Program Neighborhood Agent initial logon and repeated logoff issues.

I'm deploying Citrix Program Neighborhood Agent Application Access to ~200 users across 27 locations. My project is currently on hold because 12 of our sites connect via 1.5Mbps up / 1.5Mbps down VPN cable connections, from which the first 2 sites have been having extensive server connection and access stability issues. Below are the two interrelated issues I face. I believe the connections to be as stable as physically possible due to the extensive connection testing I've done.

I suspect routing issues to be the root of the issue or maybe GPO or Citrix settings. Please review the user experience scenarios below and let me know where I should concentrate my efforts toward resolution.

From the remote locations when you boot up a machine then logon to Active Directory the user's shared drives will be assigned appropriately so I know AD is talking and the logon .bat file is working.

The Citrix Program Neighborhood Agent running in the lower right hand corner of the screen will report that it is "Reading Config from X.X.X.X" (IP Address) or it will say from the name of the server, depending on how we have typed the server path in the PNA Server URL box.
The following error will then appear: "Program Neighborhood Agent could not contact the server. Please check your Network connection."
The users then right-click on the Program Neighborhood Agent and choose Change Server. They leave the info as it appears in the Server Address field, then they click the Update button.
The Citrix Program Neighborhood Agent Active Directory domain logon screen then appears. They enter their AD user name and password, then the user's applications will populate on the desktop and will start if clicked on.
If you reboot the machine shortly after doing this process you do not have to perform the change server process in Citrix.
Periodically the Citrix PNA will log off and their application icons will disappear from off the desktop. The users only notice this when they minimize whatever they are currently in and attempt to load another application. The users may have 2 or more Citrix application sessions running and be actively using these applications with no interruptions when the PNA logs off.

In order to get access to their other Citrix application icons the users then perform the same change server process using the PNA interface running in the lower right hand corner of the screen. Alternatively, if the Logon option is available they are able to click on it and the icons will reappear.

The entire Citrix farm is located within the same IP network in our data center and goes through the same switch that the AD and File servers are connected to, although the AD and File servers are on a different IP network.

In the initial logon scenario above it appears that the breakdown is in the client's initial communication with the Web Interface Server and/or the WI server to its "XML Broker" and I'll begin looking into that with our Network Administrator.

For the periodic logoffs I'm not sure why this is occurring other than if for some reason the communications are being interrupted with the Presentation servers, but the question is why the sessions that are started are not being interrupted. It is only the PNA's status that is changing.

The VPN is being established between the remote office and the Data Center through Cisco gear.  I can give further details on the connections once I meet with my Network Administrator.

Any insights will be greatly appreciated!


eskomra (Author) Commented:
Succinct Questions:
1.)  Why would the PNA not find the server then after doing a "Change Server" it finds it?
2.)  Why will the PNA log off periodically and how do I keep this from happening?
3.)  Why do the sessions keep running and working fine if the PNA has lost contact with the server?  We have the feature enabled to keep the session interface live and cache the typed input then send it to the server when the session is reestablished, but the interactivity the users have with the session and the length of period of time they are interacting seems beyond this feature's capability or intent.

Craig Roberds (MIS) Commented:
I saw this question yesterday but I don't have a concrete answer but hopefully I can at least give you some input, as this looks like it could take some work to figure out.

I think the initial logon problem is that when the system boots up PNA tries to run before the user is inside the domain/VPN.  Assuming the website is inside the VPN it cannot find it or doesn't have permission to it until the other credentials are loaded.  So when you try and reconnect the user has authenticated into the VPN/domain so it works the second time.

As far as the disconnects I have not seen that before.  I would guess it is firewall related.  Perhaps some sort of threshold is in the firewall settings and it disconnects the session(s)?  In Citrix or TS, you can limit the sessions, and if the user hits those, depending on how it is set up you will either take over one of the older sessions or it won't let you in, but I have never seen it totally disconnect the PNA from the web server.

eskomra (Author) Commented:
Thanks Croberds!  I was getting lonely not hearing from anyone.  I realized I wrote a book but I'd rather give more info than less.  I did try to sum it up with the post this morning.

The users are logging onto our AD Domain when they boot their workstations through an existing hardware based VPN tunnel that is already established.  The PNA is not set to use passthrough auth so no credentials are being sent.  Even if they were, the issue is that the PNA is not able to locate the server initially until it is told to try again.  Sometimes it is multiple times that the "Change Server" option must be clicked on to finally locate the server.  My guess is that there is something really hosed in our Network structure.  I'm still waiting for our Network Admin to call me.

What would be really helpful is to know what kind of network traffic is sent by the PNA at startup so I can figure out where it is failing.  I would also like to know how it keeps the PNA connection alive so I can figure out how it is failing intermittently.

Any input is greatly appreciated!

Craig Roberds (MIS) Commented:
The keep alive sessions use port 2598.  However that shouldn't disconnect PNA.  PNA uses ports 443 and 444.

While the credentials aren't sent if PNA is in the startup folder of the client PC it tries to contact the web server either by FQDN or IP address.  

Since PNA is using a web address, it could perhaps be something with a proxy as well, if you are using one.

eskomra (Author) Commented:
No proxy in use here.

Our Application Administrator has done the following:
"I made a change to the Web Interface settings that have upped the session expiration from 20 minutes to 2 hours.  This may affect people in the PNA as well that have been logged off after a while as it is calling the WI."

Are there other settings we should tweak?

eskomra (Author) Commented:
Anybody get a fix for this from Citrix yet?

Any ideas on how to get around it or trick it to keep it alive?

From Citrix Support Forum

Re: PNAgent goes offline after network inactivity
Posted: Jun 2, 2008 11:47 AM
We have traced this down to the "InternetGetConnectedState" api call to wininet.dll returning false. This check was introduced in 10.1. The PNAgent client checks this setting exactly every 3 seconds - if it returns false, it doesn't even attempt to make a connection, and immediately goes offline.

From what I am seeing/reading, this isn't the most reliable method of determining network connectivity (many developers seem to recommend attempting an actual connection instead).
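
The quoted forum post contrasts the `InternetGetConnectedState` flag with attempting an actual connection. As an added example (not part of this thread and not Citrix code), the Python script below probes the Web Interface host with a real TCP handshake on the same 3-second cadence and collapses the results into outage windows that can be lined up against the times the PNA went offline. The host name `wi.example.internal` and port 443 are placeholders; use the host and port from the PNA Server URL.

```python
import socket
import time

def tcp_reachable(host, port, timeout=2.0):
    """True only if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, DNS failure
        return False

def collect(host, port, count, interval=3.0, probe=tcp_reachable,
            clock=time.time, sleep=time.sleep):
    """Probe `count` times, `interval` seconds apart; return [(timestamp, up)]."""
    samples = []
    for i in range(count):
        samples.append((clock(), probe(host, port)))
        if i < count - 1:
            sleep(interval)
    return samples

def outages(samples):
    """Collapse samples into (start, end, failed_probes) runs of failures.
    `end` is the timestamp of the first successful probe after the run,
    or None if the run was still in progress at the last sample."""
    runs, start, failed = [], None, 0
    for ts, up in samples:
        if not up:
            if start is None:
                start = ts
            failed += 1
        elif start is not None:
            runs.append((start, ts, failed))
            start, failed = None, 0
    if start is not None:
        runs.append((start, None, failed))
    return runs

# Constructed sample (not captured data): one probe every 3 s,
# three failed probes in the middle and one at the end.
SAMPLE = [(0, True), (3, True), (6, False), (9, False), (12, False),
          (15, True), (18, True), (21, False)]

if __name__ == "__main__":
    # Placeholder host and port: replace with the values from the PNA Server URL.
    for run in outages(collect("wi.example.internal", 443, count=20)):
        print(run)
```

If the PNA drops offline while this log shows no outage window, the server was reachable and the client-side connectivity flag is the more likely cause; matching windows point back at the VPN path.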
