NetScaler SDX 10.5

Last Modified: Nov 6, 2020 @ 7:09 am

Navigation

SDX IP Configuration

Default IP for Management Service VM is 192.168.100.1/16 bound to interface 0/1. Use laptop with crossover cable to reconfigure. Point browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Use the Management Service virtual machine to configure. XenServer and Management Service IPs must be on the same subnet.

  1. When you first login to the SDX Service virtual machine, the Setup Wizard appears. In the Network Configuration page, configure the IP addresses. Management Service IP Address and XenServer IP Address must be different but on the same subnet. Scroll down.
  2. In the System Settings page, select the time zone.
  3. Check the box next to Change Password, enter the new password. Click Continue.
  4. In the Manage Licenses section, allocate licenses normally. Click Continue when done.
  5. Then click Done.

To modify the network configuration of the SDX appliance:

  1. Switch to the Configuration tab.
  2. In the navigation pane, click System.
  3. In the System pane, under Setup Appliance, click Network Configuration.
  4. In the Modify Network Configuration dialog box, specify values for the following parameters:
    • Interface*—The interface through which clients connect to the Management Service. Possible values: 0/1, 0/2. Default: 0/1.
    • XenServer IP Address*—The IP address of the XenServer.
    • Management Service IP Address*—The IP address of the Management Service.
    • Netmask*—The netmask for the subnet in which the SDX appliance is located.
    • Gateway*—The default gateway for the network.
    • DNS Server—The IP address of the DNS server.
  5. Click OK.

 

Another way to login to the Management Service virtual machine is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label=”Management Service VM“

Then run /usr/lib/xen/bin/xenconsole <dom-id>.

Service VM Firmware – Upgrade

  1. If the webpage says NetScaler SDX on top then you are connected to the Service VM.
  2. Switch to the Configuration tab.
  3. In the navigation pane, expand Management Service, and then click Software Images.
  4. In the right pane, click Upload.
  5. In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build-svm file, and then double-click the build file.
  6. Click Upload.

To upgrade the Management Service:

  1. In the navigation pane, click System.
  2. In the System pane, under System Administration, click Upgrade Management Service.
  3. In the Upgrade Management Service dialog box, in Build File, select the file of the build to which you want to upgrade the Management Service.
  4. If you see a Documentation File field, ignore it.
  5. Click OK.
  6. Click Yes if asked to continue.
  7. If desired, go back to the Software Images node and delete older firmware files.

XenServer – Upgrade

SDX Service VM 10.1 or newer requires XenServer 6.1 to be installed on the SDX appliance. Make sure you use the XenServer 6.1 media that is specific to SDX. It should be named XenServer-6.1.0-install-sdx.iso. Installing XenServer will cause the physical appliance (and all VPX instances) to reboot.

  1. Switch to the Configuration tab.
  2. In the navigation pane, expand Management Service, and then click XenServer Files.
  3. In the right pane, in the ISO Images tab, click Upload.
  4. In the Upload XenServer ISO Image File dialog box, click Browse, navigate to the folder that contains the build file, and then double-click the build file.
  5. Click Upload.

 

To upgrade the XenServer software:

  1. In the Configuration tab navigation pane, click System.
  2. In the details pane, click Upgrade XenServer.
  3. In the Upgrade XenServer section, select the Image file from the list. Then click OK.
  4. Click Yes to confirm that a connection failure will occur.

XenServer Supplemental Pack

A full reboot of the physical appliance will occur.

  1. Download the XenServer 6.1 Supplemental Pack from the same download page containing the SDX Service VM firmware. It’s in the Additional Components section.
  2. On the Configuration page, on the left, expand Management Service and click XenServer Files.
  3. On the right, switch to the Supplemental Packs tab and click Upload.
  4. Browse to the Supplemental Pack and click Upload.
  5. Select the Supplemental Pack and click Install.

  6. Click Yes when prompted to reboot the appliance.


XenServer Hotfixes

A full reboot of the physical appliance will occur.

