
Load Balancing StoreFront 2203 using NetScaler ADC - Cannot complete your request


Ken Z


Hi

 

Building a Server 2022 environment with CVAD 2203 CU3

Built two StoreFront Servers with wildcard SSL cert, and using a NetScaler ADC to load balance the two servers

Also using the ADC as a NetScaler Gateway appliance.

This works fine as long as I don't enter the SNIP IP address into the "VServer IP Address" in the Authentication Settings section of the "Manage Gateway" settings.

As soon as I add the ADC SNIP in there, I get the "Cannot Complete your Request" error.

 

Anyone else seen this?

I've logged a call with Citrix but thought I'd also try here.

 

Regards

 

Ken Z


I'm going to add some info to what Carl said in case you are treating two separate issues as one issue regarding storefront load balancing. So is your issue the load balancing or the gateway/storefront handoff specifically?

 

So, for the load balancing, you can test that as an "internal" user without the gateway to make sure it works by pointing to the StoreFront FQDN associated to the LB vserver and the store path. LBMethod: LeastConnections, Persistence: Usually SourceIP.

As Carl pointed out, if you are also using the Gateway to proxy the StoreFront traffic, on the StoreFront config for the "gateway" integration, you do not use the SNIP, but the Gateway VIP; otherwise StoreFront can't tell the difference between internal users hitting the StoreFront VIP directly (non-gateway users) and the users being proxied gateway to StoreFront LB VIP to StoreFront, as the SNIP is the same in both cases.

 

If your internal users work against storefront directly, then your load balancing is good.

If your users connecting through gateway are not working, then the issue is on the gateway side.

 

Also note Gateway sends a probe to the "storefront fqdn" configured in the session policy. And if it can't resolve that name to an IP or otherwise send an outbound probe from the system at all (due to no appropriate SNIP to reach the StoreFront VIP), then the gateway appliance won't attempt the handoff to StoreFront for the gateway connections. So post gateway login you get an unavailable service or no destination. You will see this error on the gateway in nslog (not syslog).

 

 


On 10/19/2023 at 6:42 PM, Carl Stalhood1709151912 said:

The "VServer IP Address" field should contain the Gateway VIP, not the SNIP. This field is only needed if you have two different NetScalers with the same Gateway FQDN.

 

Ahh... I don't know what came over me...

Of course you're right, and I've easily deployed over 50 environments with similar configs so I should know better... I'm putting it down to a flaky network at this site stressing me out.

 

Regards

 

Ken Z


7 hours ago, Rhonda Rowland1709152125 said:

I'm going to add some info to what Carl said in case you are treating two separate issues as one issue regarding storefront load balancing. So is your issue the load balancing or the gateway/storefront handoff specifically?

 

So, for the load balancing, you can test that as an "internal" user without the gateway to make sure it works by pointing to the StoreFront FQDN associated to the LB vserver and the store path. LBMethod: LeastConnections, Persistence: Usually SourceIP.

As Carl pointed out, if you are also using the Gateway to proxy the StoreFront traffic, on the StoreFront config for the "gateway" integration, you do not use the SNIP, but the Gateway VIP; otherwise StoreFront can't tell the difference between internal users hitting the StoreFront VIP directly (non-gateway users) and the users being proxied gateway to StoreFront LB VIP to StoreFront, as the SNIP is the same in both cases.

 

If your internal users work against storefront directly, then your load balancing is good.

If your users connecting through gateway are not working, then the issue is on the gateway side.

 

Also note Gateway sends a probe to the "storefront fqdn" configured in the session policy. And if it can't resolve that name to an IP or otherwise send an outbound probe from the system at all (due to no appropriate SNIP to reach the StoreFront VIP), then the gateway appliance won't attempt the handoff to StoreFront for the gateway connections. So post gateway login you get an unavailable service or no destination. You will see this error on the gateway in nslog (not syslog).

 

 

 

Hi Rhonda

 

The issue was being overworked and having a mental block when I posted this. I was working at a site with a flaky Meraki MX firewall causing me issues (turns out it's a recent known issue with Meraki Firewall IDS - changes to firewall rules cause the Meraki to crash, requiring a reboot). Having a glass of wine on a Friday night has de-stressed me.

 

The StoreFront servers worked fine if accessed directly (via the ADC Load-Balancer). Only had issues when going through the NetScaler Gateway and a session policy forwarding the connection to the load-balanced StoreFront server. As Carl mentioned, removing the SNIP from the StoreFront and leaving it blank was the fix. I am going to implement GSLB onto the environment in the next week or two once the Firewall issues have been fixed and I deploy the 2nd ADC at the other data centre.

 

Regards

 

Ken Z

 
