You are previewing Troubleshooting NetScaler.
O'Reilly logo
Troubleshooting NetScaler

Book Description

Gain essential knowledge and keep your NetScaler environment in top form

About This Book

  • Learn how the main features - Load Balancing, Content Switching, GSLB, SSL offloading, AAA, AppFirewall, and Gateway work under the hood using vividly explained flows and traces

  • Explore the NetScaler layout and the various logs, tools and methods available to help you when it’s time to debug

  • An easy-to-follow guide, which will walk you through troubleshooting common issues in your NetScaler environment

  • Who This Book Is For

    This book is aimed at NetScaler administrators who have a basic understanding of the product but are looking for deeper exposure and guidance in identifying and fixing issues to keep their application environment performing optimally.

    What You Will Learn

  • Troubleshoot traffic management features such as load balancing, SSL, GSLB and content switching

  • Identify issues with caching and compression

  • Deal with authentication issues when using LDAP, RADIUS, certificates, Kerberos and SAML

  • Diagnose NetScaler high availability and networking issues

  • Explore how application firewall protections work and how to avoid false positives

  • Learn about NetScaler Gateway integration issues with XenApp, XenDesktop, and XenMobile

  • Deal with NetScaler system-level issues

  • Discover the NetScaler troubleshooting tools

  • In Detail

    NetScaler is a high performance Application Delivery Controller (ADC). Making the most of it requires knowledge that straddles the application and networking worlds.

    As an ADC owner you will also likely be the first person to be solicited when your business applications fail. You will need to be quick in identifying if the problem is with the application, the server, the network, or NetScaler itself.

    This book provides you with the vital troubleshooting knowledge needed to act fast when issues happen. It gives you a thorough understanding of the NetScaler layout, how it integrates with the network, and what issues to expect when working with the traffic management, authentication, NetScaler Gateway and application firewall features. We will also look at what information to seek out in the logs, how to use tracing, and explore utilities that exist on NetScaler to help you find the root cause of your issues.

    Style and approach

    This helpful guide to troubleshooting NetScaler is delivered in a comprehensive and easy-to-follow manner. The topics in the book adopt a step-by-step approach.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

