
Netscaler ADC HTTPS Not Accessible


Daniel Bove


VPX Hyper-V

13.0.83.27

NetScaler management IP is not accessible through HTTPS, only HTTP. All internal services are running and have netscaler-certificate bound. Cert is not expired. Have tried using a CA cert. Not using HA. Very basic setup. Gateway vserver works fine through HTTPS.


It's possible there is a firewall rule or ACL, either external to the ADC or within the ADC (for ACLs), that is preventing access to the management IP over SSL.

A network trace from client to ADC can help confirm.

Next, for the management IP in question: is this an NSIP, a SNIP, or any management-enabled IP?

Management IPs include HTTP and HTTPS automatically. HTTP can be restricted to HTTPS only; you can't take HTTPS away. The following are possible causes:

1) ACL or firewall rule between client and NSIP/SNIP was not configured to allow HTTPS:<IP>.

1b) OR an ACL on the ADC restricted access to the specified NSIP or SNIP over HTTPS from the source network.

Troubleshoot this first, and look at any ACLs on the ADC first. They may not be included in logging. So go to System > Networking > ACL to see if the ADC has any restrictions, both simpleacl and ACLs (IPv4) and the IPv6 versions.

To reiterate: I would test for a network issue first. The article at the end of step 2 (below) can be used to confirm you are not missing a cert binding on a management service, discussed below. But I would make sure you understand the info before attempting to fix it.

2) Someone changed the cert in use and did not properly bind the management IPs.

First, certs for management services are separate from Gateway/VPN vservers and LB/CS vserver use. So a Gateway VIP being accessible doesn't guarantee management access will work. Also, separate management networks could be affected by ACLs/firewall rules that don't impact the gateway VIP anyway.

Second, you potentially have multiple management IPs and therefore multiple management services.

The NSIP and any management-access-enabled SNIPs have three internal services associated with them: an https, rpc (rpcs) and krpc (krpcs) service, for different functionalities.

By default the built-in certkey ns-server-certificate (certificate key pair) is bound to all management services. It points to the default self-signed NetScaler certificate and is the default certificate for all management interfaces, for -https (web services) and rpc/krpcs, which are involved in ssh/gslb mep/ha sync-prop and some other communications depending on the type of IP in question.

If admins want to change to a domain-signed or other CA-issued certificate, the EASY way is to keep the ns-server-certificate certkey in use, as it will be bound by default to ALL management services (now and future ones), but change the cert/private key that certkey points to.

If someone edited the certkey in use or improperly configured the certkey bindings to the internal services, you MIGHT lose access to HTTPS on that management IP.

Do not attempt to change these settings 1) unless you understand them, 2) have a backup of your appliance config, and 3) have console access or alternate access in case you lose remote ssh/remote https.

Internal services can be viewed in the GUI under Traffic Management > Load Balancing > Services. Go to the "Internal Services" tab.

From CLI: show service -internal

This article goes over verifying and possibly changing ns-server-certificate. But what you are looking for is whether any of your management IPs' -https service is missing a cert binding. Find the problem first, then you can identify a fix.

https://support.citrix.com/article/CTX122521/how-to-replace-the-default-certificate-of-a-netscaler-appliance-with-a-trusted-ca-certificate-that-matches-the-hostname-of-netscaler


So after a call with Citrix support, they told me TLS 1.1 is required for HTTPS to work for the NetScaler NSIP. I only had TLS 1.2 and 1.3 enabled. I don't know why they would say this. I thought TLS 1.1 was being deprecated. I realize that cipher suites needed to change to match the TLS protocols.
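An added example (not code from the thread or from Citrix) that turns the troubleshooting order above into a probe: TCP reachability first (firewall/ACL, step 1), then a TLS handshake per protocol version (cert binding or protocol/cipher settings on the -https internal service, step 2 and the follow-up post). Host, port and the diagnosis wording are this example's assumptions.

```python
# Added example: probe a NetScaler management IP and map the outcome to the
# causes discussed in the thread. Not part of the original post.
import socket
import ssl

# Versions probed one at a time; TLS 1.0/1.1 are left out because a modern
# client-side OpenSSL often refuses them itself, which would be inconclusive.
PROBE_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def tcp_reachable(host, port=443, timeout=3.0):
    """True if a plain TCP handshake completes; False on refusal/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(host, port, version, timeout=3.0):
    """Attempt one TLS version only; returns (ok, negotiated_version_or_error)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False       # the default cert is self-signed
    ctx.verify_mode = ssl.CERT_NONE  # diagnosis only, not a trust decision
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def probe(host, port=443):
    """Collect TCP reachability and per-version TLS results for one IP."""
    result = {"tcp": tcp_reachable(host, port), "tls": {}}
    if result["tcp"]:
        for name, ver in PROBE_VERSIONS.items():
            result["tls"][name] = tls_handshake(host, port, ver)[0]
    return result


def diagnose(result):
    """Map a probe result to the next step in the thread's troubleshooting order."""
    if not result["tcp"]:
        return "no TCP: check firewall/ACL between client and NSIP/SNIP, then ADC simpleacl/ACLs"
    if any(result["tls"].values()):
        return "HTTPS reachable: compare the failing client's protocol/cipher settings with the accepted versions"
    return "TCP ok, every TLS handshake fails: check the -https internal service cert binding and SSL protocol/cipher settings"
```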
