Citrix NetScaler – Concurrent SSLVPN Sessions

Reading Time: < 1 minute

Table of Contents

Overview

When configuring Citrix Gateway as a SSLVPN with assigned Intranet IP-Pools (IIP), it’s not possible to use more than one active session from the same user on a different device, per default.

There is an old article showing two options, but both isn’t todays state of the art.

First, I’m always assigning IIP-Pools to AAA Groups, never to AAA Users.

Second, Spillover isn’t a real-world option, as the SNIP acts as the Users source IP.

Configuration

There is a simple hidden command which will extend concurrent sessions to a maximum of 10. Every session gets assigned with an IIP. I’ve tested successfully with 13.0 and 13.1 Firmware. The command hits globally.

The cli for increasing up to 3 is set vpn parameter -maxIIPperUser 3

To make that command persistent, also during a reboot of the NetScaler, edit the /nsconfig/rc.netscaler file as follows:

nscli -U 127.0.0.1:Systemuser:Password "set vpn parameter -maxIIPperUser 3"

#Example nscli -U 127.0.0.1:nsroot:nsroot "set vpn parameter -maxIIPperUser 3"

Summary

I hope this Quickpost will save you some time when trying to achieve concurrent SSLVPN sessions from the same users on different devices.

4 comments

  1. Good Day Julian
    Hope you can provide some insight,
    On a SSL VPN only gateway, user sessions aren’t always completely removed in the event the user log’s off even in some instances, a single session gets cached on the gateway, so as example the user gets an IP and can utilize resources as per normal, we are using IP pool assignment. This is done on the gateway itself but at some point the user connects again and does not receive an IP, and the connection is made but no traffic traverses over the gateway, then the only way is to manually kill the user session on the netscaler, user reconnects and receives a Pooled IP address.
    firmware is 13.1.54.29, session timeout is set, idle timeout is set and then force connection close is also set after a period of time.
    Is there anyway to mitigate this behavior?

      1. Hello Jurie, hello Marcel,

        finally I was able to reproduce that issue at one of my customers and found a fix, too. When clicking “Logoff” at the CSA Client, or shutdown the Notebook – we would expect NetScaler to delete / logoff the AAA session and also give back the used Intranet IP to the pool. But that’s not the case and the cause is the integrated WAF. Do you both having enabled the integrated WAF for VPN and AAA? I’ve found the WAF is BLOCKING the /cgi/logout Page, what CSA Client is using to logoff the session. Don’t ask me why, I’ve already reported that to NetScaler. When you disable WAF you will see the issue is gone. I’ve created an exception for “https://vpn.customer.com/cgi/logout” in the WAF Profile and now all sessions are closed clean. Hope this helps!

        Best Regards
        Julian

Leave a Reply

Your email address will not be published. Required fields are marked *