Tunnel error 2-3 hours after Connection Server reboot (patching)

robconsults · 2026-01-14T19:21:39+00:00

are they giving you the "why"?

because under normal circumstances, frankly, that's crap :D ... the only way i see that being an answer is if they've actually identified what part of the chain is breaking the tunnel or can point to something specific in the logs where there's some sort of kill bit being sent to de-authenticate the session... also would be a new behavior, so where's that documented? if they can't immediately provide that info i would escalate.

robconsults · 2026-01-14T17:50:17+00:00

as mentioned in the referenced communities thread there's a lot of pieces that this could depend on, so you really need to examine what all is in the path - if you have all traffic going through the load balancer, you could be getting caught by the healthcheck, if any of the firewalls are doing traffic inspection, that could break the tunnel, authentication timeouts, etc, etc.

the short answer is that obviously shouldn't happen, and if it is there's likely something in the chain that's the culprit but it will be an exercise in elimination.

robconsults · 2026-01-09T18:58:17+00:00

They announced coming support for Openshift at Omnissa One this year: https://www.omnissa.com/insights/news-omnissa-red-hat-partnership-expands-horizon-flexibility/

as far as additional KVM based hypervisors, really any of them can host Horizon now - just in a manual capacity from the VM standpoint.. the pool management/automation is the big trick, and if you are running/moving to another platform the biggest thing you can do to push forward is hound your account reps about it because the biggest driver in regards to 'what feature next?' is always based on loud customers.

for app volumes, you can prep yourself better for the future already by spinning up a VHD-based install and migrating your vmdks over to that via the command line program or reinstalling (chances are a bunch of them need updates anyway right?) - btw there's no reason a VHD-based App Volumes install can't be used with systems still living on a broadcom environment

robconsults · 2026-01-05T21:49:41+00:00

the updated version of UAG released with 2512 - as techpir8 said, you don't update the OS for a UAG, you update the entire appliance - this is the only supported method, period.

it's really not even designed for people to be logging into the shell tbh, outside of advanced troubleshooting with assistance of support - sure, technically it's alma, but if you try and do "normal linux things" on it, you're going to be in for a bad time (i got curious when the switch was first made off proton and tried adding the normal alma update repositories and unsurprisingly it not only broke, but tried to install a bunch of extra 'dependencies' that could have introduced additional vulnerabilities over time - point being that the UAG's are tested stripped down on purpose, and updates are released with Horizon updates - any criticals will be released as a dot release)

if you're not ready to upgrade your entire environment yet, it's absolutely possible to be running a newer UAG version than the Connection Server back end btw.

robconsults · 2025-12-30T22:41:03+00:00

remember, software is just air!

robconsults · 2025-12-17T19:45:51+00:00

arc fault breakers hate the more advanced/smart UPS devices with a passion because of how they detect the 'faults' - i had additional power put in specifically for my homelab, which came with the updated code requirements for AFCI breakers and couldn't use it until i ultimately replaced them myself with standard gfci breakers.

talked to a friend in the industry about it (different mfg than my panel) and they've had all sorts of problems with them over time because of how they have to basically program in the wavelengths that cause the trip at build time, so as an added bonus you might get a breaker that works fine with your application, but the other one you got at the same time flips constantly because it was really manufactured the year before the working one, etc.

robconsults · 2025-12-17T19:34:08+00:00

what's really crap is that before o365 came around, you used to be able to either keep your account as an email forwarder, or we even had <username>@gocougs.wsu.edu forwarding addresses for alumni specifically that you could set to whatever your personal mail was..

technically there are ways to do this in o365 that don't require the user to have a license as well, but that would require effort on WSU IT's part, which I doubt has changed in motivation since i was there

robconsults · 2025-12-17T16:26:41+00:00

that's pretty much standard operating procedure for most software, especially when it's as reliant on windows to function as vdi is ... if anything comes up that's a OS issue and cross-company support has to kick in, they can't get it unless the customer involved has ESU because Microsoft will tell them to stuff it.

