Citrix ADC SDX 14.1 and 13

Last Modified: Mar 6, 2024 @ 6:11 am

Overview

Citrix CTX226732 Introduction to Citrix NetScaler SDX.

Citrix ADC SDX is normal Citrix ADC hardware, but runs XenServer hypervisor, and several virtual machines that are listed below:

  • Service VM (aka Management Service, aka SVM) – every SDX comes with this Virtual Machine. The SVM enables the SDX Administrator to create additional VMs on XenServer. It’s analogous to vCenter, except each SDX has its own SVM.
    • It’s not possible to build this VM yourself. If something happens to it, your only choice is to do a factory reset on the physical appliance, which deletes all local virtual machines, and recreates the Service VM.
    • Each Service VM only manages the VMs on the local SDX. Each SDX has its own Service VM. To manage multiple SDXs, use Citrix Application Delivery Management (ADM).
    • XenServer on SDX is a special build. Do not attempt to directly upgrade XenServer, patch XenServer, configure XenServer, etc. Instead, all upgrades and configurations should be performed by the Service VM.
  • Citrix ADC VPX Instances – you create one or more Citrix ADC instances on top of XenServer.
    • The number of Citrix ADC instances you can create is limited by your SDX license. Most models let you buy more instances.
    • The physical resources (CPU, Memory, NICs, SSL Chips, FIPS HSM) of the SDX are partitioned to the different instances.
    • The amount of bandwidth (throughput) available to the VPX instances depends on your license. For example, the 14040 SDX license gives you 40 Gbps of throughput, which is partitioned across the instances.
    • The Citrix ADC instances are created from a normal XenServer .xva template.
    • Each VPX has its own NSIP. Once the VPX is provisioned, you connect to the NSIP, and configure it like a normal Citrix ADC.

If the top left of the window says SDX, then you are logged into the Management Service (aka Service VM, aka SVM). If it says VPX, then you are logged into an instance.

High Availability – Citrix ADC SDX does not have any High Availability capability at the XenServer or SVM layer. In other words, every SDX is completely standalone. To achieve HA, you create Citrix ADC VPX instances on two separate SDXs, and pair the VPX instances in the normal fashion. See Citrix ADC High Availability.

Why Citrix ADC VPX on top of SDX instead of normal hypervisors?

  • VPX on SDX gets physical access to SSL chips. These SSL ASICs are not available on normal hypervisors. SSL Chips provide significantly higher SSL throughput than normal hypervisors.
  • VPX on SDX gets SR-IOV access to the Network interfaces. This enables full 50 Gbps throughput to a single VM.
  • The SDX NICs can filter VLANs to different instances, thus ensuring that VPX instances cannot cross security boundaries by adding the wrong VLANs.
  • Some SDXs have Hardware Security Modules (HSM) for FIPS compliance. The VPXs on SDX can utilize this hardware security resource.

SDX Networking

  • Management port – Every SDX has a 0/1 port.
    • The SVM and XenServer management IP are on this NIC.
    • You need a minimum of two IPs on a management network connected to the 0/1 port.
    • SVM and XenServer cannot use any of the data ports for management.
  • LOM port – Every SDX has a Lights Out Management (LOM) port.
    • The LOM port gives you out-of-band console access to XenServer. Once you’re on XenServer, you can use Xen commands to see the SVM console, and/or VPX consoles.
  • Data ports – The remaining interfaces can be aggregated into port channels. Port channels are configured at XenServer, not from inside the VPXs. Use the Service VM to create channels, and then connect the VPXs to the channels.
  • VPX networking – When VPXs are created, you specify which physical ports to connect the virtual machine to.
    • If you want the VPX NSIP to be on the same subnet as SVM and XenServer, then connect the VPX to 0/1.
    • Connect the VPX to one or more LA/x interfaces (port channels).
    • Once the VPX is created, log into it, and create VLAN objects in the normal fashion. VLAN tagging is handled by the VPX, not XenServer.
    • On SVM, when creating the VPX instance, you can specify a list of allowed VLANs. The VPX administrator is only allowed to add VLANs that are in this list.
  • SVM to NSIP – SVM must be able to communicate with every VPX NSIP. If VPX NSIP is on a different subnet than SVM, then ensure that routing/firewall allows this connection.
    • SDX 13 has a new internal network for SVM-to-VPX communication, thus eliminating the need for VPX and SVM to be on the same subnet.

LOM IP Configuration

For new SDX models 16000 / 9100, LOM is locked for external out of band access by default on power reset. More info at CTX477557 On new SDX, LOM access via the GUI works but configuration settings are disabled / read-only. Run the following command in the XS/Dom0 shell:

    /usr/sbin/sdx_bmc_unlock.sh

There are two ways to set the IP address of the Lights Out Module (LOM):

  • ipmitool from the NetScaler SDX XenServer command line
    • For MPX, you can run ipmitool from the BSD shell.
  • Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.

Ipmitool Method:

  1. For SDX, SSH to the XenServer IP address (not the Service VM IP).
    • For MPX, SSH to the Citrix ADC NSIP.
  2. Default XenServer credentials are root/nsroot.
    1. Default MPX credentials are nsroot/nsroot.
  3. If MPX, run shell. XenServer is already in the shell.
  4. Run the following:
    ipmitool lan set 1 ipaddr x.x.x.x
    ipmitool lan set 1 netmask 255.255.255.0
    ipmitool lan set 1 defgw ipaddr x.x.x.x

  5. You should now be able to connect to the LOM using a browser.

Laptop method:

  1. Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.
  2. In a Web browser, type the IP address of the LOM port. For initial configuration, type the LOM port’s default address: http://192.168.1.3
  3. In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot.
  4. In the Menu bar, click Configuration, and then click Network.
  5. Under Options, click Network, and type values for the following parameters:
    1. IP Address—The IP address of the LOM port.
    2. Subnet Mask—The mask used to define the subnet of the LOM port.
    3. Default Gateway—The IP address of the router that connects the appliance to the network.
  6. Click Save.
  7. Disconnect the laptop, and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/citrix-adc/components/lom-firmware-upgrade.html differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series and the 14000 series. Do not mix them up.

SDX automatically upgrades the LOM firmware when you upgrade the SDX firmware. For SDX firmware older than 12.0 build 57, update the LOM firmware manually.

Citrix ADC MPX has a new method for updating LOM as detailed at CTX218264 How to Upgrade the LOM Firmware on Any NetScaler MPX Platform

To manually update the LOM firmware:

  1. Determine which firmware level you are currently running. You can point your browser to the LOM and log in to see the firmware level. Or you can run ipmitool mc info from the XenServer shell.
  2. If your LOM firmware is older than 3.0.2, follow the instructions at CTX137970 How to Upgrade LOM Firmware on NetScaler 115xx and CloudBridge 4xxx/5xxx Model Families From AMI 2.52 Using CLI to upgrade the firmware.
  3. If your LOM firmware is version 3.02 or later, follow the instructions at CTX218514 How to Upgrade LOM Firmware to the latest 14k_xxx revision on NetScaler 14xxx, NetScaler 25xxx Model Families, CloudBridge 5100, T1120 and T1300 to upgrade the firmware.
  4. If your firmware is version 3.0.2 or later, you can upgrade to 3.39. Download LOM firmware.
  5. In the LOM, click the Maintenance menu and then click Firmware Update.
  6. On the right, click Enter Update Mode.
  7. Click OK when prompted to enter update mode.
  8. Click Choose File, and browse to the extracted bin file.
  9. After the file is uploaded, click Upload Firmware.
  10. Click Start Upgrade.
  11. The Upgrade progress will be displayed.
  12. After upgrade is complete, click OK to acknowledge the 1 minute message.
  13. The LOM will reboot.
  14. After the reboot, login and notice that the LOM firmware is now 3.39.

SDX IP Configuration

The default IP address for the SVM Management Service is 192.168.100.1/16 bound to interface 0/1. Use a laptop with crossover cable to reconfigure the IP. Point your browser to http://192.168.100.1. Default login is nsroot/nsroot.

The default IP address for XenServer is 192.168.100.2/16. Default login is root/nsroot.

  • There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new virtual machine) is performed through the Management Service (SVM).
  • When you set the SVM’s IP Address, there is also a field to also set the XenServer IP address (aka Application supportability IP). XenServer IP and SVM Management Service IP must be on the same subnet.

To change the XenServer IP, make the change through the SVM as detailed below:

  1. Point a browser to http://192.168.100.1, and login as nsroot/nsroot.
  2. When you first login to the SDX SVM Management Service, the Welcome! Wizard appears. Click the first row for Management Network.
  3. Configure the IP addresses.
    1. Application supportability IP = XenServer. You’ll almost never connect to this IP.
    2. Appliance Management IP = SVM (Management Service). This is the IP you’ll normally use to manage SDX.
    3. The bottom has an Additional DNS checkbox that lets you enter more DNS servers.
    4. You can change the nsroot password at this time, or change it later after LDAP is configured.
  4. Click Done.
  5. Click the System Settings box.
  6. Enter a Host Name.
  7. You can optionally check Secure Access only to ensure that administrators must use https when connecting to the SVM.
  8. Select the time zone, and click Continue.
  9. Click the Licenses box.
  10. Click Add License File.
  11. Allocate Citrix ADC SDX licenses at mycitrix.com using the normal license allocation process.
    1. The SDX license defines the number of instances you can create.
    2. The SDX license also defines the amount of throughput available to the instances.
    3. The SDX license is allocated to ANY, which means you can use the same license on all SDX hardware, assuming all of them are purchased with the same license model.
  12. Click Browse to upload the license file. After uploading, click Finish and it should apply automatically.
  13. Or you can click Apply Licenses.
  14. Then click Continue to close the Welcome! wizard.

Another way to change the SVM Management Service IP address is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the SVM Management Service virtual machine. Then follow instructions at CTX130496 How to Configure the Service Virtual Machine on NetScaler SDX to change the IP.

The console of the SVM Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib64/xen/bin/xenconsole <dom-id>

SDX Platform Software Bundle

If your Citrix ADC SDX is not version 11 or newer, and if your Citrix ADC SDX is running 10.5 build 57 or later, then do the following:

  1. Go to Management Service > Software Images, and upload a Single Bundle older than 13. The single bundle is around 1.5 GB.
    Note: Direct upgrade from version 10.5 to 13.0 is not supported. You must first upgrade from 10.5 to 11.0 or 11.1 or 12.0 or 12.1, and then upgrade to SDX 13.0.
  2. On the left, click System.
  3. On the right, click Upgrade Management Service. Select the Single Bundle upgrade file you already uploaded.
  4. Management Service will upgrade and reboot. A few minutes after that, XenServer will be upgraded. Be patient as there’s no notification that the box will reboot again.

Starting with SDX 11.0, all updates are bundled together and installed at once.

  1. Make sure your Management Service (SVM) is running SDX 10.5 build 57 or newer.
    Note: Direct upgrade from version 10.5 to 13.0 is not supported. You must first upgrade from 10.5 to 11.0 or 11.1 or 12.0 or 12.1, and then upgrade to SDX 13.0.
  2. Download the latest SDX Platform Software bundle from Downloads > Citrix ADC > Release 13 > Service Delivery Appliances.

  3. Login to the SDX Management Service and go to Configuration > System.
  4. On the right, in the right column, click Upgrade Appliance.
  5. Browse to the build-sdx-13.0.tgz software bundle, and click OK.
  6. It will take some time to upload the SDX image.
  7. It should show you the estimated installation time.
  8. Check boxes next to the instances that need configs saved.
  9. Click Upgrade.
  10. Click Yes to continue with the upgrade.
  11. The SVM Management Service displays installation progress. It will take a while.
  12. Once the upgrade is complete, click Login.

  13. If you click the Configuration tab, the Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

FIPS

If your SDX is a FIPS appliance, see Citrix Blog Post Meet Security Compliance and Be Scalable with NetScaler FIPS SDX for detailed HSM setup instructions:

  1. Zeroize the HSM
  2. Upgrade HSM firmware
  3. Create HSM partitions
  4. Create Citrix ADC instance and attach HSM partition:
    • Only one CPU core
  5. From inside Citrix ADC instance:
    1. Reset FIPS
    2. Initialize FIPS
    3. Create FIPS Key
    4. Create HA Pair and synchronize FIPS

DNS Servers

To add more than one DNS server, do the following:

  1. In the SVM Management Service, on the left, click System.
  2. On the right, click Network Configuration.
  3. On the bottom, there’s a checkbox for Additional DNS that lets you put in more DNS servers.
  4. Click OK when done.

SVM Management Service NTP

  1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
  2. To add a new NTP server, in the right pane, click Add.
  3. In the Create NTP Server dialog box, enter the NTP server name (e.g. pool.ntp.org), and click Create.
  4. Click Yes when prompted to restart NTP Synchronization.
  5. In the right pane, click NTP Synchronization.
  6. In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.
  7. Click Yes when asked to restart the SVM Management Service. This only restarts the SVM. Other instances/VMs on the same box won’t be affected.

Licensing

If you haven’t already licensed your SDX, you can upload a license file to the SDX appliance.

  1. Login to http://mycitrix.com and go to Manage Licenses.
  2. In the New Licenses section, find a Citrix ADC SDX license, and allocate it. There is no need to specify a hostname. You can use the same license file on multiple SDX appliances.

  3. On the SDX Configuration tab, in the navigation pane, expand System, and then click Licenses.
  4. In the right pane, click Add License File.
  5. Click Browse and upload the allocated license file.
  6. Click Finish.
  7. If you refresh your browser, the number shown on the top left of the window will indicate your licensed model number.

SVM Management Service Alerting

Syslog

  1. On the Configuration tab, expand System > Auditing, and click Syslog Servers.
  2. In the right pane, click the Add button.

    1. Enter a name for the Syslog server.
    2. Enter the IP address of the Syslog server.
    3. Change the Choose Log Level section to Custom, and select log levels.
  3. Click Create.
  4. On the right is Syslog Parameters.
  5. You can configure the Date Format and Time Zone. Click OK.

Mail Notification

  1. On the Configuration tab, expand System > Notifications, and click Email.
  2. In the right pane, on the Email Servers tab, click Add.
  3. Enter the DNS name of the mail server, and click Create.
  4. In the right pane, switch to the tab named Email Distribution List, and click Add.
  5. In the Create Email Distribution List page:
    1. Enter a name for the mail profile.
    2. Select the Email Server to use.
    3. Enter the destination email address (distribution list).
  6. Click Create.
  7. SDX 13 has a Test button for the Distribution List.

System SNMP

  1. Go to System > SNMP.
  2. On the right, click Configure SNMP MIB.
  3. Enter asset information, and click OK. Your SNMP management software will read this information.
  4. Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.

  5. MIBs can be downloaded from the Downloads tab.

Instance SNMP

  1. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand Citrix ADC, expand Events, and click Event Rules.
  2. On the right, click Add.

    1. Give the rule a name.
    2. Move the Major and Critical severities to the right.
    3. Scroll down.
    4. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them, then only the configured entities will be alerted.
    5. Scroll down.
    6. Click Save.
  3. Select an Email Distribution List, and click Done.

SVM Management Service nsroot Password and AAA

Change nsroot password

  1. On the Configuration tab, in the navigation pane, expand System, expand User Administration, and then click Users.
  2. On the right, in the Users pane, right-click the nsroot user account, and then click Edit.
  3. In the Configure System User dialog box, check the box next to Change Password.
  4. In Password and Confirm Password, enter the password of your choice.
  5. You can optionally Configure User Session Timeout.
  6. Scroll down and click OK.

AAA Authentication

To enable LDAP authentication for the Service VM:

  1. Go to Configuration > System > Authentication > LDAP.
  2. In the right pane, click Add.
  3. This is configured identically to Citrix ADC.
    1. Enter a Load Balancing VIP for LDAP servers.
    2. Change the Security Type to SSL, and Port to 636.
    3. Note: if you want to Validate LDAP Certificate, then there are special instructions for installing the root certificate on the SVM. See Installing CA certificates to the SDX/SVM for LDAPS user authentication at Citrix Discussions for details.
    4. Scroll down.
    5. Enter the Base DN in LDAP format.
    6. Enter the bind account in UPN format, or Domain\Username format, or DN format.
    7. Check the box for Enable Change Password.
    8. Click Retrieve Attributes, and scroll down.
    9. For Server Logon Attribute, select sAMAccountName.
    10. For Group Attribute, select memberOf.
    11. For Sub Attribute Name, select CN.
    12. To prevent unauthorized users from logging in, configure a Search Filter as detailed in the LDAP post. Scroll down.
  4. Click Create.
  5. Expand System, expand User Administration, and click Groups.
  6. On the right, click Add.
  7. In the Create System Group page:
    1. Enter the case sensitive name of the Active Directory group.
    2. Check the box next to System Access.
    3. Configure the Session Timeout.
    4. Optionally Configure User Session Timeout.
  8. Click Create.
  9. On the left, under System, click User Administration.
  10. On the right, click User Lockout Configuration.

    1. If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  11. On the left, under System, click Authentication.
  12. On the right, click Authentication Configuration.

    1. Change the Server Type drop-down to EXTERNAL, and click Insert.
    2. Select the LDAP server you created earlier, and click OK at the top of the page.
    3. Make sure Enable fallback is enabled, and click OK.

SSL Certificate and Encryption

Replace SDX SVM Management Service Certificate

To replace the SVM Management Service certificate:

  1. PEM format: The certificate must be in PEM format. The SVM Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a Citrix ADC instance.
  2. On the left, click System.
  3. On the right, in the left column, in the Set Up Appliance section, click Install SSL Certificate.
  4. Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK.
  5. The SVM Management Service will restart. Only the SVM restarts; the Citrix ADC instances do not restart.

Force HTTPS to the SVM Management Service

  1. Connect to the SVM using HTTPS. You can’t make this upcoming change if you are connected using HTTP.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Check the box next to Secure Access Only, and click OK. This forces you to use HTTPS when connecting to the SVM Management Service.

SSL Encrypt SVM Management Service to Citrix ADC Communication

From CTX134973 How to Secure Network Traffic from Service Virtual Machine to NetScaler VPX Instances: Communication from the SVM Management Service to the Citrix ADC VPX instances is HTTP by default. If you want to configure HTTPS access for the Citrix ADC VPX instances, then you have to secure the network traffic between the SVM Management Service and Citrix ADC VPX instances. If you do not secure the network traffic from the SVM Management Service configuration, then the Citrix ADC VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

  1. Log on to the SVM Management Service.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Change the Communication with Citrix ADC Instance drop-down to https.
  5. Run the following command on the Citrix ADC VPX instance, to change the Management Access (-gui) to SECUREONLY:
    set ns ip ipaddress -gui SECUREONLY
  6. Or in the Citrix ADC VPX instance GUI, go to Network > IPs, edit the NSIP, and then check the box next to Secure access only.
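
To confirm the two sides agree, the check below reads a saved instance configuration and reports management IPs that still accept plain HTTP, or an NSIP set to SECUREONLY while the SVM still talks http (the Out of Service case described above). This is an added example, not code from the original article or from Citrix. Assumptions: the sample configuration is constructed, function names are hypothetical, the NSIP is taken from the set ns config -IPAddress line, other management IPs are those with -mgmtAccess ENABLED, and -gui is treated as ENABLED when it is not set.

```python
import shlex

# Constructed sample of saved NetScaler CLI commands (not from a real appliance).
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.10.10.21 -netmask 255.255.255.0
add ns ip 10.10.20.5 255.255.255.0 -vServer DISABLED -mgmtAccess ENABLED
add ns ip 10.10.30.5 255.255.255.0 -vServer DISABLED
set ns ip 10.10.20.5 -gui SECUREONLY
"""


def _options(tokens):
    """Collect '-name value' pairs from a tokenised command, names lower-cased."""
    opts = {}
    for name, value in zip(tokens, tokens[1:]):
        if name.startswith("-"):
            opts[name.lower()] = value
    return opts


def _new_entry():
    # Assumption: -gui is ENABLED (HTTP and HTTPS) unless the config says otherwise.
    return {"nsip": False, "mgmt": False, "gui": "ENABLED"}


def parse_management_ips(config_text):
    """Map each configured IP to its NSIP flag, management flag and -gui value."""
    ips = {}
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than abort the audit
        if len(tokens) < 4:
            continue
        verb = [t.lower() for t in tokens[:3]]
        if verb == ["set", "ns", "config"]:
            opts = _options(tokens[3:])
            if "-ipaddress" in opts:
                entry = ips.setdefault(opts["-ipaddress"], _new_entry())
                entry["nsip"] = entry["mgmt"] = True  # the NSIP is always a management IP
        elif verb[0] in ("add", "set") and verb[1:] == ["ns", "ip"]:
            entry = ips.setdefault(tokens[3], _new_entry())
            opts = _options(tokens[4:])
            if "-mgmtaccess" in opts:
                entry["mgmt"] = entry["nsip"] or opts["-mgmtaccess"].upper() == "ENABLED"
            if "-gui" in opts:
                entry["gui"] = opts["-gui"].upper()
    return ips


def audit_gui_access(config_text, svm_protocol):
    """Return (ip, verdict) for every management IP; svm_protocol is 'http' or 'https'."""
    findings = []
    for ip, entry in parse_management_ips(config_text).items():
        if not entry["mgmt"]:
            continue
        if entry["gui"] == "ENABLED":
            verdict = "plaintext-http-allowed"
        elif entry["gui"] == "SECUREONLY":
            # SVM set to http against a SECUREONLY NSIP: inventory from the instance fails.
            mismatch = entry["nsip"] and svm_protocol == "http"
            verdict = "svm-mismatch" if mismatch else "ok"
        else:
            verdict = "review"  # any other -gui value is left for manual review
        findings.append((ip, verdict))
    return findings


if __name__ == "__main__":
    for ip, verdict in audit_gui_access(SAMPLE_CONFIG, "https"):
        print(f"{ip}: {verdict}")
```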

SDX/XenServer LACP Channels

For an overview of Citrix ADC SDX networking, see Citrix CTX226732 Introduction to Citrix NetScaler SDX

To use LACP, configure Channels in the SVM Management Service, which creates them in XenServer. Then when provisioning a VPX instance, connect it to the Channel.

  1. In the SVM Management Service, on the Configuration tab, expand System, and click Channels.
  2. On the right, click Add.
  3. In the Create Channel page:
    1. Select a Channel ID.
    2. For Type, select LACP or STATIC. The other two options are for switch independent load balancing and are only supported for the management ports.
    3. In the Interfaces section, move the Channel Member interfaces to the right by clicking the right arrow.
    4. In the Settings section, for LACP you can select Long or Short, depending on switch configuration. Long is the default.
  4. Click Create when done.
  5. Click Yes when asked to proceed.
  6. The channel will then be created on XenServer.

VPX Instances – Provision

Admin profile

Admin profiles specify the nsroot user credentials for the instances. SVM Management Service uses these nsroot credentials later when communicating with the VPX instances to retrieve configuration data.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. To specify a different nsroot password, create a new admin profile.

  • You can create a single admin profile that is used by all instances. To delegate administration, don’t give out the nsroot password to the instance administrators. One option is to enable LDAP inside the instance before granting access to a different department.
  • When creating an instance, there’s an option to create a non-nsroot account, which has almost the same permissions as nsroot, but leaves out some SDX specific features (e.g. interfaces). This is another option for delegating administration to a different team.
  • Or you can create different admin profiles for different instances, which allows you to inform the different departments of the nsroot password for their VPX instances.

Important: Do not change the password directly on the Citrix ADC VPX instance. If you do so, the instance becomes unreachable from the SVM Management Service. To change a password, first create a new admin profile, and then modify the Citrix ADC instance, selecting this new profile from the Admin Profile list.

  1. On the Configuration tab, in the navigation pane, expand Citrix ADC, and then click Admin Profiles.
  2. In the Admin Profiles pane, click Add.
  3. In the Create Admin Profile dialog box, set the following parameters:
    • Profile Name*—Name of the admin profile.
    • User Name—User name used to log on to the Citrix ADC instances. The user name of the default profile is nsroot and cannot be changed.
    • Password*—The password used to log on to the Citrix ADC instance. Maximum length: 31 characters.
    • Confirm Password*—The password used to log on to the Citrix ADC instance.
    • Use global settings for Citrix ADC communication – you can uncheck this box and change the protocol to https.
    • SNMP v2 or v3 – for SNMP communication between the SVM and the VPX
    • Community
  4. Click Create. The admin profile you created appears in the Admin Profiles pane.

Upload a Citrix ADC VPX .xva file for XenServer

You must upload a Citrix ADC VPX .xva file to the SDX appliance before provisioning the Citrix ADC VPX instances. XVA files are only used when creating a new instance. Once the instance is created, use normal firmware upgrade procedures.

  1. Go to the Citrix ADC VPX download page and select a VPX Release.
  2. Download the Citrix ADC VPX for XenServer.
  3. After downloading, use 7-zip to extract the .gz file. You can’t upload the .gz file to SVM. You must extract it first.

  4. On the SVM’s Configuration tab, in the navigation pane, expand Citrix ADC, and then click Software Images.
  5. On the right, switch to the tab named XVA Files, and then click Upload.
  6. In the Upload ADC Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload.
  7. The XVA image file appears in the XVA Files pane after it is uploaded.

Provision a Citrix ADC instance

  1. In the SVM Management Service, go to the Dashboard page.

    1. On the bottom right, the System Resource Utilization pane shows you the amount of physical resources that are available for allocation.
    2. Click Core Allocation to see the number of cores available for assignment.
    3. Click Crypto Capacity to see the SSL capacity.
  2. On the Configuration tab, in the navigation pane, expand Citrix ADC, and then click Instances.
  3. In the Citrix ADC Instances pane, click Add.
  4. In the Provision Citrix ADC section, enter a name for the instance.
  5. SDX 13 has an option for Manage through internal network which means that the VPX no longer needs NSIP on the same subnet as the SDX SVM.
  6. Enter the NSIP, mask, and Gateway.
  7. Nexthop to Management Service – If the instance’s NSIP is on a different subnet than the SVM IP, and if Manage through internal network is not checked, and if the instance’s default gateway is on a different network than the NSIP, then enter a next hop router address on the instance’s NSIP network, so the instance can respond to the SDX SVM Management Service.
  8. In the XVA File field, you can Browse > Local to select an XVA file on your local machine that hasn’t been uploaded to SDX yet. Or you can Browse > Appliance, and select an XVA file that has already been uploaded to SDX.

  9. Select an Admin Profile created earlier. Or you can click the Add button or plus icon to create a new Admin Profile.
  10. Enter a Description. Scroll down.
  11. In the License Allocation section, change the Feature License to Platinum.
  12. For Throughput, partition your licensed bandwidth. If you are licensed for 40 Gbps, make sure the total of all VPX instances does not exceed that number.
  13. For Allocation Mode, Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in SDX at Citrix Docs.
  14. In the Crypto Allocation field, allocate at least one multiple of Asymmetric Crypto Units. Clicking the up arrow should increment in the correct multiple. See Managing Crypto Capacity at Citrix Docs. You can find the minimum by dividing the total Asymmetric Crypto Units by the Crypto Virtual Interfaces. Enter in a multiple of this result.
  15. In the Resource Allocation section, consider changing the Total Memory to 4096.
  16. For CPU, for production instances, select one of the Dedicated options. Dev/Test instances can use Shared CPU. Then scroll down.
  17. In the Instance Administration section, you can optionally add an instance administrator that has fewer permissions than the nsroot account. Enter a new local account that will be created on the VPX. Scroll down.
  18. In the Network Settings section, if the VPX NSIP is on the same network as the SDX SVM, then leave 0/1 selected.
  19. Click Add to connect the VPX to more interfaces.
  20. If you have Port Channels, select one of the LA interfaces.
  21. If you configure any VLAN settings here, then XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Note: VLAN tagging is configured inside the instance, and not here.
  22. Click Add. Continue adding the interfaces needed by your new VPX.
  23. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN.
  24. Click Done.
  25. After a couple minutes the instance will be created. Look in the bottom right of Chrome to see the status.
  26. Click Close when it’s done booting.
  27. If you go to the Dashboard page…
  28. If you click an instance name, you can see how the instance is connected to the physical NICs.
  29. Back in Configuration > Citrix ADC > Instances, in your Instances list, click the blue IP address link to launch the VPX management console. Or, simply point your browser to the NSIP and login.
  30. Do the following at a minimum (instructions are in the Citrix ADC System Configuration article):
    1. Create Policy Based Route for the NSIP – System > Settings > Network > PBRs
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Create Static Routes for internal networks – System > Network > Routes
    5. Change default gateway – System > Network > Routes > 0.0.0.0
    6. Create another instance on a different SDX, and High Availability pair them together – System > High Availability
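
Before provisioning several instances, the allocation rules from the steps above can be checked against a written plan: total throughput within the license, Crypto Allocation entered as a multiple of (total Asymmetric Crypto Units / Crypto Virtual Interfaces), and a VLAN filter set for each instance. This is an added example, not code from the original article or from Citrix. Assumptions: all names and sample numbers are constructed, every instance uses Fixed allocation mode, and the total Asymmetric Crypto Units divide evenly by the Crypto Virtual Interfaces.

```python
from dataclasses import dataclass


@dataclass
class Instance:
    name: str
    throughput_mbps: int        # Throughput field (Fixed allocation mode assumed)
    crypto_units: int           # Asymmetric Crypto Units entered in Crypto Allocation
    allowed_vlans: tuple = ()   # empty: no VLAN filter configured when adding interfaces


def crypto_step(total_acu, crypto_vifs):
    """Smallest valid crypto allocation: total ACUs divided by crypto virtual interfaces."""
    if crypto_vifs <= 0 or total_acu % crypto_vifs:
        raise ValueError("expected total ACUs to divide evenly by crypto virtual interfaces")
    return total_acu // crypto_vifs


def next_valid_crypto(units, step):
    """Round a requested allocation up to the next multiple of step (at least one step)."""
    return max(1, -(-units // step)) * step


def validate_plan(instances, licensed_mbps, licensed_instances, total_acu, crypto_vifs):
    """Return (scope, finding, detail) tuples; an empty list means the plan fits."""
    step = crypto_step(total_acu, crypto_vifs)
    findings = []
    extra = len(instances) - licensed_instances
    if extra > 0:
        findings.append(("plan", "too-many-instances", extra))
    over_mbps = sum(i.throughput_mbps for i in instances) - licensed_mbps
    if over_mbps > 0:
        findings.append(("plan", "throughput-oversubscribed", over_mbps))
    over_acu = sum(i.crypto_units for i in instances) - total_acu
    if over_acu > 0:
        findings.append(("plan", "crypto-oversubscribed", over_acu))
    for inst in instances:
        if inst.crypto_units < step or inst.crypto_units % step:
            # Suggest the next value the Crypto Allocation field would accept.
            findings.append((inst.name, "crypto-not-multiple",
                             next_valid_crypto(inst.crypto_units, step)))
        if not inst.allowed_vlans:
            # Without a VLAN list, XenServer does not filter VLANs for this instance.
            findings.append((inst.name, "no-vlan-filter", None))
    return findings


# Constructed plan for a 40 Gbps (40000 Mbps) license; all values are sample data.
SAMPLE_PLAN = [
    Instance("web", 20000, 500, (100, 110)),
    Instance("vpn", 15000, 300, (200,)),
    Instance("dev", 10000, 250),
]

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN, licensed_mbps=40000, licensed_instances=5,
                                 total_acu=4000, crypto_vifs=16):
        print(finding)
```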

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP addresses and SSL certificates, from SDX, rather than from inside the VPX instance. The SDX SVM Management Service does not have the ability to create certificates, so it’s probably best to do that from within the VPX instance.

View the console of a Citrix ADC instance

  1. Connect to the SDX SVM Management Service using https.
    • Viewing the virtual machine console might not work unless you install a valid certificate for the SDX Management Service.
  2. In the SVM Management Service, go to Configuration > Citrix ADC > Instances.
  3. On the right, right-click an instance, and click Console.
  4. The instance console then appears.
  5. Another option is to use the Lights Out Module, and the xl console command, as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

Start, stop, delete, or restart a Citrix ADC instance

  1. On the Configuration tab, in the navigation pane, expand Citrix ADC, and click Instances.
  2. On the right, in the Instances pane, right-click the Citrix ADC instance on which you want to perform the operation, and then click Start, Shut Down, Delete, or Reboot.
  3. In the Confirm message box, click Yes.

Create a Subnet IP Address on a Citrix ADC Instance

  1. On the Configuration tab, in the navigation pane, click Citrix ADC.
  2. On the right, in the Citrix ADC Configuration pane, click Create IP.
  3. In the Create Citrix ADC IP dialog box, specify values for the following parameters.
    • IP Address* – Specify the IP address assigned as the SNIP address.
    • Netmask* – Specify the subnet mask associated with the SNIP address.
    • Type* – Specify the type of IP address. Possible values: SNIP.
    • Save Configuration* – Specify whether the configuration should be saved on the Citrix ADC. Default value is false.
    • Instance IP Address* – Specify the IP address of the Citrix ADC instance on which this SNIP will be created.
  4. Click Create.

Create a VLAN on a Citrix ADC instance

  1. Go to Citrix ADC > Instances.
  2. On the right, right-click an instance, and click VLAN Bindings.
  3. In the VLAN Bindings page, click Add.
  4. Enter a VLAN ID, and select an interface.
  5. Check the box for Tagged if needed.
  6. Notice there’s no way to bind a SNIP to the VLAN. You do that inside the instance. Click Create.

Save the configuration of a Citrix ADC instance

  1. On the Configuration tab, in the navigation pane, click Citrix ADC.
  2. On the right, in the Citrix ADC pane, click Save Configuration.
  3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the Citrix ADC instances whose configuration you want to save.
  4. Click OK.

Change NSIP of VPX Instance

The best way to change the NSIP is to edit the instance. Go to Configuration > Citrix ADC > Instances, right-click an instance, and click Edit.

Then change the IPv4 Address at the top of the page. Click Done. SVM will push the configuration change to the instance.

If you change the NSIP inside the VPX instead of editing the instance in the SVM Management Service, see article CTX139206 How to Change NSIP of VPX Instance in SDX to adjust the XenServer settings.

Enable Call Home

  1. On the Configuration tab, in the navigation pane, click the Citrix ADC node.
  2. On the right, click Call Home.
  3. Enter an email address to receive communications regarding Citrix ADC Call Home.
  4. Check the box next to Enable Call Home.
  5. Click Add to select instances.
  6. Select the instances to enable Call Home by moving them to the right, and then click OK.
  7. You can view the status of Call Home by expanding Citrix ADC, and clicking Call Home.
  8. The right pane indicates if it’s enabled or not. You can also configure Call Home from here.

VPX Instance – Firmware Upgrade

Upload Citrix ADC Firmware Build Files

To upgrade a VPX instance from the SVM Management Service, first upload the firmware build file.

  1. Download the Citrix ADC firmware using the normal method. It’s in the Build section.
  2. On the SDX, in the Configuration tab, on the left, expand Citrix ADC, and click Software Images.
  3. On the right, in the Software Images tab, click Upload.
  4. Browse to the build-##.#…tgz file, and click Open.
  5. The uploaded image is shown in the list.

Upgrade Multiple Citrix ADC VPX Instances

You can upgrade multiple instances at the same time:

  1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
  2. On the Configuration tab, in the navigation pane, click Citrix ADC.
  3. On the right, click Upgrade.
  4. Select a Software Image that you already uploaded.
  5. Select the instances that you want to upgrade.
  6. Click OK.

  7. Click Close when done.
  8. You can view the Task Log at Diagnostics > Task Log.

SVM Management Service Monitoring

  1. To view syslog, in the navigation pane, expand System, click Auditing, and then in the right pane click Syslog Message.
  2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
  3. To view SVM Management Service events, on the Configuration tab, expand System and click Events.
  4. Citrix ADC > Entities lets you see the various Load Balancing entities configured on the instances. You might have to click Poll Now to get them to show up.
  5. To view instance alerts, go to Citrix ADC > Events > All Events.
  6. There is also event reporting.

SVM Management Service Backups

The SDX appliance automatically keeps three backups of the SVM Management Service configuration that are taken daily at 12:30 am.

Backups in Citrix ADC SDX contain the following:

  • Single bundle image
  • Citrix ADC XVA image
  • Citrix ADC upgrade image
  • SVM Management Service image
  • SVM Management Service configuration
  • Citrix ADC SDX configuration
  • Citrix ADC configuration

You can go to Management Service > Backup Files to back up or restore the SDX appliance’s configuration. You can also download the backup files.

You can configure the number of retained backups by clicking System on the left, and then clicking Backup Policy in the right pane.

You can even transfer the backup files to an external system.

34 thoughts on “Citrix ADC SDX 14.1 and 13”

  1. For Management of SDX, the network configuration gives you the option of selecting interface 0/1 or 0/2… VPX aside, is there a way to provide redundancy for the SDX management connection itself?

      1. Thanks. The second link goes nowhere but I get the drift of the first, though the GUI looks aged…

        What if I don’t have LACP available to me, i.e., I have two disparate management switches presenting access ports in same VLAN?

        If I set the type to Active-Passive, is that sufficient to survive a switch outage?

  2. Hello Carl,

    Is there a configuration file for an SDX? Similar to ns.conf for VPX and MPX?
    If the answer is yes, where is it?

    Thanks for all your work.
    M.

  3. Hi Carl,

    I have setup two SDXs with two port channels:

    LA/9 (Consists of 0/1 0/2 management interfaces) (HA Monitoring On, Heart beats on by default ) Access port
    LA/1 (Consists of 25/1 25/2 Data Interfaces) (HA Monitoring Off, Heartbeats off) Trunk port

    On a pair of new VPXs, I see 0/1 listed under critical interfaces.

    sh ha node
    1) Node ID: 0
    IP: IP_ADDRESS (hostname)
    Node State: UP
    Master State: Secondary
    Fail-Safe Mode: OFF
    INC State: DISABLED
    Sync State: SUCCESS
    Propagation: ENABLED
    Enabled Interfaces : 0/1 0/2 LA/1
    Disabled Interfaces : None
    HA MON ON Interfaces : 0/1
    HA HEARTBEAT OFF Interfaces : 0/2 LA/1
    Interfaces on which heartbeats are not seen : None
    Interfaces causing Partial Failure: None
    SSL Card Status: UP
    Sync Status Strict Mode: DISABLED
    Hello Interval: 200 msecs
    Dead Interval: 3 secs
    Node in this Master State for: 0:0:8:56 (days:hrs:min:sec)
    2) Node ID: 1
    IP: IP_ADDRESS
    Node State: UP
    Master State: Primary
    Fail-Safe Mode: OFF
    INC State: DISABLED
    Sync State: ENABLED
    Propagation: ENABLED
    Enabled Interfaces : 0/1 0/2 LA/1
    Disabled Interfaces : None
    HA MON ON Interfaces : 0/1
    HA HEARTBEAT OFF Interfaces : 0/2 LA/1
    Interfaces on which heartbeats are not seen : None
    Interfaces causing Partial Failure: None
    SSL Card Status: UP

    Local node information:
    Critical Interfaces: 0/1

    Even on a brand new standalone VPX, if I run sh ha node I see 0/1 listed as a critical interface.

    They are sending heartbeats through the management network because if I reboot the primary the HA mon kicks in, and failure occurs. I also see the heartbeats in a packet capture.

    Any ideas why I might see 0/1 listed as critical? On a VPX the management port channel is basically represented as a 0/1 interface, but I am sure you probably already know that.

    1. SDX LA for 0/1 and 0/2 is a XenServer bond and not a real port channel. I don’t think the VPXs support a XenServer bond so inside the VPX all you see is the first member interface. In the VPX, go to System > Network > Channels and see if your LA/9 is there.

      1. When creating a channel with the 0/x interfaces or just using the 0/x NIC, the connection will go through a virtual switch on XenServer and be presented as a 0/1 interface. I recommend customers don’t connect 0/x at all to any instance and do all management through data ports. Internal management is fine and has advantages for SNMP event management with the SVM. Also when using the 0/x interfaces, there is no RSS queue on the NICs.

  4. Hi Carl,
    I have two SDXs, each one has only one VPX, and high availability is configured through the 0/1, and 0/1 is inherited from the SDX (for management only).
    I already created a PBR for MGMT and everything is good.
    I am enabling the web management through SNIP for redundancy.
    The issue is as follows:
    When disabling the 0/1 from the two VPXs, I lose the management through the data interface (SNIP) and traffic is also dropped. I think the problem may be related to split brain as the 0/1 is used for HA.
    Do you have any recommendation for how to overcome this issue?
    Thanks
    Mostafa

    1. Is HA Monitoring enabled on the 0/1 interface? By default, any failed interface causes a failover.

      SNIP fails over and stays on the primary node.

  5. Hi,
    We want to change the SDX and the VPX management IP.
    What do we need to start with?
    The SDX or VPX?

    1. You should be able to change the SDX Management IP without breaking anything, other than maybe firewall rules.

      For VPXs, I would remove the secondary node, change the NSIPs on the nodes, then re-add the secondary node. When removing the secondary node, wipe its config so you don’t get IP conflicts. To change the NSIPs, in SDX console, go to NetScaler > Instances and change it from there.

  6. Hi Carl,
    Thanks for sharing this amazing doc to follow when configuring SDX. In my scenario, the default password for nsroot when logging in for the first time to the default SVM IP was nsroot/Appliance Serial number. Once I configured new IP addresses for SVC and XS, it asked me to save settings and rebooted the appliance. Once the machine came back, the SVM IP had not changed and remains at the default (192.168.100.1). However, the XS IP got changed to my network subnet. Now when I try to log in via the default SVM IP, it does not allow me to log in and keeps giving a password error. I tried SSH to XS and it also does not take the default password (root/nsroot). Any idea what broke all this config, and how could I log back in to SVM / XS to fix / reset the SVM IP? As of now, I can only reach LOM (192.168.1.3) and got logged in with the default password (nsroot/Appliance Serial number).

    Regards,
    Syed

  7. Hi Carl,

    I would like to ask: if our current production setup has a shared CPU core and I want to make it a dedicated core, does it take effect right away, or is there downtime, or does the VPX or SDX need to be rebooted?

    Thanks,
    RSF

  8. Hi Carl, great work – thanks! Can you tell me anything about the behavior of the SDX when the air conditioning fails in the data center? What happens at what temperature? Environment/CPU. Do you know of any documentation?

        1. Usually, SDX first so it will support the newer VPXs. But it’s not required. There were older builds of VPX where the SDX upgrade had to be performed first but I haven’t seen that issue in a while.

  9. Hello Carl,

    Could I set up all network-related settings such as VLANs, IPs, and interfaces in the ADC instance, without following the steps in the chapter “Create a Subnet IP Address on a Citrix ADC Instance”?

  10. Thanks Carl. The newer 13.0 firmware on the SDX no longer has the up/down arrows for assigning crypto units and dividing my units by the number of crypto interfaces gives me a number like 1218.75. If I try 1218 or 1219 it says it must be in multiples of 1000. I’m still not sure how many crypto virtual interfaces I want to assign to any particular VPX. My SDX is the 15030 on 13.0 82.42

    1. Usually I just divide the maximum by the number of instances I plan to build while accounting for weight (giving more to higher usage instances).

        1. Are you asking for # of ICA sessions per VPX? I don’t have that info. If you can simulate users, then watch throughput, SSL crypto, and CPU while you ramp up the users. ICA Session Limits would be constrained by the size of the VM.

          1. Really just for ACU and SCU. Looks like you do this by dividing the total by the VPX count and then weight. How are you determining weight? I have one VPX that’s hosting 3-4k ICA sessions and another that hosts 10k. Are you using some calculation for weight?

          2. It can be based on machine size or based on traffic.

            Some models of hardware let you see SSL crypto utilization.

  11. Thank you Carl for this post, 1st time using SDX appliance, I followed most of your sequence and it’s working pretty good! Thanks again

  12. Hi Carl,
    We’ve recently upgraded to 13.0.61.48 and the XenServer has become inaccessible. This is true on an 8910 and an 11520. I verified the correct IP address is assigned via the “networkconfig” command in the SVM. Access to the XenServer worked without issue prior to the upgrade. Have you run into this issue?

    Thanks,
    Mike

    1. Many environments try to configure a “dedicated” management interface that is separate from the “data” interfaces. NetScaler doesn’t have true support for a dedicated management interface so we configure PBRs to simulate one.
