ADM CS Vserver Monitoring of specific vServer

[Todd Harrington]

Hello, 

 

So I was trying to get some stats around a specific policy contained within a CS Vserver we have setup. I am looking to try to get client IP's of anyone hitting a particular policy within my CS Vserver, we are trying to identify any system hitting a particular policy so that we can eventually change some things around and know which systems our change will impact. I have a target lb vserver setup for each policy on the CS Vserver. 

 

I attempted to add in the lb vserver into ADM but I am getting an error "AppFlow configuration failed. [Command failed on <VPX IP> Request to <VPX IP> failed with error Vserver type mismatch.]" I am assuming because the LB vServer is setup as a non-addressable entity? 

 

So I thought I might be able to just monitor the CS Vserver and put an expression filter on it to only monitor based on the LB vServer or URL but it looks like the expressions in ADM are preset and not really versatile, at least for what I am trying to do. 

 

Does anyone know if a way to accomplish what I am trying to do or am I just out of luck? 

 

Thanks in advance. 

[Rhonda Rowland1709152125]

You could invoke a callout that logs the client ip as part of the policy hit and returns true. Instead of trying to do ADM.

[Rhonda Rowland1709152125]

Sorry, was in the middle of something and didn't really complete my thoughts on the original issue and only saw the "tracking IPs part".

 

First off, for the web insight reporting, is the CS vserver web based?  Otherwise, you should be able to enable the ADM for web insight here and at the lb vserver.  The CS vserver and LB Vserver would have to both be HTTP or HTTPS for web insight to work.  The fact that you are getting a "type mismatch" means something else is going on or share your appflow policy/adm settings you were trying to use.

 

Next, if you can't get the data you are looking for with ADM, what other ways can you do it:

If you just need the client ips for when a given cs policy is hit, 

Option 1) Add a logaction (custom logging message) to the cs policy.  Then enable user configurable log messages in your syslog parameters (for local syslog) or create a custom syslog policy and bind to the cs vserver to capture log events specifics to this cs vserver and this custom policy to its own log facility/log destination. Then you can poll the log for the ips to do whatever you need to do next.

 

Option 2)  Use the callout to insert logs to an external entity as noted above.

 

Option 3) Use rewrite or some other mechanism to insert a custom header and have the backend server extract the requests where this header was inserted and the ips it referenced.

 

Do any of these help you, Todd, or is there something else you are looking for? 

[Narasimha MurthyK]

@Rhonda Rowland, @Todd Harrington:  You can achieve this requirement using WebInsight on ADM.  Configuring Appflow on CS vserver which is front ending with target LB vservers, then you have the list of clients hitting the CS Vserver under clients tab of Citrix ADM under WebInsight reporting. Please follow the steps to configure appflow on CSVserver using below link.

 

https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/configure/enable-analytics-on-virtual-servers.html

[Todd Harrington]

Thanks for the input Rhonda, yes, that info helps a ton. Sorry it took so long to reply, Citrix was having login issues most of the morning it seems like. 

 

So the way the CS vServer and LB vServers are setup is a little confusing because of the complexity of this application. I think you are right on the service type mismatch and I should have noticed that by the error message, it pretty much spelled it out for me, derp.  I have both an HTTP and SSL CS vServer setup for this particular VIP, however the LB vServer is configured as HTTP. So we are doing the termination on the front end, and just passing HTTP all the way through to the back end.  The weird thing though is if I am trying to monitor the LB vServer independently of the CS vServer why would the service type matter? I guess internally the CS Vserver is passing the request to the LB vServer so maybe I am missing something with the internal flow in my head but it seems like the service type should be independent since all the CS vServer is really doing is terminating the SSL session then passing the request to the LB vServer.

 

Anyway, I do very much appreciate the tips as always and will one way get this working. I did not even think of the log callout but that is really a great option if I cannot get ADM to work the way I want. Thanks as always :) 

[Todd Harrington]

37 minutes ago, Narasimha MurthyK said:

@Rhonda Rowland, @Todd Harrington:  You can achieve this requirement using WebInsight on ADM.  Configuring Appflow on CS vserver which is front ending with target LB vservers, then you have the list of clients hitting the CS Vserver under clients tab of Citrix ADM under WebInsight reporting. Please follow the steps to configure appflow on CSVserver using below link.

 

https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/configure/enable-analytics-on-virtual-servers.html

 

I did try this, the problem with this is that I have about 17 policies setup on the CS vServer itself and I am only trying to capture traffic destined to 1 of the 17 policies. By monitoring the CS vServer I am in essence going to be capturing all traffic passing through it when in reality I only need a very specific flow destined for a single LB vServer. 

[Narasimha MurthyK]

Does this mean that there are 17 different LB vservers for each of 17 policies ? If so, then when you click on CS vserver from WebInsight Applications, there will be 17 LB vservers report. Going through drill down screen of LB vserver from CS vserver , you can filter out the traffic going through specific policy.

[Todd Harrington]

3 minutes ago, Narasimha MurthyK said:

Does this mean that there are 17 different LB vservers for each of 17 policies ? If so, then when you click on CS vserver from WebInsight Applications, there will be 17 LB vservers report. Going through drill down screen of LB vserver from CS vserver , you can filter out the traffic going through specific policy.

 

That is correct, each of the 17 policies has a different target LB vServer... when I try to setup monitoring in ADM on the CS vServer there is no option to select the policies bound to it, but I do have the ability to monitor the LB vServers individually, however that is when I get the "AppFlow configuration failed. [Command failed on <VPX IP> Request to <VPX IP> failed with error Vserver type mismatch.]" and I think Rhonda helped me determine that the reason I am getting that is likely because I have an both an SSL and HTTP CS vServer bound to HTTP LB vServers which makes sense why I get a type mismatch. 

[Rhonda Rowland1709152125]

I mean if you do use ADM, you can change the ADM logging expression to criteria that matches the cs policy hit you are looking for, bind it to the cs vserver, but only traffic with that criteria would log to adm.

You could also create the lb vserver of type ssl to probably get around the protocol mismatch temporarily...if its non-addressable it will still be decrypted at the cs level.

 

But i think the syslog action or the callout would be easier at this point.

 

But I think you have some options to get what you want now. :) (Always glad to help.)

[Evan Chadwick1709164034]

On 8/7/2019 at 6:16 AM, Narasimha MurthyK said:

Does this mean that there are 17 different LB vservers for each of 17 policies ? If so, then when you click on CS vserver from WebInsight Applications, there will be 17 LB vservers report. Going through drill down screen of LB vserver from CS vserver , you can filter out the traffic going through specific policy.

"Going through drill down screen of LB vserver from CS vserver , you can filter out the traffic going through specific policy"

Do you mean, when you have a CS reporting into ADM, you can selectively browse through all 17 vserver outputs attached to the Cs Vserver individually? Ie you can get requested Urls or source client ip addresses for each of the 17 vservers?