When a user tries to logon to NetScaler Access Gateway they may receive a message such as “login exceeds maximum allowed users” if the Access Gateway VIP is configured for smart access mode.
Theres several reasons why you may get this error and I’ll list a couple of them here.
Do I need smart access mode
Smart access mode enables Access Gateway features such as EPA scans which check endpoints for the presence of Anti-Virus, files and many other items. Also smart access mode allows you configure the Access Gateway as an SSL VPN which requires the client device to use the Access Gateway plugin or clientless access to back end web resources.
What do I need for smart access mode
Smart Access mode you will not be surprised to hear is a licensed feature which you will need to purchase Universal licences. Each NetScaler comes with 5 universal licenses for you to use initially. Additional licenses can be obtained either through your XenApp/XenDesktop licensing agreement or as seperate bundles. Its also important to note that when a hostname is required for licensing purposes within your MyCitrix account then the hostname Is CaSe SeNsItIvE for the NetScaler.
Anyway back to topic, all NetScalers come with 5 universal licenses as shown in the picture of my VPX below, I’ve not purchased anything extra to get those.
Its important to understand that in the licensing console of a NetScaler the universal licenses required by Smart Access mode are represented with the “Maximum NetScaler Gateway Users Allow” section and that the “Maximum ICA Users Allowed” reflects the basic mode feature set of an Access Gateway namely ICA proxy for web and native receiver clients.
You have not purchased any Smart Access licenses and no more than 5 people can log into Access Gateway at a time.
This is quite straight forward in the when an Access Gateway VIP is created by default it will always run in Smart Access mode which you can check by opening the Access Gateway VIP and in older versions checking the radio button setting depicted below.
In 10.5 this has changed a bit and is not imediately obvious but the setting is now called ICA Only. If this is set to false then the VIP is running in Smart Access mode, hit edit and change it to true and then save the config.
You are utilising Smart Access mode but users are still receiving the “Login exceeds maximum allowed users” message when you should have plenty of licenses and checking the licensing page proves you have installed the correct number.
There are two possible solutions to this one. Firstly you may have an incorrect number of “Maximum Users” specified. Open up your Access Gateway VIP and check the setting depicted below.
If that is set to anything other than 0 or over the number of universal licenses you have purchased then again edit the NetScaler Access Gateway VIP and set it to the maximum amount of licenses you have purchased.
Solution two point one
I have also seen in a couple of firmware revisions of NetScaler that a global default setting the maximum amount of users override the locally specified Maximum Users count which again results in the Login exceeds maximum allowed users message.
You can check this by logging into the NetScaler through a tool such as putty and running the command “show AAA parameter” this will print out something similar to the below.
We are interested in the MaxAAAUsers entry here and if you suspect that users receive the Login exceeds maximum allowed users message after that the MaxAAAUsers number has been reached then you can alter this by running the following commands replacing X with your number of purchased universal licenses:
set AAA parameter MaxAAAUsers X
Again make sure you save the config and then test that the correct number of users can now login to the Access Gateway VIPs.
Author: Dale Scriven
Subscribe to vhorizon
DisclaimerThis blog and any other post made by me on the internet is representative of my views only, they are not the views of my past/current/future employers.