XMS GSLB Active/Active MVPN issue and solution

NetScaler Xenmobile

While working with a customer on a worldwide configuration, the customer wanted to provide access to a "local" NetScaler for mVPN in Secure Hub.

After some time debugging the infrastructure, we finally got it working.

The configuration was as follows:

Physical NetScalers in the US on 2 sites, with an Active/Passive GSLB configuration for the XMS servers (4-node cluster with 2 nodes on each site).

Virtual NetScalers in Europe and APAC for NetScaler Gateway (VPN) access in Secure Hub, running Active/Active based on a GSLB Static Proximity configuration.

The problem was that the MAM enrollment was not working in Europe and APAC.

I will not explain here all the tests we did, but it took us more than 2 weeks with Citrix Support.

In the end, the solution was to use 2048-bit certificates on XMS and NetScaler; in fact, VPX does not support 4096-bit certificates on the back end.

So keep in mind: if you use VPX with XenMobile, do not use 4096-bit certificates!
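
To check certificates before deploying them, the following added example (not from the original post or from Citrix) reports the public key size of each PEM certificate and flags any key larger than 2048 bits, the size the post found working. The function names and the 2048-bit default limit are assumptions of this example; `fetch_server_cert` needs network access to the server being checked.

```shell
#!/bin/sh
# Added example: audit key sizes of certificates destined for XMS / NetScaler VPX.
# The default limit of 2048 bits is an assumption taken from the size the post
# reports as working; pass another limit as the second argument to check_cert.

# Print the public key size (in bits) of a PEM certificate file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Save the leaf certificate a server presents (requires network access).
# usage: fetch_server_cert host port out.pem
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Return 0 if the key fits within the limit, 1 if it is larger, 2 if unreadable.
# usage: check_cert cert.pem [max_bits]
check_cert() {
    cc_file="$1"
    cc_max="${2:-2048}"
    cc_bits=$(cert_key_bits "$cc_file")
    if [ -z "$cc_bits" ]; then
        echo "UNREADABLE $cc_file"
        return 2
    fi
    if [ "$cc_bits" -gt "$cc_max" ]; then
        echo "TOO-LARGE  $cc_file (${cc_bits}-bit key, limit ${cc_max})"
        return 1
    fi
    echo "OK         $cc_file (${cc_bits}-bit key)"
    return 0
}

# Check every certificate given; return non-zero if any is too large or unreadable.
audit_certs() {
    ac_rc=0
    for ac_file in "$@"; do
        check_cert "$ac_file" || ac_rc=1
    done
    return "$ac_rc"
}

# Run as a script: sh audit.sh xms.pem gateway.pem
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```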

 

Note: This information is provided based on my own experience.