jm01 Posted September 10: Hi All, We are looking to use NetScaler ADC to load balance Always On VPN IKEv2 connections to backend AOVPN servers. Is a content vserver the recommended approach? Does anyone have a step-by-step guide on configuration?
Nicola Campaci Posted September 10: Hi, there is this unofficial guide. You can implement it in a TEST environment and see if it works as you need. https://directaccess.richardhicks.com/2020/01/20/always-on-vpn-ikev2-load-balancing-with-citrix-netscaler-adc/ However, NetScaler already has SSL VPN functionality. I recommend you evaluate these features to make the most of your NetScalers.
jm01 (Author) Posted September 10: Yes, I have seen this link and have configured NetScaler the same, but for some reason the services for UDP 500 and 4500 are not coming up, even when set to use ping for monitoring. The firewall is allowing all traffic to the AOVPN server. Is there a way to test UDP 4500 and 500 ports from NetScaler? Anything else to check?
Nicola Campaci Posted September 10: Hi, the behavior is correct. UDP is a connectionless datagram protocol, meaning there is no traffic control or order guarantee for transmitted packets, and no TCP 3-way handshake. You never receive any response from a UDP port. I'm afraid the Ping monitor is the only option. Alternatively, you need to monitor another HTTP/TCP port that is related to the UDP 500 and 4500 services. Regards
jm01 (Author) Posted September 10: Yes, I tried that; the service is still not coming up for the virtual server or the service configured for ports 500 and 4500 as per the configuration on richardhicks.com.
Nicola Campaci Posted September 11: Hi, I did not understand. Have you added the PING monitors and the services/service groups remain DOWN, or is the configuration OK and the VIPs are UP but VPN IKEv2 does not work through the VIP?
Nicola Campaci Posted September 11: Does ping to the backend server work from another device on the same subnet? Have you checked that there isn't a client firewall blocking ICMP on the backend server? If the NetScaler is on a different subnet than the backend server, have you verified that there is a route to reach the server?
jm01 (Author) Posted September 11: Both the virtual server and the service are showing DOWN; both are configured with protocol UDP. I have not added ping to the service group for IKE ports 500 and 4500, as ping is the default monitor. If I create a separate SSL virtual server using port 443, also using a service group with monitoring on port 443, it shows UP. I can telnet to port 443 fine using the external IP. Are there any other ports that need to be configured on NetScaler for AOVPN? At the moment I can't seem to get it working and am not sure what is missing.