Jump to content
Welcome to our new Citrix community!

Appflow connection to MAS


Recommended Posts

Hello,

 

I have a really weird issue with making a connection from a Netscaler VPX (running on an SDX appliance) to the mas appliance on UDP port 4739

The appliance & the mas are both running the the same version of software. 12.1 50.something (dont have the mas available out of the office).

The VPX has the NSIP on the LAN (10.10.10.241) & the SNIP is behind a firewall.

I have read conflicting documentation that says how the appflow logs are sent to the MAS. One site says it is via the NSIP another says that the SNIP is used.(both of these are citrix documents)

I have configured the firewall to allow a connection from the SNIP to the MAS on 4739, but am seeing no traffic & the collector is showing as down.

I have recreated the connector with a network profile pointing the network traffic down the SNIP, but again I cannot see any connection attempts being allowed or denied.

The strange thing is that I have another vpx with the NSIP (10.10.10.240) on the same subnet as the one that does not work & that connects fine. Even though that does not have a rule allowing the SNIP to communicate with the MAS on UDP 4739.

Is there a way of showing, either in the log or on the cmd line, just how the connection is going through? Or not as the case maybe.

The only difference that I can see is that there is a route on the working on that has an ip of 10.10.18.0/23 (the mas IP is 10.10.19.47) default route is the SNIP.

The one that does not work has a route of 10.10.18.0/24 (again default gateway to the SNIP), but nothing specifically defining 10.10.19.0.

I am able to ping the MAS fromt he cmd line, so does not seem to be a route issue. Could it be as simple as this? I dont want to affect the backups of the config to the MAS.

 

Thanks

Matt

Link to comment
Share on other sites

4 hours ago, Matthew Riddler1709154367 said:

Is there a way of showing, either in the log or on the cmd line, just how the connection is going through? Or not as the case maybe.

 

From the shell, you can run the following command to see all traffic with a destination port of 4739

 

nstcpdump.sh udp dst port 4739

 

This will output all traffic (if any) being sent to UDP/4739.

 

From your description of the issue, it looks like the subnet mask may be incorrect in the route of the VPX that is not working.  Can you verify that the 10.10.18.0 network is a /23 (I'm guessing it is, since route configured with the /23 is working and the route with the /24 isn't)?

  • Like 1
Link to comment
Share on other sites

 "10.10.18.0/23 (the mas IP is 10.10.19.47) default route is the SNIP."  - in this case teh netscaler does not use the default gateway as it is the same subnet as the MAS. So i ma guessing it does not go through the firewall.

"10.10.18.0/24 (again default gateway to the SNIP), but nothing specifically defining 10.10.19.0" - in this case it will go through the default gateway and probably thorugh that firewall.

 

form the cli you can also try this :

show connectiontable | grep 4739

 

You will see  what ip it is using on the netscaler to connect to mas.

You might check the firewall rules and also the routing. Does the firewall have a route  back to  what Netscaler ip us using to establish the connection?

 

In my case it is using the NSip because i have a default route  on this subnet,

  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...
  • 2 weeks later...

Got this figured out with the help of citrix.

The issue was that appflow was not enabled on the service group. As soon as this was checked on the service group then the data started coming through.

I dont remember seeing in the documentation that it needed to be enabled on the service / service group, but everything is flowing as expected.

 

Thanks for your assistance.

Matt

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...