vServers not replying

Johannes Norz

I am currently working with a customer's environment. The problem there is a bit strange. I'll try a description:

They have 3 subnets (,,, all 3 bound into vLANs. There is a SNIP for every vLAN. Router IP is 192.168.X.1

They have vServers in each of these vLANs. These vServers, however, don't work. If I do a network trace, I see a TCP SYN, SYN/ACK, ACK, the HTTP-Request (ACKed from the vServer), but no response, no RESET or FIN. So TCP works fine, it's a L7 problem.

They created vServers with 192.168.X.1, and disabled these. Now, everything works fine. The event-log is full of duplicated IP messages, as these (disabled) vServers and the routers share the same IP. It only works with these 192.168.X.1 vServers, it does not work with 192.168.X.2, 192.168.X.254 and so on.


With DNS, I see the query packet coming in, but no response. The result is "connection timed out; no servers could be reached" (Linux dig). A network trace shows the request coming in, a request from SNIP to the DNS-vServer, the correct reply from the DNS-vServer, but no reply to the client. I tried the same from the Citrix ADC bash. Same result, I can see the service resolving the name, but no response from the vServer, so the DNS request times out.


I added another vServer,, is the NS-vLAN. Same here: No connection possible, TCP SYN, SYN/ACK, ACK, HTTP-Request, but no response, no RESET or FIN. It starts working if I add a vServer with IP, however, this is the IP of my jump-host, so I lose connection to the ADC.


After deleting these 192.168.X.1 vServers, everything is still fine for a while, but stops eventually. My main problem is this "eventually". It makes things almost untestable.


enable ns mode FR L3 USIP Edge USNIP PMTUD


I already recreated the box, put the original ns.conf in it, same behaviour. I created a "virgin" ADC, put, command by command, all several thousand lines in it, no problem. There are serious reasons to fix the issue instead of recreating the configuration.


Any ideas?




Johannes Norz

Hi Johannes,
hope you're doing well!


Maybe I think in the wrong direction or misunderstood your problem, but it's only an idea. I see that your customer has enabled "USIP" and "USNIP" modes on this ADC. Could it be possible that they configured "Direct Server Return" while they created the first Service and Virtual Server? It could be possible that these configurations get cloned when you select the first created Service/Virtual Server as template to create the other ones, and the misconfiguration gets replicated to every new Service/Virtual Server?


Configurations that impact Direct Server Return for example:
1. Service: Settings\"Use Source IP Address"
2. Service Group: Settings\"Use Client IP"
3. Virtual Server: Redirection Mode
4. Virtual Server: Traffic Settings\Down State Flush
5. ADC Modes: USIP, MFB


Next step I would check if it is frontend or backend related:

1. Create a VServer with a DummyService, so that it is Always-On
2. Create a Responder Policy with Expression "true" and Responder Action to Redirect to any Website


What happens, if you now request this VServer? Do you get a 301/302 Response? Or does it go to Nirvana too? If you receive this response, the failure should be within your backend connection.


Next step could be to do an easy curl from your ADC shell to the backend server to verify if the backend connection works as expected. If this fails, you could check your network configuration, PBR, ... again.


Hope this helps you to get some new ideas, but I think you already verified this!


Best regards,
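The frontend/backend isolation test from the reply above, written out as an added example (this is not code from the thread or from Citrix). The ADC CLI lines in the header comment use placeholder object names and addresses (svc_dummy, vs_probe, 192.0.2.10, 192.168.X.50); the shell functions assume curl is available on the client or in the ADC shell, and the curl exit code 28 is used as the marker for a vServer that accepts the TCP handshake but never answers at L7, which is exactly the silent "no response, no RESET or FIN" symptom described in the question.

```shell
#!/bin/sh
# Added example: isolate whether an unanswering vServer fails on the ADC
# itself (frontend) or on the path to the backend.
#
# Step 1, on the ADC CLI (placeholder names/addresses, adjust to your setup):
#   add service svc_dummy 192.0.2.10 HTTP 80 -healthMonitor NO
#   add lb vserver vs_probe HTTP 192.168.X.50 80
#   bind lb vserver vs_probe svc_dummy
#   add responder action ra_redirect redirect "\"http://example.com/\"" -responseStatusCode 302
#   add responder policy rp_always true ra_redirect
#   bind lb vserver vs_probe -policyName rp_always -priority 100 -gotoPriorityExpression END -type REQUEST
#
# Step 2: probe the responder-only vServer and one backend directly, then
# feed both results to classify().

# probe URL -> prints "<curl exit code>:<http status>".
# -m caps the wait, so a vServer that ACKs the request but never replies
# shows up as exit 28 ("000" status) instead of hanging the script.
probe() {
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1")
  rc=$?
  printf '%s:%s\n' "$rc" "$code"
}

# classify FRONTEND_RESULT BACKEND_RESULT -> one-line verdict on stdout.
# A 30x from the responder vServer proves the ADC can build and send an
# L7 reply on that vLAN/SNIP, so any remaining failure is backend-side.
classify() {
  fe_rc=${1%%:*}; fe_code=${1#*:}
  be_rc=${2%%:*}; be_code=${2#*:}
  case "$fe_rc:$fe_code" in
    0:30[0-9])
      case "$be_rc" in
        0)  echo "backend reachable: check service/vServer settings (USIP, redirection mode, DSR)" ;;
        28) echo "backend timeout: check routing/PBR/SNIP towards the backend" ;;
        *)  echo "backend error (curl exit $be_rc): check backend host and port" ;;
      esac ;;
    28:*)
      echo "frontend timeout: vServer accepts TCP but sends no L7 reply; problem is on the ADC" ;;
    *)
      echo "frontend error (curl exit $fe_rc, HTTP $fe_code): vServer not reachable or not redirecting" ;;
  esac
}

# Usage (placeholders): classify "$(probe http://192.168.X.50/)" "$(probe http://192.0.2.10/)"
```

Run the usage line from a client in the same vLAN first and then from the ADC shell; if the two verdicts differ, the difference points at the path (vLAN, SNIP, PBR) rather than at the vServer configuration.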

