
Classic policy conversion question


Trey Wessel

Hello,

We recently had an ADC crash; the dump was analyzed by Dev and tied back to some classic policies on our ADC. According to support, this can be resolved by using the nspepi tool and converting them to advanced policies. You can convert each expression manually or convert the entire ns.conf file.

Question is, when you convert the ns.conf file it creates a new one in the same directory. What's the best practice for using the new file? Rename to ns.config and reboot? The guide leaves that out and I wanted better info before proceeding.

Link to comment

Technically, yes, if you have a conf file, you can make a backup of your previous file. Rename this one to ns.conf and place it in /nsconfig/ and reboot to apply changes. As long as you have the previous ns.conf file, you can restore to your pre-conversion settings. (I would also make a separate backup first for added protection: System > Back and restore > Full backup or create system backup in cli.)

Though, I would set up a test netscaler in an isolated network (to avoid an ip conflict) with your pre-converted file, then test the applied changes on the test system before applying in production.

But depending on the amount of changes you made, you could also use the new file to help you with individual policy conversions, if you want to test individual changes in smaller batches.

Link to comment
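
An added example, not part of the original thread and not Citrix code: one way to review a converted file against the pre-conversion ns.conf before swapping it in, listing the lines the conversion changed and any lines that still carry a classic expression. The sample configs are constructed (not real nspepi output), and the classic-token pattern (`ns_true`, `ns_false`, a leading `REQ.` or `RES.`) is an assumption, not an exhaustive list.

```python
import difflib
import re

# Assumption: tokens that mark a classic expression (not an exhaustive list).
# The lookbehind keeps advanced "HTTP.REQ." / "HTTP.RES." from matching.
CLASSIC = re.compile(r"\bns_(?:true|false)\b|(?<![.\w])(?:REQ|RES)\.")

def config_lines(text):
    """Non-empty, non-comment lines of an ns.conf, whitespace-trimmed."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def review(original, converted):
    """Return (removed, added, leftover) for a pre/post conversion pair."""
    old, new = config_lines(original), config_lines(converted)
    removed, added = [], []
    for line in difflib.ndiff(old, new):
        if line.startswith("- "):      # only in the original file
            removed.append(line[2:])
        elif line.startswith("+ "):    # only in the converted file
            added.append(line[2:])
    # Lines of the converted file that still look classic: review by hand.
    leftover = [l for l in new if CLASSIC.search(l)]
    return removed, added, leftover

# Constructed sample input; names and addresses are placeholders.
ORIGINAL = """\
add authentication ldapAction ldap_act -serverIP 192.0.2.10
add authentication ldapPolicy pol_ldap ns_true ldap_act
add vpn sessionPolicy sess_pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" sess_act
add authentication samlPolicy saml_pol ns_true saml_act
"""
CONVERTED = """\
add authentication ldapAction ldap_act -serverIP 192.0.2.10
add authentication Policy pol_ldap -rule true -action ldap_act
add vpn sessionPolicy sess_pol "HTTP.REQ.HEADER(\\"User-Agent\\").CONTAINS(\\"CitrixReceiver\\").NOT" sess_act
add authentication samlPolicy saml_pol ns_true saml_act
"""

if __name__ == "__main__":
    removed, added, leftover = review(ORIGINAL, CONVERTED)
    for title, rows in (("Removed", removed), ("Added", added),
                        ("Still classic", leftover)):
        print(f"{title}:")
        for row in rows:
            print("   ", row)
```

To run it on real files, read the two configs from copies taken off the appliance and pass their contents to `review()`.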

Touching base after working in my Dev environment. Disabling HA and swapping the config file worked for the most part. Session policies are now using advanced expressions.

A problem I did notice is my SAML \ LDAP authentication policies are now missing from the GUI, but the servers are still there. When I run show authentication policy from the cli it shows what's missing from the GUI.

I tried manually swapping my SAML policy to advanced (changing ns_true to true) but it says invalid rule.

I have an open case with the ADC team but I'm wondering if the advanced policies are not allowed authentication? 

Link to comment

So, 12.1 has some weird GUI issues anyway. But this seems different.

I saw someone else mention the policies missing from the GUI after conversion, but that forum question came up after I responded to your thread or I would have mentioned it. (But this is why we do test it first.) You can also just restore the original one if needed.

Personally, I kind of favor using the conversion tool to give me a template, but implement the policies manually to try to eliminate those weird side effects.

As for changing your original policy from ns_true to true, note the following. If you have an existing classic policy, you can't convert it to advanced using the radio button (or just changing the expression) if it was already created as a classic policy. But you can highlight the policy and click "ADD" to create a copy, and then change from classic to advanced (and update expression to true) when creating it NEW. I usually take old policy as authe_pol_ldap to authe_poladv_ldap when creating the new name.

So that may take care of the display in GUI issue. If it still doesn't show in GUI even if you create it manually in the advanced engine, then it's a GUI bug.

Link to comment

Thanks for the responses. After working with the ADC team we tried to manually add advanced SAML policies via GUI and command line. When trying in the GUI it said invalid rule; then, trying in the CLI, we could add it but it wouldn't show up in the GUI. Wondering if advanced expressions are not allowed with SAML auth policies.

We uploaded the original and converted config file, as well as a support bundle. The escalation engineer is looking into it now, but I never feel good when they are stumped like me lol.

Link to comment

Archived

This topic is now archived and is closed to further replies.
