Category Archives: Citrix

NetScaler ADC – Hidden vServer for HTTPS redirect

This posting is ~3 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Starting with release 11.1, NetScaler ADC offers an easy way to redirect traffic from HTTP to HTTPS within the configuration of a load-balanced vServer. With 11.1, Citrix introduced the parameters -redirectFromPort and -redirectURL.

While playing with a NetScaler ADC in my lab, I discovered a strange error message as I tried to configure the redirect.

NetScaler HTTP Redirect Error Message

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Internal vserver couldn’t be set?! Okay, there was already a vServer that was listening on port 80. After removing the vServer, I was able to set up the redirection and it was working as expected.

A hidden vServer

Later, I was really surprised to find a hidden vServer in the output of the “stat lb vserver” command.

> stat lb vserver lb_vsrv_https_httpredir_31 -fullValues

Virtual Server Summary
                                          vsvrIP  port     Protocol
lb_vsrv_https_httpredir_31       192.168.200.146    80         HTTP

                                                           State
lb_vsrv_https_httpredir_31                                  DOWN

                                              Health              actSvcs
lb_vsrv_https_httpredir_31                         0                    0

                                           inactSvcs
lb_vsrv_https_httpredir_31                         0

Virtual Server Statistics
                                          Rate (/s)                Total
Vserver hits                                       0                    0
Requests                                           0                    0
Responses                                          0                    0
Request bytes                                    108                 1131
Response bytes                                    66                  690
Total Packets rcvd                                 1                   15
Total Packets sent                                 1                   12
Current client connections                        --                    3
Current Client Est connections                    --                    0
Current server connections                        --                    0
Requests in surge queue                           --                    0
Requests in vserver's surgeQ                      --                    0
Requests in service's surgeQs                     --                    0
Spill Over Threshold                              --                    0
Spill Over Hits                                   --                    0
Labeled Connection                                --                    0
Push Labeled Connection                           --                    0
Deferred Request                                   0                    0
Invalid Request/Response                          --                    0
Invalid Request/Response Dropped                  --                    0
Vserver Down Backup Hits                          --                    3
Current Multipath TCP sessions                    --                    0
Current Multipath TCP subflows                    --                    0
 Done

The name of the hidden vServer always follows the same pattern: the name of the vServer plus the suffix _httpredir_##. Sometimes, the vServer has another ending number after a reboot. There is no hint to this vServer in the config of the NetScaler. The behaviour is the same for NetScaler ADC 11.1 and 12.0.
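Because the hidden vServer never appears in the configuration, one way to spot it is to compare the names in the statistics output against the “add lb vserver” lines of the saved config. The following is an added example, not part of the original post and not Citrix tooling; the config lines and multi-row statistics table are constructed sample data in the layout shown above, and the function names are hypothetical.

```python
import re

# Constructed sample data (not from a real appliance): two saved-config lines
# and summary rows in the column layout of the "stat lb vserver" output above.
NS_CONF = """\
add lb vserver lb_vsrv_https SSL 192.168.200.146 443 -persistenceType NONE
add lb vserver lb_vsrv_web HTTP 192.168.200.147 80 -persistenceType NONE
"""
STAT_OUTPUT = """\
                                          vsvrIP  port     Protocol
lb_vsrv_https                    192.168.200.146   443          SSL
lb_vsrv_https_httpredir_31       192.168.200.146    80         HTTP
lb_vsrv_web                      192.168.200.147    80         HTTP
"""

CONF_RE = re.compile(r"^add lb vserver (\S+) (\S+) (\S+) (\d+)", re.M)
STAT_RE = re.compile(
    r"^(\S+)[ \t]+(\d{1,3}(?:\.\d{1,3}){3})[ \t]+(\d+)[ \t]+(\S+)[ \t]*$", re.M)
# Naming pattern described in the post: <vServer name>_httpredir_<number>
REDIR_RE = re.compile(r"^(?P<parent>.+)_httpredir_(?P<num>\d+)$")


def configured_vservers(conf_text):
    """Names of load-balancing vServers that are present in the saved config."""
    return {m.group(1) for m in CONF_RE.finditer(conf_text)}


def find_hidden_vservers(conf_text, stat_text):
    """Return listeners seen in stat output that have no 'add lb vserver' line."""
    known = configured_vservers(conf_text)
    hidden = []
    for name, ip, port, proto in STAT_RE.findall(stat_text):
        if name in known:
            continue
        m = REDIR_RE.match(name)
        # Only attribute the listener to a parent that really is configured.
        parent = m.group("parent") if m and m.group("parent") in known else None
        hidden.append({"name": name, "ip": ip, "port": int(port),
                       "protocol": proto, "redirect_for": parent})
    return hidden


if __name__ == "__main__":
    for vs in find_hidden_vservers(NS_CONF, STAT_OUTPUT):
        origin = vs["redirect_for"] or "unknown origin"
        print(f'{vs["name"]} listens on {vs["ip"]}:{vs["port"]} '
              f'({vs["protocol"]}), not in config; redirect helper for {origin}')
```

A listener that is missing from the config and does not map back to a configured parent vServer is reported with an unknown origin, which is the case worth a closer look.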

I don’t think that this is some kind of a hack or an issue. But I think that’s something you should know when working with HTTPS redirection, or for troubleshooting purposes.

VMware ESXi 5.5.0 U2 patches break Citrix NetScaler network connectivity

This posting is ~6 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

This is not a brand new issue and it’s well discussed in the VMTN. After applying the ESXi 5.5.0 U2 patches from 15. October 2014, you may notice the following symptoms:

  • Some Citrix NetScaler VMs with e1000 vNICs lose network connectivity
  • You can’t access the VM console after applying the patches

VMware has released a couple of patches in October:

  • ESXi550-201410101-SG (esx-base)
  • ESXi550-201410401-BG (esx-base)
  • ESXi550-201410402-BG (misc-drivers)
  • ESXi550-201410403-BG (sata-ahci)
  • ESXi550-201410404-BG (xhci-xhci)
  • ESXi550-201410405-BG (tools-light)
  • ESXi550-201410406-BG (net-vmxnet3)

More specifically, it’s the patch ESXi550-201410401-BG that is causing the problem. It is reported that the patch ESXi510-201410401-BG also causes problems. VMware has published a KB article under the ID KB2092809. Citrix has also published a KB article under the ID CTX200278. The VMware KB2092809 includes a workaround. You have to add the line

hw.em.txd=512

in the loader.conf. Check the KB for a detailed procedure. I recommend excluding the patches from the VMware Update Manager baselines. Open the “Admin View” and double-click the “Critical Host Patches (Predefined)” baseline.

Click “Next” until you hit the “Patches to exclude” page. Exclude patch ESXi550-201410401-BG and click “Next” until you can finish the wizard.

Now open the “Non-Critical Host Patches (Predefined)” baseline. Repeat the steps above and exclude the other 6 patches.

That’s it. Now the patches are excluded. New patches will be added automatically to the baselines, because both baselines are dynamic baselines. If you wish to install the patches, repeat the steps above and remove the patches from the exclude list using the up arrow button.