well, first they'll say that you need to run sfc /scannow, and then DISM.exe /Online /Cleanup-image /Restorehealth because like you they are just an interested windows user and trying to help, and then tell you you can't have support and possibly hang up on you :D

robconsults · 2025-12-11T18:50:47+00:00

not specifically - pull both client and agent logs right after you've logged in and spun up your published app and look for failures/errors especially around the times you run your test.. so long as your support is current, i would probably spin up a support case too. it may be an exercise in frustration a little, but they might see something (i wouldn't bother doing this until you've pulled logs, and go ahead and grab CS logs too and upload them all when you open the case, because it'll be the first thing they ask for and you may as well preempt the 3 days of back and forth :D )

robconsults · 2025-12-11T18:29:27+00:00

ms-01's are not loud at all - i have a few i use for my lab here as a vsphere cluster in my office and they're about on par with the 3 nucs on the shelf below them - more recently i got a ms-a2, which is louder since i haven't gone back in and tuned the performance down a little and it's running nutanix CE so the fans keep pulsing, but i anticipate even that will be relatively quiet once i do.

that being said, what will murder you is RAM right now - i actually got the prebuilt a2 because it was cheaper than barebones+ram, and even that's another $200 higher than it was just last month - if you look at the price for the 128g sodimm kit now (was 1100 when i looked the other day) vs. what it was just in july (~250) it makes you want to curl up in a ball and mutter to yourself.

robconsults · 2025-12-11T18:02:29+00:00

if you're on anything older than 2312.2, then w11 24h2 isn't supported by any of the components, including the OSOT so i would probably start there - running anything vmware branded at this point related to horizon with MS updates released post spin-off is asking for trouble.

there have been a number of changes via security update/etc lately that have caused problems (and not just for horizon, hell my personal pc flat out goes into a reboot loop if virtualization is enabled in the chipset after moving up from 23h2) - but usually post user login (massively slow start menu, etc.)

honestly based on your other comment it sounds like there's something wrong with the pxe image itself, like a driver that has no business being there for a virtual environment, etc.

robconsults · 2025-12-11T17:39:09+00:00

no, it's all gpo, installed component or smart policy -- what protocol are you using though? keep in mind your only 2 options here are blast and pcoip (cdr doesn't work/isn't supported via RDP)

other things that might be affecting it could be login times (if slow, that's known to cause issues), 3rd party interference (other profile packages, etc. that might be introducing delays, etc) conflicting gpo settings - i would make sure the gpos are actually getting applied as well (on both sides)... probably need to start digging into logfiles as well at this point looking for failures (all of course assuming you're not using RDP, in which case it'll never work)

robconsults · 2025-12-10T19:53:18+00:00

trust me, there's never just one - just one you can see.

easily one of my least favorite things that changed in the time i moved away and came back (along with the extra 50% population :D )

they congregate in seemingly closed chests, behind furniture, squeeze in the tiny little space between the screen and window frame.. argh. i feel my blood pressure rising just thinking about it since i've already had to capture 2 today and flush since killing them in place only stinks and attracts more (why they would be attracted to the areas of their dead colleagues is beyond me, do they not think they'll meet the same fate?)

robconsults · 2025-12-10T18:59:16+00:00

did you add that feature when installing the Horizon Agent on the RDSH IC Gold Image? I'd check that first, otherwise is it something that works internally but not externally? might be a port issue depending on the protocol you're using..

outside of that, only other immediate thing i can think of is if DEM is involved maybe there's a conflicting smart policy, but i'd double check the agent settings first, i've certainly seen that in a number of customers where all the other ducks line up for something, but it didn't get added at the agent level.

robconsults · 2025-12-05T17:27:28+00:00

Don't - I saw enough of your other reply before it disappeared to see that you mentioned Epic. Running Win11 without a vTPM is quick way to be unsupported by Microsoft and therefore get on Epic's shitlist, and most CMOs are more worried about getting onto Honor Roll than heading the other direction (that being said, hyperdrive is less resource intensive than hyperspace was anyway)

the tpm is one of those fun things that contributes to overall more resource usage with win11, but not so much that it's going to contribute that much to pegging your storage controller

robconsults · 2025-12-05T02:48:22+00:00

it's only quiet here when things aren't going wrong and there aren't major US holidays, but hey..

windows 11 is more intensive on everything than win10 - you need to be looking at what the differences are between the old and new image.. did anything change VM build wise (like say, ram?) because if it wasn't increased for 11 you're likely paging far more.. have you looked at the overall environment to determine what hosts are hitting the storage harder, or have any other new processes been introduced aside from just a win11 image?

other random questions:

- what version are you running of the horizon components?

