Jump to content
Welcome to our new Citrix community!

Recommended Posts

I have two StoreFront Server and be configured Server Group.

 

The StoreFront uses a wildcard certificate.

 

Configure NetScaler LB

Add server

Add Service Group

 

But, the service Group is down

Use Monitor Details to check Service Group Member Monitors:

State of StoreFront is DOWN

State of ping is UP

 

What should I do? 

Link to comment
Share on other sites

To better troubleshoot, show your config of the servicegroup:

show ns runningconfig | grep <servicegroupname> -i

show ns runningconfig | grep <monitorname> -i  #if using storefront or other monitor

 

Which monitor are you using?

 

1) If using the storefront monitor, check the following:

  • Is your service member HTTP or SSL and therefore the monitor secure flag disabled or enabled to agree.   Make the monitor Secure:ON for SSL servicegroup members.
  • Do you have the correct store name specified?  Does not need the "web" addition, but is the actual storefront store name you are referencing?
  • Disable "check backend web services" as this requires additional config to work; if on without these changes on storefront, the service members will be down.

2) Try a simpler monitor first:  swap in a simple monitor like PING to see if it works instead of the custom monitor. If ping fails, then you have a networking issue.

 

3) If networking issue, confirm you have a valid SNIP in the network facing the storefront servers. Confirm any necessary routes have been configured. Verify you don't have any networking firewalls blocking access from SNIP to storefront destination.

If you do a ping test from the NetScaler, use; ping <stf ip> -S <snip>  to force the ping to use a specific SNIP or source IP instead of using the NSIP by default.

 

 

  • Like 1
Link to comment
Share on other sites

19 hours ago, Rhonda Rowland1709152125 said:

To better troubleshoot, show your config of the servicegroup:

show ns runningconfig | grep <servicegroupname> -i

show ns runningconfig | grep <monitorname> -i  #if using storefront or other monitor

 

Which monitor are you using?

 

1) If using the storefront monitor, check the following:

  • Is your service member HTTP or SSL and therefore the monitor secure flag disabled or enabled to agree.   Make the monitor Secure:ON for SSL servicegroup members.
  • Do you have the correct store name specified?  Does not need the "web" addition, but is the actual storefront store name you are referencing?
  • Disable "check backend web services" as this requires additional config to work; if on without these changes on storefront, the service members will be down.

2) Try a simpler monitor first:  swap in a simple monitor like PING to see if it works instead of the custom monitor. If ping fails, then you have a networking issue.

 

3) If networking issue, confirm you have a valid SNIP in the network facing the storefront servers. Confirm any necessary routes have been configured. Verify you don't have any networking firewalls blocking access from SNIP to storefront destination.

If you do a ping test from the NetScaler, use; ping <stf ip> -S <snip>  to force the ping to use a specific SNIP or source IP instead of using the NSIP by default.

 

 

 

This is Service Group configure:

A.thumb.PNG.502440e9f3ba268af576f2df881094ad.PNGb.thumb.PNG.c8537cc07e528be916be1b1895bbc72b.PNG

 

I have two monitor:

  • StoreFront
  • ping

StoreFront show  Failure - Probe failed.

Ping show Success - ICMP echo reply received.

C.thumb.PNG.ac1c92a6160a26514fda01e365e2be40.PNG

 

The Secure option has been selected.

The Store name is correct.

I don't have select "check backend web services "

 

The StoreFront monitor  is OK on other service group.

 

 

Link to comment
Share on other sites

If the monitor works for one servicegroup and not the other, then the problem is with this monitor detail on this specific servergroup members or the member details themselves. 

 

So let's tackle that first.

What is different between the working servicegroup (A) and the non working servicegroup (B)? 

  • If you are using one monitor for both, then is the store name "NewStore" actually created on both sets of servers? 
  • Are certs bound to the servicegroup (B) servers (the actual servers) so that they can respond/listen on SSL:443?
  • If part of a storefront server group, have you fully propagated changes amongst all participating servers.

On your NetScaler, since the PING works and the STOREFRONT monitor is not, lets try something else.  Plus, if multiple monitors are bound any one failures will bring the service group down.

  • Ping confirms the backend services are reachable by an available SNIP. But it is not confirming a port check or SSL/cert presence.
  • Test 1: unbind the storefront monitor from the servicegroup B and use the PING only.  Then test your load balancing to see if the storefront servers are working or not?
    • Assuming this works, then the issue is related to the storefront monitor specifically.  If not, we have backend issues to solve first.
  • Test 2: unbind the ping monitor and rely on the tcp-default monitor (remove all monitors and it will attache automatically).  This will do a minimal port check. If storefront still works, proceed.
  • Test 3:  At this point, if the only thing that is not working is the storefront monitor, then double check that the settings in the monitor should work for the servicegroupB members (and the store is not different between it and the A group).   Note: unlike the ping and tcp monitors which use the SNIP, the storefront monitor relies on the NSIP to reach its destination and you may some firewall rules that allow it to talk to the serviceGroup A members but are blocking servicegroup B members. 
    • So at this point, run a nstrace to look for issues related to the NS to storefront communication specific to this monitor.
    • Issue could be a cert/trust issue between NS and backend. 

You can also check syslog/nslog for additional issues. But your probably going to need the trace depending on how the monitor tests go.

 

 

 

 

 

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...