ICA Session launches may fail with reason «Licensing» in Citrix Director after the controller has entered an emergency license caching mode but it still within grace period.

by admin | Apr. 15, 2026 | ALARM, ctx_adc, ctx_workspace

book

Article ID: CTX696464

calendar_today

Updated On: 04-13-2026

timeline

Article Record Type: Problem Solution

calendar_today

Created Date: 04-02-2026 20:03

Details

ICA Session launches may fail with reason «Licensing» in Citrix Director  after the controller has entered an emergency license caching mode but is still within grace period.

Event ID 1163 from Citrix Broker Service reporting «No connection license available» , indicating  launch failures is reported in the DDC application event logs.

Follow the below steps to identify if you are hitting this known issue. 

1. Log into Citrix Director and  view trends for connection failures. If you see the Failure Type as «No License Available» and Failure reason «Licensing»

2. Check the Application event logs on the Delivery controller and filter the event ID’s 1154,503,504,1163,1156 with Event Sources Citrix Broker Service, Citrix High Availability Service, Citrix ConfigSync Service as shown below. If a Citrix Site has multiple DD’s then the event sequence may be seen on one or more DDC’s that exposed this behaviour with its interaction with its Citrix High Availability Service.

3. Check if the events are logged in below sequence.

Note:

 During this process, Event IDs 503 and 504 from the Config Sync Service may or may not be observed.

The Config Sync Service can increase the likelihood of the issue occurring; however, the Citrix High Availability Service may independently detect the end of the grace period before the Citrix Broker Service. This timing difference can result in a race condition.

The key here is that Citrix High Availability Service reports that the  controller is no longer in an emergency license caching mode with event ID 1156 before Citrix broker service reports the same with event ID 1156.

1. Event ID 1154  from Citrix Broker Service indicating the  controller has entered an emergency license caching mode

2. Event ID 1154 from Citrix High Availability Service indicating the  controller has entered an emergency license caching mode

3. Event ID 503,504 from Citrix ConfigSync Service for receiving and importing the updated configuration

4. Event ID 1156 from Citrix High Availability Service reporting «The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.»

5. Event ID 1163 from Citrix Broker Service reporting «No connection license available» , indicating  launch failures.

6. Event ID 1156 from Citrix Broker Service reporting «The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.»

Here is the detailed event Log output for each of the event ID’s listed above:

Log Name:      Application
Source:        Citrix Broker Service
Date:          02-04-2026 06:43:44
Event ID:      1154
Task Category: None
Level:         Warning
Keywords:      
User:          NETWORK SERVICE
Computer:      yyy
Description:
This controller has entered an emergency license caching mode because it could not contact the license server ‚xxx‘. 
 
You have 716 hour(s) remaining before this controller stops providing desktop and application sessions.

Log Name:      Application
Source:        Citrix High Availability Service
Date:          02-04-2026 06:43:49
Event ID:      1154
Task Category: None
Level:         Warning
Keywords:      
User:          NETWORK SERVICE
Computer:      yyy
Description:
This controller has entered an emergency license caching mode because it could not contact the license server ‚xxx‘. 
 
You have 720 hour(s) remaining before this controller stops providing desktop and application sessions.

Log Name:      Application
Source:        Citrix ConfigSync Service
Date:          02-04-2026 06:49:08
Event ID:      503
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      yyy
Description:
The Citrix Config Sync Service received an updated configuration.

Log Name:      Application
Source:        Citrix ConfigSync Service
Date:          02-04-2026 06:50:44
Event ID:      504
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      yyy
Description:
The Citrix Config Sync Service imported an updated configuration.

Log Name:      Application
Source:        Citrix High Availability Service
Date:          02-04-2026 06:50:51
Event ID:      1156
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      yyy
Description:
The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.

Log Name:      Application
Source:        Citrix Broker Service
Date:          02-04-2026 06:51:16
Event ID:      1163
Task Category: None
Level:         Warning
Keywords:      
User:          NETWORK SERVICE
Computer:     yyy
Description:
No connection license available. To resolve, free licenses by closing sessions that are not needed, or add more licenses. 
 
Details: 
License Server Address: ‚xxx‘ 
License Server Port: ‚27000‘ 
Site License Model: ‚Concurrent‘ 
Site Edition: ‚PLT‘ 
ProductID: ‚XDT‘ 
User:zzz
Client ID: ‚FF01753A‘ 
Session Support: ‚MultiSession‘

Log Name:      Application
Source:        Citrix Broker Service
Date:          02-04-2026 06:58:34
Event ID:      1156
Task Category: None
Level:         Information
Keywords:      
User:          NETWORK SERVICE
Computer:      yyy
Description:
The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.

Problem Cause

Issue identified in the product.

