Citrix Virtual Apps and Desktops

Troubleshooting

To confirm that HDX Direct successfully established a direct connection, you can use the CtxSession.exe utility on the VDA machine.

To use the CtxSession.exe utility, launch a Command Prompt or PowerShell within the session and run ctxsession.exe -v. If the HDX Direct connection is successfully established, HDX Direct Status is Connected.

HDX Direct Troubleshooting

You can also look at the session host’s event logs for information on whether the HDX Direct connection was established successfully or failed. See the Event Logs section for details.

Note:

Depending on the environment and the number of IP addresses available to the session hosts, it can take up to 5 minutes for the HDX Direct connection to be established.

When HDX Direct fails to establish a direct connection

If HDX Direct is failing to establish a direct connection, review the following steps:

  1. Ensure that the VDA version and Workspace app version in use support the feature per the system requirements.
  2. Confirm that you have a policy applied to the VDA that enables HDX Direct and that there are no other policies with higher priority disabling the feature.
  3. Confirm that you have a policy applied to the VDA that sets the desired HDX Direct mode and that there are no other policies with higher priority overwriting the configuration.
  4. Ensure that the Citrix ClxMtp Service is running on the session host.
  5. Ensure that the Citrix Certificate Manager Service is running on the session host. If it’s not running, try to start it manually. The service automatically stops if HDX Direct is disabled.
  6. Check if the session host has its self-signed Root CA certificate:
    1. Issued to: CA-<hostname> (For example, CA-FTLW11-001)
    2. Issued by: CA-<hostname> (For example, CA-FTLW11-001)
    3. Issuer details: The organization is Citrix Systems, Inc.
  7. Check if the session host has its self-signed server certificate:
    1. Issued to: <host FQDN> (For example, FTLW11-001.ctxlab.net)
    2. Issued by: CA-<hostname> (For example, CA-FTLW11-001)
    3. Issuer details: The organization is Citrix Systems, Inc.
  8. If the certificates are missing, contact Citrix Tech Support.
  9. If the certificates are present:
    1. Stop the Citrix Certificate Manager Service on the session host.
    2. Delete both the self-signed Root CA certificate and the self-signed server certificate.
    3. Start the Citrix Certificate Manager Service on the session host. The service creates new certificates once it starts.
  10. For internal users:
    1. Ensure the session host’s firewall is not blocking inbound traffic on UDP 443 or TCP 443, for HDX over EDT and HDX over TCP, respectively.
    2. Ensure that your network firewall is not blocking traffic on UDP 443 and TCP 443 between your clients’ network and session hosts’ network.
  11. For external users:
    1. Check the NAT type for the client and the session host, and ensure that the combination is expected to work. See the NAT Compatibility section for details.
    2. If the NAT test fails on either the client or the session host:
      1. If there is a firewall running on the system, ensure it is not blocking outbound traffic on UDP 3478.
      2. Ensure that your network firewalls are not blocking outbound traffic on UDP 3478.
      3. Ensure the firewalls are not blocking the STUN server’s response.
    3. Ensure that your network firewalls have the appropriate rules configured to allow all necessary traffic. See the Network Requirements section for details.
    4. If you change the default port range using the HDX Direct port range policy setting, ensure that your firewall rules are set for the custom port range.

Event logs

The following events are logged in the VDA machine’s event log:

Log ID Source Level Description
Applications and Services Logs > Citrix-HostCore-HDX Direct/Operational 1 HDX Direct Information HDX Direct connection for internal user <username> established.
Applications and Services Logs > Citrix-HostCore-HDX Direct/Operational 2 HDX Direct Information HDX Direct connection for external user <username> established.
Applications and Services Logs > Citrix-HostCore-HDX Direct/Operational 3 HDX Direct Information HDX Direct connection for user <username> failed.

Known issues

HDX Direct might stop working after performing an in-place upgrade of the VDA on a machine that already has HDX Direct enabled. To resolve the issue, complete the following steps:

  1. Stop the Citrix Certificate Manager Service on the session host.
  2. Delete the self-signed Root CA certificate and the self-signed server certificate.
  3. Open the registry.
  4. Delete the HKLM\Software\Citrix\HDX-Direct key.
  5. Go to HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Wds\icawd.
  6. Set the SSLEnabled value to 0.
  7. Delete the contents of the SSLThumbprint value.
  8. Start the Citrix Certificate Manager Service.
Troubleshooting