
Citrix ADC - content switching policy - default load balancing virtual server



Hi,

 

I have set up an SSL content switching virtual server (ADC VPX, version 13.0.71). I'm using several content switching policies, based on the requested hostname, and I'm using pattern set files (because there are quite some hostnames).

This is working quite good, but this is hard to troubleshoot.

 

I have a policy and according action that don't get hit, although everything seems to be configured correctly.

I have 2 questions:

- is there some way (except the evaluate policy feature) to see how an incoming request is handled (which policy is used and why, and to get some logging of the flow followed)?

- I have also configured a so-called 'default load balancing virtual server' in the content switching virtual server (as a fallback mechanism in case I forget a host in one of the policies). I see though that the hits on the default LB VS are increasing very fast (with the command 'sh cs vserver <name>') and I would like to see which requests are hitting the default LB VS. Is there a way to find out which requests are handled by the default Target LB (in other words, to see which requests are not handled by a content-switching policy and, because of that, are falling back on the default Target LB)?

 

Any help would be much appreciated.

 

Regards,

 

Gijs.


How are you checking hostname:  http.req.header("host"), http.req.hostname, or http.req.url.contains (because url doesn't usually contain host, depending on how request is structured; the other two should work).

 

CS Policies don't have logging actions themselves.  But you can bind a responder policy with a NOOP action (do nothing) to the target lb vservers behind the cs vserver and use its logging action to record details about the requests reaching this lb vserver into syslog for troubleshooting.  Be sure to set bind goto to next (if other responder policies are needed later in the flow).

 

You could have a separate responder NOOP policy on the CS vserver as pre-cs evaluation logic to note request details and other things.  And catch the pre-cs decision with this logging action and the post-cs decision at the target lb tier (if the traffic gets that far) and you can see if there are gaps.  You would also need to enable "user configurable messages" in your syslog audit parameters either in the global settings for local log or the audit policy for external logging.

(Example of responder with noop and log action to log cipher info to syslog as an example:  https://discussions.citrix.com/topic/413011-capture-source-ips-on-vip-for-any-connections-which-are-using-weak-ciphers/)

 

You also should look if any of your cs policies are triggering undefined results and then you need traces or web logging to figure out what transactions are affected.

 

While you mention you have a large amount of policies with pattern sets, it's possible that there is something in the way you are evaluating your requests that you have a scenario that isn't always present OR you might be able to construct your expressions and pattern sets differently to avoid the gaps.

Common mistakes:

- undefined results due to expressions not able to evaluate for the scenarios presented

- expressions are case-sensitive and user requests don't conform to the evaluation being made; make comparisons case-insensitive for broader matches.

- Make sure cs persistence is NOT set as this will override cs decisions based on prior evaluations.

- is the browser caching interfering with expected results (or ADC caching?)

 

(Here's a thread where cs policies were going undefined because a parameter that wasn't present in all evaluations would be undefined:  https://discussions.citrix.com/topic/415518-customized-syslog-messages/#comment-2088139)

 

So, sometimes we just need to change or simplify the cs behavior to achieve more consistent results.

 

But share your expressions and maybe some of the pattern set and we can see if there's a better way to write the evals.

 

 


Hi Rhonda,

 

first of all, thanks a lot for your reply.

 

Meanwhile, I did some further troubleshooting and I was able to solve part of the problem. 

I still don't understand why, but it seems that the pattern set file (created based on an imported UTF_8 csv file) was the cause. If I create the same pattern set file manually (with the same entries), then everything is working fine. I still need to investigate this because I don't understand it; the output of the command show patset <name> gives me exactly the same output for both files (one file manually created and the other one based on the imported csv file).

 

The Default Load balancing virtual server (when no content switching policies are applied) is still getting quite some hits though and I would like to understand why (because for me, this is some kind of last resort scenario, in case I forgot a hostname in one of the pattern set files somewhere, and as a result no content switching policy is applied).

So I'm still very curious to see which requests are handled by the default virtual server (which is a non-addressable virtual server with ip address 0.0.0.0).

 

=> As I have set up netscaler web logging, would it be a possibility to create an additional filter for this default virtual server? Problem is that I can filter on a virtual server with its ip address, but this is non-addressable in this case so do you see another possibility (or should I assign a real ip address, to be able to filter on this) ?

=> I'm not familiar with responder policies (with a noop action) and I'm a bit stuck on this. Do I understand it correctly that I need to create:

  • an audit message action (I chose to use informational as log level) and I used as expression 'http.req.hostname' (because I would like to know the hostname for requests handled by the default virtual server)
  • a responder policy (action = noop, log action = previously configured audit message action and an expression - what do I configure as expression, because I would like to get all requests handled by this virtual server without filtering ?) I configured http.req.hostname.eq("*") as an attempt to have this rule always applied

This should be working or am I doing something wrong?

 

Thank you !

 

Gijs

 


[pat set issue] You can share your original pat set or the before and after of a subset. It's possible there is a bad character like an em-dash or en-dash vs. straight quote or smart quote that looks the same but isn't in the pre- vs. post-conversion.  But you'd probably have to test line by line (or blocks of 10) to find the likely issue.

 

If you already have nswl, then it will catch on cs vserver and not the lb vserver (even if a vip was provided). I'd think you'd have to use a trace or use the responder/noop/audit log trick on the default vserver to get more info about what transactions are getting to that point.

 


Responder logging example:

 

## Be sure your syslog audit policy (global default) or custom policy includes User Defined Messages enabled.  System > Auditing::<syslog parameters in right pane> OR CLI:

set audit syslogParams -userDefinedAuditlog YES

 

## Create the necessary audit message:

add audit messageaction audit_act_debuglogging INFORMATIONAL '"Default cs vserver traffic: policy hit for: " + http.req.hostname + " and url " + http.req.url.path_and_query'

 

## Create responder NOOP logging policy. (use a true expression to log all hits)

add responder policy rs_pol_noop_customlog true NOOP -logAction audit_act_debuglogging

 

Bind to the necessary lb vserver for the default destination at a high priority (10) and, if needed, set GOTO Expression to "NEXT" if you need follow-up policies to apply.
Adjust the logging message expression in the GUI if you want to include additional info; though start simple and watch for undefined hits being triggered.
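As an added example (not from this thread, and not Citrix code), a small Python script that pulls the hostnames out of the audit messages the responder/NOOP policy above writes to syslog and checks them against the patset entries, so each host that fell through to the default LB vserver gets a likely reason. The quoted message body is the one defined in the messageaction above; the syslog prefix, the sample lines and the patset contents are constructed, and the script assumes the CS policies compare HTTP.REQ.HOSTNAME case-sensitively against the patset entries.

```python
import re
from collections import Counter

# Matches the body of the audit message defined with
# 'add audit messageaction audit_act_debuglogging ...' above.
DEFAULT_HIT_RE = re.compile(
    r'Default cs vserver traffic: policy hit for: (?P<host>\S+) and url (?P<url>[^\s"]*)'
)

# Constructed sample log lines (not a real ADC capture). Only the quoted message
# body comes from the post; the syslog prefix is an assumption.
SAMPLE_LOG = """\
Jan 10 10:15:01 ns0 AUDITLOG "Default cs vserver traffic: policy hit for: app1.example.com and url /login?x=1"
Jan 10 10:15:02 ns0 AUDITLOG "Default cs vserver traffic: policy hit for: APP2.Example.com and url /"
Jan 10 10:15:03 ns0 AUDITLOG "Default cs vserver traffic: policy hit for: unknown.example.net and url /probe"
Jan 10 10:15:04 ns0 AUDITLOG "Default cs vserver traffic: policy hit for: app1.example.com and url /api/v1"
Jan 10 10:15:05 ns0 EVENT something unrelated that must be ignored
"""

# Constructed patset contents, as 'show patset <name>' would list them.
SAMPLE_PATSETS = {
    "patset_group_a": ["app1.example.com", "app2.example.com"],
    "patset_group_b": ["app3.example.com"],
}


def parse_default_hits(log_text):
    """Return (host, url) tuples for every audit message that hit the default LB vserver."""
    hits = []
    for line in log_text.splitlines():
        m = DEFAULT_HIT_RE.search(line)
        if m:
            hits.append((m.group("host"), m.group("url")))
    return hits


def count_hosts(hits):
    """How often each hostname reached the default LB vserver."""
    return Counter(host for host, _ in hits)


def explain_gaps(hits, patsets):
    """Map each host seen on the default LB vserver to a likely reason it fell through.

    Assumes the CS policies use a case-sensitive EQUALS_ANY on HTTP.REQ.HOSTNAME,
    so a host that matches an entry only case-insensitively is a case mismatch.
    """
    exact = {}
    for name, entries in patsets.items():
        for entry in entries:
            exact.setdefault(entry, name)
    folded = {entry.lower(): name for entry, name in exact.items()}

    reasons = {}
    for host in count_hosts(hits):
        bare = host.split(":")[0]  # drop a :port suffix if the Host header carried one
        if host in exact:
            reasons[host] = (f"listed in {exact[host]}: check policy priority, "
                             "undefined hits and cs persistence")
        elif bare.lower() in folded:
            reasons[host] = (f"case or port mismatch with entry in {folded[bare.lower()]}: "
                             "compare case-insensitively")
        else:
            reasons[host] = "not in any patset: add it or investigate the traffic"
    return reasons


if __name__ == "__main__":
    hits = parse_default_hits(SAMPLE_LOG)
    for host, n in count_hosts(hits).most_common():
        print(f"{n:4d}  {host}")
    for host, why in explain_gaps(hits, SAMPLE_PATSETS).items():
        print(f"{host}: {why}")
```

Feed it the output of `sh audit messages -logLevel informational` or the syslog file instead of SAMPLE_LOG, and the patset lists from `show patset <name>`; a host reported as "listed" but still landing on the default LB vserver points at policy ordering, undefined evaluations or cs persistence rather than at the patset contents.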


Hi Rhonda,

 

I think both my problems are solved. Thanks a lot for your help!

 

=> what concerns the patset file problem:

I noticed (credits to the responder policy!) that the patset was built in reversed order (the last entry in the patset was the first entry in the csv file). Somehow the last entry of every patset file was not hit by a policy, so I investigated the csv files. I made 3 changes to the imported csv file and now everything seems to be working fine:

- I removed an extra (empty) line feed in every csv file (so that there is only 1 line)

- I added a comma after the last value (there was no delimiter at the end of the line)

- csv file was saved in UTF8 format (instead of UTF8 with BOM)

=> responder policy is working fine now (expression 'true' instead of http.REQ.HOSTNAME.EQ("*") did the trick)

So if the default rule is hit again, I'm able to see on which host name

 

Regards,

 

Gijs.
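Added example, not from the thread and not Citrix code: a Python check that reports the three csv problems described in the post above (UTF-8 BOM, extra line feed, missing trailing delimiter), rewrites the file with those fixes applied before it is imported as a patset, and lists the entries so they can be compared against `show patset <name>`. The sample csv bytes are constructed; ending the rewritten file with exactly one line feed is an assumption.

```python
UTF8_BOM = b"\xef\xbb\xbf"


def check_patset_csv(raw: bytes, delimiter: str = ",") -> list:
    """Return the import problems found in a patset csv, in a fixed order."""
    findings = []
    if raw.startswith(UTF8_BOM):
        findings.append("utf8-bom")
    text = raw.decode("utf-8-sig")  # utf-8-sig drops the BOM if present
    body = text.rstrip("\r\n")
    if "\n" in body or "\r" in body:
        findings.append("multiple-lines")
    if text.endswith(("\n\n", "\r\n\r\n", "\n\r\n")):
        findings.append("extra-blank-line")
    if not body.endswith(delimiter):
        findings.append("no-trailing-delimiter")
    return findings


def patset_entries(raw: bytes, delimiter: str = ",") -> list:
    """Entries as the file would supply them: non-empty, stripped fields, file order."""
    text = raw.decode("utf-8-sig")
    entries = []
    for line in text.splitlines():
        for field in line.split(delimiter):
            field = field.strip()
            if field:
                entries.append(field)
    return entries


def normalize_patset_csv(raw: bytes, delimiter: str = ",") -> bytes:
    """Apply the three fixes: no BOM, one line, trailing delimiter (one line feed assumed)."""
    entries = patset_entries(raw, delimiter)
    return (delimiter.join(entries) + delimiter + "\n").encode("utf-8")


def compare_with_show_patset(raw: bytes, shown: list, delimiter: str = ",") -> list:
    """Entries present in only one of the csv and the 'show patset' output (order ignored)."""
    return sorted(set(patset_entries(raw, delimiter)) ^ set(shown))


if __name__ == "__main__":
    # Constructed sample: BOM, no trailing comma, an extra blank line.
    sample = UTF8_BOM + b"app1.example.com,app2.example.com\r\n\r\n"
    print("problems:", check_patset_csv(sample))
    fixed = normalize_patset_csv(sample)
    print("fixed bytes:", fixed)
    print("entries:", patset_entries(fixed))
```

Run the check over each csv before importing it; an empty list from `check_patset_csv` on the rewritten bytes means the three conditions the post identified are met, and `compare_with_show_patset` highlights any entry that the ADC did not bind.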


Hi Rhonda,

 

one more question, do you know if it should be possible to send these audit messages to a nslog server (nslog audit server)?

I'm able to see them now with this command:

 sh audit messages -logLevel informational

 

but this is only showing logs for a short term and ideally this should be logged to nslog server... (unless there is a better approach?)

 

Thanks!

 

Gijs
 


By default, I recommend custom audit logging going to syslog instead of nslog (but it can be changed).  

For syslog, the logging action does not have log to newnslog enabled (it's off) and the syslog parameter or syslog audit policy must include Enable: User Configurable Log Messages.

 

If you decide you want the logging in nslog (/var/nslog/newnslog), then:

In your logging action, you must enable "log to newnslog" AND the associated nslog parameter or nslog output policy must also have User Configurable Log Messages enabled along with the proper logging level: Debug / Info, etc. enabled... based on the log action.

By default nslog log parameters log locally. If you configure an nslog external logging policy and configure the audit server component to receive logs, then you may have this via the nslog external destination too.

 

 

 

-Rhonda

 
