
ADC cannot contact STA Servers


Hello team,

I have a new ADC (in AWS, BYOL). It has these 3 IPs: NSIP - 192.168.250.74, VIP - 192.168.250.4 (52.7.182.62), and SNIP - 192.168.250.79. I configured a gateway to deliver apps from some XA servers, but when I add STA servers they appear as DOWN. When I ping them from the NSIP they are reachable, but when I ping them from the SNIP they are not... (Backend servers are in the same subnet; 192.168.250.75 is one of them.) Could it be due to a misconfiguration of the routes/VLANs?

[Attached screenshots: ARP.PNG, Interfaces.PNG, Routes.PNG, VLANs.PNG]


Yes; SNIP traffic is affected by your routes/VLANs. So if there is a mistake, that would affect SNIP-dependent traffic.

>> check that USNIP mode is enabled (show ns mode)

>> Check your vlans/routes/snip settings for valid route and ownership of IPs via vlans to appropriate interfaces/networks

>> run a traceroute to confirm egress or an actual network trace

If you know there is an issue, then start there. If you are trying to identify the route/vlan issue, then we might need more info.

 

Firewall rules may be allowing the NSIP and not the SNIP.

But gateway to controller communication (STA traffic) and gateway to storefront communication is dependent on the SNIP and not the NSIP.


In summary: I hope this helps us understand what is causing the principal issue (communication).
ADC in AWS (BYOL)
The backend servers are in the same subnet as the SNIP, so it should talk to them directly; if not, traffic will go through the router (this is not the case).
It will have a default route pointing to the default gateway (created when we add the SNIP address).

Backend servers, NSIP, VIP and SNIP are in the same subnet, so it is a one-arm config.
NSIP 192.168.250.74
VIP  192.168.250.4 (52.7.182.62)
SNIP 192.168.250.79

Backend Servers
STA1 192.168.250.79
STA2 192.168.250.111
SF1 192.168.250.72
SF2 192.168.250.102

 

ADC has 4 Interfaces:
Interface 1/1 
Interface 1/2
Interface 1/3
Interface LO/1

 

1)      VLAN ID: 1
        Link-local IPv6 addr: fe80::8b5:d2ff:feb9:d81f/64
        Interfaces : 1/2 1/3 LO/1

2)      VLAN ID: 10     VLAN Alias Name:
        Dynamic Routing: Enabled
        Interfaces : 1/1
        IPs :
             192.168.250.74     Mask: 255.255.255.224

 


I can't tell if there is a routing issue; but a routing issue would be a problem.

USNIP mode is needed.  A route won't be added if a route already exists. 

And your SNIP and STA IP are the same above (see note at bottom: First issue).

 

Is your interface 1/1 physically cabled to a device that allows it to reach the 192.168.250.74 network that you have configured?

Is your switch configured properly for vlan 10 traffic?  You have this as a port-based vlan instead of tagged vlans. What does your traffic require?

 

Troubleshooting:

1) You've done a ping.

2) Next, do a trace route

3) Do an nstrace 

4) Do you have any acls or firewall restrictions between the gateway appliance and the STA's?

5) Do you have name to ip resolutions (dns resolutions) working for the STA names?

6) Are the sta's (controllers) configured on the gateway to match the correct controller ips and ports for STA communication on the backend.  http vs https and which port?

7) Check the ADC syslog and then nslog for issues (but maybe do this first, given the next note):

shell
cd /var/log
tail -f ns.log

# you want to look for things related to gateway or sta:
tail -f /var/log/ns.log | grep STA -i
tail -f /var/log/ns.log | grep vpn -i

# nslog
cd /var/nslog
nsconmsg -K newnslog -d event
nsconmsg -K newnslog -d consmsg

# issues such as interface issues and ip conflicts should show up here.

 

First issue:

You just identified your SNIP as 192.168.250.79 and your STA as 192.168.250.79?

Your SNIP and STA are in an ip conflict or you made a typo.

 

 

4 hours ago, Omar Mireles1709161715 said:

SNIP 192.168.250.79

Backend Servers
STA1 192.168.250.79

 


On 10/13/2021 at 6:44 PM, Rhonda Rowland1709152125 said:

First issue:

You just identified your SNIP as 192.168.250.79 and your STA as 192.168.250.79?

Your SNIP and STA are in an ip conflict or you made a typo.

 

 

 

Sorry, it was a typo. STA is 192.168.250.75.

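An inventory check of the kind done by eye in this thread, as an added example that is not part of any post: it flags addresses assigned to more than one role and lists peers that are off-link from the SNIP. It assumes the 255.255.255.224 mask shown for 192.168.250.74 on VLAN 10 also applies to the SNIP (the thread does not show the SNIP's mask); the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Addresses as first posted in the thread (STA1 before the typo correction).
POSTED = {
    "NSIP": "192.168.250.74",
    "VIP": "192.168.250.4",
    "SNIP": "192.168.250.79",
    "STA1": "192.168.250.79",
    "STA2": "192.168.250.111",
    "SF1": "192.168.250.72",
    "SF2": "192.168.250.102",
}
# Mask shown for the NSIP on VLAN 10; ASSUMED here to apply to the SNIP too.
VLAN10_MASK = "255.255.255.224"


def source_network(inventory, source, mask):
    """Subnet the source address sits in, derived from its IP and mask."""
    return ipaddress.ip_interface(f"{inventory[source]}/{mask}").network


def find_conflicts(inventory):
    """Return {ip: [names]} for every address assigned to more than one name."""
    owners = defaultdict(list)
    for name, ip in inventory.items():
        owners[str(ipaddress.ip_address(ip))].append(name)
    return {ip: sorted(names) for ip, names in owners.items() if len(names) > 1}


def off_link(inventory, source, mask):
    """Names whose address lies outside the source's subnet (reached via a route)."""
    net = source_network(inventory, source, mask)
    return sorted(name for name, ip in inventory.items()
                  if ipaddress.ip_address(ip) not in net)


def report(inventory, source="SNIP", mask=VLAN10_MASK):
    """Build a short text report of duplicates and off-link peers."""
    lines = [f"{source} subnet: {source_network(inventory, source, mask)}"]
    for ip, names in find_conflicts(inventory).items():
        lines.append(f"DUPLICATE {ip}: {', '.join(names)}")
    for name in off_link(inventory, source, mask):
        lines.append(f"OFF-LINK  {name} {inventory[name]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(POSTED)))
    print("\n".join(report(dict(POSTED, STA1="192.168.250.75"))))  # corrected STA1
```

On the addresses as first posted it reports the SNIP/STA1 duplicate; under the stated mask assumption it also lists STA2, SF2 and the VIP as outside 192.168.250.64/27, which is worth confirming against the real SNIP netmask and the AWS subnet.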
