NetScaler Console is receiving AppFlow records.
  • Make sure that the NetScaler instance is added to NetScaler Console.
  • Make sure that the NetScaler Gateway/VPN virtual server is licensed in NetScaler Console.

Gateway Insight stats

The following Gateway Insight stats are available.

  • ai_tot_preauth_epa_export
  • ai_tot_auth_export
  • ai_tot_auth_session_id_update_export
  • ai_tot_postauth_epa_export
  • ai_tot_vpn_update_export
  • ai_tot_ica_fileinfo_export
  • ai_tot_app_launch_failure
  • ai_tot_logout_export
  • ai_tot_skip_appflow_export
  • ai_tot_sso_appflow_export
  • ai_tot_authz_appflow_export
  • ai_tot_appflow_pol_eval_failure
  • ai_tot_vpn_export_state_mismatch
  • ai_tot_appflow_disabled

Contact Citrix technical support

For a speedy resolution, make sure that you have the following information before contacting Citrix technical support:

  • Details of the deployment and network topology.
  • NetScaler and NetScaler Console versions.
  • Tech support bundle for NetScaler and NetScaler Console.
  • nstrace capture during the issue.

Known Issues

Refer to the NetScaler release notes for known issues with Gateway Insight.
