Last week, I was working on my first NetScaler in a while, replacing a Citrix Secure Gateway with an Access Gateway site. I had just completed the setup, had test users connecting and everything working great…until the 6th user tried to login and just as I was about to bite into a Chic-fil-a sandwich, I got an email saying that users were receiving the following error message when they attempted to access published applications:

Cannot connect to Citrix metaframe server, ssl error 38

There were a couple problems contributing to my dilemma which I’ll go over here.

1. Licensing setup

Whether or not its technically correct to say this, the NetScaler came with two licenses. One was a license for the appliance itself and the other was the Citrix Access Gateway Platform License. Turns out, I allocated both licenses using the MAC or HostID of the appliance. What I should have done, based on conversations with Citrix support engineers is license the appliance using the MAC and then licensed the Access Gateway Platform license using the Hostname of the appliance.

The first clue that something was wrong, a clue that I looked over, was the Maximum ICA Users Allowed option in the Licenses pane of the NetScaler GUI read 0 as shown below:

The first thing I had to do was return the Citrix Access Gateway Platform license and reallocate it based on the appliance’s hostname “netscaler”:

Once I had reallocated the license based on the hostname and uploaded it to the NetScaler, the Maximum ICA Users Allowed option in the Licenses pane of the NetScaler GUI read 10000, which means the Citrix Access Gateway Platform license is applied successfully.

2. Change the Access Mode of the Access Gateway Virtual Server

I had one additional problem on my Access Gateway virtual server, it’s access mode was set to SmartAccess Mode and needed to be set to Basic Mode to use my “10000” connections.

Once these changes were made, the users could login and I went back to eating my Chic-Fil-A sandwich.

Happy New Year!!