
Citrix ADC - Don't reply on ARP Request @ specific interface



Hey everybody,

 

I've some trouble after upgrading a NetScaler 5550 HA pair from 12.0 to 13.0.

After the upgrade everything looks good, all backend servers are available and the vServers are shown as up.

 

15 minutes later, the NetScaler Gateway looks down from external.

I've investigated that the firewall can't reach the NetScaler VIP, but the vServer is marked as up.

 

some key aspects of the configuration:

  • two netscaler in one High Availability Pair.
  • netscaler is configured with two interfaces bound to a LACP channel
  • multiple vlans are configured with multiple (different) subnets.
  • no traffic routes are configured
  • firewall is configured as Full-Nat.

 

My investigations at this point are:

  • a ping to the vServer address makes the gateway immediately accessible.
  • after 10-15 minutes the firewall can't reach the VIP.

 

At this point I've created different tcp dumps on the firewall and the NetScaler as well.

 

NetScaler Virtual Server IP : 10.10.1.123

NetScaler LA/1 IP: aa-aa-aa-aa-aa-aa

Firewall IP in DMZ: 10.10.1.1/24

Firewall External IP 123.123.123.123

Test Client external : 188.1.1.2

Test Client internal: 10.10.1.10

 

Rule on Firewall looks like: Full-Nat from 123.123.123.123 to 10.10.1.123 Port: HTTPS

After clearing the ARP cache in the firewall, the NetScaler Gateway website is inaccessible.

 

While I'm trying to connect from the external client, the firewall asks in the DMZ:

ARP Request: Who was 10.10.1.123? tell 188.1.1.2 

...the NetScaler doesn't reply.

 

If I ping the interface from the firewall, the NetScaler drops 2 or 3 ICMP packets and then the NetScaler answers with an ARP reply.
 

ARP Request: Who has 10.10.1.123? tell 10.10.1.1
ARP Reply: aa-aa-aa-aa-aa-aa has 10.10.1.123


 

 

BTW: no changes on firewall & network. Citrix case is also created.

 

 

Maybe someone already had the same case and can help me or has an idea?

 

 

Thanks

Kevin
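
The post contrasts an ARP request for 10.10.1.123 that got no reply (tell 188.1.1.2) with one that did (tell 10.10.1.1). The following is an added example, not part of the original post and not Citrix code: it pairs ARP requests with replies from a capture and lists the unanswered ones together with whether the sender IP lies inside the DMZ subnet. The firewall MAC bb-bb-bb-bb-bb-bb, the function names and the sample payloads are constructed assumptions.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes (RFC 826)
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack one ARP payload; used here only to construct sample input."""
    mac = lambda m: bytes.fromhex(m.replace("-", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (oper, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, ipaddress.IPv4Address(spa), ipaddress.IPv4Address(tpa)

def unanswered_requests(payloads, local_net):
    """List requests that no later reply answers, as
    (sender_ip, target_ip, sender_is_inside_local_net)."""
    net = ipaddress.ip_network(local_net)
    pending = []  # (sender_ip, target_ip) of requests still waiting, in capture order
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        oper, spa, tpa = parsed
        if oper == REQUEST:
            pending.append((spa, tpa))
        elif oper == REPLY:
            # A reply answers earlier requests whose addresses it mirrors.
            pending = [(s, t) for s, t in pending if not (t == spa and s == tpa)]
    return [(str(s), str(t), s in net) for s, t in pending]

# Constructed sample: the two requests from the post plus the one reply it shows.
FW_MAC, NS_MAC, ZERO = "bb-bb-bb-bb-bb-bb", "aa-aa-aa-aa-aa-aa", "00-00-00-00-00-00"
CAPTURE = [
    build_arp(REQUEST, FW_MAC, "188.1.1.2", ZERO, "10.10.1.123"),
    build_arp(REQUEST, FW_MAC, "10.10.1.1", ZERO, "10.10.1.123"),
    build_arp(REPLY, NS_MAC, "10.10.1.123", FW_MAC, "10.10.1.1"),
]

if __name__ == "__main__":
    for sender, target, inside in unanswered_requests(CAPTURE, "10.10.1.0/24"):
        print(f"no reply: who-has {target} tell {sender} (sender in subnet: {inside})")
```

To run it on a real capture, feed `unanswered_requests` the ARP payloads (the bytes after the Ethernet header) extracted from the firewall-side and NetScaler-side dumps.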

 

 

 