    Table of Contents

    1. Troubleshooting NetScaler
      1. Table of Contents
      2. Troubleshooting NetScaler
      3. Credits
      4. Notice
      5. About the Author
      6. About the Reviewers
        1. eBooks, discount offers, and more
          1. Why subscribe?
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Errata
          2. Piracy
          3. Questions
      9. 1. NetScaler Concepts at a Glance
        1. The NetScaler filesystem
          1. Folders on /flash
          2. Folders on /var
        2. A brief look at NetScaler address types
          1. NetScaler IP
          2. Virtual IP
          3. Mapped IP
          4. Subnet IP
          5. GSLB Site IP
        3. Request Switching and Connection Multiplexing
        4. User interface options
          1. GUI
          2. CLI
          3. Console
          4. Shell
          5. Nitro
          6. SFTP
        5. NetScaler modes
          1. Endpoint and Nonend point mode
          2. ANY, L4, or L7 modes
        6. The mode switches on the NetScaler
          1. Modes that are enabled by default
            1. Fast Ramp
            2. Edge Configuration
            3. Using Subnet IP
            4. The Layer 3 mode
            5. Path MTU Discovery
          2. Modes that are disabled by default
        7. Summary
      10. 2. Traffic Management Features
        1. Load balancing
          1. Considerations
            1. Startup RR factor
            2. To USIP or not to USIP
            3. Choosing a VIP type
          2. Special considerations for load balancing Firewalls or CloudBridge appliances
            1. Prefer Direct Route
            2. vServer specific MAC – when daisy chaining FW VIPs or CloudBridge appliances
          3. Services or ServiceGroups
          4. Common LB issues
            1. Troubleshooting – unable to access a newly created VIP
          5. Troubleshooting application failures where VIP is UP
            1. Troubleshooting VIP performance issues
            2. Troubleshooting VIP distribution issues
              1. Why is the table empty when I configure cookie persistency?
              2. What is the difference between established and open established?
            3. Troubleshooting intermittent issues
        2. SSL
          1. SSL deployment considerations
            1. Certificates
          2. Using Wireshark to examine the handshake
            1. SSL handshake
            2. A session-reused handshake
          3. Session reuse and troubleshooting
            1. Decrypting a trace using Wireshark
            2. What if I needed to share this key with the Citrix tech support for troubleshooting?
          4. Troubleshooting SSL issues
            1. Wireshark troubleshooting for SSL failures
            2. SSL card failures
            3. SSL security concerns
          5. Engaging with Citrix
        3. Content switching
          1. Troubleshooting service unavailable errors
          2. Content switching timeout errors
        4. Global Server Load Balancing
          1. GSLB flow
          2. Metric Exchange Protocol
            1. MEP versus monitors
            2. RPC considerations
          3. Troubleshooting GSLB
            1. DNS caching and GSLB
            2. MEP down issues
            3. RPC related issues
          4. Troubleshooting proximity-based methods
        5. Summary
      11. 3. Integrated Caching and Compression
        1. Integrated Caching
          1. Understanding HTTP headers as they relate to caching
          2. Evaluating cache policies
          3. A sample cache response
          4. What kind of content should I cache and not cache?
          5. NetScaler's default caching behavior
            1. Handling dynamic content
              1. Considerations for caching dynamic content
              2. How's my cache doing?
              3. Getting a closer look at objects in the cache
              4. Flushing versus expiring an object
              5. Flash cache
              6. Troubleshooting caching issues
        2. Compression
          1. The NetScaler's default compression behavior
          2. Impact of using Compression
          3. Verifying and monitoring Compression
          4. Understanding the packet flow
          5. Troubleshooting considerations
        3. Summary
      12. 4. AAA for Traffic Management
        1. Lightweight Directory Access Protocol
          1. Authentication flow
          2. Troubleshooting LDAP
        2. RADIUS protocol
          1. Authentication flow
          2. Troubleshooting RADIUS authentication
        3. Client Certificate Based Authentication protocol
          1. Client versus Server Certificates
          2. Authentication Flow when using Client Certificates
        4. NTLM SSO (401 Based Authentication)
          1. NTLM Authentication flow
          2. Troubleshooting NTLM
        5. Form-based Authentication
          1. Authentication flow
        6. Kerberos authentication
          1. Kerberos parties
        7. Configuration checklist
          1. Kerberos deployment options
          2. Authentication flow
        8. Kerberos authentication with Protocol Transition
          1. Troubleshooting Kerberos
        9. Security Assertion Markup Language
          1. Certificates in SAML
          2. Canonicalization in SAML
          3. SP Initiated SSO
          4. IDP initiated SSO
        10. Verifying a successful exchange using counters
          1. Troubleshooting
        11. Summary
      13. 5. High Availability and Networking
        1. High Availability
