Application Delivery Management

Troubleshoot Gateway Insight issues

If the Gateway Insight solution is not functioning as expected, the issue might be with one of the following. Refer to the checklists in the respective sections for troubleshooting.

  • Gateway Insight configuration.
  • Connectivity issue between Citrix ADC and Citrix ADM.
  • Record generation in Citrix ADC.
  • Validations in Citrix ADM.

Gateway Insight configuration checklist

  • Make sure that the AppFlow feature is enabled in Citrix ADC. For details, see Enabling AppFlow.

  • Check Gateway Insight configuration in the Citrix ADC running configuration.

    Execute the show running | grep -i <appflow_policy> command to check the Gateway Insight configuration. Make sure that the bind type is REQUEST. For example;

    bind vpn vserver afsanity -policy afp -priority 100 -type REQUEST

  • For single-hop, Access Gateway, or Unified Gateway deployment, make sure that Gateway Insight AppFlow policy is bound to the VPN virtual server, where VPN traffic is flowing. For details, see Enabling HDX Insight data collection.
  • Check “appflowlog” parameter in Citrix Gateway/VPN virtual server. For details, see Enabling AppFlow for Virtual Servers.

Connectivity between Citrix ADC and Citrix ADM checklist

  • Check AppFlow collector status in Citrix ADC. For details, see How to check the status of connectivity between Citrix ADC and AppFlow Collector.
  • Check Gateway Insight AppFlow policy hits.

    Execute the command show appflow policy <policy_name> to check the AppFlow policy hits.

    You can also navigate to System > AppFlow > Policies in the GUI to check the AppFlow policy hits.

  • Validate any firewall blocking AppFlow ports 4739 or 5557.

Record generation in Citrix ADC checklist

  • Execute the nsconmsg -d stats -g ai_tot command and check for the stats increments in Citrix ADC.
  • Capture nstrace logs and check for CFLOW packets to confirm Citrix ADC exports AppFlow records.

Validations in Citrix ADM

  • Execute the tail -f /var/mps/log/mps_afdecoder.log | grep -i "Data Record: vpn_" command to check the logs to confirm Citrix ADM is receiving AppFlow records.
  • Make sure that the Citrix ADC instance is added to Citrix ADM.
  • Make sure that the Citrix Gateway/VPN virtual server is licensed in Citrix ADM.

Gateway Insight stats

The following Gateway Insight stats are available.

  • ai_tot_preauth_epa_export
  • ai_tot_auth_export
  • ai_tot_auth_session_id_update_export
  • ai_tot_postauth_epa_export
  • ai_tot_vpn_update_export
  • ai_tot_ica_fileinfo_export
  • ai_tot_app_launch_failure
  • ai_tot_logout_export
  • ai_tot_skip_appflow_export
  • ai_tot_sso_appflow_export
  • ai_tot_authz_appflow_export
  • ai_tot_appflow_pol_eval_failure
  • ai_tot_vpn_export_state_mismatch
  • ai_tot_appflow_disabled

Contact Citrix technical support

For a speedy resolution, make sure that you have the following information before contacting Citrix technical support:

  • Details of the deployment and network topology.
  • Citrix ADC and Citrix ADM versions.
  • Tech support bundle for Citrix ADC and Citrix ADM.
  • nstrace capture during the issue.

Known Issues

Refer Citrix ADC release notes for known issues on Gateway Insight.

Troubleshoot Gateway Insight issues