Monday, December 14, 2020

Citrix ADC / NetScaler monitors for Exchange 2019 fails with: "Failure - Time out during SSL handshake stage"

Problem

You’re attempting to publish / load balance your on-premises Exchange 2019 servers behind a Citrix ADC / NetScaler but notice that the health monitors created to check the health of the services (e.g. https://172.16.1.81/owa/healthcheck.htm) fail with the following error:

Failure - Time out during SSL handshake stage

The rest of the monitors are all reporting the same error:

Further troubleshooting reveals that the failure is caused by the following server hardening registry values having been added to the Exchange 2019 servers:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

AllowInsecureRenegoClients (REG_DWORD) = 0
AllowInsecureRenegoServers (REG_DWORD) = 0

Removing these entries from one of the Exchange servers corrects the error and allows the probe to report that the server is up (the service group shows as only partially up because the other server still has the registry values):
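The following PowerShell is an added example and is not part of the original post. It reads the two SCHANNEL values above from each Exchange server over WinRM (the server names are placeholders) and then fetches the same health-check URL the ADC monitor uses, so that a monitor failing on the TLS handshake can be told apart from a server whose OWA health check is genuinely failing.

```powershell
# Added example, not from the original post: audit the two SCHANNEL hardening
# values discussed above on each Exchange server and probe the same OWA
# health-check URL the ADC monitor uses. Server names below are placeholders.
param(
    [string[]]$Servers = @('EXCH01.corp.example', 'EXCH02.corp.example'),   # placeholder names
    [string]$HealthCheckPath = '/owa/healthcheck.htm'
)

$SchannelKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$RenegoValues = @('AllowInsecureRenegoClients', 'AllowInsecureRenegoServers')

function Get-SchannelRenegoSetting {
    # Runs on each remote server. A value of 0 tells SChannel to refuse
    # (re)negotiation with peers that do not implement RFC 5746 secure
    # renegotiation; a missing value means the Windows default applies.
    param([string]$Key, [string[]]$Names)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $raw = if ($null -ne $props) { $props.$name } else { $null }
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Name   = $name
            Value  = if ($null -eq $raw) { 'absent (default)' } else { $raw }
            Effect = if ($raw -eq 0) { 'non-RFC 5746 peers refused' } else { 'not restricted by this value' }
        }
    }
}

# 1. Collect the registry state from every server (needs WinRM and admin rights).
$settings = foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server `
                   -ScriptBlock ${function:Get-SchannelRenegoSetting} `
                   -ArgumentList $SchannelKey, $RenegoValues
}
$settings | Format-Table Server, Name, Value, Effect -AutoSize

# 2. Probe the health-check URL from this workstation. A Windows client
#    negotiates RFC 5746, so an HTTP 200 here while the ADC monitor still
#    reports "Time out during SSL handshake stage" points at the probe's TLS
#    renegotiation behaviour rather than at the Exchange service itself.
foreach ($server in $Servers) {
    $uri = "https://$server$HealthCheckPath"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        Write-Output ("{0} -> HTTP {1}" -f $uri, $resp.StatusCode)
    } catch {
        Write-Output ("{0} -> {1}" -f $uri, $_.Exception.Message)
    }
}
```

Run it from a management host that can reach the Exchange servers over WinRM. A certificate-validation failure on the health-check URL shows up as the exception message in step 2, which is itself useful information, since the ADC's back-end SSL settings will be negotiating against the same certificate.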

Various forum discussions on Citrix point to adjusting Deny SSL Renegotiation, but none of the configuration settings corrected the issue in the environment I worked with:

https://discussions.citrix.com/topic/388325-netscaler-12-rfc-5746-on-backend-bug-limitation/#comment-1975755

https://discussions.citrix.com/topic/401441-basic-load-balancing-for-owa-exchange-2019/page/3/

Solution

After performing extensive troubleshooting but not able to come to a resolution, I decided to upgrade the Citrix ADC / NetScaler from NS13.0 52.24.nc to the latest build available at the time, which was NS13.0 67.39.nc:

NS13.0 52.24.nc

NS13.0 67.39.nc

This resolved the issue, with the services now correctly determined as UP:

Hope this helps anyone who might be facing this same issue as there isn’t much material available and the available solutions did not work for me.

4 comments:

Anonymous said...

For what it's worth, we are experiencing the exact same scenario you've laid out. We will be attempting an ADC FW update in the next week and hope to see the issue resolved as you reported!

Almon Packard said...

Thank you Terence for your very helpful posts. The registry keys you noted regarding Renegotiation are the key! By default, the NetScaler is configured to DENY ALL renegotiation. The solution for me was to modify the default backend SSL profile (or create a new one) and select FRONTEND_CLIENT in the Deny SSL Renegotiation field, then specify the SSL profile in the monitor.

Anonymous said...

Yes! Thank you. Was banging my head trying to figure out why the monitors on my ADC / NetScaler were not working for this one Exchange server. Removing those registry entries and restarting the IIS service fixed it.

Unknown said...

I followed Almon's suggestion for the SSL profile and everything is working now. Thank you so much.