Shahzad Siddique 2

Hi harihara, Thanks a lot for clarifying my queries. now I can correlate shared and dedicated mode in BLX

Hi Harihara, you are correct, while running > /var/log/messages i can see many events showing SElinux is preventing to start blx and their dependencies. After Running > grubby --update-kernel ALL --args selinux=0 and rebooting linux host i can see SElinux is disabled & now i can able to start blx. Wants to know how to configure VIp on shared mode, were single nic is configured on linux. Since it is shared mode of deployment, where i have only single NIC, using IPtable external IP is configured with DNAT rule to access netscaler management on CLI 9022 and GUI 9080. But not sure how to configure VIP, can you guide on this.

cat /var/log/blx-boot.log > below error Thu Nov 9 05:35:26 PM IST 2023: Started parsing blx.conf blx-conf-parser-388: awk -f /usr/sbin/blx-get-block.awk -v block="blx-system-config" /root/.blx/blx-derived.conf blx-conf-parse-648: Config block interfaces not found. blx-conf-parse-807: Core Dumps enabled. blx-conf-parse-815: Using existing core_pattern set in /proc/sys/kernel/core_pattern for core dumps. If you want to use the default pattern mentioned in blx.conf, restart BLX after removing the existing pattern with below command: echo '' | tee /proc/sys/kernel/core_pattern blx-dpdk-nic-parse-1015: All interfaces specified in /etc/blx/blx.conf are not compatible with BLX DPDK, starting BLX in Non-DPDK mode blx-conf-parser-1037: Enabling net.ipv4.ip_forward=1. blx-conf-parse-1775: mgmt-ssh-port not specified in blx.conf. blx-ssh will use mgmt-ssh-port:9022 blx-conf-parse-1865: Both mgmt-http-port and mgmt-https-port not specified in blx.conf. blx-web-config will use mgmt-http-port:9080 and mgmt-https-port:9443 blx-conf-parse-2010: BLX listening to ip address configured on host for mgmt access. Ignoring static-routes. 192.0.0.1 is set as ipaddress by default for BLX. Thu Nov 9 05:35:26 PM IST 2023: Completed parsing blx.conf

sudo yum install ./blx*rpm While running "Systemctl start blx" getting below error root@blx-host blx]# systemctl status blx.service × blx.service - BLX service Loaded: loaded (/usr/lib/systemd/system/blx.service; enabled; preset: disabled) Active: failed (Result: exit-code) since Thu 2023-11-09 17:35:27 IST; 19min ago Process: 26918 ExecStartPre=/usr/sbin/blx-helper.sh (code=exited, status=0/SUCCESS) Process: 27107 ExecStartPre=/bin/bash -c ${CHCON} (code=exited, status=0/SUCCESS) Process: 27108 ExecStart=/root/.blx/blx-pre-start.sh (code=exited, status=203/EXEC) Process: 27109 ExecStopPost=/root/.blx/blx-post-stop.sh (code=exited, status=0/SUCCESS) Process: 27110 ExecStopPost=/bin/bash -c ${RESTORECON} (code=exited, status=0/SUCCESS) Process: 27111 ExecStopPost=/bin/rm -rf /root/.blx (code=exited, status=0/SUCCESS) Main PID: 27108 (code=exited, status=203/EXEC) CPU: 211ms Nov 09 17:35:26 blx-host blx-helper.sh[26944]: touch: missing file operand Nov 09 17:35:26 blx-host blx-helper.sh[26944]: Try 'touch --help' for more information. Nov 09 17:35:26 blx-host blx-helper.sh[26918]: /usr/sbin/blx-helper.sh: line 810: [: too many arguments Nov 09 17:35:26 blx-host blx-helper.sh[27099]: cat: '': No such file or directory Nov 09 17:35:26 blx-host systemd[27108]: blx.service: Failed to locate executable /root/.blx/blx-pre-start.sh: Permission denied Nov 09 17:35:27 blx-host systemd[27108]: blx.service: Failed at step EXEC spawning /root/.blx/blx-pre-start.sh: Permission denied Nov 09 17:35:27 blx-host systemd[1]: blx.service: Main process exited, code=exited, status=203/EXEC Nov 09 17:35:27 blx-host systemd[27109]: blx.service: Executable /root/.blx/blx-post-stop.sh missing, skipping: Permission denied Nov 09 17:35:27 blx-host systemd[1]: blx.service: Failed with result 'exit-code'. Nov 09 17:35:27 blx-host systemd[1]: Failed to start BLX service.

Also i use same backend http service for both SSL and http_quic protocol based vservers.

Hi Subhojit, I created 2 vservers for but and create http profile for SSL vserver. as mentioned in documentation Configure HTTP/3 service discovery add ns httpProfile http-profile -altsvc ENABLED -altSvcValue "h3-29=":443"; ma=3600; persist=1" add lb vserver lbvs SSL 10.20.40.150 443 -persistenceType NONE -cltTimeout 180 -httpProfileName http-profile I can also see the http response header is also showing Alt-svc header HTTP/1.1 200 OK Content-Type: text/html Last-Modified: Tue, 27 Oct 2020 10:41:40 GMT Accept-Ranges: bytes ETag: "b39ee5c04dacd61:0" Server: Microsoft-IIS/8.5 Date: Tue, 14 Mar 2023 07:04:20 GMT Content-Length: 5227 Alt-Svc: h3-29=":443"; ma=3600; persist=1 But further not redirecting to http_QUIC vserver, it is still continue to work on SSL vserver only. Attaching runningconfig for your reference , please help if any futher correction needed.

Hi Subhojit, Thank you for your guidance, we have to create 2 vserver : Flow: Cip > Vserver1 (HTTP/SSL) set with Quic profile bound. which then redirects HTTP traffic to QUIC configured vserver. is there anything in addition to enabling the client browser to support QUIC protocol? I enabled Quic flag extension in chrome browser

Configured Citrix netscaler to support HTTP_QUIC protocol to support http3 in frontend. my question how do we test it from open internet. below are the sample config add ns httpProfile http3_quic -http3 ENABLED add quic profile quic_http3 -ackDelayExponent 10 -activeConnectionIDlimit 4 add ssl profile ssl_profile1 -sslProfileType QUIC-FrontEnd -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED -tls12 DISABLED -tls13 ENABLED add lb vserver http_quic-lb HTTP_QUIC 10.20.40.150 443 -persistenceType NONE -cltTimeout 120 -httpProfileName http3_quic -quicProfileName quic_http3 bind lb vserver http_quic-lb service1 set ssl vserver http_quic-lb -sslProfile ssl_profile1 bind ssl vserver http_quic-lb -certkeyName emudra_connect.mspllabs.co.in.p bind ssl vserver http_quic-lb -eccCurveName P_256 bind ssl vserver http_quic-lb -eccCurveName P_384 bind ssl vserver http_quic-lb -eccCurveName P_224 bind ssl vserver http_quic-lb -eccCurveName P_521