Solved

Program Neighborhood Agent initial logon and repeated logoff issues.

Posted on 2008-06-23
Last Modified: 2008-07-26
I'm deploying Citrix Program Neighborhood Agent Application Access to ~200 users across 27 locations. My project is currently on hold because 12 of our sites connect via 1.5Mbps up / 1.5Mbps down VPN cable connections, of which the first 2 sites have been having extensive server connection and access stability issues. Below are the two interrelated issues I face. I believe the connections to be as stable as physically possible due to the extensive connection testing I've done.

I suspect routing issues to be the root of the issue, or maybe GPO or Citrix settings. Please review the user experience scenarios below and let me know where I should concentrate my efforts toward resolution.

From the remote locations, when you boot up a machine and then log on to Active Directory, the user's shared drives will be assigned appropriately, so I know AD is talking and the logon .bat file is working.

The Citrix Program Neighborhood Agent running in the lower right-hand corner of the screen will report that it is "Reading Config from X.X.X.X" (IP address), or it will give the name of the server, X.X.X.org, depending on how we have typed the server path in the PNA Server URL box.
 
The following error will then appear: "Program Neighborhood Agent could not contact the server. Please check your Network connection."

The users then right-click on the Program Neighborhood Agent and choose Change Server. They leave the info as it appears in the Server Address field, then they click the Update button.

The Citrix Program Neighborhood Agent Active Directory domain logon screen then appears. They enter their AD user name and password, then the user's applications will populate on the desktop and will start if clicked on.
 
If you reboot the machine shortly after doing this process you do not have to perform the change server process in Citrix.
 
Periodically the Citrix PNA will log off and their application icons will disappear from the desktop. The users only notice this when they minimize whatever they are currently in and attempt to load another application. The users may have 2 or more Citrix application sessions running and be actively using these applications with no interruptions when the PNA logs off.

In order to get access to their other Citrix application icons, the users then perform the same change server process using the PNA interface running in the lower right-hand corner of the screen. Alternatively, if the Logon option is available, they are able to click on it and the icons will reappear.

The entire Citrix farm is located within the same IP network in our data center and goes through the same switch that the AD and file servers are connected to, although the AD and file servers are on a different IP network.

In the initial logon scenario above, it appears that the breakdown is in the client's initial communication with the Web Interface server and/or the WI server to its "XML Broker", and I'll begin looking into that with our Network Administrator.

For the periodic logoffs I'm not sure why this is occurring, other than if for some reason the communications are being interrupted with the Presentation servers, but the question is why the sessions that are started are not being interrupted. It is only the PNA's status that is changing.

The VPN is being established between the remote office and the Data Center through Cisco gear.  I can give further details on the connections once I meet with my Network Administrator.

Any insights will be greatly appreciated!

Question by:eskomra
 

Author Comment

by:eskomra
ID: 21854936
Succinct Questions:
1.) Why would the PNA not find the server, then after doing a "Change Server" it finds it?
2.) Why will the PNA log off periodically and how do I keep this from happening?
3.) Why do the sessions keep running and working fine if the PNA has lost contact with the server? We have the feature enabled to keep the session interface live and cache the typed input, then send it to the server when the session is reestablished, but the interactivity the users have with the session and the length of time they are interacting seem beyond this feature's capability or intent.

Expert Comment

by:croberds
ID: 21855929
I saw this question yesterday, but I don't have a concrete answer. Hopefully I can at least give you some input, as this looks like it could take some work to figure out.

I think the initial logon problem is that when the system boots up, PNA tries to run before the user is inside the domain/VPN. Assuming the website is inside the VPN, it cannot find it or doesn't have permission to it until the other credentials are loaded. So when you try to reconnect, the user has authenticated into the VPN/domain, so it works the second time.

As far as the disconnects, I have not seen that before. I would guess it is firewall related. Perhaps some sort of threshold is in the firewall settings and it disconnects the session(s)? In Citrix or TS, you can limit the sessions, and if the user hits those, depending on how it is set up, you will either take over one of the older sessions or it won't let you in, but I have never seen it totally disconnect the PNA from the web server.
 

Author Comment

by:eskomra
ID: 21857860
Thanks Croberds! I was getting lonely not hearing from anyone. I realized I wrote a book, but I'd rather give more info than less. I did try to sum it up with the post this morning.

The users are logging onto our AD domain when they boot their workstations through an existing hardware-based VPN tunnel that is already established. The PNA is not set to use passthrough auth, so no credentials are being sent. Even if they were, the issue is that the PNA is not able to locate the server initially until it is told to try again. Sometimes the "Change Server" option must be clicked multiple times to finally locate the server. My guess is that there is something really hosed in our network structure. I'm still waiting for our Network Admin to call me.

What would be really helpful is to know what kind of network traffic is sent by the PNA at startup so I can figure out where it is failing. I would also like to know how it keeps the PNA connection alive so I can figure out how it is failing intermittently.

Any input is greatly appreciated!

Assisted Solution

by:croberds
croberds earned 500 total points
ID: 21857993
The keep-alive sessions use port 2598. However, that shouldn't disconnect PNA. PNA uses ports 443 and 444.

While the credentials aren't sent, if PNA is in the startup folder of the client PC it tries to contact the web server either by FQDN or IP address.

Since PNA is using a web address, it could perhaps be something with a proxy as well, if you are using one.
 

Author Comment

by:eskomra
ID: 21874460
No proxy in use here.

Our Application Administrator has done the following:
"I made a change to the Web Interface settings that have upped the session expiration from 20 minutes to 2 hours. This may affect people in the PNA as well that have been logged off after a while as it is calling the WI."

Are there other settings we should tweak?
 

Accepted Solution

by:
eskomra earned 0 total points
ID: 21919261
Anybody get a fix for this from Citrix yet?

http://support.citrix.com/forums/thread.jspa?forumID=186&threadID=103003&tstart=0

Any ideas on how to get around it or trick it to keep it alive?

From Citrix Support Forum

Re: PNAgent goes offline after network inactivity
Posted: Jun 2, 2008 11:47 AM
 
We have traced this down to the "InternetGetConnectedState" API call to wininet.dll returning false. This check was introduced in 10.1. The PNAgent client checks this setting exactly every 3 seconds - if it returns false, it doesn't even attempt to make a connection, and immediately goes offline.

From what I am seeing/reading, this isn't the most reliable method of determining network connectivity (many developers seem to recommend attempting an actual connection instead).
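
The quoted Citrix forum reply contrasts a cached connectivity flag with attempting an actual connection. The following Python is an added example, not code from this thread or from Citrix: `probe` and `watch` are hypothetical helper names, the 3-second default interval simply mirrors the check interval quoted above, and the loopback listener in the demo is constructed to stand in for the Web Interface server.

```python
import socket
import time


def probe(host, port, timeout=3.0):
    """Attempt a real TCP connection and classify the outcome."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"          # name did not resolve
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"
        except ConnectionRefusedError:
            return "refused"          # host reachable, nothing listening
        except socket.timeout:
            return "timeout"          # typical of a filtered port or dead tunnel
        except OSError:
            return "unreachable"      # no route, network down, etc.


def watch(host, port, samples, interval=3.0, timeout=3.0):
    """Probe repeatedly; record (time, state) only when the state changes."""
    changes, last = [], None
    for i in range(samples):
        state = probe(host, port, timeout)
        if state != last:
            changes.append((time.strftime("%H:%M:%S"), state))
            last = state
        if i + 1 < samples:
            time.sleep(interval)
    return changes


if __name__ == "__main__":
    # Constructed demo: a loopback listener plays the server role.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]
    print("listener up:  ", probe("127.0.0.1", port))
    srv.close()
    print("listener down:", probe("127.0.0.1", port))
```

Run from a remote-site workstation against the Web Interface host, the state changes logged by `watch` separate name-resolution failures from refused or silently dropped connections, which is the distinction the initial-logon and periodic-logoff symptoms need.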
 