
NS Active/Active issue with OS X Safari


Ryan Fisher


Having an issue where I just changed my gslb configuration to active active to help with my connections due to so many people working from home right now.  Since enabling this, I'm having an issue where ONLY Safari is having a problem logging in.  

 

Once logging in, it'll hang at various points before it gets the handoff to storefront.  It'll usually sit at "Loading your apps" but sometimes I'll get this "Please Select One of the Following" page with no options on it.  Also, sometimes it'll get past the Loading your Apps then go to a white screen and sit there.  AND, sometimes, if you leave it long enough, it'll eventually go in and give you your app list.

 

If I put a static entry in my hosts file to make it go to the same site every time, it works perfectly every time.  Also, if I use another browser on OS X, like Chrome or Firefox, it works fine as well.  It's only Safari that has this issue.  Windows machines with all browsers do not have this issue either.  Most of the time if I empty caches it won't work, but there are times that it'll work right away after emptying caches, but it's rare.

 

For now we're telling users to use Chrome or Firefox as a workaround, but I'd still like to get this fixed to help tamp down support calls.  Up to this point, I have applied the Safari 12 line to the web.config file on the storefront servers as outlined in CTX238286.  Also, there's a forum post where someone stated that they had to put a space in that line in protocolHandler as outlined here:  

 

https://discussions.citrix.com/topic/399689-macos-safari-12-stuck-at-loading-your-apps/

 

Beyond this I'm out of ideas.  I feel like it might be a persistence thing, but I have that set on both the gslb vserver as sourceIP, and on the gslb services as ConnectionProxy, Insert Client IP true and Client IP Header=client-ip.  Maybe that's the problem, having it set on the vserver and the service?  But all the other browsers are working, so I wouldn't think so.  I have a case open with Citrix, but so far they haven't been much help, so hoping someone else might have some ideas.

 

Netscaler v12.1.55.18

Storefront v3.12

 

Thanks!

Link to comment
Share on other sites

I would list both your gslb lb method and gslb persistence type in use (NOTE: I saw that at the bottom) AND your storefront lb method/persistence type.

For GSLB you are using: gslb method:sourceip and gslb persistence CookieInsert:connectionproxy

 

So you have three types of gslb persistence: sourceip persistence (gslb vserver property) or cookie-based persistence (via gslb service) as either connectionproxy or httpredirect.

Safari doesn't usually like regular lb persistence based on cookie insert; so it's probably also choking on the cookie insert for gslb persistence too.

Source-ip persistence (or contentswitching for gslb *might* work to move "safari" users to a different gslb vserver source ip persistence decision might work...)

 

But my guess, safari is blocking the gslb persistence cookie which is then breaking your scenario. You can check your safari setting to see what its cookie handling behavior is and see if accepting all 3rd party cookies or all cookies from this site would work or not. It might be the proxy method is confusing the storefront identification of users when being proxied from the other ADC location; but I would start with the gslb persistence and safari first.

 

Here's one thread noting that safari + cookieinsert persistence (during regular load balancing) was an issue:  https://discussions.citrix.com/topic/361879-cannot-complete-your-request/ 

 

 

 

Link to comment
Share on other sites

Thanks for getting back to me.  After looking at my config, I see that I'm already using SOURCEIP as the persistence in the load balancer vserver for the storefront servers.  Also, I have one storefront server disabled so it's only going to one for now to help troubleshoot.

 

Here is my config for the gslb and for the LB vserver for the storefront servers.  Let me know if any other information would help.  Thank you for the help!

 

add gslb vserver "remote.domain.com - SD" HTTP -lbMethod ROUNDROBIN -backupLBMethod LEASTCONNECTION -tolerance 0 -EDR ENABLED -appflowLog DISABLED
set gslb vserver "remote.domain.com - SD" -lbMethod ROUNDROBIN -backupLBMethod LEASTCONNECTION -tolerance 0 -EDR ENABLED -appflowLog DISABLED
add gslb site "SD Local GSLB" 172.16.20.11 -publicIP xxx.xxx.xxx.185
add gslb site "DR Remote GSLB" 172.16.100.13 -publicIP xxx.xxx.xxx.198
add gslb service "remote.domain.com - SD" 172.16.20.39 SSL 443 -publicIP xxx.xxx.xxx.171 -publicPort 443 -maxClient 0 -siteName "SD Local GSLB" -cltTimeout 180 -svrTimeout 360 -downStateFlush DISABLED
add gslb service "remote.domain.com - LV" 172.16.100.19 SSL 443 -publicIP xxx.xxx.xxx.199 -publicPort 443 -maxClient 0 -siteName "DR Remote GSLB" -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED
bind gslb vserver "remote.domain.com - SD" -serviceName "remote.domain.com - SD"
bind gslb vserver "remote.domain.com - SD" -serviceName "remote.domain.com - LV"
bind gslb vserver "remote.domain.com - SD" -domainName remote.domain.com -TTL 5





add serviceGroup "storefront server group" SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forward-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add lb vserver "storefront load balancer" SSL 172.16.20.63 443 -persistenceType SOURCEIP -timeout 20 -cltTimeout 180
bind lb vserver "storefront load balancer" "storefront server group"
add lb monitor "storefront desktop" STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -interval 6 -resptimeout 5 -secure YES -storename desktop
bind serviceGroup "storefront server group" xenweb01-v 443
bind serviceGroup "storefront server group" xenweb02-v 443 -weight 2 -state DISABLED
bind serviceGroup "storefront server group" -monitorName "storefront desktop"
set ssl vserver "storefront load balancer" -dh ENABLED -dhFile "/nsconfig/ssl/xxxx.key" -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -HSTS ENABLED -maxage 157680000
bind ssl serviceGroup "storefront server group" -eccCurveName P_256
bind ssl serviceGroup "storefront server group" -eccCurveName P_384
bind ssl serviceGroup "storefront server group" -eccCurveName P_224
bind ssl serviceGroup "storefront server group" -eccCurveName P_521
bind ssl vserver "storefront load balancer" -cipherName pchs_ciphers
bind ssl vserver "storefront load balancer" -certkeyName "wldcard.domain.com sha2"
bind ssl vserver "storefront load balancer" -eccCurveName P_256
bind ssl vserver "storefront load balancer" -eccCurveName P_384
bind ssl vserver "storefront load balancer" -eccCurveName P_224
bind ssl vserver "storefront load balancer" -eccCurveName P_521

 

Link to comment
Share on other sites

The trick is that if you are doing sourceip load balancing on the storefront lb vserver, but your GSLB config is set to proxyconnections, you could be confusing the storefront load balancer of the "source ip" of the originating connection when proxied by the other GSLB server OR it might be throwing off storefront's beacons/source ip detection mechanism.

 

However, if everything is working except for safari, then the most likely culprit is the GSLB cookie insert:connection proxy persistence, and a different gslb persistence (not cookie based) but sourceip based might fix both potential causes of the issue.

 

Maybe someone else has a better idea.

 

 

 

 

Link to comment
Share on other sites

So, that's good information.  I went in the Cookies and Website data section on Safari preferences, and when I turn off Prevent Cross-site Tracking (v12) or Always Allow (v11) I can get in every time without issue.  So, as you mention, it seems to be the way Safari is handling the cookies from netscaler with the load balancing.  Based on the config I provided above, are there any suggestions you could give on how I might change the persistence settings or combination of to make this work better?  I really don't want to have to change those settings within Safari, especially on other people's machines.

 

Thanks!

Link to comment
Share on other sites

Sorry!  I realized I put the wrong gslb vserver config in my last post!  Here's the one I'm working on:

 

add gslb vserver "remote.domain.com - SD" HTTP -backupLBMethod ROUNDROBIN -tolerance 0 -persistenceType SOURCEIP -persistenceId 10 -timeout 5 -EDR ENABLED -appflowLog DISABLED
set gslb vserver "remote.domain.com - SD" -backupLBMethod ROUNDROBIN -tolerance 0 -persistenceType SOURCEIP -persistenceId 10 -timeout 5 -EDR ENABLED -appflowLog DISABLED
add gslb site "SD Local GSLB" 172.16.20.11 -publicIP xxx.xxx.xxx.185
add gslb site "DR Remote GSLB" 172.16.100.13 -publicIP xxx.xxx.xxx.198
add gslb service "remote.domain.com - SD" 172.16.20.40 SSL 443 -publicIP xxx.xxx.xxx.156 -publicPort 443 -maxClient 0 -siteName "SD Local GSLB" -cip ENABLED client-ip -sitePersistence ConnectionProxy -cltTimeout 180 -svrTimeout 360 -downStateFlush DISABLED
add gslb service "remote.domain.com - LV" 172.16.100.21 SSL 443 -publicIP xxx.xxx.xxx.201 -publicPort 443 -maxClient 0 -siteName "DR Remote GSLB" -cip ENABLED client-ip -sitePersistence ConnectionProxy -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED
bind gslb vserver "remote.domain.com - SD" -serviceName "remote.domain.com - SD"
bind gslb vserver "remote.domain.com - SD" -serviceName "remote.domain.com - LV"
bind gslb vserver "remote.domain.com - SD" -domainName remote.domain.com -TTL 5

 

And, I'll put the storefront LB vserver config here again, too:

 

add serviceGroup "storefront server group" SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forward-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add lb vserver "storefront load balancer" SSL 172.16.20.63 443 -persistenceType SOURCEIP -timeout 20 -cltTimeout 180
bind lb vserver "storefront load balancer" "storefront server group"
add lb monitor "storefront desktop" STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED -interval 6 -resptimeout 5 -secure YES -storename desktop
bind serviceGroup "storefront server group" xenweb01-v 443
bind serviceGroup "storefront server group" xenweb02-v 443 -weight 2 -state DISABLED
bind serviceGroup "storefront server group" -monitorName "storefront desktop"
set ssl vserver "storefront load balancer" -dh ENABLED -dhFile "/nsconfig/ssl/xxxx.key" -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls13 ENABLED -HSTS ENABLED -maxage 157680000
bind ssl serviceGroup "storefront server group" -eccCurveName P_256
bind ssl serviceGroup "storefront server group" -eccCurveName P_384
bind ssl serviceGroup "storefront server group" -eccCurveName P_224
bind ssl serviceGroup "storefront server group" -eccCurveName P_521
bind ssl vserver "storefront load balancer" -cipherName pchs_ciphers
bind ssl vserver "storefront load balancer" -certkeyName "wldcard.domain.com sha2"
bind ssl vserver "storefront load balancer" -eccCurveName P_256
bind ssl vserver "storefront load balancer" -eccCurveName P_384
bind ssl vserver "storefront load balancer" -eccCurveName P_224
bind ssl vserver "storefront load balancer" -eccCurveName P_521

 

Link to comment
Share on other sites

I think I have this fixed!  In the persistence settings on the gslb service, I turned off Insert Client IP.  Once I did that Safari logs in every time.  (so far).  I'll monitor and let you know the status after some time.

 

Thanks for the ideas!

Link to comment
Share on other sites
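
An added example, not part of any post above and not Citrix code: a small Python audit that reads NetScaler `add gslb ...` lines and reports, for each GSLB service, whether site persistence is cookie-based (ConnectionProxy or HTTPRedirect) and whether a client-IP header is inserted, the two settings discussed in this thread. The sample config is constructed from the lines posted above (shortened, with one extra service added for contrast), and the function names are hypothetical.

```python
import shlex

# Constructed sample, modelled on the GSLB lines posted in this thread.
SAMPLE_CONFIG = '''
add gslb vserver "remote.domain.com - SD" HTTP -backupLBMethod ROUNDROBIN -persistenceType SOURCEIP -persistenceId 10 -timeout 5
add gslb service "remote.domain.com - SD" 172.16.20.40 SSL 443 -siteName "SD Local GSLB" -cip ENABLED client-ip -sitePersistence ConnectionProxy
add gslb service "remote.domain.com - LV" 172.16.100.21 SSL 443 -siteName "DR Remote GSLB" -sitePersistence ConnectionProxy
add gslb service "example - no site persistence" 192.0.2.10 SSL 443 -siteName "SD Local GSLB"
add lb vserver "storefront load balancer" SSL 172.16.20.63 443 -persistenceType SOURCEIP -timeout 20
'''

# Site-persistence modes that rely on a cookie the browser must accept and return.
COOKIE_SITE_PERSISTENCE = {"connectionproxy", "httpredirect"}

def parse_options(tokens):
    """Group '-option value ...' tokens; an option can take several values (-cip ENABLED client-ip)."""
    opts, current = {}, None
    for tok in tokens:
        if tok.startswith("-") and len(tok) > 1:
            current = tok[1:].lower()
            opts[current] = []
        elif current is not None:
            opts[current].append(tok)
    return opts

def audit(config_text):
    """Return one finding per 'add gslb service' / 'add gslb vserver' line."""
    findings = []
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # honours the quoted entity names
        if len(tokens) < 4 or [t.lower() for t in tokens[:2]] != ["add", "gslb"]:
            continue
        kind, name, opts = tokens[2].lower(), tokens[3], parse_options(tokens[4:])
        if kind == "service":
            site = (opts.get("sitepersistence") or ["NONE"])[0]
            cip = opts.get("cip") or ["DISABLED"]
            header = cip[1] if cip[0].upper() == "ENABLED" and len(cip) > 1 else None
            findings.append({"kind": kind, "name": name, "site_persistence": site,
                             "cookie_based": site.lower() in COOKIE_SITE_PERSISTENCE,
                             "client_ip_header": header})
        elif kind == "vserver":
            ptype = (opts.get("persistencetype") or ["NONE"])[0]
            findings.append({"kind": kind, "name": name, "persistence": ptype})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the running config to list every GSLB service whose persistence depends on the browser accepting a cookie.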