Resolution

Refer to the below links to access the Hotfixes for different LAS compatible Delivery Controller versions:

2203 LTSR CU7 Update 1

2402 LTSR CU3 Update 1

2507 LTSR Update 1

2507 LTSR CU1 Update 2

2511 Update 2

Workaround:

The below workaround can be followed if you are unable to implement the Hotfixfix for any reason on the delivery controllers.

Note:

1. This workaround should be applied only after the issue occurs. It ensures that sessions launch successfully when the controller enters emergency license caching mode; however, a side effect is that Local Host Cache (LHC) will be disabled.
2. Once connectivity is restored and the primary Broker is confirmed to be out of the grace period (for example, by verifying Event ID 1156 in the Citrix Broker Service logs), you can restart the Citrix Config Sync Service and the Citrix High Availability Service to restore LHC functionality. However, If the controller enters emergency license caching mode again, these steps will need to be repeated.

Follow the below steps on one of the Delivery Controller:

Step 1: Stop these services:

Citrix ConfigSync Service

Citrix High Availability Service

Citrix Broker Service

In powershell, run:

Stop-Service CitrixConfigSyncService

Stop-Service CitrixHighAvailabilityService

Stop-Service CitrixBrokerService

Step 2: Start Citrix Broker Service In powershell, run: Start-Service CitrixBrokerService

Step 3: Wait 5-10min. Run powershell to check connection: Test-BrokerLicenseServer -ComputerName <license server address> -Port 8083 –CheckLasPE $true

If the result is Compatible, it means the connection to LAS is ok. If the result is NotCompatible/Inaccessible/InternalError, it means the connection to LAS is down.

Step 4: In event log, confirm Citrix Broker Service reports 1154 event again:

Summary

ICA Session launches may fail with reason «Licensing» in Citrix Director  after the controller has entered an emergency license caching mode but is still within grace period.

Event ID 1163 from Citrix Broker Service reporting «No connection license available» , indicating  launch failures is reported in the DDC application event logs.

This impacts Sites Migrated to LAS.

This issue can impact different CVAD versions supporting LAS, listed in https://docs.citrix.com/en-us/licensing/licensing-guide-for-citrix-virtual-apps-desktops.html

Install the Fix 

Caution! This release may require you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. 

This Update is for Version 2511 of the Citrix Virtual Apps and Desktops. Any known issues in Version 2511, except for the specific issues resolved in this release, still apply. 

Where to Find Documentation 

This document describes the issue(s) resolved by this Update and includes installation instructions. For additional product information, including supported operating systems and system requirements, see Citrix Virtual Apps and Desktops 2511 on the Citrix Product Documentation site. 

Symptoms 

ICA Session launches may fail with reason «Licensing» in Citrix Director after the controller has entered an emergency license caching mode but is still within grace period. 

or 

When LAS connection is lost, end users fail to launch desktop or application sessions with error in event log with event id 1163 

New Fixes in This Release 

 This release includes bug fixes for the License Activation Service (LAS) to improve high-availability (HA) performance and ensure accurate licensing status reporting, and to address the symptoms mentioned above. 

Key Improvements 

Race condition during licensing state transitions could lead to incorrect license caching mode period calculations. This prevents session launches (CVADHELP-31920). 

Fixes from Replaced Updates 

No Updates were replaced by this release. 

Installing and Uninstalling this Release 

Notes: 

Maintenance Window Recommendation: Citrix recommends scheduling a maintenance window to minimize user impact during the update process.  

Caution: Citrix recommends that you back up your database before installing this hotfix. Doing so allows you to manually restore your database to the backed-up version. Any changes made between backup and restore will be lost. For information about backing up and restoring your database, see: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/upgrade-migrate 

To Install This Update: 

Use the following steps to apply this update: 

1. Stop the Citrix Broker Service and Citrix High Availability Service.  
2. Rename the files NetLicwrapper.dll, Citrix.Licensing.LasPolEng.dll under C:\Program Files\Citrix\Broker\Service to NetLicwrapper_Backup.dll, Citrix.Licensing.LasPolEng_Backup.dll. 
3. Extract the downloaded ZIP file and copy the extracted files to C:\Program Files\Citrix\Broker\Service. 
4. Restart the Citrix Broker Service and Citrix High Availability Service. 

To Uninstall This Update 

Use the following steps to remove this update: 

1. Stop the Citrix Broker Service and Citrix High Availability Service. 
2. Rename the files NetLicwrapper.dll, Citrix.Licensing.LasPolEng.dll under C:\Program Files\Citrix\Broker\Service to NetLicwrapper_Update1.dll, Citrix.Licensing.LasPolEng_Update1.dll. 
3. Rename the files NetLicwrapper_Backup.dll, Citrix.Licensing.LasPolEng_Backup.dll under C:\Program Files\Citrix\Broker\Service to NetLicwrapper.dll, Citrix.Licensing.LasPolEng.dll. 
4. Restart the Citrix Broker Service and Citrix High Availability Service. 

