Home > Access Gateway, All, Citrix, NetScaler, Receiver, StoreFront > How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?

How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?

Ok, this is a common issue that you’ll end up in when setting up Access Gateway access scenarios:

How do you know which policy that is hit when your different Receivers are logging in?

Well, there are a couple of nice commands that can help you troubleshooting your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, and they are all linked to the virtual server like something like this simple example:


But in more complex scenarios you may end up controlling which browser the user is accessing with (for giving nice error messages instead of Citrix default messages when users may use an unsupported browser etc.), or when you have multiple AD domains and AD groups to link different policies to etc. Then it may be complex and you have multiple policies and profiles for the same config with minor changes like the SSO domain name etc. So how do you then troubleshoot that easily?

First we have the must know command that hooks into the auth process of the NetScaler and gives you a view of the authentication process:

cat /tmp/aaad.debug

When you run that and you authenticate you’ll see the result of your auth process agains for instance LDAP and RADIUS sources like the result here when I logged in to our little environment:


At the top of the output you see all the AD groups that I’m a member of that needs to match the group that you like to use on the NetScaler side, and last you see that accept from AD for my authentication request.

Then you know that you’re authentication ok, but which of the session polices are we hitting? Then you need to have a look at this great command:

nsconmsg -d current -g pol_hits

This is the output when I access using my Receiver on OS X:


As you can see this is helpful, then I for instance know that I’m using a Receiver that is passing  CitrixReceiver in the User-Agent string and also X-Citrix-Gateway in the header! And if I had multiple policies and a more complex setup then I would see if more policies where hit (linked to virtual server, group or user) and then can see where things can go wrong.

And if you need more great tips about nsconmsg examples then have a look at this great post!

That’s it for now! Happy NetScaler’ing! 😉


  1. September 25, 2013 at 08:51

    Hi Richard, Thanks for this article really helped me out!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: