Basic troubleshooting
This topic list some of the errors that you might come across while or after setting up Secure Private Access.
Public gateway/callback gateway failures
Secure Private Access Server not reachable
Certificate errors
Error message: Unable to get the certificates automatically from one or more gateway servers.
This error message appears when you try to add a public NetScaler Gateway address and there is an issue fetching the certificate. This issue can occur when setting up Secure Private Access or updating settings after the setup is complete.
Workaround: Update the gateway certificate the same way in which you would for Citrix Virtual Apps and Desktops.
StoreFront failures
-
Error message: Failed to create StoreFront entry for:
<Store URL>Update the StoreFront entries from the Settings tab if it is not visible. After you have set up Secure Private Access using the wizard, you can edit StoreFront entries from the Settings tab. Note down the StoreFront Store URL for which this error occurred.
Resolution:
- Click Settings and then click the Integrations tab.
- In StoreFront Store URL, add the StoreFront entry if it is not visible.
-
Error message: Failed to configure StoreFront entry for:
<Store URL>Resolution:
-
There might be a PowerShell execution policy restriction in place. Run the PowerShell script command
Get-ExecutionPolicyfor details. - If it is restricted, you must bypass this and run a StoreFront configuration script manually.
- Click Settings and then click the Integrations tab.
- In StoreFront Store URL, identify the StoreFront URL entry for which the error occurred.
- Click the Download Script button next to this Store URL and run this PowerShell script with admin privileges on the machine on which the corresponding StoreFront installation is present. This script must be run on all the StoreFront machines.
Note:
If you are retrying the installation after uninstalling, ensure that you don’t have an entry with the name “Secure Private Access” in the StoreFront configuration (StoreFront > store> Delivery Controller -> Secure Private Access). If Secure Private Access is present, delete this entry. Manually download and run the script from the Settings > Integrations page.
-
-
Error message: StoreFront configuration is not local for:
<Store URL>After you have set up Secure Private Access using the wizard, you can edit gateway entries from the Settings tab. Note down the StoreFront Store URL for which this error occurred.
Resolution:
This issue occurs if StoreFront is not installed on the same machine as Secure Private Access. You must manually run the StoreFront configuration on the machine where you have installed StoreFront.
- Click Settings and then click the Integrations tab.
- In StoreFront Store URL, identify the StoreFront URL entry for which the error occurred.
- Click the Download Script button next to this Store URL and run this PowerShell script with admin privileges on the machine on which the corresponding StoreFront installation is present. This script must be run on all the StoreFront machines.
Note:
To run the StoreFront PowerShell script, open the Windows x64 compatible PowerShell window with admin privileges and then run ConfigureStorefront.ps1. StoreFront script is not compatible with Windows PowerShell (x86).
-
Error message: “Get-STFStoreService : Exception of type ‘Citrix.DeliveryServices.Framework.Feature.Exceptions.RegistryKeyNotFoundException’ was thrown.” while running StoreFront script using PowerShell.
This error occurs when the StoreFront script is run on a x86-compatible PowerShell window.
Resolution:
To run the StoreFront PowerShell script, open the Windows x64 compatible PowerShell window with admin privileges and then run
ConfigureStorefront.ps1.
Public gateway/callback gateway failures
Error message: Failed to create Gateway entry for: <Gateway URL> OR Failed to create Callback Gateway entry for: <Callback Gateway URL>
Resolution:
Note the Public Gateway or Callback Gateway URL for which the failure occurred. After you have set up Secure Private Access using the wizard, you can edit gateway entries from the Settings tab.
- Click Settings and then click the Integrations tab.
- Update the public gateway address or the callback gateway address and the virtual IP address for which the failure occurred.
Secure Private Access Server not reachable
Error message: Failed to update IIS pool. Failed to restart IIS pool
Resolution:
Go to Application pools in Internet Information Services (IIS) and check that the following application pools have started and are running:
- Secure Private Access Runtime Pool
- Secure Private Access Admin Pool
Also check that the default IIS site "Default Web Site" is up and running.
Application enumeration failure
Application enumeration breaks if the StoreFront URL or the NetScaler Gateway URL contains a trailing slash (/).
Resolution:
Delete the trailing slash in the StoreFront store URL or the NetScaler Gateway URL. For details, see Update StoreFront or the NetScaler Gateway server details after the setup.
Create Secure Private Access diagnostics support bundle
Perform the following steps to create a Secure Private Access diagnostics support bundle:
- Open the PowerShell or the command prompt window with admin privileges.
- Change the directory to the Admin\AdminConfigTool folder under the Secure Private Access installation folder (for example, cd “C:\Program Files\Citrix\Citrix Access Security\Admin\AdminConfigTool”).
-
Run the following command:
.\AdminConfigTool.exe /SUPPORTBUNDLE <output folder>
Change log level for troubleshooting logs
Troubleshooting logs are the default error log level.
To change the log level for the troubleshooting logs, in the runtime service appsettings.json (C:\Program Files\Citrix\Citrix Access Security\Runtime\RuntimeService) update restrictedToMinimumLevel for TroubleshootingSql to one of the following values:
- Information
- Debug
- Warning
- Error
"TroubleshootingSql": {
"restrictedToMinimumLevel": "Error",
"batchPostingLimit": 50,
"batchPeriod": "00:00:05" // 5 seconds
}