        2. Ports used for High Availability
        3. Configurations kept independent in High Availability
        4. HA pairing requirements
        5. Setting up and verifying High Availability
        6. Troubleshooting HA Failovers
          1. HA Node state issues
          2. Heartbeats not being seen
            1. Identifying Failovers in events
            2. VLAN issues causing heartbeat failures
            3. New primary doesn't take over traffic after Failover
              1. ARP issues
              2. Stay secondary being set
              3. Both nodes unhealthy
              4. Split brain issues
          3. Synchronization and propagation issues
          4. Networking issues
            1. NetScaler packet handling
            2. Error conditions that contribute to packet drops
            3. NIC buffer issues
            4. Network loops
            5. VLAN issues
            6. Unsupported SFPs
            7. Link aggregation issues
            8. USIP networking issues
            9. Network issues from blocked source IPs
        7. Summary
      14. 6. Application Firewall
        1. Deployment considerations
        2. HTTP changes that occur when using AppFirewall
        3. Configuring logging
        4. Application attacks and AppFirewall protections
          1. Cross-site scripting
            1. To protect against XSS attacks
          2. SQL injection
            1. To protect against SQL injection attacks
          3. Forceful browsing attacks
            1. To protect against forceful browsing
          4. Attacks based on Parameter tampering
            1. Cookie tampering
              1. To protect against cookie tampering
          5. Hidden field tampering
            1. To protect against hidden field tampering
          6. Buffer overflow attacks via long URLs and queries
            1. To protect against buffer overflow attacks
          7. Cross Site Request Forgery
            1. To protect against CSRF attacks
          8. XML protections
          9. Signatures
        5. Troubleshooting
          1. Identifying application Firewall blocks
          2. Users reporting XXXX patterns in web pages
        6. Performance issues when enabling AppFirewall
          1. Ruling out AppFirewall as a potential cause
        7. Summary
      15. 7. NetScaler Gateway™
        1. Basic and Smart Access Modes
          1. Basic mode
          2. Smart Access mode
        2. NetScaler Gateway™ VPNs
          1. Examining VPN session launch using Wireshark
            1. Phase 1 – The EPA exchange
            2. Phase 2 – The authentication exchange
            3. Phase 3 – Post-login exchange
          2. Troubleshooting NetScaler Gateway™ VPNs
          3. Collecting debug logs from the client's PC
            1. Diagnosing EPA failures
          4. Using aaad.debug for authentication issues
          5. Using ns.log to see authorization and session information
          6. Using the pol_hits counter to examine policy hits
          7. Seeing and managing the users who are logged in
          8. Capturing traces for troubleshooting
        3. NetScaler Gateway™ Integration with XenApp® and XenDesktop®
          1. Published application/desktop launch process
            1. Phase 1 – steps involved in desktop enumeration
            2. Phase 2 – Steps leading to the launch of the published desktop
          2. Troubleshooting XenApp® and XenDesktop® launch issues
        4. NetScaler Gateway™ integration with XenMobile®
          1. XenMobile components
          2. XenMobile launch process with NetScaler Gateway
            1. Phase 1 – Authentication and discovery
            2. Phase 2 – App enumeration and Launch
        5. Troubleshooting XenMobile® and NetScaler integration
          1. Using the wizard for configuration
          2. Using the connectivity checks
            1. Knowing where the logs are
          3. Common integration issue areas
            1. Licenses
            2. Network settings for the application
            3. Account services address
              1. Persistence issues when Load Balancing XenMobile servers
              2. ShareFile SSO issues
        6. Summary
      16. 8. System-Level Issues
        1. Licensing issues
        2. NTP issues
          1. Troubleshooting NTP synchronization
        3. SNMP issues
          1. Troubleshooting SNMP on a NetScaler
        4. CPU and memory issues
          1. Types of NetScaler CPU
          2. Exploring high memory issues
          3. Troubleshooting high memory issues
        5. Disk issues
        6. Crash and hang issues
          1. Understanding crashes
          2. Working with crashes
          3. Working with hang issues
            1. Dumping a core on a VPX/MPX when console is available
            2. Dumping a core when NetScaler is completely unresponsive
          4. Understanding NetScaler Build names
        7. Summary
      17. 9. Troubleshooting Tools
        1. The nsconmsg utility
          1. nsconmsg syntax and options
        2. Using nstrace to capture a packet trace
          1. Steps to run a trace
        3. The Showtechsupport utility
          1. Running the utility
          2. What does it contain?
            1. The shell directory
            2. The var directory
            3. The nsconfig directory
        4. Dashboard and Reporting tabs
        5. Web-based analysis with Citrix Insight® Services
        6. Citrix Command Center
          1. Troubleshooting tips
        7. Insight center
          1. Troubleshooting insight center
        8. Summary
      18. Index