
NetScaler Virtual Server protection feature for radius

Dave Bishop


We have a NetScaler (v12.1 63.23) with a virtual server for radius authentications named radius-pri. This works fine & authenticates gateway users. radius-pri has a single service group containing a single member.
Radius-pri has Protection set which has a Backup Virtual Server defined as radius-sec.
Radius-sec has a single service group containing a single member (but a different member to pri). When we deny access to radius-pri (by means of an upstream firewall) radius service doesn't fail over to the BackupVS. Any thoughts why this might be pls? pri has a netprofile bound to it which specifies a source IP, but sec doesn't.
For info, the server defined in the sec (BackupVS) is alive and does successfully serve radius requests to other clients. Looking at the logs on the upstream firewall, the NetScaler tries to contact radius-pri for 15mins then tries to contact radius-sec, but from a different snip. Is this normal/expected? After this 15 min period, the NetScaler marks the vip/service-group and server as down. I'm expecting the sec VServer to use the same source snip as it does for pri. Should sec inherit the netprofile when service fails over to it, or should it have its own netprofile bound? (If so, I'll use the same profile which pri uses.) Thanks for reading and for any help.


Thanks for the quick response Carl! Yes, we have a monitor bound to pri and sec (the same monitor). Type=radius, interval=5min, response timeout=4sec, (Advanced) retries=3.

Looking at the syslogs, the mon bound to pri goes down at 15min (and takes the vip/service-group and server with it) then comes back once access to pri is restored.

Whilst access to pri was broken, sec service-group & monitor still showed up (pri showed down). During this time I did see polls from the correct snip (the same one which is defined in the netprofile) out to sec, so I assume they will be the monitor? (They were every 5min.)

So, if I bind the Netprofile to sec as well as pri, I'm guessing it should work?

Is there any risk/harm dropping the monitor interval to 1min to shorten the failover time?

Thanks again for your help.
