
NetScaler VPX 100 Clear Config Start lost SSL Certificate config



During an issue encountered for our Citrix NS 1000 version 11 servers, the NS servers were rebooted to fix the problem. But instead, they lost the configurations and SSL certificates. The certificates had to be reinstalled and reconfigured. May I know what the NetScaler boot sequence is, and why the configurations were lost?

Also, I have the log showing CLEAR CONFIG STARTED .... CLEAR CONFIG ENDED many times during the NetScaler reboot process. Can you explain whether this is the normal behavior? What is the boot sequence for NetScaler?

NS failure.png

Link to comment
Share on other sites

"Losing the configuration" occurs in most cases after editing the ns.conf file. In fact, the configuration does not get lost; instead, during boot it will just stop executing the ns.conf file after the first error. If the error was fatal, it will even clear the configuration. That's why Citrix does not support editing the ns.conf file at all. There may be some more reasons for this to happen, but editing the ns.conf file is the most popular one.

Like always in Citrix ADC, nothing will get lost. There is always an ns.conf.0 file, containing the previous configuration, and the .1, .2, .3, and .4 files.

 

Greetings from sunny Austria

 

Johannes Norz

CTA, CCI, CCE-N

Link to comment
Share on other sites

The SSL certificate files as well? That's really a bit of a surprise to me. I have never seen this happen. Which firmware version do you use? Did you patch your ADC after this CVE-2019-19781 bug? If not, someone may have done stupid things to your ADC. In this case you should recreate your VPX (maybe you want to follow my blog).

 

Best regards

 

Johannes Norz

CTA, CCI, CCE-N

Link to comment
Share on other sites

It was the SSL certificate bindings that were lost. I am curious about the boot process, specifically about the clear config start/end commands. How are these initiated?

The NetScaler is installed in our local network. It is not facing the internet and there is no Citrix communication passing through the perimeter firewall.

Link to comment
Share on other sites

I would be curious as well.

A Citrix ADC (NetScaler) boots up without any configuration. It does not know about anything: no IPs, no certificates. During boot, it executes the /flash/nsconfig/ns.conf file, a batch file. It executes this file from the top down. This will teach the box how to use IPs, which certificate files belong together, and many more (add ssl certkey ...).

Usually, if there is some nonsense in this file, execution stops. This may lead to an incomplete configuration. I have never seen an ADC execute a clear configuration command on its own, so I can't tell you why it did. I think this clear config command had been in the ns.conf file, but I have no clue how it came there.

Link to comment
Share on other sites
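
Added example, not part of any post in this thread: a shell check that compares ns.conf against a rotated backup (ns.conf.0 to ns.conf.4, as mentioned above), lists the SSL certkey definitions and bindings that disappeared, and flags a stray clear command in the file. The function names and sample files are constructed; the check assumes a clear command would appear in ns.conf as a line starting with "clear ns config".

```shell
#!/bin/sh
# Added example. On an appliance, point CONF_DIR at /flash/nsconfig (path from the thread).
# Here CONF_DIR is a temp directory filled with constructed sample files.

# Print SSL certkey definitions and bindings present in OLD but missing from NEW.
ssl_lines_lost() {
    old=$1; new=$2
    grep -iE '^(add ssl certkey|bind ssl (vserver|service)) ' "$old" |
    while IFS= read -r line; do
        # -x: whole line, -F: literal string, so option text is not read as a regex
        grep -qxF -- "$line" "$new" || printf '%s\n' "$line"
    done
}

# Succeed if FILE contains a line starting with "clear ns config" (assumed form).
has_clear_config() {
    grep -qiE '^[[:space:]]*clear ns config' "$1"
}

CONF_DIR=$(mktemp -d)
# Constructed backup: the configuration as it was before the reboot.
cat > "$CONF_DIR/ns.conf.0" <<'EOF'
add ns ip 192.0.2.10 255.255.255.0 -type SNIP
add ssl certKey wildcard_example -cert wildcard.cer -key wildcard.key
add lb vserver vs_web SSL 192.0.2.20 443
bind ssl vserver vs_web -certkeyName wildcard_example
EOF
# Constructed current file: the certkey is still defined, the binding is gone.
cat > "$CONF_DIR/ns.conf" <<'EOF'
add ns ip 192.0.2.10 255.255.255.0 -type SNIP
add ssl certKey wildcard_example -cert wildcard.cer -key wildcard.key
add lb vserver vs_web SSL 192.0.2.20 443
EOF

for bak in "$CONF_DIR"/ns.conf.[0-4]; do
    [ -f "$bak" ] || continue
    echo "== SSL lines in $bak that are missing from ns.conf =="
    ssl_lines_lost "$bak" "$CONF_DIR/ns.conf"
    if has_clear_config "$bak"; then
        echo "clear ns config line found in $bak"
    fi
done
if has_clear_config "$CONF_DIR/ns.conf"; then
    echo "clear ns config line found in ns.conf"
fi
```

The comparison is line-exact, so a binding that was re-added with different options also shows up as lost from the backup.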
