
Netscaler MPX 8905 - NSIP , Subnet IP and DMZ vlan - ROUTE Related issue


Hello Citrix Champions! I need your urgent assistance, please help!

 

As per Carl Stalhood's blog, he mentions not to add a SNIP from the NSIP network. I'm trying to avoid that; however, when I remove the SNIP which is from the NSIP network, my STA servers and other vservers start to show status as down.

 

I'm having issues with regard to the routes and connectivity when the Subnet IP from the NSIP network (VLAN 20) is removed. All vservers work only when I keep a SNIP from the same network as the NSIP network.

The moment I remove the SNIP, all vservers' status shows as down.

 

I have two MPX 8905 configured in HA.

  1. My NSIP of the NetScaler, my DDC, StoreFront, NetScaler ADM (MAS) and AD domain controllers are all in VLAN 20 (192.168.20.x) - VLAN 20 is a production VLAN
  2. My MPX devices are in the DMZ - SNIP 10.1.1.x (VLAN 800)

 

Physical cabling connections:
-----------------------

  • Management port - RJ45 plugged in, connected to mgmt switch (VLAN 20)
  • 10/1 and 10/2 - SFP plugged in and connected to DMZ network. Port channel done for 10/1 and 10/2 into LA/1 (VLAN tagged to 800)
  • From the 10.1.1.x network all the internal network is open; no port is being blocked at the moment (able to telnet DDC, SF, LDAP servers on respective ports).

 

NS Configuration
------------------
Netscaler NSIP (both) - 192.168.20.x HA - working absolutely fine

Static route added - 0.0.0.0  0.0.0.0 10.1.1.X (DMZ gateway)

SNIP - 10.1.1.X (VLAN 800)

access gateway VIP 10.1.1.X

 

 

Issue is that on the access gateway VIP, STA status shows down when there is no SNIP in the management network (VLAN 20).

1) All the virtual servers (LDAP load balancing vserver & access gateway vserver) show state as down when the SNIP from the NSIP VLAN (VLAN 20) is removed.

 

Attached screenshots for your reference.

What should I do?

 

Any inputs shall be greatly appreciated! Thanks in advance.

 

 

 

 

If you need to communicate to the STAs and other vserver service destinations from the same network as the NSIP, then you will have to have a SNIP in that subnet/VLAN, as the SNIP is needed for the ADC-to-backend communication; the NSIP alone can't do that.

 

If you segregate your NSIP to a management network separate from your backend network, then you can have a SNIP in a different subnet/VLAN from your NSIP, but your traffic flow doesn't appear to support that.

 

Confirm your routes are properly applied for your network destinations too; but this may be expected before for your current network deployment.

 

Edit additional thoughts:

Did look at your route/NSIP stuff above, so you are trying to separate them. Can you confirm which subnet the STA and backend LB services belong to? If it's not directly accessible via your 10.1.1.x network/VLAN 20, then you may be missing some routes, for example ones that say how to get to a 10.10.x.x network from the 10.1.1.x network. And the system is falling back to the NSIP network for some reason. Also, have you associated the subnets and interfaces/channels to the VLANs as well (check your VLAN bindings)?

 

Certain monitors require the NSIP for use, such as the StoreFront monitor; but I don't think that's your initial issue for the STA. (Scriptable monitors are those for which you can't set a net profile; they source from the NSIP. Non-scriptable monitors use a SNIP to reach the destination network, or an alternate net profile IP if specified.)

 

You should see STA failure events and a possible reason though in the syslog file. It may have some insight if the failure is specific to lack of available SNIP.

StoreFront-specific issues may appear in syslog, but an additional event will show up in nslog (either events or console messages) indicating if the StoreFront FQDN is unreachable/unresolvable from the Gateway. If it doesn't see a valid StoreFront resolution (even if the VIP is on this ADC), it will not attempt the Gateway-to-StoreFront hand-off. Usually the event will show a "snip unavailable" if that is in fact the problem.

 

 

 

Edited by Rhonda Rowland
added notes
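
The reply's point about SNIPs and routes can be checked on paper before touching the appliance. The following is an added example, not part of the original thread and not Citrix code: a simplified model (longest-prefix match, with the NSIP subnet counted as directly connected but never usable as a backend source) in which all host addresses and the /24 masks are constructed assumptions, since the thread elides them.

```python
from ipaddress import ip_address, ip_interface, ip_network


def pick_source(dest, nsip, snips, static_routes):
    """Return (source_snip, reason) for ADC-to-backend traffic to dest.

    A source of None means no SNIP can reach dest, which is the state in
    which monitors and STA checks would be expected to show DOWN.
    """
    dest = ip_address(dest)
    nsip_if = ip_interface(nsip)
    snip_ifs = [ip_interface(s) for s in snips]
    # Candidate paths: (network, next hop); next hop None = directly connected.
    paths = [(i.network, None) for i in [nsip_if] + snip_ifs]
    paths += [(ip_network(n), ip_address(g)) for n, g in static_routes]
    matches = [p for p in paths if dest in p[0]]
    if not matches:
        return None, "no route"
    # Longest prefix wins; on a tie a connected network beats a static route.
    net, hop = max(matches, key=lambda p: (p[0].prefixlen, p[1] is None))
    target = dest if hop is None else hop
    # Backend traffic needs a SNIP on the subnet of the destination/next hop.
    for s in snip_ifs:
        if target in s.network:
            return str(s.ip), f"via {net}"
    return None, f"no SNIP in subnet of {target}"


# Constructed values modelled on the thread's layout (hypothetical hosts).
NSIP = "192.168.20.5/24"                  # VLAN 20, management/production
DMZ_SNIP = "10.1.1.5/24"                  # VLAN 800
ROUTES = [("0.0.0.0/0", "10.1.1.1")]      # default route via DMZ gateway
STA = "192.168.20.10"                     # backend in the NSIP subnet

if __name__ == "__main__":
    cases = {
        "DMZ SNIP only": [DMZ_SNIP],
        "DMZ SNIP + VLAN 20 SNIP": [DMZ_SNIP, "192.168.20.6/24"],
    }
    for label, snips in cases.items():
        print(label, "->", pick_source(STA, NSIP, snips, ROUTES))
    # A backend outside both subnets follows the default route instead.
    print("10.10.5.20 ->", pick_source("10.10.5.20", NSIP, [DMZ_SNIP], ROUTES))
```

In this model the VLAN 20 backend is unreachable with only the DMZ SNIP because the connected 192.168.20.0/24 network is more specific than the default route, which matches the behaviour reported in the question.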