
TCP Syslog on non-standard port



Hi Folks,

I'm trying to implement syslog on port 5124 over TCP for an ADC MPX5560 HA pair running NS14.1: Build 4.42.nc. All appears to be configured as per documentation but I don't see any traffic from the NSIP to the endpoint. If I configure syslog over UDP to port 5124 I can see that traffic being sourced from the NSIP. This ADC is in a DMZ with a separate default gateway for normal data traffic - NSIP traffic and replies are configured via PBR.

As stated, nstcpdump.sh shows UDP/5124 leaving the ADC with NSIP as the source IP, while TCP/5124 only shows traffic from a SNIP to the endpoint (which isn't allowed through the Firewall; it should follow the NSIP next-hop router as per PBR).

Am I missing something here?

Regards,

Brendan


Hi Morten,

Thanks for the reply and suggestions. I added a static host route for the syslog server to go via the NSIP gateway router. Afterwards nstcpdump.sh doesn't show anything, i.e. the traffic I previously saw as being sourced from a SNIP no longer appears. It looks as if the ADC is not sending the syslog TCP traffic.

As per the documentation, and proven on other ADCs we have, I think I'm correct in saying that once you define a syslog action server for transport TCP, attach it to a policy and bind it globally, then this traffic should be sent from the NSIP to the syslog server over TCP. Is this correct?

I have never configured/applied RNAT/ACL on the ADC, so if you wouldn't mind showing a quick example that would be very beneficial please.

Thanks again for your assistance.

Regards,

Brendan


Hi Brendan,

If there is no ACL, Traffic Policy or anything else, it appears there is a conflict between your routing table and/or PBRs.

Does the syslog server have an IP in the same network as the SNIP?

Is there a route other than the default to the syslog server?

If you have multiple defaults, are they handled with different weights?

Is the configured syslog server one server or a balanced VIP with multiple syslog servers?


  • 2 weeks later...

Hi Nicola,

Thanks for the response, answers as follows:

No, the syslog server is on a different subnet to my SNIPs.

The route to the syslog server is via the NSIP gateway rather than the default route.

No, just one default route.

The syslog is just one server.

It is sending messages to the syslog server on UDP/5124 and working OK; I couldn't get TCP/5124 to work.

Regards,

Brendan


Hi Brendan,

TCP is a connection-based protocol and UDP is connectionless.
NetScaler checks the server status for TCP syslog, while for UDP it sends packets out without worrying whether the server has received them.
I think your problem is due to the fact that the server is not reachable via a SNIP, but only via NSIP.
NetScaler monitors the server with SNIP and, if OK, sends logs to the server with NSIP.
Try opening the firewall port to the SNIP you saw being blocked.
Then check again if you see TCP logs arriving or if you see TCP:port packets leaving NSIP with tcpdump.
This is documented with a note, but in my opinion in the wrong chapter.

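An added example, not part of any post in this thread: a small check over tcpdump-style text output that separates the two cases the last reply describes, a reachability probe from the SNIP and the log connection from the NSIP, by looking for answered and unanswered SYNs to the syslog port. The addresses, the sample captures and the function names are constructed for illustration, and the numeric tcpdump line format is an assumption about what the capture looks like.

```python
import re
from collections import defaultdict

# Constructed addresses (documentation ranges), not values from the thread.
NSIP, SNIP, SYSLOG, PORT = "192.0.2.10", "198.51.100.10", "203.0.113.50", 5124

# Constructed capture: the SNIP probe is retransmitted and never answered.
CAPTURE_BLOCKED = """\
10:00:01.000000 IP 198.51.100.10.41022 > 203.0.113.50.5124: Flags [S], seq 100, win 8190, length 0
10:00:04.000000 IP 198.51.100.10.41022 > 203.0.113.50.5124: Flags [S], seq 100, win 8190, length 0
"""
# Constructed capture: probe answered, then the NSIP opens the log connection.
CAPTURE_OPEN = """\
10:05:01.000000 IP 198.51.100.10.41030 > 203.0.113.50.5124: Flags [S], seq 200, win 8190, length 0
10:05:01.000800 IP 203.0.113.50.5124 > 198.51.100.10.41030: Flags [S.], seq 900, ack 201, win 65535, length 0
10:05:02.000000 IP 192.0.2.10.52011 > 203.0.113.50.5124: Flags [S], seq 300, win 8190, length 0
10:05:02.000700 IP 203.0.113.50.5124 > 192.0.2.10.52011: Flags [S.], seq 950, ack 301, win 65535, length 0
"""

LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def handshakes(capture, server=SYSLOG, port=PORT):
    """Per client IP: SYNs sent to server:port and SYN-ACKs received back."""
    state = defaultdict(lambda: {"syn": 0, "synack": 0})
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        if (dst, int(dport)) == (server, port) and flags == "S":
            state[src]["syn"] += 1          # client -> syslog server SYN
        elif (src, int(sport)) == (server, port) and flags == "S.":
            state[dst]["synack"] += 1       # syslog server -> client SYN-ACK
    return dict(state)

def diagnose(capture):
    """Map the handshake counts onto the cases discussed in the thread."""
    seen = handshakes(capture)
    none = {"syn": 0, "synack": 0}
    snip = seen.get(SNIP, none)
    nsip = seen.get(NSIP, none)
    if snip["syn"] and not snip["synack"]:
        return "SNIP probe unanswered: allow SNIP -> syslog TCP/%d on the firewall" % PORT
    if nsip["synack"]:
        return "NSIP log connection established"
    if nsip["syn"]:
        return "NSIP SYN unanswered: check the NSIP path (PBR, firewall)"
    if snip["synack"]:
        return "SNIP probe answered, no NSIP connection in this capture"
    return "no TCP/%d traffic to the syslog server in this capture" % PORT
```
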
