Tag Archives: adc

High CPU usage on Citrix ADC VPX

This posting is ~4 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

While building a small Citrix NetScaler… ehm… ADC VPX (I really hate this name…) lab environment, I noticed that the fan of my Lenovo T480s was spinning up. I was wondering why, because the VPX VM was just running for a couple of minutes – without any load. But the task manager told me, that the VMware Workstation Process was consuming 25% (I have a Intel i5 Quad Core CPU) CPU. So VMware Workstation was just eating a whole CPU core without doing anything. I would not care, but the fan… And it reminded me, that I’ve seen an similar behaviour in various VPX deployments on VMWare ESXi.

Fifaliana/ pixabay.com/ Creative Commons CC0

A quick search lead me to this Citrix Support Knowledge Center article: High CPU Usage on NetScaler VPX Reported on VMware ESXi Version 6.0. That’s exactly what I’ve observed.

The solution is setting the parameter cpuyield  to yes.

> set ns vpxparam -cpuyield YES
> show ns runningConfig | grep "cpuyield"
set ns vpxparam -cpuyield YES

The VPX does not need a reboot. Short after setting the parameter, the fan stopped spinning. Have I mentioned how I love silence on my desk? I’m pretty happy that my T480s is a really quiet laptop.

But what does this parameter is used for? In pretty simple words: To allocate CPU cycles, that are not used by other VMs. Until ADC VPX 11.1, the VPX was sharing CPU with other VMs. This changed with ADC VPX 12.0. Since this release, the VPX was like a child, that was playing with their favorite toy just to make sure, that no other child can play with it. Not very polite…

This is a quote from the Support Knowledge Center article:

Set ns vpxparam parameters:
-cpuyield: Release or do not release of allocated but unused CPU resources.

YES: Allow allocated but unused CPU resources to be used by another VM.

NO: Reserve all CPU resources for the VM to which they have been allocated. This option shows higher percentage in hypervisor for VPX CPU usage.

I don’t think that I would change this in production. But for lab environments, especially if you run this on VMware Workstation, I would set -cpuyield  to yes .

NetScaler ADC – Hidden vServer for HTTPS redirect

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Starting with release 11.1, NetScaler ADC offers an easy way to redirect traffic from HTTP to HTTPS within the configuration of a load-balanced vServer. With 11.1, Citrix introduced the paramter  -redirectFromPort and -redirectURL.

While playing with a NetScaler ADC in my lab, I discovered a strange error message as I tried to configure the redirect.

NetScaler HTTP Redirect Error Message

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Internal vserver couldn’t be set?! Okay, there was already a vServer, that was listening on port 80. After removing the vServer, I was able to setup the redirection and it was working as expected.

A hidden vServer

Later, I was really suprised to find a hidden vServer in the output of the “stat lb vserver” command.

> stat lb vserver lb_vsrv_https_httpredir_31 -fullValues

Virtual Server Summary
                                          vsvrIP  port     Protocol
lb_vsrv_https_httpredir_31    80         HTTP

lb_vsrv_https_httpredir_31                                  DOWN

                                              Health              actSvcs
lb_vsrv_https_httpredir_31                         0                    0

lb_vsrv_https_httpredir_31                         0

Virtual Server Statistics
                                          Rate (/s)                Total
Vserver hits                                       0                    0
Requests                                           0                    0
Responses                                          0                    0
Request bytes                                    108                 1131
Response bytes                                    66                  690
Total Packets rcvd                                 1                   15
Total Packets sent                                 1                   12
Current client connections                        --                    3
Current Client Est connections                    --                    0
Current server connections                        --                    0
Requests in surge queue                           --                    0
Requests in vserver's surgeQ                      --                    0
Requests in service's surgeQs                     --                    0
Spill Over Threshold                              --                    0
Spill Over Hits                                   --                    0
Labeled Connection                                --                    0
Push Labeled Connection                           --                    0
Deferred Request                                   0                    0
Invalid Request/Response                          --                    0
Invalid Request/Response Dropped                  --                    0
Vserver Down Backup Hits                          --                    3
Current Multipath TCP sessions                    --                    0
Current Multipath TCP subflows                    --                    0

The name of the vServer is always the same (name of the vServer plus suffix _httpredir_##). Sometimes, the vServer has an other ending number after a reboot. There is no hint to this vServer in the config of the NetScaler. The behaviour is the same for NetScaler ADC 11.1 and 12.0.

I don’t think that this some kind of a hack or an issue. But I think that’s something you should know when working with HTTPS redirection, or for troubleshooting purposes.