The nsconmsg commands are helpful in identifying the real time hits on the policies and for validating whether the expression used for these policies are correct or not.
These commands are useful when troubleshooting issues with Access Gateway, rewrite and responder policies.

Run the following command from the shell prompt of the appliance, to view the real time hits on the authentication policies and session policies applied on the Access Gateway virtual server:

nsconmsg –d current –g pol_hits

(The last policy listed is the one that is applied to that user after authentication.)
Run the following command from the shell prompt of the appliance, to view the real time hits on the rewrite policy bound at a global level or to a load balancing, content switching, or Access Gateway virtual server:

nsconmsg –d current | egrep –i rewrite

Run the following command from the shell prompt of the appliance, to view the real time hits on the responder policy bound at a global level or to a load balancing, content switching, or Access Gateway virtual server:

nsconmsg –d current | egrep –i responder

Run the following command from the shell prompt of the appliance, to view the real time hits on the EPA Check:

tail -f /var/log/ns.log | grep “eval”

If you are using Netscaler 12 and above try the following:
tail -f /var/log/ns.log | grep “CLISEC_EXP_EVAL”

You can also check the EPA scans details on the client machine itself.
Just create a DWORD value named “EnableEPALogging” and set the value to 1 under…
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

After attempting the scan again, you’ll find the file %localappdata%\Citrix\AGEE\epaHelper_epa_plugin.txt with details for each scan expression.