Service groups, services and virtual servers in a DOWN state (state and effective state)


Eunice Mapong

Hey folks,

I have some issues testing load balancing feature on my appliance (CITRIX ADC MPX 5901 build 11.1). After creating services, service groups, virtual servers and binding the service groups and services to virtual servers, they all appear to be in a DOWN state, both state and effective state.

Please, where may be the issue?

PS1 : The servers appears ENABLED and the services are of different protocols  (HTTP, FTP, TCP, SSL and DNS).

PS2 : Load balancing and SSL Offloading are enabled also

Standard Troubleshooting:

1) Are you on the primary member of an HA pair?

2) I know you noted features above, but just to be sure verify that features are both licensed and enabled: LB SSL CS etc...

3) Do you have a SNIP configured and possibly any required routes?  A SNIP is required to reach the destination where the services are located; if it is in a separate network, a route may also be needed.

4) ACLs or firewall rules can block access from the SNIP to the destination as well.

5) Run ping tests from the ADC to the destination IPs.  NOTE:  ping by default will ping from the NSIP and will not confirm whether the SNIP is working.  Use ping -S <snip> <destination IP> to force ping to use the specified SNIP as its source IP (or ping --h to see parameters).

6) For additional troubleshooting, you can check syslog and nslog (or run a network trace).

Syslog:   (audit log but will also report up/down states and deny messages that may help see what is happening)

shell

cd /var/log

tail -f /var/log/ns.log | grep -v CMD_EXECUTED

nslog: (for lower level networking and other issues)

cd /var/nslog

nsconmsg -K /var/nslog/newnslog -d consmsg

nsconmsg -K /var/nslog/newnslog -d event

trace:

Can easily be run from System > Diagnostics in GUI

- Be sure to set trace format to PCAP

- Adjust packet size if needed (0 for full packet, or if not sure)

- Filter expression can be used to follow traffic from a given source ip, but be sure to also enable "Trace Filtered Connections Peer Traffic" to get full client to vip; snip to server, server to snip, and vip to client transactions.

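Added example, not part of the reply above or of any Citrix tooling: the same filtering that `tail -f /var/log/ns.log | grep -v CMD_EXECUTED` does, written in Python over a few constructed ns.log lines, so that the UP/DOWN events the reply says syslog reports come out as records, and the configuration commands that change routes or modes are kept for correlation instead of being thrown away with the rest of the CMD_EXECUTED noise. The sample lines follow the general shape of ADC ns.log entries, but their exact field layout, the addresses, the user and the object names are all assumptions of this example.

```python
import re

# Constructed sample ns.log lines for this example. They follow the general
# shape of ADC ns.log entries (timestamp, facility, NSIP, event class, event
# name, message); the exact field layout and every address/name are assumed.
SAMPLE_NS_LOG = """\
Mar 18 10:15:01 <local0.info> 10.0.1.21 03/18/2024:10:15:01 GMT 0-PPE-0 : default GUI CMD_EXECUTED 101 0 : User nsroot - Remote_ip 10.0.1.5 - Command "add route 0.0.0.0 0.0.0.0 10.0.110.82" - Status "Success"
Mar 18 10:15:02 <local0.info> 10.0.1.21 03/18/2024:10:15:02 GMT 0-PPE-0 : default EVENT MONITORDOWN 102 0 : Monitor Monitor_http-default(10.0.110.50:80) - State DOWN
Mar 18 10:15:02 <local0.info> 10.0.1.21 03/18/2024:10:15:02 GMT 0-PPE-0 : default EVENT DEVICEDOWN 103 0 : Device "svc_http(10.0.110.50:80)" - State DOWN
Mar 18 10:15:03 <local0.info> 10.0.1.21 03/18/2024:10:15:03 GMT 0-PPE-0 : default GUI CMD_EXECUTED 104 0 : User nsroot - Remote_ip 10.0.1.5 - Command "show ns modes" - Status "Success"
Mar 18 10:16:40 <local0.info> 10.0.1.21 03/18/2024:10:16:40 GMT 0-PPE-0 : default EVENT MONITORUP 105 0 : Monitor Monitor_http-default(10.0.110.50:80) - State UP
Mar 18 10:16:40 <local0.info> 10.0.1.21 03/18/2024:10:16:40 GMT 0-PPE-0 : default EVENT DEVICEUP 106 0 : Device "svc_http(10.0.110.50:80)" - State UP
"""

# Event class, event name and free-text message after the second " : ".
ENTRY_RE = re.compile(r' : default (?P<module>\S+) (?P<event>\S+) \d+ \d+ : (?P<msg>.*)$')
# "name(ip:port) - State UP|DOWN", with or without quotes around the name.
STATE_RE = re.compile(r'"?(?P<obj>[\w.-]+\([\d.]+:\d+\))"? - State (?P<state>UP|DOWN)')
CMD_RE = re.compile(r'Command "(?P<cmd>[^"]*)"')
# Verbs that change configuration; "show"/"stat" and friends are dropped.
CONFIG_VERBS = {"add", "rm", "set", "enable", "disable", "bind", "unbind"}


def parse_ns_log(text):
    """Split ns.log text into state changes and configuration commands.

    Returns a dict with:
      state_changes: list of (event, object, state) in log order
      config_cmds:   CMD_EXECUTED commands that changed configuration
      dropped_cmds:  number of other CMD_EXECUTED lines skipped
    """
    state_changes, config_cmds, dropped = [], [], 0
    for line in text.splitlines():
        entry = ENTRY_RE.search(line)
        if not entry:
            continue
        event, msg = entry.group("event"), entry.group("msg")
        if event == "CMD_EXECUTED":
            cmd = CMD_RE.search(msg)
            tokens = cmd.group("cmd").split() if cmd else []
            if tokens and tokens[0] in CONFIG_VERBS:
                config_cmds.append(cmd.group("cmd"))
            else:
                dropped += 1
            continue
        state = STATE_RE.search(msg)
        if state:
            state_changes.append((event, state.group("obj"), state.group("state")))
    return {"state_changes": state_changes, "config_cmds": config_cmds,
            "dropped_cmds": dropped}


def final_states(state_changes):
    """Last reported state per monitor/service object."""
    result = {}
    for _event, obj, state in state_changes:
        result[obj] = state
    return result


def still_down(state_changes):
    """Objects whose most recent event is DOWN (the ones to chase first)."""
    return sorted(obj for obj, state in final_states(state_changes).items()
                  if state == "DOWN")


if __name__ == "__main__":
    parsed = parse_ns_log(SAMPLE_NS_LOG)
    for change in parsed["state_changes"]:
        print("%-12s %-40s %s" % change)
    print("config commands:", parsed["config_cmds"])
    print("still down:", still_down(parsed["state_changes"]))
```

Running it over a real /var/log/ns.log (read the file instead of SAMPLE_NS_LOG) gives the monitor and service transitions in order next to the route and mode changes made around the same time, which is the correlation a `grep -v` on the live tail loses. If nothing at all comes out, the logging level is the first thing to check, as the later reply in this thread notes.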
Hi Rhonda

Thanks very much for your elaborate reply

Concerning:

1) Are you on the primary member of an HA pair? --> NO. There's no HA config between the two ADCs. They are still in standalone mode.

2) I know you noted features above, but just to be sure verify that features are both licensed and enabled: LB SSL CS etc...  --> Crosschecked again. Every feature is licensed and enabled

3) Do you have a SNIP configured and possibly any required routes?  A snip is required to reach the destination where services is located; if in a separate network a route  may also be needed --> I have a SNIP configured and also created some routes. I think the problem may lie here, because the NSIP, SNIP and VIPs are all three in different subnets (examples: NSIP = x.x.1.21; SNIP = x.x.110.87; VIP = x.x.110.35). I have a default route which I created in the same subnet as the NSIP (0.0.0.0 0.0.0.0 x.x.1.55). I thought the problem was with this default route which I created in the same subnet as the NSIP. I then created another default route in the same subnet as the SNIP (0.0.0.0 0.0.0.0 x.x.110.82) and tried pinging a service using this SNIP (ping -S <subnetIP> <serviceIP>), but I could succeed in accessing it.

4) ACLs or firewall rules can block access from SNIP to destination as well. --> NO ACLs defined, nor any firewall existing between the SNIP and the backend servers in the architecture.

5) Run ping tests from the ADC to the destination ips.  NOTE:  ping by default will ping from the NSIP and not confirm if the SNIP is working.  use ping -S <snip> <destination IP> to force ping to use specified SNIP as ping source ip. (or ping --h to see parameters) --> pinged multiple destination IPs from the actual SNIP without any positive result

6) For additional troubleshooting, you can check syslog and nslog (or run a network trace)? --> I tried checking syslog and nslog and the results I got can be seen on the attached screenshots (screen1 and screen2)

Up to now, the monitors attached to the services show the failure error which can be seen on screenshot3. A SNIP exists though. What can I do to solve this please?

No client can actually access the Virtual servers and thus the services.

What am I missing please?

Attachments: screen1.jpg, screen2.jpg, screen3.png

1) I think you missed a phrase up above, but you said that the pings from SNIPs were not working (in one case you said it worked and then later not worked...so I assumed a mistype).

You don't want two default routes.  System will alternate between them. Be sure a route to get to the services location exists on behalf of the SNIP

2) Check your ns modes: show ns modes (or System > Settings:: Modes are in right pane)

Ensure: USNIP mode is enabled (USIP mode is usually off). L3 mode is on (but can be on or off depending on the setup). L2 mode is usually OFF...

PBR (policy based routes) or MBF might be required...but before that we'll need to check some additional network/routing config

3) Since your syslog has no detail in it, check 1) your local syslog audit policy and see if it is logging less than informational OR if the local logging is replaced with external logging only.

System > Auditing:  right hand pane and check local syslog parameters (or logging settings)

> see if the syslog parameters log local or remote destination?

> see if the syslog logging level is set to warning or error and higher and is skipping informational (you probably don't need or want debug yet)

If the local parameters are logging externally, you'll need to look at the external log.

Usually you can keep parameters logged locally and then use syslog policies to log externally too (and get both)

IF logging locally, but different logging level, you might need or want to adjust the logging level to get output.

OR repeat the syslog command with no grep filter:

shell

cd /var/log

tail -f ns.log

For the nslog, you are using the wrong command:

cd /var/nslog

nsconmsg -K newnslog -d consmsg

nsconmsg -K newnslog -d event

You forgot the nsconmsg and have nconmsg instead.

IF the ADC has PBRs configured or its own ACLs it might affect things.

But at this point, you might be looking at network config (if channels are in use), routes, and other network settings first.

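Added example (not from the thread, and not Citrix code): a small Python model of the route lookup and source-address selection the replies above are asking the poster to check, using constructed addresses in place of the thread's x.x. ones (10.0.1.0/24 for the NSIP subnet, 10.0.110.0/24 for the SNIP and VIP subnet) and the two default routes the poster ended up with. It treats only SNIPs as usable sources for backend traffic and monitor probes, which is the USNIP behaviour the reply asks to verify; that simplification, the function names and the route tables are assumptions of the example, not appliance behaviour copied from documentation.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Owned addresses, constructed to mirror the thread's layout: NSIP in one
# subnet, SNIP and VIP in another (10.0.x stands in for the thread's x.x).
OWNED = {
    "NSIP": ip_interface("10.0.1.21/24"),
    "SNIP": ip_interface("10.0.110.87/24"),
    "VIP": ip_interface("10.0.110.35/24"),
}

# Static routes as (destination network, gateway). The first table has the
# two default routes the poster ended up with; the second keeps only the
# one whose gateway sits in the SNIP subnet.
ROUTES_TWO_DEFAULTS = [
    (ip_network("0.0.0.0/0"), ip_address("10.0.1.55")),
    (ip_network("0.0.0.0/0"), ip_address("10.0.110.82")),
]
ROUTES_ONE_DEFAULT = ROUTES_TWO_DEFAULTS[1:]


def longest_prefix_matches(dest, routes):
    """All routes that tie for the longest prefix covering dest."""
    best, matches = -1, []
    for net, gw in routes:
        if dest in net:
            if net.prefixlen > best:
                best, matches = net.prefixlen, [(net, gw)]
            elif net.prefixlen == best:
                matches.append((net, gw))
    return matches


def next_hops(dest, owned, routes):
    """A directly connected destination is its own next hop; otherwise
    every equal-cost gateway is a candidate."""
    if any(dest in iface.network for iface in owned.values()):
        return [dest]
    return [gw for _net, gw in longest_prefix_matches(dest, routes)]


def snip_for_next_hop(hop, owned):
    """Name of a SNIP whose subnet contains the next hop, or None.

    Modelling assumption of this example: with USNIP on, backend traffic
    (monitor probes included) is sourced from a SNIP in the next hop's
    subnet; the NSIP and VIPs are not considered as sources here."""
    for name, iface in owned.items():
        if name.startswith("SNIP") and hop in iface.network:
            return name
    return None


def diagnose(dest, owned=OWNED, routes=ROUTES_TWO_DEFAULTS):
    """Explain how the box would reach dest and flag the problems the
    thread is circling: no route, ambiguous default routes, or a next hop
    with no SNIP beside it."""
    dest = ip_address(dest)
    hops = next_hops(dest, owned, routes)
    warnings = []
    if not hops:
        warnings.append("no route to %s" % dest)
    if len(hops) > 1:
        warnings.append("%d equal-cost routes to %s: next hop is ambiguous"
                        % (len(hops), dest))
    source = {}
    for hop in hops:
        snip = snip_for_next_hop(hop, owned)
        source[str(hop)] = snip
        if snip is None:
            warnings.append("next hop %s is not in any SNIP subnet" % hop)
    return {"next_hops": [str(h) for h in hops], "source": source,
            "warnings": warnings}


if __name__ == "__main__":
    for target in ("10.0.110.50", "10.0.200.10"):
        for label, table in (("two defaults", ROUTES_TWO_DEFAULTS),
                             ("one default", ROUTES_ONE_DEFAULT)):
            print(target, label, diagnose(target, routes=table))
```

A service in the SNIP's own subnet needs no route at all in this model, while a service behind the routers gets two candidate next hops under the two-default-route table, one of which has no SNIP in its subnet; dropping the NSIP-side default leaves a single, sourceable path. A clean result here only says the configuration is consistent; whether the gateway actually forwards from the SNIP is what the `ping -S <snip> <destination IP>` test in the first reply answers.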