Jump to content
Welcome to our new Citrix community!

Limiting download-speed from LB_vserver

Recommended Posts


we are using "Citrix ADC 13.0 52.24 Advanced" to provide remote access to Citrix Desktop through Storefront for our users. 


In addition we do have a couple of "content switching policies" defined in the "Citrix Gateway" VPN server.

One of the LB_vservers allows access from internet via a servicegroup to a download server.

All of the above works as required.


Meanwhile I spent a lot of hours trying to limit the download speed from the above mentioned server. 


First approach was trying to use the "Maximum Bandwith" setting in "Thresholds" at servicegroup level. This was not successful, seems the setting is affecting inbound traffic only. This made it possible to limit upload-speed, but not for downloads.

Second approach was using "stream selectors" by using below commands

add stream selector sel_PacketLimit CLIENT.TCP.SRCPORT CLIENT.IP.SRC

add stream identifier lid_PacketLimit sel_PacketLimit -trackAckOnlyPackets ENABLED

add responder policy pol_PacketLimit "ANALYTICS.STREAM(\"lid_PacketLimit\").COLLECT_STATS(\"PACKET_LIMIT\", 300, DROP, 1)" NOOP
bind lb vserver vServer-Downloads -policyname pol_PacketLimit -priority 10

The issue now is, after the DROP condition is reached the various browsers I tested, sending ACKs for another 20 seconds before they stop downloading. Since none of those ACKs are replied, due to the limit condition, the download does not continue.


Even crawling for hours through documentation and Google I haven't found a way to implement our request.


Still I'm guessing it should be possible using NetScaler to limit bandwith. 


Any help is highly appreciated, thank you in advance

Link to comment
Share on other sites

I don't have a good answer for you; hopefully, someone else can correct me if I'm wrong about these points.


The problem with your responder policy "dropping" requests, is that the transaction will be terminated when the "drop" occurs. Not just slowed down.


Rate limiting can't actually "LIMIT" bandwidth without stopping (block/reset/redirect or triggering a policy like caching (which won't help)) traffic exceeding a specified threshold.  See this FAQ:  https://support.citrix.com/article/CTX138964 - For Rate Limiting by bandwidth.  


An APPQOE policy *might* work in this case by de-prioritizing traffic...but that's still not quite the same as enforcing a bandwidth limit.  But as the above blog notes, an actual packet prioritization system (or sd-wan) might be needed


Older example when feature was new:  https://msandbu.wordpress.com/2015/02/17/how-to-use-appqoe-on-netscaler/


AppQOE is the advanced engine that does stuff handled by the original Priority Queuing, SureConnect, and HTTP DOS Protection features...with a few new tricks and captcha integration...but the settings are woefully under-documented and under explained.


If you do think AppQOE would work, you have to be sure the policy only impacts your traffic from these download servers and doesn't impact the other gateway or related traffic.


  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...