compdigit44

asked on

Citrix NetScaler VPX 10 Routing Issue

I have a Netscaler VPX 10.0 set up as follows:

NSIP (management) 10.5.5.x
SubNet IP (10.5.5.x)

VIP (174.3.x.x)

When I set up a Virtual Server under the Access Gateway option it keeps showing the virtual server as down. I have read online the VIP only responds to external requests and simply forwards the request to internal servers.

I know / believe I have a routing issue but being new to the netscaler I do not know how to fix it.

The netscaler has all of these routing options:

Nat, RNAT, INat etc...

What do I need to do to allow external users to access (174.3.x.x) and be directed to the login page for my internal XenApp servers? I have been working on this issue for two weeks without any luck.
ASKER CERTIFIED SOLUTION
jvr006
This solution is only available to members.
compdigit44

ASKER

I'm sorry but I'm confused.

Yes my default route does look similar to what you posted.

I already have both ports on my Netscaler connected one to internal LAN and the other in the DMZ my SubNet IP points to my internal LAN. Should I add another subnet IP for my external VIP address? Also if the external VIP just responds to requests should I use the subnet given to me by my IP so use the default 255.255.255.255. Also for the VIP gateway should this point to the ISP external router for my internal Subnet ip
Alright. I think with the two arm setup you should have the default route point to your ISP router (the 174.3.x.x gateway). Your SNIP will create a route for the 10.5.5.x subnet, so your internal traffic will head out that route and everything else will go external.

Let me know if that helps. We may also need to create "generic vlans" within the netscaler to attach the SNIPs to a specific interface. Essentially you create vlan 100 (any number) and say that IP address A and interface 0/1, so that traffic on that subnet only goes out port 0/1. The traffic is not tagged, so the only function of the "vlan" is to force specific traffic to an interface.
When I removed my current default route and tried to enter in the new one that points to my ISP gateway I get the message gateway cannot be reached.
I was able to add my new default route and point it to my ISP router by following this article:

http://support.citrix.com/article/CTX131368/

I created my external VIP address for example 174.3.2.2

Then created my Access Gateway Virtual server and giving it the same external IP as listed above and the link still shows as down.
Ok. Do you have a certificate and STA addresses added to the access gateway VS?
I have a cert but no STA as of yet. Even without a STA shouldn't the Access Gateway Virtual Server show an up connection?
I usually add all of it when I create the VS, but I am pretty sure once the certificate is assigned it usually comes up.
I added my STA and it is listed as UP yet my Access Gateway server is still showing as down???
dunno if you have a typo, but it should be IP/scripts/ctxsta.dll not IP/scritps/ctxsta.dll. Though you should make sure your XML broker/STA server is using the default port 80 because if it's set to something else like 8080 then you need to modify this path: (i.e. http://10.x.x.x:8080/scripts/ctxsta.dll)
Just my bad typing..

I feel like I'm actually making headway on the Netscaler for the first time in weeks!!!

I do have a new problem now. When I changed my default route to point to my ISP's router I had to first create a new subnet IP. I randomly used any address within our ISP block. Now I cannot remove this temp subnet IP. I keep getting the message: IP is tied to a route bla, bla..

Like I mentioned I only created the new subnet IP to create a new default route as mentioned in the Citrix article I posted. How can I force remove this route? I now have a duplicate IP problem.
Delete the route then the IP? Delete any associations then the SNIP itself...
Thanks. The problem is the option to remove the route is grayed out!!!!!!!
Perhaps change the default gateway to an internal IP, then the route may be 'released' (not grayed out) and you'll be able to remove the route and SNIP?
I cannot edit the route to point to an internal gateway, the IP values are grayed out..
can you open the command line from System->Diagnostics and run the: nsconfig command to reset the default gateway?
When I type in nsconfig I get: Error No Such Command
Type shell, then try nsconfig.
Never mind, the option isn't in there, I hadn't looked till now. Essentially you need to create a new SNIP or route that will take over for the one that is currently defined that you need to remove in order to free the SNIP that has the duplicate IP.
For the new Subnet IP can I use the external VIP address or does it have to be a new IP? I was only given one external IP for my netscaler.
It will have to be a new IP. On your access gateway VS, if you have the certificate assigned and the STAs are up, I think it should show as up. Is access gateway enabled in the left pane? Right-click the "Access Gateway" folder and select enable?
Here is the problem though.. I was only assigned one valid external IP for my netscaler which I was going to assign to my Access Gateway VIP. Should I just make up an IP??
Yes, Access Gateway is enabled as a feature. How is it under "IP" the VIP is showing as enabled and up yet under access gateway -> virtual server the server is listed as down.
good news!!!

After I rebooted the netscaler my virtual server showed as up and I was able to access it from the outside.

I still need to get rid of my other external IP.
Great. If you disable the second IP under Network->IP's, will it allow you to remove the route?
I went into my system and was able to remove a SNIP that was attached to a route. Is this where you were getting the error before?
From the Network -> IP screen I keep getting the error in the attached screen shot
netscaler-snip-error.png
Take a look at this forum. There are two suggestions.
http://forums.citrix.com/thread.jspa?threadID=104882
How can I manually edit the /nsconfig/ns.conf file?

I've tried to SSH and run vi /nsconfig/ns.conf and keep getting the message command not found
Try WinSCP to access the file and change it and save it back. http://winscp.net/eng/download.php

Connect WinSCP to the NetScaler and browse to the file and make the adjustments if necessary.
Try typing in..
shell

Then try your command.

Make sure to back up the file first
cp ns.conf ns.conf.backup
That was a great tip jvr006 on using the shell command then entering in the commands needed. I never thought about doing that. Does this have to do with the fact the appliance is running on a FreeBSD platform? I was able to edit the file using vi. I tried WinSCP. But notepad made this file very hard to read.

I was able to remove the subnet IP but I noticed when I went into routes it removed my default route to my external ISP's gateway as well. Yet when I view the config file I see the route still listed and I am able to bring up the web interface on the appliance from the outside.

I'm powering down the appliance and powering it on again to see if this will help.
Doing a full power cycle on the VPX still did make the default gateway appear in the GUI. Yet, I can bring up the web interface on the outside. I'm just concerned since the GUI is not showing the default route even though this is present in the ns.conf file it could make troubleshooting items very hard in the future if someone
Can you manually add the route and see if it changes the ns.conf file

CMD
add route 0.0.0.0 0.0.0.0 x.x.x.x

Or even through the GUI under route.
I cannot add the default route via command line nor GUI.

Error: Gateway cannot be reached.

Yet, I can access my web interface from the outside.. Weird...
Stupid Question..

Does Citrix expect customers to have four IP addresses for a two leg NetScaler?

1 - NSIP
1 - SNIP or MIP (Internal IP Range)
1 - VIP (External IP)
1 - SNIP (External IP)

Using the old hardware based CAG I only needed two IPs, one internal and one external.
Does anyone have any thoughts on my question above..

I'm kind of lost here
Silence speaks volumes... netscaler... not a well understood product!
Does Citrix expect customers to have four IP addresses for a two leg NetScaler.

I think Yes. This doesn't seem a problem anyway unless your company is running out of internal private IPs. The only public IP you need is Netscaler Gateway VIP.

Are you using storefront or web interface?

If you're already running the environment into 2-Arm/Leg, meaning the backend servers lie on a different subnet, then you might need to add a callback vserver.
Thanks for that.
What do you mean by a "callback vserver"?
Is the public SNIP address not needed for default routing to the Internet?
Hi

Please let me know if you found a solution setting a default gateway? We are seeing this issue: We cannot set a default gateway without a SNIP address. We would never use a SNIP address on the public interface but we need to set the default gateway to the ISP router.

Thank you in advance.
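
The two errors seen in this thread ("Gateway cannot be reached" when adding the default route, and the SNIP that is "tied to a route" when removing it) can be reproduced with a simplified model. This is an added example, not code from the thread or from Citrix; it assumes that only NSIP, SNIP and MIP addresses create a directly connected subnet, and all addresses are constructed, with 203.0.113.0/24 standing in for the ISP block.

```python
import ipaddress

# Assumption: only these address types create a directly connected route.
ROUTE_CREATING_TYPES = {"NSIP", "SNIP", "MIP"}

# Constructed sample appliance; 203.0.113.0/24 stands in for the ISP block.
OWNED_IPS = [
    {"ip": "10.5.5.10", "mask": "255.255.255.0", "type": "NSIP"},
    {"ip": "10.5.5.11", "mask": "255.255.255.0", "type": "SNIP"},
    {"ip": "203.0.113.2", "mask": "255.255.255.255", "type": "VIP"},
]
EXTERNAL_SNIP = {"ip": "203.0.113.3", "mask": "255.255.255.0", "type": "SNIP"}
ISP_GATEWAY = "203.0.113.1"


def connected_owner(owned_ips, gateway):
    """Return the owned IP whose subnet contains the gateway, else None."""
    gw = ipaddress.ip_address(gateway)
    for entry in owned_ips:
        if entry["type"] not in ROUTE_CREATING_TYPES:
            continue  # a /32 VIP does not put the appliance "on" the ISP subnet
        net = ipaddress.ip_network(f'{entry["ip"]}/{entry["mask"]}', strict=False)
        if gw in net:
            return entry["ip"]
    return None


def can_add_route(owned_ips, gateway):
    """False corresponds to the 'Gateway cannot be reached' error."""
    return connected_owner(owned_ips, gateway) is not None


def routes_tied_to(owned_ips, route_gateways, ip_to_remove):
    """Gateways that would lose their connected subnet if the IP were removed."""
    remaining = [e for e in owned_ips if e["ip"] != ip_to_remove]
    return [gw for gw in route_gateways if not can_add_route(remaining, gw)]


if __name__ == "__main__":
    print(can_add_route(OWNED_IPS, ISP_GATEWAY))
    with_snip = OWNED_IPS + [EXTERNAL_SNIP]
    print(connected_owner(with_snip, ISP_GATEWAY))
    print(routes_tied_to(with_snip, [ISP_GATEWAY], EXTERNAL_SNIP["ip"]))
```
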