
can't route to LDAP from secondary Netscaler

todd dunwoodie


I have a 3 leg Netscaler pair with an ldap authentication policy but can't authenticate on the passive Netscaler due to a routing issue.


Management subnet
- NSIP 1 - Active
- NSIP 2 - Passive

Server Subnet

DMZ subnet

I am able to authenticate on the primary, but not the secondary Netscaler using LDAP. The LDAP server is a VIP that is routable from the server subnet SNIP.

If I traceroute from the primary Netscaler with no source ip specified it routes correctly.

If I traceroute from the primary using the Server Subnet SNIP as source it takes the same successful route. (i.e. out the server subnet GW, to a second router, to the LDAP vip)

If I traceroute from the primary using the NSIP as source it fails to route.

If I traceroute from the secondary, its first step is to go to the primary NSIP, then it fails to route, i.e. * * *


There is a route that includes the LDAP vip subnet routing out the GW that the server subnet SNIP is on.

There is a Direct route for the server subnet SNIP showing its local subnet with the SNIP as the GW.

I also tried adding a route for just the LDAP VIP IP address going out the server subnet GW, but there is no change.


Any idea why the Netscaler can't route to the server subnet SNIP from the NSIP?


I originally read this as your secondary can't reach the ldap; but your primary can.

Your secondary NetScaler is passive on all IPS (VIPs/SNIPs) except for the NSIP.

So if your ldap policy is configured via lb vserver, the SNIP isn't active on the secondary ADC.


For system authentication, you might require a policy depending on the NSIP instead of a VIP/SNIP to allow the secondary to authenticate, or use local accounts. All other traffic should work when it's the primary appliance.

If it's not working during failover, then that is a different problem.


However, if what you meant was your primary can reach LDAP from the LDAP VIP (using SNIP) but can't from the NSIP, then you need to identify that first before thinking about the secondary.

It sounds like you've separated your NSIP from SNIP with the nsvlan and vlan configurations. (The NSIP isn't isolated to the management IPs physically, without additional networking configurations.) This would then imply your NSIP and SNIP. Your routing rules and vlans may support only using the SNIP to reach the LDAP network destination.


Are there ACLs or firewall rules preventing the NSIP from reaching the LDAP server while allowing the SNIP?

Is your NSIP in an isolated vlan or nsvlan restricted to certain interfaces?


There's not quite enough info about the NSIP, nsvlan, SNIP, route, or other vlan/subnet mappings to know for sure what is happening on primary.


That being said, the secondary appliance can only use its own NSIP to egress traffic, as it is the only active IP. Its own SNIPs/VIPs are not "active" in a secondary state (unless you are in INC mode, which is atypical).
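The ownership and routing reasoning in the reply above, as an added example that is not part of either post: a small model of which IPs an HA node owns in each state (NSIP always, SNIPs only on the primary or in INC mode), a longest-prefix route lookup, and a check modelling the nsvlan hypothesis that a next hop off the source IP's own subnet is unreachable. All addresses, route entries and node names are constructed for illustration.

```python
import ipaddress

# Constructed addressing; the thread names no real IPs. Routes as the question
# describes them: direct routes for the local subnets plus a route to the
# LDAP VIP subnet via the server-subnet gateway.
ROUTES = [
    ("10.1.0.0/24", None),        # management subnet (NSIPs), directly connected
    ("10.2.0.0/24", None),        # server subnet (SNIP), directly connected
    ("10.9.0.0/24", "10.2.0.1"),  # LDAP VIP subnet via the server-subnet GW
]
PRIMARY = {"state": "primary", "nsip": "10.1.0.11", "snips": ["10.2.0.5"]}
SECONDARY = {"state": "secondary", "nsip": "10.1.0.12", "snips": ["10.2.0.5"]}
LDAP_VIP = "10.9.0.10"


def active_ips(node, inc_mode=False):
    """NSIP is per-node and always active; SNIPs float to the primary unless INC mode."""
    ips = {node["nsip"]}
    if node["state"] == "primary" or inc_mode:
        ips.update(node["snips"])
    return ips


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (network, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in ROUTES:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best


def egress_check(node, src, dst, inc_mode=False):
    """Classify why traffic sourced from src on node can or cannot reach dst."""
    if src not in active_ips(node, inc_mode):
        return "source-inactive"      # secondary does not own the SNIP
    route = lookup(dst)
    if route is None:
        return "no-route"
    net, gw = route
    if gw is None:
        return "direct"
    # Hypothesis from the reply: with NSIP and SNIP split by nsvlan, a next hop
    # that is not on the source IP's own directly connected subnet is unreachable.
    src_net = next(ipaddress.ip_network(n) for n, g in ROUTES
                   if g is None and ipaddress.ip_address(src) in ipaddress.ip_network(n))
    if ipaddress.ip_address(gw) not in src_net:
        return "gateway-off-subnet"   # the NSIP-sourced traceroute case
    return f"via {gw}"
```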



