Netscaler SNIP and NSIP same subnet issues


We recently moved a pair of Netscalers to a new location with new IPs. Everything looks okay, but the network folks are saying that all traffic is going through the management port and none through the redundant ports.

We have interfaces 0/1, 1/1 and 1/2 configured.

The routes I am seeing are:

0.0.0.0               0.0.0.0                XXX.251.3.1  STATIC

127.0.0.0           255.0.0.0            127.0.0.1 PERMANENT

XXX.251.3.0      255.255.255.0    XXX.251.3.35 DIRECT

XXX.251.3.35 is the NSIP

XXX.251.3.39 is the SNIP

How do I force all non-management traffic through the redundant ports?

  • 1 year later...

Hi Carl,

I am also having the same issue. We installed a new firewall (Cisco ASA). Now all traffic appears to be going from the NSIP and not the SNIP. The NetScaler is a VPX with one interface only, in the DMZ.

nsip X.X.4.70

snip X.X.4.71

 

0.0.0.0               0.0.0.0                XXX.40.1  STATIC

127.0.0.0           255.0.0.0           127.0.0.1 PERMANENT

X.X.4.0      255.255.255.0          X.X.4.70 DIRECT

Also, should I see the SNIP entry in the ARP table?

  • 2 years later...

FYI - I was just researching this and came across this thread.  The problem appears when the SNIP and NSIP are in the same subnet.  You want the management traffic using the management interface 0/1, and the SNIP production traffic using the production interface, i.e. 1/1.  If you bind the SNIP to a VLAN to associate it with the non-management interface, then it tries to bind all IPs in the same subnet to that interface/VLAN, which causes an error.  I guess because the NSIP wants to be bound to the management interface.  The preferred setup is to have a separate subnet for SNIP and NSIP, so each subnet can be bound to a different VLAN and interface.

If that is not possible, the way I see around this would be to use the arp command as shown in the blog post - https://www.citrix.com/blogs/2014/12/30/netscaler-snips-bound-to-an-interface-without-a-vlan/

add arp -ipAddress 10.10.10.2 -mac 00:e0:ed:0f:bc:e0 -ifnum 1/2

This binds the SNIP to a MAC address.  This will force traffic for the SNIP to use the correct interface.  You would need to do this on each member of the HA pair since the MACs will differ.

I personally am going to go back to our networking team and try to get a different subnet instead.

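The preferred layout described in the last post (NSIP and SNIP in separate subnets, each tied to its own VLAN and interface), sketched as NetScaler CLI. This is an added example, not taken from the thread or the linked blog post; the VLAN ID 20, the 198.51.100.0/24 data subnet, the SNIP address and the choice of 1/1 as the production interface are assumptions.

```netscaler
# Constructed example. The NSIP stays in the management subnet on interface 0/1
# (default VLAN 1); the SNIP moves to a separate data subnet (assumed values).

# SNIP in its own subnet, with management access disabled so that admin
# services are reachable only through the NSIP on the management interface
add ns ip 198.51.100.39 255.255.255.0 -type SNIP -mgmtAccess DISABLED

# Dedicated VLAN for the data subnet (ID 20 is an assumed value)
add vlan 20

# Move the production interface out of VLAN 1 and into VLAN 20 (untagged)
bind vlan 20 -ifnum 1/1

# Associate the SNIP's subnet with VLAN 20, so traffic sourced from that
# subnet leaves through 1/1 and not through 0/1
bind vlan 20 -IPAddress 198.51.100.39 255.255.255.0

# Verify the bindings, the per-subnet routes and the ARP table
show vlan 20
show ns ip
show route
show arp

# Persist the change
save ns config
```

With the two addresses in different subnets, the VLAN binding no longer pulls the NSIP onto the production interface, which is the error the post describes for the same-subnet case.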