book

Troubleshooting NetScaler

by Raghu Varma Tirumalaraju

April 2016

Intermediate to advanced

270 pages

5h 47m

English

Packt Publishing

Read now

Unlock full access

eBooks, discount offers, and moreWhy subscribe?
What this book covers

ErrataPiracyQuestions
The NetScaler filesystemFolders on /flashFolders on /var
NetScaler IPVirtual IPMapped IPSubnet IPGSLB Site IP
GUICLIConsoleShellNitroSFTP
Endpoint and Nonend point modeANY, L4, or L7 modes
Modes that are enabled by defaultFast RampEdge ConfigurationUsing Subnet IPThe Layer 3 modePath MTU DiscoveryModes that are disabled by default
Load balancingConsiderationsStartup RR factorTo USIP or not to USIPChoosing a VIP typeSpecial considerations for load balancing Firewalls or CloudBridge appliancesPrefer Direct RoutevServer specific MAC – when daisy chaining FW VIPs or CloudBridge appliancesServices or ServiceGroupsCommon LB issuesTroubleshooting – unable to access a newly created VIPTroubleshooting application failures where VIP is UPTroubleshooting VIP performance issuesTroubleshooting VIP distribution issuesWhy is the table empty when I configure cookie persistency?What is the difference between established and open established?Troubleshooting intermittent issues
SSL deployment considerationsCertificatesUsing Wireshark to examine the handshakeSSL handshakeA session-reused handshakeSession reuse and troubleshootingDecrypting a trace using WiresharkWhat if I needed to share this key with the Citrix tech support for troubleshooting?Troubleshooting SSL issuesWireshark troubleshooting for SSL failuresSSL card failuresSSL security concernsEngaging with Citrix
Troubleshooting service unavailable errorsContent switching timeout errors
GSLB flowMetric Exchange ProtocolMEP versus monitorsRPC considerationsTroubleshooting GSLBDNS caching and GSLBMEP down issuesRPC related issuesTroubleshooting proximity-based methods
Integrated CachingUnderstanding HTTP headers as they relate to cachingEvaluating cache policiesA sample cache responseWhat kind of content should I cache and not cache?NetScaler's default caching behaviorHandling dynamic contentConsiderations for caching dynamic contentHow's my cache doing?Getting a closer look at objects in the cacheFlushing versus expiring an objectFlash cacheTroubleshooting caching issues
The NetScaler's default compression behaviorImpact of using CompressionVerifying and monitoring CompressionUnderstanding the packet flowTroubleshooting considerations
Lightweight Directory Access ProtocolAuthentication flowTroubleshooting LDAP
Authentication flowTroubleshooting RADIUS authentication
Client versus Server CertificatesAuthentication Flow when using Client Certificates
NTLM Authentication flowTroubleshooting NTLM
Authentication flow
Kerberos parties
Kerberos deployment optionsAuthentication flow
Troubleshooting Kerberos
Certificates in SAMLCanonicalization in SAMLSP Initiated SSOIDP initiated SSO
Troubleshooting
High Availability
HA Node state issuesHeartbeats not being seenIdentifying Failovers in eventsVLAN issues causing heartbeat failuresNew primary doesn't take over traffic after FailoverARP issuesStay secondary being setBoth nodes unhealthySplit brain issuesSynchronization and propagation issuesNetworking issuesNetScaler packet handlingError conditions that contribute to packet dropsNIC buffer issuesNetwork loopsVLAN issuesUnsupported SFPsLink aggregation issuesUSIP networking issuesNetwork issues from blocked source IPs
Deployment considerations
Cross-site scriptingTo protect against XSS attacksSQL injectionTo protect against SQL injection attacksForceful browsing attacksTo protect against forceful browsingAttacks based on Parameter tamperingCookie tamperingTo protect against cookie tamperingHidden field tamperingTo protect against hidden field tamperingBuffer overflow attacks via long URLs and queriesTo protect against buffer overflow attacksCross Site Request ForgeryTo protect against CSRF attacksXML protectionsSignatures
Identifying application Firewall blocksUsers reporting XXXX patterns in web pages
Ruling out AppFirewall as a potential cause
Basic and Smart Access ModesBasic modeSmart Access mode
Examining VPN session launch using WiresharkPhase 1 – The EPA exchangePhase 2 – The authentication exchangePhase 3 – Post-login exchangeTroubleshooting NetScaler Gateway™ VPNsCollecting debug logs from the client's PCDiagnosing EPA failuresUsing aaad.debug for authentication issuesUsing ns.log to see authorization and session informationUsing the pol_hits counter to examine policy hitsSeeing and managing the users who are logged inCapturing traces for troubleshooting
Published application/desktop launch processPhase 1 – steps involved in desktop enumerationPhase 2 – Steps leading to the launch of the published desktopTroubleshooting XenApp® and XenDesktop® launch issues
XenMobile componentsXenMobile launch process with NetScaler GatewayPhase 1 – Authentication and discoveryPhase 2 – App enumeration and Launch
Using the wizard for configurationUsing the connectivity checksKnowing where the logs areCommon integration issue areasLicensesNetwork settings for the applicationAccount services addressPersistence issues when Load Balancing XenMobile serversShareFile SSO issues
Licensing issues
Troubleshooting NTP synchronization
Troubleshooting SNMP on a NetScaler
Types of NetScaler CPUExploring high memory issuesTroubleshooting high memory issues
Understanding crashesWorking with crashesWorking with hang issuesDumping a core on a VPX/MPX when console is availableDumping a core when NetScaler is completely unresponsiveUnderstanding NetScaler Build names
The nsconmsg utilitynsconmsg syntax and options
Steps to run a trace
Running the utilityWhat does it contain?The shell directoryThe var directoryThe nsconfig directory
Troubleshooting tips
Troubleshooting insight center

Content preview from Troubleshooting NetScaler

RADIUS protocol

In NetScaler environments, RADIUS is commonly used for two-factor authentication, and is the protocol to choose when integrating with One Time Password (OTP) servers.

The ports used by Radius are as follows:

UDP 1812: Authentication
UDP 1813: Radius Accounting
UDP 1645 and 1646: Legacy ports for the same purpose that some servers might use

Authentication flow

When authenticating, the exchange will start with an access-request from the NetScaler to the RADIUS server. To this, the server can respond with one of three responses, given as follows:

Access-Accept: All is good and the User is through
Access-Reject: Either the RADIUS server parameters, such as the secret, are not configured correctly, or the User credentials are incorrect
Access-Challenge ...