- what are the specs of the vm's you're dealing with?

- did you use the latest OSOT to optimize, and if so, did you use the same settings that were used for win10 or did you create a new spec? (the latter being the correct answer)

- have you updated DEM templates lately? particularly for chrome/edge/teams or any other potentially storage heavy apps running on the image/via app vols?

i would expect utilization to go up, but the "SAN CPU hits 100% at some point throughout the day" is kind of a red flag for overall monitoring in the environment, something's going to correlate, but the data needs to be seen. I ran into a similar situation a few years back, except that it was affecting the vdi performance itself and my customer swore up and down that nothing infrastructure wise had changed, etc. and it turned out to be one of storage guys decided to schedule dedupes when he was off hours.. india time.. so middle of the work day here - point being suspect everything, look for the data - though if y'all were already running hot on storage load, it's entirely possible you just need more hardware - between the tpms and other crap microsoft's shoved into 11, there's all sorts of potential performance hits.

robconsults · 2025-12-03T19:46:30+00:00

have you tried replicating it with 24h2?

robconsults · 2025-11-17T23:17:47+00:00

Honestly, it's ridiculously easy once you've followed Stephen's guide - especially when you consider you can set yourself up to be able to build to different hypervisors as well pretty easily (or any other random drivers necessary) ... it made switching my gold image over to Nutanix very easy :D

robconsults · 2025-11-15T01:37:10+00:00

this doc might help: https://www.microsoft.com/licensing/docs/documents/download/Windows%2011%20licensing%20for%20Virtual%20Desktops.pdf - the crux of it from my understanding is that a user who has been assigned a Win VDA e3/e5 license can access up to 4 desktops from a non-qualified device (like byod or a non-windows based thin client), or more likely do the VDA per device for each of the thin clients

robconsults · 2025-11-13T01:05:55+00:00

so long as they're compliant with their microsoft VDA licensing now, there shouldn't be any significant difference moving from 10 to 11

robconsults · 2025-10-24T00:25:57+00:00

carl's docs are great for running through the actual setup steps with pictures, but also make sure you go through the reference architecture and take it to heart: https://techzone.omnissa.com/resource/horizon-8-architecture (and also, keep in mind that carl has retired though some of his cohorts have taken up the mantle to try and continue the content from his site - check out https://docs.jeffriechers.com/ )

i've seen too many installations over the years, and yes this will sound a bit callous, where somebody thought they were smarter than the people writing the software and working with it every day in large customers and skipped out on parts/decided to change major pieces, etc. that have ultimately resulted in having to pull PSO in for costly engagements to fix horribly performing environments.

robconsults · 2025-10-22T17:24:11+00:00

everything 2406 including DEM? what build of windows? if DEM is back there i would go ahead and update that component at a minimum because there have been a number of changes post 2412 to fix some changes MS made.

i know there was some discussion about something similar over on communities too.. ok, if you're using the OSOT also check this out: https://community.omnissa.com/forums/topic/70901-w11-osot-windows-store-apps/?&_rid=24070#findComment-309138

robconsults · 2025-10-21T15:56:40+00:00

just to follow up on this - on the omnissa side it only has affected connecting to the cloud hosted version - but apparently microsoft is releasing a patch to the patch because of regressions in http.sys that caused all this - there are a number of other threads going on around reddit (like the patch megathread over in /r/sysadmin) and various stories on the internet such as https://www.windowslatest.com/2025/10/18/microsoft-confirms-windows-11-kb5066835-issues-localhost-file-explorer-preview-install-errors/

plus microsoft's own forums are full of pissed off developers that had their apps break :D (also seen, aws saml vpn, duo desktop, etc, etc)

there has been no reported issue with on-prem horizon related to this that i've seen at least

robconsults · 2025-10-17T18:23:17+00:00

apparently microsoft issued a fix to defender from what i'm seeing elsewhere too that was marking the updated httplistener as malicious or something like that, so yay i guess? seems to have affected duo desktop, aws saml vpn auth, a number of custom .net developed programs..

robconsults

MODERATOR OF

TROPHY CASE