
Load Balance Horizon View with Citrix ADC 12.1



Hi all, I am new to Citrix ADC (VPX) and I am looking to deploy an HA pair in my DMZ to leverage my external Horizon Clients.  I have closely followed articles found on the net (Thanks Carl Stalhood - awesome guide!!) and even have a support call open.  However, I am unable to get the ADC to communicate with the virtual UAG.  

 

Firewall - Palo Alto NGFW PA 820

Logical DMZ - where DMZ traffic traverses transit VLAN from VMWare environment in the Data Center to DMZ zone on the Firewall for L3 routing.

ADC and vUAG in same subnet 192.168.250.0/24 and can ping one another. 

Telnet from ADC to UAG over ports fail (443,8443)

 

ARP table 

FW - can see all L3/L2 addresses


interface         ip address      hw address        port              status   ttl  
--------------------------------------------------------------------------------
ethernet1/5.250   192.168.250.10  00:50:56:80:8c:69 ethernet1/5         c      749  
ethernet1/5.250   192.168.250.20  00:50:56:80:8c:69 ethernet1/5         c      1585 
ethernet1/5.250   192.168.250.115 00:50:56:80:8c:69 ethernet1/5         c      1585 
ethernet1/5.250   192.168.250.116 00:50:56:80:a7:28 ethernet1/5         c      1742 
ethernet1/5.250   192.168.250.117 00:50:56:80:56:e0 ethernet1/5         c      1701

 

ADC - can see all L3/L2 addresses

root@ADC01# arp -a
? (192.168.250.20) at 00:50:56:80:8c:68 on 0/1 expires in 1195 seconds [ethernet]
? (192.168.250.116) at 00:50:56:80:8c:68 on 0/1 expires in 1182 seconds [ethernet]
? (192.168.250.117) at 00:50:56:80:8c:68 on 0/1 expires in 1161 seconds [ethernet]
? (192.168.250.1) at 00:50:56:80:8c:68 on 0/1 expires in 369 seconds [ethernet]
? (192.168.250.10) at 00:50:56:80:8c:69 on 0/1 permanent [ethernet]

 

vUAG - can only see default gw and NSIP addresses (Not sure if this is normal)

(screenshot of the vUAG ARP table)

 

I am at a loss and need to get this implemented.

 

Please help.

 

Thank you in advance

 

Daryl M


Hi!

 

" ADC - can see all L3/L2 addresses

root@ADC01# arp -a
? (192.168.250.20) at 00:50:56:80:8c:68 on 0/1 expires in 1195 seconds [ethernet]
? (192.168.250.116) at 00:50:56:80:8c:68 on 0/1 expires in 1182 seconds [ethernet]
? (192.168.250.117) at 00:50:56:80:8c:68 on 0/1 expires in 1161 seconds [ethernet]
? (192.168.250.1) at 00:50:56:80:8c:68 on 0/1 expires in 369 seconds [ethernet]
? (192.168.250.10) at 00:50:56:80:8c:69 on 0/1 permanent [ethernet]
 "

 

When you ping or telnet from the ADC, it will use the NSIP.

 

According to the lines above all traffic is seen on interface 0/1 which is the management interface. So I am guessing you don't have a SNIP address.

ADC usually uses SNIP addresses to connect to everything that sits in the back-end. So if that UAG is in the back-end you need a SNIP address. I don't know if you already have it.

It can be from the same subnet as the management ip.

 

Do a #show ns ip, and see if you have a SNIP.

 

 

thanks!


Thanks for the response Mihai.  Yes, the SNIP address is configured, it's the .20 IP in the ARP output. 

 

ping -S 192.168.250.20 192.168.250.117
PING 192.168.250.117 (192.168.250.117) from 192.168.250.20: 56 data bytes
64 bytes from 192.168.250.117: icmp_seq=0 ttl=63 time=0.573 ms
64 bytes from 192.168.250.117: icmp_seq=1 ttl=63 time=0.687 ms

 

And interestingly enough, I took a test machine and enabled HTTP, created and pointed a service to it on the ADC and successfully connected. 

 

show service TEST_Service_PC
        TEST_Service_PC (192.168.250.15:80) - HTTP
        State: UP
        Last state change was at Mon Apr  1 12:28:10 2019
        Time since last state change: 0 days, 02:06:45.430
        Server Name: 192.168.250.15
        Server ID : None        Monitor Threshold : 0
        Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
        Use Source IP: NO
        Client Keepalive(CKA): NO
        Access Down Service: NO
        TCP Buffering(TCPB): NO
        HTTP Compression(CMP): NO
        Idle timeout: Client: 180 sec   Server: 360 sec
        Client IP: DISABLED
        Cacheable: NO
        SC: OFF
        SP: OFF
        Down state flush: ENABLED
        Monitor Connection Close : NONE
        Appflow logging: ENABLED
        Process Local: DISABLED
        Traffic Domain: 0

1)      Monitor Name: tcp-default
                State: UP       Weight: 1       Passive: 0
                Probes: 24228   Failed [Total: 22778 Current: 0]
                Last response: Success - TCP syn+ack received.
                Response Time: 0.0 millisec

 

curl -v telnet://192.168.250.15:80
* Rebuilt URL to: telnet://192.168.250.15:80/
*   Trying 192.168.250.15...
* TCP_NODELAY set
* Connected to 192.168.250.15 (192.168.250.15) port 80 (#0)

 

 

With this, I am confident that the issue lies at UAG.  I will contact VMWare support and hopefully they can assist.

 

Thank you


  • 2 weeks later...

Are you sure that UAG is listening on those ports? You said you will be talking to VMware.

Can you connect on those ports from anywhere else? You need to make sure that the UAG is not the problem.

 

What do the UAG logs tell you? Do you see the NetScaler trying to connect? What about NetScaler logs?

 

What monitor do your services use? If you haven't configured one, it should be the tcp-default one.


I think I am seeing something that is not OK.

 

"
ADC - can see all L3/L2 addresses

root@ADC01# arp -a
? (192.168.250.20) at 00:50:56:80:8c:68 on 0/1 expires in 1195 seconds [ethernet]
? (192.168.250.116) at 00:50:56:80:8c:68 on 0/1 expires in 1182 seconds [ethernet]
? (192.168.250.117) at 00:50:56:80:8c:68 on 0/1 expires in 1161 seconds [ethernet]
? (192.168.250.1) at 00:50:56:80:8c:68 on 0/1 expires in 369 seconds [ethernet]
? (192.168.250.10) at 00:50:56:80:8c:69 on 0/1 permanent [ethernet]
"

 

The SNIP and NSIP addresses should be permanent. According to your arp output, the NSIP address is 192.168.250.10.

 

 

You should try and do a show arp from the NetScaler CLI and not the shell.

 

 

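An added example, not part of this thread or of any Citrix tool: the two replies above make the same checkable point, that the ADC should hold its own addresses (NSIP and SNIPs) as permanent ARP entries and reach back-end hosts from a SNIP. The script below parses the FreeBSD-style `arp -a` output exactly as pasted in the thread (the sample text is that output copied inline, with the NSIP/SNIP list supplied by the caller as an assumption) and reports two things a practitioner would want flagged before opening a vendor case: which of the ADC's own IPs are not permanent, and any MAC that answers for more than one IP. On the pasted output the SNIP .20 is a dynamic entry, and its MAC also answers for the gateway .1 and both UAG-side hosts; whether that is expected depends on the topology (a firewall or hypervisor may proxy-ARP), so the script only reports it rather than diagnosing it.

```python
import re
from collections import defaultdict

# Constructed sample: the `arp -a` output pasted in the thread, copied verbatim.
SAMPLE_ARP = """\
? (192.168.250.20) at 00:50:56:80:8c:68 on 0/1 expires in 1195 seconds [ethernet]
? (192.168.250.116) at 00:50:56:80:8c:68 on 0/1 expires in 1182 seconds [ethernet]
? (192.168.250.117) at 00:50:56:80:8c:68 on 0/1 expires in 1161 seconds [ethernet]
? (192.168.250.1) at 00:50:56:80:8c:68 on 0/1 expires in 369 seconds [ethernet]
? (192.168.250.10) at 00:50:56:80:8c:69 on 0/1 permanent [ethernet]
"""

# Assumption for the example: the ADC's own addresses as stated in the thread
# (NSIP .10, SNIP .20). On a real box take them from `show ns ip`.
OWNED_IPS = ["192.168.250.10", "192.168.250.20"]

# One line of FreeBSD `arp -a`: "? (IP) at MAC on IFACE permanent|expires in N seconds [ethernet]"
ARP_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<iface>\S+) "
    r"(?P<state>permanent|expires in (?P<ttl>\d+) seconds)"
)


def _ip_key(ip):
    """Sort key so 192.168.250.20 sorts before 192.168.250.116."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp(text):
    """Parse `arp -a` output into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "iface": m["iface"],
            "permanent": m["state"] == "permanent",
            "ttl": int(m["ttl"]) if m["ttl"] else None,
        })
    return entries


def check_owned_ips(entries, owned_ips):
    """For each IP the ADC owns, return 'permanent', 'dynamic' (learned, so some
    other host answered ARP for it) or 'missing' (no entry at all)."""
    by_ip = {e["ip"]: e for e in entries}
    status = {}
    for ip in owned_ips:
        e = by_ip.get(ip)
        if e is None:
            status[ip] = "missing"
        else:
            status[ip] = "permanent" if e["permanent"] else "dynamic"
    return status


def shared_macs(entries):
    """Map MAC -> IPs for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: sorted(ips, key=_ip_key) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    for ip, state in check_owned_ips(entries, OWNED_IPS).items():
        print(f"{ip}: {state}")
    for mac, ips in shared_macs(entries).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

To use it on a live box, replace SAMPLE_ARP with the pasted output of `arp -a` from the shell (or, as the reply suggests, cross-check against `show arp` from the NetScaler CLI) and OWNED_IPS with the addresses listed by `show ns ip`; a SNIP reported as "dynamic" or "missing" is the first thing to resolve before blaming the UAG.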

Archived

This topic is now archived and is closed to further replies.
