
NetScaler VPX configure Load Balance failed.



I have a NetScaler VPX and configured it for load balancing.

 

First, I created a web server certificate.

 

Then I exported the private key and used WinSCP to import it to /nsconfig/ssl/.

 

Open the Citrix ADC appliance command line interface (CLI).

Type Shell 

Change directory using cd /nsconfig/ssl/

Run openssl pkcs12 -in <imported cert file>.pfx -nokeys -out <certfilename>.cer and enter the PFX password when prompted.

Run openssl pkcs12 -in <imported cert file>.pfx -nocerts -out <keyfilename>.key and enter the PFX password when prompted, and then set the private key PEM passphrase to protect the .KEY file.

 

Then use ls to check the .CER and .KEY files.

 

Then log on to the Citrix ADC appliance management GUI.

Select Traffic Management > SSL > Certificates > Server Certificate and click Install.


 

Select Traffic Management > Load Balancing > Servers > Add and add two StoreFront.


 

Select Traffic Management > Load Balancing > Monitors > Add and add a new monitor 


 

Select Traffic Management > Load Balancing > Service Groups > Add to Create Service Group

 

Select new Service Group and click Edit

Select Service Group Members and add the servers, but the service state is Down.

 

What should I do?

 

 

 

 

Link to comment
Share on other sites

12 hours ago, Carl Stalhood1709151912 said:

In your monitor, uncheck "Check Backend Services". Does it come up?

 

On StoreFront servers, does IIS have an https binding with certificate?

After unchecking "Check Backend Services", the Effective State is UP.

 

I have an https binding with certificate on StoreFront.

 

But the certificate isn't *.domain.local.

It is StoreFront.domain.local

Link to comment
Share on other sites


I continued the configuration.

 

Create a Virtual Server

Select Traffic Management > Load Balancing > Virtual Servers > Add

Type a name for the Virtual Server

Protocol select SSL

Type an IP address

Then click OK.


 

Configure a load balancing Virtual Server ServiceGroup Binding: binding to SF Service Group

Configure a Server Certificate: *.domain.local

Change SSL Parameters: Check "SSL Redirect"

Change Persistence: Select SOURCEIP

And change Time-out to 60

 

Click Done.

 

But the Virtual Server is Down.

Link to comment
Share on other sites

For better assistance with troubleshooting, use the CLI and show the runningconfig commands as opposed to the screenshots.

 

show ns runningconfig | grep <storefront vserver name> -i

show ns runningconfig | grep <storefront serviceName or servicegroup name> -i

show ns runningconfig | grep <storefront monitor name> -i

 

1) On your storefront servers, confirm you have a cert installed so that the actual storefront servers themselves are properly configured for HTTPS.

2) On your monitors, be sure the secure flag is enabled AND disable the "check backend services" as this requires an additional setting on the storefront server, or else the monitor will fail.

3) On the NetScaler, confirm the following:

  • Make sure the following features are enabled:  Load Balancing, SSL Offload
  • You have the correct storefront IPs specified. You may need to run a nstrace to see if the NS can reach the storefront servers.
  • You can try swapping the storefront monitor for a ping monitor or the default monitor to see if it works with a simple monitor but fails with custom monitor.
  • If the servicegroup is down, then the vserver will be down.

If the NetScaler cannot reach the storefront server IPs, then you need to make sure you have a SNIP configured and any required routes or networking settings need to be configured.

 

Here's an example config, that may help you see what is wrong:

# The storefront monitor

You need to identify your store name that you have configured on the storefront server.  Example, if your store path is: https://storefront.demo.com/Citrix/Store-1Web, then the store name is Store-1.  In your original post, you had your store name as "Store".  Is this the actual name of your store?  And disable the backend services check to see if this resolves your problem.

 

There are several default parameters that are specified in the GUI that you can omit in the CLI and will be automatically specified.

So the command you enter can be this:

 add lb monitor mon_storefront_ssl storefront -scriptName nssf.pl -LRTM Disabled -secure yes -storename store-1 -storefrontacctservice yes -storefrontcheckbackendservices no

 

But the final command (when you use the GUI or when viewing the running config) will look like this. Don't worry about or change the dispatcher IP or other settings.

add lb monitor mon_storefront_ssl STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -secure YES -storename Store-1 -storefrontacctservice yes -storefrontcheckbackendservices no

 

# The service group

The service group should point to the IPs of your actual storefront servers. If these IPs are unreachable, then you will have to fix this first:

Example, uses 192.168.10.101 and 192.168.10.102 as example storefront servers (backend IPs)

add servicegroup svcg_storefront SSL

bind servicegroup svcg_storefront 192.168.10.101 443

bind servicegroup svcg_storefront 192.168.10.102 443

bind servicegroup svcg_storefront -monitorName mon_storefront_ssl

 

# Create LB vserver

The lb vserver will need the SSL cert and be bound to the service group; assign a VIP in the network you want users to reach the storefront load balancer and create the lb storefront name which matches the cert that DNS will resolve to the VIP:

add lb vserver lb_vsrv_storefront ssl <vip1> 443 -lbmethod leastconnection -persistencetype sourceip -timeout 20

bind lb vserver lb_vsrv_storefront svcg_storefront

bind ssl vserver lb_vsrv_storefront -certkey <certkeyname>

 

Link to comment
Share on other sites
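
The checks listed in the post above (features enabled, certkey bound, service group members, monitor flags) can be run mechanically over saved "show ns runningconfig" output. This is an added example, not part of the thread and not Citrix tooling; the sample lines, the 192.0.2.10 VIP and the function names audit and opt are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): running-config lines modelled on the
# post's commands, with three deliberate faults for the audit to find.
SAMPLE = """\
enable ns feature LB
add lb monitor mon_storefront_ssl STOREFRONT -scriptName nssf.pl -LRTM DISABLED -secure YES -storename Store-1 -storefrontacctservice yes -storefrontcheckbackendservices yes
add servicegroup svcg_storefront SSL
bind servicegroup svcg_storefront 192.168.10.101 443
bind servicegroup svcg_storefront -monitorName mon_storefront_ssl
add lb vserver lb_vsrv_storefront SSL 192.0.2.10 443 -persistenceType SOURCEIP -timeout 20
bind lb vserver lb_vsrv_storefront svcg_storefront
"""

def opt(line, name):
    """Value of a -name option on a (lowercased) config line, or None."""
    m = re.search(rf"-{name}\s+(\S+)", line)
    return m.group(1) if m else None

def audit(config, vserver):
    """Follow vserver -> service group -> monitor; return a list of findings."""
    # Assumption: names are compared case-insensitively, so everything is lowercased.
    low = [l.strip().lower() for l in config.splitlines() if l.strip()]
    v, out = vserver.lower(), []
    feats = {f for l in low if l.startswith("enable ns feature ") for f in l.split()[3:]}
    out += [f"feature {f.upper()} is not enabled" for f in ("lb", "ssl") if f not in feats]
    if not any(l.startswith(f"bind ssl vserver {v} ") and "-certkey" in l for l in low):
        out.append(f"no certkey bound to vserver {v}")
    groups = {l.split()[2] for l in low if l.startswith("add servicegroup ")}
    bound = [l.split()[4] for l in low
             if l.startswith(f"bind lb vserver {v} ") and l.split()[4] in groups]
    if not bound:
        out.append(f"no service group bound to vserver {v}")
    for g in bound:
        binds = [l for l in low if l.startswith(f"bind servicegroup {g} ")]
        if all(l.split()[3].startswith("-") for l in binds):
            out.append(f"service group {g} has no members")
        mons = [opt(l, "monitorname") for l in binds if opt(l, "monitorname")]
        if not mons:
            out.append(f"service group {g} has no monitor")
        for m in mons:
            line = next((l for l in low if l.startswith(f"add lb monitor {m} ")), "")
            if opt(line, "secure") != "yes":
                out.append(f"monitor {m}: -secure is not YES")
            if opt(line, "storefrontcheckbackendservices") == "yes":
                out.append(f"monitor {m}: backend services check is enabled")
    return out
```

Calling audit(SAMPLE, "lb_vsrv_storefront") returns one finding per fault; an empty list means every link in the chain passed these checks, not that the backend is reachable.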


After enabling SSL offloading, it is OK.

 

I can connect to the Store and it shows the virtual desktop.

 

But I cannot log in to the desktop.

 

What happened?

 

Link to comment
Share on other sites

Planned maintenance, implies that you may have your desktops in maintenance mode.  https://support.citrix.com/article/CTX219998

 

At this point you are talking to storefront, so the load balancing should be working; now the issue might be storefront/load balanced related or it could be an issue in the storefront to controller configuration.

 

 

So check this first, for maintenance mode.

1) In the XD/CVAD site make sure you have adequate VDIs published to the appropriate user account or groups and that the resources are available and not in maintenance mode.

 

If you are still having load balancing/configuration issues, then you may need to check more things:

1) It would still be more helpful if you showed the CLI commands for your storefront load balancing config, to see if there is anything else off.

2) In the storefront store settings, double check your XML broker list.  If multiple storefront servers, be sure you propagate any config changes.

3) Check the event viewer on the StoreFront server for errors that may help diagnose issues.  You are looking in the "Citrix Delivery Services" event log under "Applications and Services" and not just the Application/System log in the standard logs.  Though check these too.  

4) Depending on your storefront config and event logs, you may then need to check the CVAD/XD config in studio and/or its events in the Application Log or we may have to look at the NetScaler config and its syslog. At this point, we've only been troubleshooting the storefront load balancing.  No gateway/ica proxy config or the rest of your CVAD site config.

 

 

 

Link to comment
Share on other sites


The desktop isn't in maintenance mode. Connecting through StoreFront is OK, but connecting through the NetScaler load balancer fails.

 

These features are enabled.

 

How should I check the XML broker list?

 

I checked the store event log and saw a warning and an error.

Link to comment
Share on other sites


After resetting the NetScaler, it is OK.

Link to comment
Share on other sites
