NetScaler Login exceeds maximum allowed users after 10.1 upgrade

Shortly after our recent NetScaler upgrade from 9.3 -> 10.1, users reported getting the error “Login exceeds maximum allowed users” in their browsers when attempting to log in to the Access Gateway (NetScaler Gateway).  A remote session with a Citrix technician revealed that we had indeed hit our license limit as seen under NetScaler Gateway / Active User Sessions. We did see that some users were logged in two or more times, and it’s possible that the way licenses are consumed under 10.1 is different from 9.3, which might be why we never hit the licensing limit before.  The options presented by the Citrix tech were:

  1. Ask users to deliberately log out of the Access Gateway when they are done (vs. just allowing their sessions to time out) in order to free up their license.  This would, of course, require user education.
  2. Switch our Access Gateway Virtual Server from SmartAccess Mode (includes VPN access) to Basic Mode (ICA proxy-only).  Without taking additional steps such as allowing VPN for just a subset of our users, this option would remove VPN ability for all users from the gateway but allow unlimited connections through the gateway to our apps.
  3. Lower the timeout value for our Access Gateway, forcing users to re-authenticate to the gateway during the workday.

If memory serves, the technician also mentioned that the 10.5 version of NetScaler would allow a user who logged into the Access Gateway more than once to “assume” the license from his/her previous session.  An immediate upgrade to 10.5 was not an option in our case.

After a quick review of our environment, the technician suggested we switch to Basic Mode on our Virtual Server under NetScaler Gateway / Virtual Servers as no VPN was required in our environment.

By Robert Blissitt


3 replies on “NetScaler Login exceeds maximum allowed users after 10.1 upgrade”

I run in a similar case, upgrading from 10.0 to 10.5.

You talk about a feature in 10.5 that user will consume only 1 license even they open their browser and logon into Netscaler without logging of.

I notice that the feature (in my environment) still no work…
Did you notice difference upgrading to 10.5 ?

Many thanks,


Hello Roberto. I’m afraid I can’t speak to your question because we changed our NetScaler Gateway from SmartAccess Mode (includes VPN access) to Basic Mode (ICA proxy-only), so now we have unlimited ICA connection licenses. If you do not need the VPN feature, you can make the same change on your NetScaler Gateway.

I realize this is an old thread, but there are potentially a couple of things going on here that you should address.

First, the software architecture changed from 9.3 -> 10.1 to where the ICA connections USED TO BE licensed and they no longer are. In order to achieve this UNLIMITED option in the license, the platform license for the NetScaler needs to be re-allocated from the MyCitrix portal.

Second, be sure you set the option for ICA ONLY on the vServer so that it does not attempt to consume licenses.

Leave a Reply

Your email address will not be published. Required fields are marked *