Session Reliability (CGP) Issue

For some reason, Session Reliability was not working on a bunch of 32-bit Windows Server 2003 servers running XenApp 5.0. When you tried to connect to a published desktop with Session Reliability switched on, you would get a generic 1030 error.

The 'Citrix XTE Server' service was started and running correctly and it was listening as expected on port 2598.

So what gives? Upon digging deeper, found some interesting information in the XTE error log file. The log file is located at: C:\Program Files\Citrix\XTE\logs\error.log

[Tue Jan 14 14:55:33 2014] [error] [client 10.2.2.25] client denied by server configuration: 127.0.0.1:1494
[Tue Jan 14 14:55:33 2014] [error] CH 0: ACCESS DENIED to destination address 127.0.0.1:1494

Why was access denied? A bit more digging revealed this Citrix article:

http://support.citrix.com/article/ctx106531

Cracked open: C:\Program Files\Citrix\XTE\conf\httpd.conf

In the CGP Configuration section, I noticed the line Allow to 10.8.2.135:1494. Full section below.

<VirtualHost *:2598>

      #CGP Protocol State
      CgpProtocol  On

      #Max TCP Channels Per Session
      CgpTcpChannelsPerSession 50

      #Disconnected Sessions Timeout (msec)
      CgpInterruptedSessionTimeout 180000
      CgpHandshakeTimeout 100000
      CgpInterruptedSessionsThreadWakeupInterval 60000
      <Location /destination/cgp>
      Order Allow,Deny
      Allow to 10.8.2.135:1494
      </Location>

</VirtualHost>  

On a working server, that line read Allow to 127.0.0.1:1494. It was quite clear that this was causing the Access Denied error. The next step was to find out why this line was different on some servers and not others.

After a bit of digging, we figured out that this was caused by the Network Adapter binding in the ICA-tcp Terminal Services Connection.

As you can see in the screenshot, the protocol is bound to the adapter 'vmxnet3 Ethernet Adapter'. On the working server, this was set to 'All network adapters configured with this protocol'.

Switched it back and a reboot later, the httpd.conf file was looking as it should.

<VirtualHost *:2598>

      #CGP Protocol State
      CgpProtocol  On

      #Max TCP Channels Per Session
      CgpTcpChannelsPerSession 50

      #Disconnected Sessions Timeout (msec)
      CgpInterruptedSessionTimeout 180000
      CgpHandshakeTimeout 100000
      CgpInterruptedSessionsThreadWakeupInterval 60000
      <Location /destination/cgp>
      Order Allow,Deny
      Allow to 127.0.0.1:1494
      </Location>

</VirtualHost>  

And CGP was working again!