
When does Citrix plan to change that the DNS servers by default are reachable on the NSIP IP address but the health monitor probes are sent on the SNIP IP address?



By default you need a SNIP in the same subnet as the NSIP so that the health monitoring probes work https://support.citrix.com/article/CTX215665/citrix-adc-dns-resolution-fails ?

 

The only other workaround is to create a DNS virtual server that will do the DNS resolution and have the data traffic go through a SNIP (not only the health monitor probes but the data traffic) https://vzerotohero.com/2016/08/citrix-netscaler-dns-server-effective-state-down-probe-failed/ or maybe use RNAT to replace the NSIP address with a SNIP address. From what I checked, with RNAT you can change the source IP to any other address except the NSIP one.


Hello @Gunther De Poortere

 

Nice idea, and from what I read this does not have the limitation of RNAT where the NAT address can't be the NSIP, so this should mean that the traffic can be sourced from either the interfaces for the SNIP (data interfaces) or the NSIP (management interface).

 

Still, from what I read this means, for example, that if we decide to use the data plane interface for DNS probes and DNS resolution, then the source IP address of the DNS traffic will still be the NSIP IP address, but it will be sent on the data plane interface, not the management interface. Or, if we decide to change the DNS health monitor probes to exit the management interface (to use the management interface for DNS probes and DNS resolution), then the health monitor DNS probes will still carry the SNIP address but will be sent on the management interface, and this could lead to routing issues when the source IP address is not changed but just the interface.


This is what I think, if I am not wrong, as I have not played with PBR. Or does the PBR actually change the source IP to be either the NSIP if the management interface is used or a SNIP if a data plane interface is used before sending the traffic out of the interface, and then this will work like a charm?


https://www.citrix.com/blogs/2018/07/23/separating-netscaler-management-and-data-traffic-for-disa-stigs/


Hi Nikolay,

 

As you can imagine, my reply was quite generic in the sense that I don't have enough details on your environment to give you a specific solution. How you use PBR to force traffic in your setup depends very much on those details.

 

For example, if your ADC only has one interface which is used for both data and management traffic, then obviously having traffic forced to that specific interface alone will not do much, as it will generally still honor your regular routing table. In a scenario where your default gateway is only reachable by the NSIP, I would suggest changing the default gateway to one that is reachable by the SNIP and using PBR to force the management traffic to the 'old' default gateway. Depending on which subnet your DNS is located in, you might or might not need an additional PBR for the DNS traffic as well.

 

PBRs offer tremendous routing flexibility, but how to use them is very much dependent on the topology in which the ADC is deployed.

 

Cheers,

G.
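As an added illustration of the approach G. describes above (not a configuration from anyone in this thread): move the default route to the gateway reachable from the SNIP so the SNIP-sourced monitor probes can reach the DNS server, then pin NSIP-sourced management traffic back to the old gateway with a PBR. The commands use NetScaler CLI syntax; every address below is a constructed placeholder, and the optional DNS PBR assumes the DNS server sits behind the management gateway.

```text
# Constructed topology (placeholders, not from this thread):
#   NSIP 192.168.10.10/24, old default gateway 192.168.10.1 (management subnet)
#   SNIP 10.20.30.10/24,   data-side gateway   10.20.30.1   (data subnet)
#   DNS server 10.20.40.53, reachable via the data-side gateway

# 1. Replace the default route with one the SNIP can use.
#    Do this from a session that will survive the route change (e.g. console/LOM).
rm route 0.0.0.0 0.0.0.0 192.168.10.1
add route 0.0.0.0 0.0.0.0 10.20.30.1

# 2. PBR: keep everything sourced from the NSIP (management traffic) on the old gateway.
add ns pbr pbr_mgmt ALLOW -srcIP = 192.168.10.10 -nextHop 192.168.10.1 -priority 10

# 3. Optional, only if the DNS server is behind the management gateway: a more
#    specific PBR for NSIP-sourced DNS queries (lower priority value wins).
# add ns pbr pbr_dns ALLOW -srcIP = 192.168.10.10 -destIP = 10.20.40.53 -destPort = 53 -nextHop 192.168.10.1 -priority 5

# PBRs are inactive until applied.
apply ns pbrs

# Verify: the name server should now show Effective state UP because the
# SNIP-sourced probes follow the new default route, while NSIP traffic still
# honours the PBR.
show ns pbr
show dns nameServer
```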

