Citrix SD-WAN WANOP

CIFS and MAPI

  • Issue: A domain controller is removed from the network. However, the Citrix SD-WAN WANOP appliance is not able to leave the domain.

    Cause: This is a known issue with the appliance.

    Workaround: From the Windows Domain page, change the DNS to the one through which you can resolve the intended domain. Next, use the Rejoin Domain option to make the Citrix SD-WAN WANOP appliance join that domain. Now try leaving from the domain.

  • Issue: MAPI connections are not optimized and the following error message appears:

    non-default setting in outlook is not supported

    Cause: This is a known issue with release 6.2.3 and earlier releases.

    Resolution: Upgrade the appliance to the latest release.

  • Issue: The appliance optimized the MAPI connections. However, the monitoring pages display the number of send and received bytes as zero.

    Cause: This is a known issue with the appliance.

    Resolution: This is a benign issue and does not affect the functionality of the appliance. You can ignore it.

  • Issue: Unable to establish secure peering between Citrix SD-WAN WANOP appliances.

    Cause: Secure peering with the partner appliance is not properly configured.

    Resolution: Do the following:

    1. Verify that you have uploaded appropriate combination of CA and server certificates to the appliance.

    2. Navigate to the Citrix SD-WAN WANOP > Configuration > SSL Settings > Secure Partners page.

    3. In the Partner Security section, under Certificate Verification, select None - allow all requests option to make sure that certificate never expires.

    4. Verify that the appliance can establish secure peering with the partner appliance.

    5. Verify that the Listen On section has an entry for the IP address of the intended Citrix SD-WAN WANOP appliance.

  • Issue: When connecting to an Exchange cluster, Outlook users with optimized connections are occasionally bypassed or prompted for logon credentials.

    Cause: MAPI optimization requires that each node in the Exchange cluster be associated with the exchangeMDB service principal name (SPN). Over time, as you need more capacity, you add additional nodes to the cluster. However, sometimes, the configuration task might not be completed, leaving some nodes in cluster without SPN settings. This issue is most prevalent in Exchange clusters with Exchange Server 2003 or Exchange Server 2007.

    Resolution: Do the following on each Exchange servers in the set up:

    1. Access the domain controller.

    2. Open the command prompt.

    3. Run the following commands:

      pre codeblock setspn -A exchangeMDB/Exchange1 Exchange1 setspn -A exchangeMDB/Exchange1.example.com Exchange1 <!--NeedCopy-->

  • Issue: When attempting to connect to Outlook, the Trying to connect message is displayed and then the connection is terminated.

    Cause: The client-side Citrix SD-WAN WANOP appliance has blacklist entries that do not exist on the server-side appliance.

    Resolution: Remove the blacklist entries from both appliances, or (recommended) upgrade the software of the appliances to release 6.2.5 or later.

  • Issue: The appliance fails to join the domain even after passing the pre domain checks.

    Cause: This is a known issue.

    Resolution: Do the following:

    1. Access the appliance by using an SSH utility.

    2. Log on to the appliance by using the root credentials.

    3. Run the following command:

      /opt/likewise/bin/domainjoin-cli join \<Domain\_Name\> administrator

  • Issue: The LdapError error message appears when you add a delegate user to the Citrix SD-WAN WANOP appliance.

    Resolution: Do one of the following:

    • On the Citrix SD-WAN WANOP appliance’s DNS server, verify that a reverse lookup zone is configured for every domain-controller IP address.

    • Verify that the system clock of the client machine is synchronized with the system clock of the Active Directory server. When using Kerberos, these clocks must be synchronized.

    • Update the delegate user on the Windows Domain page by providing the password for the delegate user once again.

  • Issue: The Time skew error message appears when you add a delegate user to the Citrix SD-WAN WANOP appliance.

    Resolution: Verify that the appliance is joined to the domain. If not, join the appliance to the domain. This synchronizes the appliance time with the domain-server time and resolves the issue.

  • Issue: The Client is temporarily excluded for acceleration. Last Error (Kerberos error.) error message appears when you add a delegate user to the Citrix SD-WAN WANOP appliance.

    Cause: The delegate user is configured for the Use Kerberos only authentication.

    Resolution: Verify that, on the domain controller, the delegate user’s authentication setting is Use any authentication protocol.

  • Issue: The Delegate user not ready error message appears when you add a delegate user to the Citrix SD-WAN WANOP appliance.

    Resolution: If the message appears only on the client-side appliance, ignore it. However, if the message is displayed on the server-side appliance, run the delegate user precheck tool, available on the Windows Domain page, and then configure the delegate user on the server-side appliance.

  • Issue: The Last Error (The Server is not delegated for Kerberos authentication. Please add delegate user, check list for services and server allowed for delegation.) UR:4 error message appears when you add a delegate user to the Citrix SD-WAN WANOP appliance.

    Resolution: Verify that the delegate user is correctly configured on the domain controller and that you have added appropriate services to the domain controller.

  • Issue: The appliance is not able to join the domain.

    Resolution: Run the domain precheck tool, available on the Windows Domain page, and resolve the issues, if any. If the domain precheck tool does not report any issues, contact Citrix Technical Support for further assistance in resolving the issue.

CIFS and MAPI