Download by AXACOM: Citrix Virtual Apps and Desktops FIX

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-12101

by admin | Nov. 12, 2025 | ALARM, ctx_adc, ctx_workspace

Attention! Please note the following regarding to this update:

Netscaler customers who are not yet using Flex licensing (CITRIX HMC) or Fixed Term licenses must download the installed license file again from the www.citrix.com portal (License) with the correct MAC address and replace it on the Netscaler. These newly created license files will then only be valid until April 2026. If the file is not replaced, the Netscaler will start up with a freemium license after a reboot!
AXACOM AG recommends installing this patch (medium with a score of 5.9) only when the Netscaler can be converted to the new LAS licensing.

License Activation Service

Important:

File-based licensing system (also referred to as manually managed entitlements), traditionally used for activating various on-premises components, will be End of Life (EOL) on April 15, 2026. License Activation Service (LAS) is the next generation technology for product activations across the suite of Citrix products. LAS will be the only way to activate and license NetScaler instances after April 15, 2026, supporting NetScaler Flexed licenses (CPL/UHMC), legacy NetScaler Pooled licenses, and NetScaler Fixed term Bandwidth licenses. To remain supported, your NetScaler and NetScaler Console deployments must be on a LAS compatible version.

The minimum required NetScaler^® versions that are LAS compatible are:

• NetScaler ADCs: 14.1-51.80, 13.1-60.29, 13.1-37.247 (FIPS)
• NetScaler SVM: 14.1-51.83, 13.1-60.30
• NetScaler Console Service: Supported from early September 2025
• NetScaler Console on-prem: 14.1-51.83Note: LAS support for Console on-prem is from release 14.1-51.83 onwards. However, file-based licensing is deprecated from Console on-prem releases 14.1-51.83 onwards and 13.1-60.26 onwards, and goes EOL on April 15th, 2026. That is, even if you upgrade to Console on-prem release 14.1-51.83 or release 13.1-60.26 or later, you can continue using file-based licensing. However you must upgrade to Console on-prem release 14.1-51.83 or later, and switch to LAS before 15th April 2026 because file-based licensing reaches EOL.

All the other forms of legacy NetScaler licenses such as Pooled vCPU, CICO, perpetual will not be supported with LAS. NetScaler instances leveraging perpetual licenses without an active maintenance will become unlicensed upon upgrade to the above mentioned software versions.

LAS based licenses may not be available to customers where prohibited by law or regulations.

If you have questions or concerns, contact Customer Care. Citrix^® may limit or suspend your Citrix Maintenance for non-compliance with these requirements without liability in addition to any other remedies Citrix may have at law or equity. These requirements don’t apply where prohibited by law or regulation.

License Activation Service | NetScaler 14.1

Article Id : CTX695486

Last Modified Date : 11-11-2025 12:40

Created Date : 11-11-2025 10:19

Article Record Type : Security BulletinSeverity :

 Medium

Summary

Severity – Medium

Description of Problem

A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

Affected Versions

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

• NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-56.73
• NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-60.32
• NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.250-FIPS and NDcPP
• NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.333-FIPS and NDcPP

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and are vulnerable. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities. 

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

Disclaimer

The information on this page is being provided to you on an «AS IS» and «AS-AVAILABLE» basis. The issues described on this page may or may not impact your system(s). Cloud Software Group, Inc. and its subsidiaries (collectively, «Cloud SG») make no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE ARE HEREBY DISCLAIMED. BY ACCESSING THIS PAGE, YOU ACKNOWLEDGE THAT CLOUD SG SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. Cloud SG reserves the right to change or update the information on this page at any time. We accordingly recommend that you always view the latest version of this page. The information contained herein is being provided to you under the terms of your applicable customer agreement with Cloud SG, and may be used only for the purposes contemplated by such agreement. If you do not have such an agreement with Cloud SG, this information is provided under the cloud.com Terms of Use, and may be used only for the purposes contemplated by such Terms of Use.

Details

NetScaler ADC and NetScaler Gateway are affected by the vulnerability mentioned below:

What Customers Should Do

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

• NetScaler ADC and NetScaler Gateway 14.1-56.73 and later releases
• NetScaler ADC and NetScaler Gateway 13.1-60.32 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.250 and later releases of 13.1-FIPS and 13.1-NDcPP
• NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.333 and later releases of 12.1-FIPS and 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

CVE-2025-12101 : 

Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings

• An Auth Server (AAA Vserver):
  add authentication vserver .*
• A Gateway (VPN Vserver,  ICA Proxy, CVPN, RDP Proxy) :
  add vpn vserver .*