Troubleshoot Secure Private Access issues

Use this topic to troubleshoot some of the app configuration, authentication and SSO, or app access-related issues. Copy the info code from the ‘Info Code’ column within the Secure Private Access diagnostic logs and then search for that code on this page to find the corresponding troubleshooting steps. The following are some FAQs to help you use this topic better.

FAQs

What are Secure Private Access diagnostic logs?

Where do I find Secure Private Access logs?

What details can I find in the Secure Private Access diagnostic logs?

What events are captured in the Secure Private Access diagnostic logs?

How do I use the Secure Private Access troubleshooting topic to resolve a failure that I have encountered?

What is an info code? Where do I find them?

What is a transaction ID? How do I use it?

What are all the Secure Private Access PoP locations?

What do I do if I am unable to resolve my failure using the info code and the error lookup table?

Info code lookup table

The following error lookup table provides a comprehensive overview of the various errors that users can possibly run into when using the Secure Private Access service.

Info code | Description | Resolution
0x180006 | App FQDN length exceeded | App FQDN length exceeded
0x180022 | Authentication server down | Authentication server down
0x180001, 0x18001A, 0x18001B, 0x1800EF, 0x18008A, 0x1800A9, 0x1800AA, 0x1800AB, 0x1800AC, 0x1800AD, 0x1800AE, 0x1800AF, 0x1800B0, 0x1800B1, 0x1800B2, 0x1800B3, 0x180048 | Single sign-on errors, Connection establishment failure between Citrix Cloud and on-premises connectors, SAML SSO failure, Invalid app FQDN | App access is denied
0x18009D | DNS lookup/Connection errors | Secure Browser Service - DNS lookup/connection errors
0x1800A0, 0x1800A2, 0x1800A3 | DNS lookup/connection errors | CWA Web - DNS lookup/connection errors for Web apps
0x1800A6 | DNS lookup/connection errors | CWA Web - DNS lookup/connection errors for SaaS apps
0x1800B7 | App FQDN length exceeded | App FQDN length exceeded
0x1800BC, 0x1800BF | User not subscribed to the application, Misconfigured as WebApp | User not subscribed to the application
0x1800BD | Disabled for clients other than Citrix Workspace | Direct access disabled for clients other than Citrix Workspace
0x1800C3, 0x18006D, 0x180091 | Contextual policy rule is likely conflicting with the Secure Browser Settings, Enhanced security policies are likely misconfigured | Secure Browser Service misconfiguration
0x1800D0 | Config exceeds max allowed length | Configuration exceeds max allowed length
0x1800CD, 0x1800CE, 0x1800D6, 0x1800EA | Malformed client requests | Malformed client requests
0x1800DE | No routing domain entry for given FQDN | No routing domain entry for a given FQDN
0x180055, 0x1800DF, 0x1800E3 | Apps restricted by contextual policy, Access denied due to policy configuration | One or more apps not listed in the user dashboard
0x1800EB | IPv6 unsupported | IPV6 not supported
0x1800EC, 0x1800ED | Access denied due to invalid IP | Invalid IP addresses
0x100508 | User context does not match the access rule conditions | No matching policy condition
0x100509 | Access policy not associated with the application | No access policy associated with the application
0x10050C | Policy evaluation results of multiple applications that the user might be entitled to | App enumeration information

Contact Citrix support

For information on the following info codes, contact Citrix Support.

Info codes (six per row):
0x1800A4 0x1800A8 0x1800B5 0x180002 0x180003 0x180004
0x180005 0x180033 0x180034 0x180037 0x180035 0x18000F
0x18001D 0x18001E 0x18001F 0x180020 0x18006E 0x18000C
0x18000D 0x180010 0x180029 0x18002A 0x180036 0x18004E
0x180016 0x180044 0x180045 0x180017 0x180018 0x180007
0x180011 0x180012 0x180013 0x180014 0x180015 0x180019
0x180021 0x180025 0x180028 0x18002B 0x18002D 0x18002E
0x18003F 0x180040 0x180047 0x180063 0x180064 0x180065
0x180066 0x180067 0x180068 0x18006A 0x18001C 0x180087
0x180022 0x180023 0x180024 0x180026 0x180027 0x180039
0x18003A 0x18003B 0x18003C 0x18003D 0x180042 0x180043
0x180046 0x180049 0x18006B 0x180083 0x180084 0x180085
0x180086 0x180041 0x180069 0x1800C2 0x1800C4 0x1800CC
0x1800CF 0x1800D1 0x1800D2 0x1800D3 0x1800D4 0x1800D5
0x1800D7 0x1800D8 0x1800D9 0x1800DA 0x1800E1 0x1800E2
0x1800E4 0x1800E5 0x1800DC 0x1800DD 0x1800C0 0x1800C6
0x1800C8 0x1800C9 0x1800CA 0x180079 0x18007A 0x18007B
0x18007C 0x18007D 0x18007E 0x18007F 0x180080 0x180081
0x180082 0x180088 0x180089 0x18006F 0x180070 0x180071
0x180072 0x180073 0x180074 0x180075 0x180076 0x180077
0x180078 0x18008B 0x18008C 0x18008D 0x18008E 0x18008F
0x180090 0x180092 0x180093 0x180094 0x180095 0x180096
0x180097 0x180098 0x180099 0x18009A 0x18009B 0x18009C
0x18009D 0x18009E 0x18009F 0x1800C1 0x1800C3 0x1800E6
0x1800E7 0x1800E8 0x1800E9 0x1800EE 0x1800B6 0x1800B8
0x1800B9 0x1800BA 0x1800BB 0x100501 0x100502 0x100503
0x100504 0x100505 0x100506 0x100507 0x10050B

Resolution steps

The following sections provide resolution steps for most of the info codes. For the codes that do not have the resolution steps captured, contact Citrix Support.

One or more apps not listed in the user dashboard

Info code: 0x180055, 0x1800DF, 0x1800E3

Due to the contextual policy settings, apps might not be seen for some users or devices. Parameters like trust factors (device posture or risk score) can affect the accessibility of the applications.

  1. Copy the transaction ID from the reasons column for error code 0x18005C in the Diagnostic Logs csv file.
  2. Modify the prod column filter in the csv file to show events from the component called SWA.PSE or SWA.PSE.EVENTS. This filter shows logs related to policy evaluation only.
  3. Search for the evaluated policy payload in the reason column. This payload shows the evaluated policy for the user’s context for all apps that the user is subscribed to.
  4. If the policy evaluation shows the app as denied for the user, the possible reasons are:
    • Incorrect matching conditions in the policy - check the app policy configuration in Citrix Cloud.
    • Incorrect matching rules in the policy - check the app policy configuration in Citrix Cloud.
    • Incorrect matching default rule in the policy - this is the fall-through case. Adjust the conditions accordingly.

User not subscribed to the application

Info code: 0x1800BC, 0x1800BF

The user might have clicked an app link for an application to which they are not subscribed.

Make sure that the user has subscriptions to the applications.

  1. Go to the application in the management portal.
  2. Edit the app and go to the Subscription tab.
  3. Make sure that the targeted user has an entry in the subscription list.

Slow back-end app performance

Info code: 0x18000F

Slow performance can occur when the customer network is unreliable, when the connectors in a resource location are down, or when the back-end server itself is not responding.

  1. Make sure that the connector appliance is positioned geographically close to the back-end server to rule out network latency.
  2. Check that the back-end server’s firewall is not blocking the connector appliance.
  3. Check if the client is connecting to the nearest cloud PoP.

    For example, run nslookup nssvc.dnsdiag.net on the client; the canonical name in the answer identifies the geo-specific server, such as aws-us-w.g.nssvc.net.

App FQDN length exceeded

Info code: 0x180006, 0x1800B7

App FQDNs must not exceed 512 characters in length. Check the application FQDN in the app configuration page. Make sure that the length does not exceed 512 bytes in size.

  1. Go to the Applications tab on the management console.
  2. Look for the application whose FQDN exceeds 512 characters.
  3. Edit the application and fix the app FQDN length.

App details length exceeded

Info code: 0x18000E

Check whether the policies are blocking access to the app.

  1. Go to Access Policies.
  2. Look for the policies where the app has entitlement.
  3. Review the policy rules and conditions for the end user.

App access is denied

Info code: 0x180001, 0x18001A, 0x18001B, 0x1800EF, 0x18008A, 0x1800A9, 0x1800AA, 0x1800AB, 0x1800AC, 0x1800AD, 0x1800AE, 0x1800AF, 0x1800B0, 0x1800B1, 0x1800B2, 0x1800B3, 0x180048

This is related to contextual policies that deny the app for a given user.

Check whether the policies are blocking access to the app.

  1. Go to Access Policies.
  2. Look for the policies where the app has entitlement.
  3. Review the policy rules and conditions for the end user.

Applications not enumerated

Applications can be missing from the enumerated list because of policy denials or if the Secure Private Access integration is not enabled.

  • If access must be enabled for some of the apps but you see zero apps, try enabling the Secure Private Access integration.

    • Sign in to Citrix Cloud.
    • Select Workspace Configuration from the hamburger menu, and then click Service Integrations.
    • Click the ellipsis button in Secure Private Access, and then click Enable.
  • If the Secure Private Access integration is already enabled, disable it, and then enable it again to see if you have any apps.

Connection establishment failure between Citrix Cloud and on-premises connectors

Info code: 0x1800EF

App routing fails because no TCP connections to the on-premises connectors are available.

Review events from the controller component

  1. Look up the transaction ID for error code 0x1800EF in the diagnostic logs csv file.
  2. Filter all events matching the transaction ID in the csv file.
  3. Also filter the prod column in the csv file for entries that match SWA.GOCTRL.

    If you see events with the connectType message multiconnect::success, then:

    • This indicates that the tunnel establishment request was relayed to the controller successfully.
    • Check if the Resource Location in the log message is correct. If it is incorrect, fix the resource location in the app configuration section on the Citrix management portal.
    • Check if the VDA IP and port in the log message are correct. The VDA IP and port indicate the back-end application IP and port. If they are incorrect, fix the app FQDN or IP address in the app configuration section on the Citrix management portal.
    • If you don’t find any of the issues mentioned earlier, proceed to review the connector events.

    If you see events with the connectType message connect::failure or multiconnect::success, then:

    • Check whether the recommended fix for this log message states “Check if connector is still connected to same pop”. This indicates that the connector at the resource location might have gone down. Proceed to review the connector events.
    • If you do not see the messages mentioned earlier, contact Citrix Support.

    If you see events with the connectType message IntraAll::failure, contact Citrix Support.

Review events from the connector component

  1. Look up the transaction ID for error code 0x1800EF in the Diagnostic Logs csv file.
  2. Filter all events matching the transaction ID in the csv file.
  3. Also filter the prod column in the csv file for entries that match SWA.ConnectorAppliance.WebApps.
  4. If you see events with the status failure, then:
    • Review the reason message for each of these failure events.
    • UnableToRegister indicates that the connector wasn’t able to register to Citrix Cloud successfully. Contact Citrix Support.
    • IsProxyRequiredCheckError or ProxyDialFailed or ProxyConnectionFailed or ProxyAuthenticationFailure or ProxiesUnReachable indicates that the connector wasn’t able to resolve the back-end URL through the proxy configuration. Check the proxy configuration for correctness.
    • For further debugging see Connector SSO events.

Single sign-on errors

For single sign-on, different SSO attributes from the app configuration are extracted and applied during app launch. If that particular user doesn’t have the attributes or if the attributes are incorrect, the single sign-on might fail. Make sure that the configuration looks correct.

  1. Go to Access Policies.
  2. Look for the policies where the app has entitlement.
  3. Review the policy rules and conditions for the end user.

SSO methods such as Form SSO, Kerberos, and NTLM are performed by the on-premises connector. Review the following diagnostic logs from the connector.

Review SSO events from the connector component

  1. Filter the component name in the csv file for entries that match SWA.ConnectorAppliance.WebApps.
  2. If you see events with the status “failure”:
    • Review the message for each of these failure events.
    • IsProxyRequiredCheckError or ProxyDialFailed or ProxyConnectionFailed or ProxyAuthenticationFailure or ProxiesUnReachable indicates that the connector wasn’t able to resolve the back-end URL through the proxy configuration. Check the proxy configuration for correctness.
    • FailedToReadRequest or RequestReceivedForNonSecureBrowse or UnableToRetrieveUserCredentials or CCSPolicyIsNotLoaded or FailedToLoadBaseClient or ProcessConnectionFailure or WebAppUnSupportedAuthType indicates tunneling failure. Contact Citrix Support.
    • UnableToConnectTargetServer indicates that the back-end server is unreachable from the connector. Check the back-end configuration again.
    • IncorrectFormAppConfiguration or NoLoginFormFound or FailedToConstructForLoginActionURL or FailedToLoginViaFormBasedAuth indicates form-based authentication failure. Check the form SSO configuration section in App configuration in the Citrix management portal.
    • NTLMAuthNotFound indicates NTLM based authentication failure. Check the NTLM SSO configuration section in the app configuration in the Citrix management portal.
    • For further debugging, see Connector events.
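The three review procedures above (controller events, connector events, and connector SSO events) all reduce to the same steps: filter the diagnostic-log csv export by transaction ID and by component in the prod column, then read the reason messages against the lists given on this page. The script below is an added example, not Citrix tooling; the csv column names (Status, Reason, Prod, Transaction ID) and the sample rows are assumptions constructed for illustration.

```python
"""Triage a Secure Private Access diagnostic-log CSV export by transaction ID.

Added example, not Citrix code. The column names Status, Reason, Prod and
Transaction ID and the sample rows below are assumptions/constructed data.
"""
import csv
import io

# Controller (SWA.GOCTRL) connectType messages and the guidance this page gives for each.
CONTROLLER_HINTS = {
    "multiconnect::success": "tunnel request reached the controller; verify Resource "
                             "Location and VDA IP/port in the message, then review connector events",
    "connect::failure": "connector may no longer be connected to its PoP; review connector events",
    "IntraAll::failure": "contact Citrix Support",
}

# Connector (SWA.ConnectorAppliance.WebApps) failure reasons grouped by root cause.
CONNECTOR_REASONS = {
    "registration": ["UnableToRegister"],
    "proxy": ["IsProxyRequiredCheckError", "ProxyDialFailed", "ProxyConnectionFailed",
              "ProxyAuthenticationFailure", "ProxiesUnReachable"],
    "tunneling": ["FailedToReadRequest", "RequestReceivedForNonSecureBrowse",
                  "UnableToRetrieveUserCredentials", "CCSPolicyIsNotLoaded",
                  "FailedToLoadBaseClient", "ProcessConnectionFailure",
                  "WebAppUnSupportedAuthType"],
    "backend-unreachable": ["UnableToConnectTargetServer"],
    "form-sso": ["IncorrectFormAppConfiguration", "NoLoginFormFound",
                 "FailedToConstructForLoginActionURL", "FailedToLoginViaFormBasedAuth"],
    "ntlm-sso": ["NTLMAuthNotFound"],
}

# Constructed sample export: one failed launch (tx-123) and one unrelated successful event.
SAMPLE_CSV = "\n".join([
    "Timestamp,Username,App Name,Status,Info Code,Reason,Prod,Transaction ID",
    "2024-01-01T10:00:00Z,alice,HR Portal,failure,0x1800EF,"
    "connectType multiconnect::success Resource Location=RL-East VDA Ip=10.1.2.3 Port=443,"
    "SWA.GOCTRL,tx-123",
    "2024-01-01T10:00:01Z,alice,HR Portal,failure,0x1800EF,"
    "ProxyDialFailed: dial tcp proxy.corp.example:3128,SWA.ConnectorAppliance.WebApps,tx-123",
    "2024-01-01T10:00:05Z,bob,Wiki,success,,NTLMAuthNotFound,SWA.ConnectorAppliance.WebApps,tx-999",
])


def rows_for_transaction(csv_text, transaction_id, component):
    """Steps 1-3 of each review procedure: rows for one transaction whose Prod
    column matches the component (for example SWA.GOCTRL)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r for r in reader
            if r["Transaction ID"] == transaction_id and r["Prod"] == component]


def classify_reason(reason):
    """Map a connector failure reason to the root-cause bucket named on this page."""
    for bucket, names in CONNECTOR_REASONS.items():
        if any(name in reason for name in names):
            return bucket
    return "unknown"


def triage(csv_text, transaction_id):
    """Return (component, message, guidance) findings for one transaction."""
    findings = []
    for r in rows_for_transaction(csv_text, transaction_id, "SWA.GOCTRL"):
        for msg, hint in CONTROLLER_HINTS.items():
            if msg in r["Reason"]:
                findings.append(("controller", msg, hint))
    for r in rows_for_transaction(csv_text, transaction_id, "SWA.ConnectorAppliance.WebApps"):
        if r["Status"].lower() == "failure":   # only failure events carry a reason to act on
            findings.append(("connector", r["Reason"], classify_reason(r["Reason"])))
    return findings


if __name__ == "__main__":
    for component, message, guidance in triage(SAMPLE_CSV, "tx-123"):
        print(f"[{component}] {message} -> {guidance}")
```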

Authentication server down

Info code: 0x180022

Secure Private Access allows admins to configure a third-party authentication service such as traditional Active Directory, AAD, Okta, or SAML. Outages in these authentication services can cause this issue.

Check if the third-party servers are up and reachable.

SAML SSO failure

Info code: 0x18008A, 0x1800A9, 0x1800AA, 0x1800AB, 0x1800AC, 0x1800AD, 0x1800AE, 0x1800AF, 0x1800B0, 0x1800B1, 0x1800B2, 0x1800B3

Users face an authentication failure during app launch when it is IdP initiated, or might see inaccessible links when it is SP initiated. Check the SAML app configuration on the Secure Private Access service side and also the service provider configuration.

Secure Private Access configuration:

  1. Go to the Applications tab.
  2. Look for the problematic SAML app.
  3. Edit the application and go to the Single Sign On tab.
  4. Check the following fields.
    • Assertion URL
    • Relay State
    • Audience
    • Name Id format, Name Id, and other attributes

Service provider configuration:

  1. Log in to the service provider.
  2. Go to SAML settings.
  3. Check the IdP certificate, audience, and IdP login URL.

If the configuration looks correct, contact Citrix support.

Invalid app FQDN

Info code: 0x180048

The customer admin might have provided an invalid FQDN, or an FQDN whose DNS resolution fails at the back-end server.

In this case, the end user sees an error on the webpage. Check the application settings.

SaaS App validation

Check if the app can be accessed from the network.

Web app validation

  1. Go to the Applications tab.
  2. Edit the problematic application.
  3. Go to App Details page.
  4. Check the URL. The URL must be accessible either in intranet or internet.

Secure Browser Service - DNS lookup/connection errors

Info code: 0x18009D

Broken browsing experience via Secure Browser Service. Check the back-end server that the end user is trying to connect to.

  1. Go to the back-end server and check if it is up and running, and is able to receive the requests.
  2. Check whether the proxy settings are stopping the connection to the back-end server.

CWA Web - DNS lookup/connection errors for Web apps

Info code: 0x1800A0, 0x1800A2, 0x1800A3

Broken browsing experience of web applications running inside the corporate network.

  1. Filter through the diagnostic logs for the FQDNs that are not resolvable.
  2. Check for reachability of the back-end server from inside the corporate network.
  3. Check the proxy settings to see if the connector is blocked from reaching the back-end server.

CWA Web - DNS lookup/connection errors for SaaS apps

Info code: 0x1800A6

Broken browsing experience of SaaS applications running on a public cloud.

  1. Filter through the diagnostic logs for the FQDNs that are not resolvable.
  2. Check for reachability of the back-end server.

Direct Access - Misconfigured as Web app

Because Web app traffic is always routed via the connector, configuring direct access on them results in an app access error.

Check for the conflicting configuration between the routing domain table and the app configuration.

  1. Go to the application in the management portal.
  2. Edit the app and check if direct access is enabled.
  3. Cross-check whether the app FQDN has been marked as internal in the routing domain table.

Direct access disabled for clients other than Citrix Workspace

Info code: 0x1800BD

App configuration disables direct access for traffic that originates from browser-based clients.

Make sure that the user has subscriptions to the applications.

  1. Go to the application in the management portal.
  2. Edit the app and check the agentless access configuration.

Enhanced security policies - Secure Browser Service misconfiguration

Info code: 0x1800C3, 0x18006D, 0x180091

The observed behavior differs from what the policy rules intended. Check the contextual access policies.

  1. Go to the Policies tab.
  2. Check the policies associated with the application.
  3. Check the rules for those policies.

Enhanced security policies - policy misconfiguration

The observed behavior differs from what the policy rules intended. Check the enhanced security settings.

  1. Go to the application.
  2. Click the Access Policies tab.
  3. Check the settings in the Available security restrictions section.

TCP/UDP apps - Configuration exceeds max allowed length

Info code: 0x1800D0

Citrix Secure Access app fails to successfully establish a full tunnel to Citrix Cloud.

  1. Review the routing domain configuration for the TCP/UDP apps.
  2. Make sure that the number of entries is well within the 16k limit.

TCP/UDP apps - Malformed client requests

Info code: 0x1800CD, 0x1800CE, 0x1800D6, 0x1800EA

Either the VPN tunnel is not established or certain FQDNs might not be tunneled.

  1. Make sure that the requests are not being fabricated or reconstructed by proxies in the middle.
  2. Suspected man-in-the-middle attacks.

TCP/UDP apps - Enhanced security policy misconfiguration

Info code: 0x180091

Enhanced Security controls can only be applied for the Web apps and not TCP/UDP apps. Review the app configuration in the Secure Private Access service GUI.

TCP/UDP Apps - Secure Browser Service redirect misconfiguration

Info code: 0x1800DD

Secure Browser Service redirects can only be applied for Web apps and not TCP/UDP apps. Review the app configuration in the Secure Private Access service GUI.

TCP/UDP Apps - No routing domain entry for a given FQDN

Info code: 0x1800DE

Make sure that all the internal FQDNs that are to be tunneled by the Citrix Secure Access client have a corresponding entry in the routing domain table.

TCP/UDP Apps - IPV6 not supported

Info code: 0x1800EB

Review the routing domain entries. Make sure that there are no IPV6 entries in the table.

TCP/UDP Apps - Invalid IP addresses

Info code: 0x1800EC, 0x1800ED

Review the routing domain entries. Make sure that the IP addresses are valid and are pointing to the correct back end.
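The TCP/UDP app sections above amount to four checks on the routing domain table: the entry count against the 16k limit (0x1800D0), an entry for every FQDN the client must tunnel (0x1800DE), no IPv6 entries (0x1800EB), and valid IP addresses (0x1800EC, 0x1800ED). The following validator runs those checks over an exported table before the Citrix Secure Access client is rolled out. It is an added example, not Citrix tooling; it assumes the table is a plain list of destination strings (IP address, CIDR subnet, or FQDN), and treating loopback, multicast, link-local and unspecified addresses as ones that cannot point at a correct back end is a heuristic of this example.

```python
"""Pre-flight checks for a Secure Private Access TCP/UDP routing domain table.

Added example, not Citrix tooling. The table format (a list of destination
strings: IP, CIDR subnet, or FQDN) is an assumption; the checks mirror the
info codes described on this page.
"""
import ipaddress
import re

MAX_ENTRIES = 16_000        # the table must stay "well within the 16k limit" (0x1800D0)
# Something that looks like an IPv4 literal/subnet or contains a colon (IPv6-like),
# so that a malformed address is reported as an invalid IP rather than as an FQDN.
IP_LITERAL = re.compile(r"^([0-9.]+(/[0-9]+)?|.*:.*)$")


def parse_ip(dest):
    """Return an ip_address or ip_network object, or None if dest is not one."""
    for parser in (ipaddress.ip_address, lambda d: ipaddress.ip_network(d, strict=False)):
        try:
            return parser(dest)
        except ValueError:
            continue
    return None


def validate_routing_domain(entries, tunneled_fqdns=()):
    """Return a list of (info_code, detail) findings for the table.

    entries        - routing domain destinations (assumed: IP, CIDR, or FQDN strings)
    tunneled_fqdns - internal FQDNs the Secure Access client is expected to tunnel
    """
    findings = []
    if len(entries) > MAX_ENTRIES:
        findings.append(("0x1800D0", f"{len(entries)} entries exceed the 16k limit"))
    known_fqdns = set()
    for raw in entries:
        dest = raw.strip().lower().rstrip(".")      # normalise case and trailing dot
        if not dest:
            continue
        obj = parse_ip(dest)
        if obj is None:
            if IP_LITERAL.match(dest):
                findings.append(("0x1800EC/0x1800ED", f"invalid IP address: {raw}"))
            else:
                known_fqdns.add(dest)               # treated as an FQDN entry
            continue
        if obj.version == 6:
            findings.append(("0x1800EB", f"IPv6 entry not supported: {raw}"))
        elif obj.is_loopback or obj.is_multicast or obj.is_unspecified or obj.is_link_local:
            # Heuristic of this example: such addresses cannot be a correct back end.
            findings.append(("0x1800EC/0x1800ED", f"IP cannot point at a back end: {raw}"))
    for fqdn in tunneled_fqdns:
        if fqdn.strip().lower().rstrip(".") not in known_fqdns:
            findings.append(("0x1800DE", f"no routing domain entry for {fqdn}"))
    return findings


# Constructed sample table with one problem of each kind.
SAMPLE_TABLE = ["hr.corp.example", "10.10.0.0/16", "10.0.0.999",
                "2001:db8::10", "127.0.0.1", "wiki.corp.example."]
SAMPLE_TUNNELED = ["HR.corp.example", "git.corp.example"]

if __name__ == "__main__":
    for code, detail in validate_routing_domain(SAMPLE_TABLE, SAMPLE_TUNNELED):
        print(f"{code}: {detail}")
```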

No matching policy condition

Info code: 0x100508

The user context does not match the access rule conditions defined in the policies assigned to the app.

Update the policy configuration to match the user’s context.

No access policy associated with the application

Info code: 0x100509

  1. In the Citrix Secure Private Access service GUI, click Access Policies on the left navigation.
  2. Ensure that an access policy is associated with the respective app.
  3. If an access policy is not associated with the app, create an access policy for the app. For details, see Create access policies.
  4. If this does not resolve the issue, contact Citrix Support.

App enumeration information

Info code: 0x10050C

This code captures policy evaluation results of multiple applications that the user might be entitled to. App access might be denied for the following reasons:

  • The user context does not match the access rule conditions defined in the policies assigned to the app – For details, see No matching policy condition.
  • No access policy is associated with the application – For details, see No access policy associated with the application.
  • Policy associated with the application is configured to deny access – In this case, no action is required because this is intended.
  • Unexpected internal error while enforcing the access policy – For details, contact Citrix Support.

Answers to FAQs

What are Secure Private Access diagnostic logs?

Secure Private Access diagnostic logs capture all events that occur when a user accesses any application (Web/SaaS/TCP/UDP). These logs capture device posture, app authentication, app enumeration, and app access logs.

Where do I find Secure Private Access logs?

  1. Log on to Citrix Cloud.
  2. On the Secure Private Access service tile, click Manage.
  3. Click Dashboard on the left navigation in the admin user interface.
  4. In the Diagnostic Logs chart, click the See more link.

Diagnostic logs

What details can I find in the Secure Private Access diagnostic logs?

The Secure Private Access user logs dashboard provides the following details, by default.

  • Timestamp - Time of the event in UTC.
  • Username - User name of the end-user accessing the app.
  • App Name - Name of the app/apps that were accessed.
  • Policy Info - Displays the name of the access policy or policies that were triggered during the event.
  • Status - Displays the status of the event, success, or failure.
  • Info Code - The info code associated with the event. See What is an info code? Where do I find them?
  • Description - Displays the reason for the failure or more details about the event.
  • App FQDN - FQDN of the application accessed.
  • Event type - Displays the event type associated with the operation performed.
  • Operation type - Displays the operation for which the log is generated.
  • Category - One of three categories, depending on the type of event: app authentication, app enumeration, or app access. These categories are also available as filter options, so you can filter logs by the type of issue that you are facing.
  • Transaction ID - Correlates all logs for one access request. See What is a transaction ID? How do I use it?

The following details can be fetched by clicking the + button on the rightmost side of the dashboard:

  • SPA PoP Location - Displays the name/ID of the Secure Private Access service PoP location that was used during app access. See What are all the Secure Private Access PoP locations?

What events are captured in the Secure Private Access diagnostic logs?

The Secure Private Access diagnostic logs capture the following events:

  • Device Posture: End-user device status. These logs capture the device posture results, that is, whether the device was deemed compliant, non-compliant, or denied access based on your device posture policy.
  • Login/Logoff: Events about end-user logon or logoff status to the Citrix Secure Access client and authentication to workspace (internal or external providers).
  • App Enumeration: In the Secure Private Access service, access policies configured by admins decide which user gets to access which app. Denied applications are not visible (not enumerated) to end users within Citrix Workspace app. These events help you know which applications were allowed or denied access for a user based on the access policies configured within the Secure Private Access service.
  • App Access: Events of end-user application/endpoint access, allow/deny status, single sign-on status, and connectivity status as per the configured access policies for the selected time interval.

How do I use the Secure Private Access troubleshooting topic to resolve a failure that I have encountered?

  1. Fetch the info code for the failure that you are trying to resolve.
  2. Find the info code in the info code lookup table.
  3. Follow the resolution steps provided for that info code.

What is an info code? Where do I find them?

Some log events, such as failures, have an associated info code. Search for this info code within the info code lookup table to find the resolution steps or more information about that event.

What is a transaction ID? How do I use it?

Transaction ID correlates all Secure Private Access logs for an access request. One app access request can have multiple logs generated, starting from authentication, then app enumeration within the workspace app, and then app access itself. All these events generate their own logs. Transaction ID is used to correlate all of these logs. You can filter the diagnostic logs using the transaction ID to find all logs related to a particular app access request.

What are all the Secure Private Access PoP locations?

The following is the list of Secure Private Access PoP locations.

PoP name | Zone | Region
az-us-e | Azure eastus | Virginia
az-us-w | Azure westus | California
az-us-sc | Azure southcentralus | Texas
az-aus-e | Azure australiaeast | New South Wales
az-eu-n | Azure northeurope | Ireland
az-eu-w | Azure westeurope | Netherlands
az-jp-e | Azure japaneast | Tokyo, Saitama
az-bz-s | Azure brazilsouth | Sao Paulo State
az-asia-se | Azure southeastasia |
az-uae-n | Azure uaenorth | Dubai
az-in-s | Azure southindia | Chennai
az-asia-hk | Azure eastasia | Hong Kong

What do I do if I am unable to resolve my failure using the info code and the error lookup table?

Contact Citrix Support.
