
Stop guessing: "Registered, but LAS endpoint is unreachable".

We have all seen this error in the Citrix Cloud Console (see 2nd image). It claims the endpoint is unreachable, yet the firewall logs say everything is fine.

The problem is rarely just the network. It is often a combination of outdated software versions, stopped services, time drift, or missing TLS 1.2 registry keys. Standard tests like Test-NetConnection are insufficient because they miss the application-layer context.

 

I wrote a PowerShell Diagnostics Tool to solve this once and for all.

What it does (Version 2.23):

  • Version Check: Verifies if your License Server meets the minimum requirement (11.17.2.0) for Cloud LAS.

  • Service Watchdog: Checks if critical services (Citrix Licensing, Web Services) are running and attempts to auto-start them if stopped.

  • Time Sync: Detects time drift between your server and the Cloud (vital for OAuth tokens).

  • True Connectivity Check: Correctly interprets HTTP 403/404 as a successful technical connection (Green/OK).

  • SSL Verification: Confirms the handshake is secure and valid.

If this tool shows "Green", your infrastructure is fine, and you can focus on the real issue.

IMPORTANT: Make sure you press the "Migration" button in Studio!

Download: Citrix-LAS-Tool.ps1

  • Bill · 5 days ago
    Thank you so much for this script. After everything green, it looks like our firewall may be adding SSL Inspection to the traffic which might be causing our SSL failures reaching Citrix Cloud to get a registration code. Wireshark shows TLS dropping after the negotiation phase, and we also see this in one of the log files:

    04/03/2026 15:52:24.210 [Error] : Operations::DoInternetCheck : operations.cpp : 467 : Operations::HandlePopUpRequest while pinging KRS endpoint trust.citrixnetworkapi.net:443/root/trust/v1/ping failed with following error
    OpenConnectionSSL(trust.citrixnetworkapi.net,443) failed: SSLOpen() failed! doClientHandshake() failed! SSL_STATUS_ALERT_HANDSHAKE_FAILED a handshake failure alert was received
    An unclassified SSL network error occurred. (error code: error:00000000:lib(0):func(0):reason(0))doHandshake() failed! An unclassified SSL network error occurred. (error code: error:00000000:lib(0):func(0):reason(0))

    We have a case open with Citrix, but can anyone confirm that Citrix LAS doesn't work with SSL Inspection?
    Our NetScalers didn't have any issues, but those are using NetScaler Agents to communicate with cloud NetScaler Console.

    • Thomas Kötzing · 4 days ago
      @Bill Your finding is absolutely correct. While the script shows 'Green' because the OS trusts your firewall's CA, the native Citrix LAS service often fails during the TLS handshake when the certificate is intercepted (SSL Inspection). I will add a certificate issuer check to the next version of the script to alert users when a non-Citrix certificate is detected.
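
The issuer check discussed in the exchange above, sketched as an added example (not part of the comments and not code from Citrix-LAS-Tool.ps1). It completes a TLS 1.2 handshake with the endpoint named in the log excerpt and reports who issued the certificate this server actually receives; `Test-TlsIssuer` and `-ExpectedIssuerPattern` are hypothetical names, and the expected issuer is an operator-supplied assumption.

```powershell
# Added example. -ExpectedIssuerPattern is a hypothetical parameter: a regex for the
# issuer you see for the same host from a network path without TLS inspection.
function Test-TlsIssuer {
    param(
        [string]$HostName = 'trust.citrixnetworkapi.net',  # endpoint from the log excerpt above
        [int]$Port = 443,
        [Parameter(Mandatory = $true)][string]$ExpectedIssuerPattern
    )
    $seen = @{ Errors = $null }
    # Record the OS verdict but accept the certificate, so an intercepted or
    # untrusted chain can still be read. No application data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($s, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Force TLS 1.2 explicitly instead of relying on .NET defaults.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result = [pscustomobject]@{
            Host          = "${HostName}:$Port"
            Protocol      = $ssl.SslProtocol
            Subject       = $leaf.Subject
            Issuer        = $leaf.Issuer
            NotAfter      = $leaf.NotAfter
            OsTrusted     = ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            IssuerMatches = ($leaf.Issuer -match $ExpectedIssuerPattern)
        }
        if ($result.OsTrusted -and -not $result.IssuerMatches) {
            Write-Warning "Chain is trusted by Windows but issued by '$($leaf.Issuer)': likely TLS inspection."
        }
        $result
    }
    catch {
        Write-Warning "TLS 1.2 handshake to ${HostName}:$Port failed: $($_.Exception.Message)"
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}
```

A result with OsTrusted = True and IssuerMatches = False is the case described above, where an OS-level check passes although the certificate comes from the inspecting firewall.
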
  • Mike · 14 days ago
    Maybe worth an explainer on the TLS settings and why they are so important?

    PHASE 3: SYSTEM HEALTH (CRYPTO & TLS)
    -------------------------------------
    Analyzing Crypto Settings... |/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\DONE
    Strong Crypto (64-Bit) : [ MISSING ]
    Strong Crypto (32-Bit) : [ MISSING ]

    [!] REGISTRY STATUS REPORT:
    - 'SchUseStrongCrypto' is MISSING. This is CRITICAL.
    • Thomas Kötzing · 13 days ago
      @Mike Citrix Cloud strictly enforces TLS 1.2. Older .NET Frameworks (pre-4.7) default to older protocols like TLS 1.0/1.1 for web requests. Without the SchUseStrongCrypto key, the Citrix Licensing service tries to connect using outdated protocols and gets blocked. The Cloud console then simply throws the misleading "unreachable" error.
  • Vic · 28 days ago
    Hi, just checking if this script is to be run on the license server?