
ADC Load Balancing PVS TFTP


Marcel Zunnebeld


Hello,
I am migrating an existing ADC to a new ADC following Carl's steps:
https://www.carlstalhood.com/migrate-citrix-adc-config-to-new-adc-appliances/
This is all going well (thanks Carl for this clear explanation), IP addresses have been adjusted where necessary and almost all services/service groups are now UP.
Except for PVS?


These are the commands to configure everything:

add server CTX-PVS-01 192.168.110.80 -comment PVS

add serviceGroup svcgrp_PVS TFTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO

add lb vserver lb_vsrv_PVS TFTP 10.10.145.104 69 -persistenceType NONE -cltTimeout 120

bind lb vserver lb_vsrv_PVS svcgrp_PVS

add lb monitor MON-PVS USER -scriptName nstftp.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -LRTM DISABLED

bind serviceGroup svcgrp_PVS CTX-PVS-01 69

bind serviceGroup svcgrp_PVS -monitorName MON-PVS


The MON-PVS uses the nstftp.pl

 

The monitor status shows "Failure - Probe timed out"
 

When I remove the MON-PVS monitor (and the default becomes PING) the status of the service group and load balanced vip is UP
And also when I replace the MON-PVS with the udp-ecv monitor the status is UP

TFTP / 69 is allowed in the firewall rules.

 

On the current ADC the PVS load balancing works fine (status UP)
 

What am I doing wrong?


The nstftp.pl likely is what we call a "scriptable" monitor and so it runs from shell and uses the nsip as a source IP.  (You can tell if there is no way to set a net profile in the monitor; if you can set the net profile, then the monitor will use a SNIP or alternate IP. In this case, you need to ensure a SNIP is configured with a route to the expected destination. Sorry, I don't have one in front of me to confirm which behavior it has.)

 

So are you seeing if the NSIP (of either pair) can reach the destination or just a SNIP?


There is only TFTP traffic from the SNIP configured in the firewall.
On the nstftp monitor the option to set a net profile is unfortunately greyed out. Is there any other option to load balance PVS (TFTP) from the SNIP?
And does it apply to all scriptable monitors that the traffic runs via the NSIP if you bind such a monitor to a service group?

 

Or should I see it separately? Does the monitor go through the NSIP and the actual load balancing through the SNIP?
Then the problem is also solved.


Use the ping monitor instead. Scriptable monitors invoke from shell and source from NSIP (account for both members of HA pair). Non-scriptable monitors source from SNIP or alternate IP via net profile (and/or whatever the service uses if no net profile on the monitor).

 

Admin Guide: Understanding Monitors:  https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-custom-monitors/understand-user-monitors.html

https://support.citrix.com/article/CTX208019

 

This section of the 13.1 admin guide mentions a usenetprofilebsdtraffic setting which would allow a monitor to use the IP in the net profile of the bound service, but may affect all related traffic sourced from BSD on the appliance: https://docs.citrix.com/en-us/citrix-adc/current-release/networking/source-citrix-adc-freebsd-traffic-from-snip.html

This or a PBR *might* do what you want; but you should test heavily or just use a simpler monitor.


6 hours ago, Marcel Zunnebeld said:

[1] And does it apply to all scriptable monitors that the traffic runs via the NSIP if you bind such a monitor to a service group?

 

[2] Or should I see it separately? Does the monitor go through the NSIP and the actual load balancing through the SNIP?
Then the problem is also solved.

Missed these.

1) Yes, as noted above, scriptable monitors invoke from shell and use NSIP for source (whether on service or service group); the monitor traffic sources differently than the application/service traffic.

2) Yes - the monitor uses NSIP and the actual traffic flow is from SNIP to destination; unless you have USIP enabled, in which case the traffic leaves the interface the SNIP uses, but the L3 source IP of the packet is the originating client-side IP. Also note that even when USIP mode is enabled, a SNIP in the outbound destination network is still required; if there is no SNIP at all, your traffic flow will fail.
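
Added example, not part of the thread and not the nstftp.pl script: a minimal TFTP read-request probe bound to a chosen source address. Run from a test host, it shows whether the firewall path permits TFTP from that source IP. The function names, verdict strings and command-line arguments are assumptions made for illustration.

```python
import socket
import struct
import sys

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5  # RFC 1350 opcodes

def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def classify_reply(packet):
    """Turn the first TFTP reply into a monitor-style verdict (hypothetical wording)."""
    if len(packet) < 4:
        return "DOWN: short reply"
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return f"UP: DATA block {value}, {len(packet) - 4} bytes"
    if opcode == OP_ERROR:
        # An ERROR (for example file not found) still proves the network path works.
        message = packet[4:].split(b"\0")[0].decode(errors="replace")
        return f"REACHABLE: TFTP error {value} ({message})"
    return f"DOWN: unexpected opcode {opcode}"

def tftp_probe(server, filename, source_ip="0.0.0.0", port=69, timeout=3.0):
    """Send one RRQ from source_ip and classify the first reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))  # the firewall sees this address as the source
        sock.settimeout(timeout)
        sock.sendto(build_rrq(filename), (server, port))
        try:
            # The server answers from a new ephemeral port, not from 69, so the
            # firewall must allow that return traffic as well.
            packet, peer = sock.recvfrom(2048)
        except socket.timeout:
            return "TIMEOUT: no reply (source not permitted, or service down)"
        # Abort the transfer so the server does not keep retransmitting.
        sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"probe done\0", peer)
        return classify_reply(packet)

if __name__ == "__main__":
    # Usage: probe.py <server> <filename> <source_ip>  (values are yours to supply)
    server, filename, source_ip = sys.argv[1:4]
    print(tftp_probe(server, filename, source_ip))
```

A TIMEOUT from one source address combined with an UP from another points at a source-IP firewall rule rather than at the TFTP service itself.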

 