  1. On the left, expand Management Service and click XenServer Files.
  2. On the right, switch to the Hotfixes tab and click Upload.
  3. Upload XenServer 6.1 Hotfix 44.
  4. Also upload XenServer 6.1 Hotfix 45.
  5. Also upload XenServer 6.1 Hotfix 48.
  6. Highlight one of the hotfixes and click Apply.
  7. Click Yes when asked to apply.
  8. Apply the next hotfix.
  9. Click Yes when asked to apply. Repeat for the remaining hotfixes.
  10. On the left, click the System node.
  11. On the right, in the right column, click Reboot Appliance.
  12. Click Yes when asked to reboot.


Service VM Hostname

  1. On the Configuration tab, click System.
  2. In the right pane, click Change Hostname in the System Settings section.
  3. Enter a new hostname and click OK.

Service VM Time Zone and NTP

  1. Go to Configuration tab and click System on the left.
  2. On the right, under System Settings click Change Time Zone.
  3. Select the time zone. For Central time, look for UTC-0500 and Chicago.

 

To configure an NTP server:

  1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
  2. To add a new NTP server, in the right pane, click Add.
  3. In the Create NTP Server dialog box, set the following parameters:
    • Server Name/IP Address*—The domain name of the NTP server or the IP address of the NTP server. The name or IP address cannot be changed for an existing NTP server.
    • Preferred—Synchronize with this server first. Applicable if more than one server is configured.
  4. Click Add.
  5. In the right pane click NTP Synchronization.
  6. In theNTP Synchronization dialog box, select Enable NTP Sync. Click OK.

Licensing

To upload a license file to the SDX appliance:

  1. Login to Citrix.com and go to Account.
  2. Click Allocate Licenses, find a NetScaler SDX license, and allocate it. There is no need to specify a hostname. You can use the same license file on multiple SDX appliances.
  3. On the Configuration tab, in the navigation pane, expand System, and then click Licenses.
  4. In the right pane, click Manage Licenses.
  5. In the Manage Licenses page, select Upload License Files and click Upload.
  6. In the Upload License File dialog box, do the following:
    1. Click Browse.
    2. Navigate to the folder that contains the license file you want to upload, and then double-click the license file.
    3. Click Upload.
  7. In the License Files pane, click Apply Licenses.
  8. In the Confirm message box, click Yes.

Service VM Alerting

Syslog:

  1. On the Configuration tab, expand System > Notifications and click Syslog Servers.
  2. In the right pane click the Add button.
  3. Enter a name for the server.
  4. Enter the IP address of the Syslog server.
  5. Select log levels and click Add.

 

Mail Notification

  1. On the Configuration tab, expand System > Notifications and click Email.
  2. In the right pane, on the SMTP Server tab, click Add.
  3. Enter the DNS name of the mail server and click Create.
  4. In the right pane, switch to the Email Distribution List tab and click Add.
  5. Enter a name for the mail profile.
  6. Enter the destination email address and click Create.
  7. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
  8. On the right, click Add.
  9. Give the rule a name.
  10. Select the Major and Critical severities and move them to the right. Scroll down.
  11. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them then only the configured entities will be alerted. Scroll down.
  12. Click Save.
  13. Select an Email Distribution List and click Done.

Service VM nsroot Password and AAA

To change the password of the default user account:

  1. On the Configuration tab, in the navigation pane, expand System, and then click Users.
  2. In the Users pane, click the default user account, and then click Edit.
  3. In the Configure System User dialog box, in Password and Confirm Password, enter the password of your choice. Click OK.

To create a user account:

  1. In the navigation pane, expand System, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.
  2. To create a user account, click Add.
  3. In the Create System User or Modify System User dialog box, set the following parameters:
    • Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.
    • Password*—The password for logging on to the appliance.
    • Confirm Password*—The password.
    • Session Timeout
    • Groups —The user’s privileges on the appliance. Possible values:
      • owner—The user can perform all administration tasks related to the Management Service.
      • readonly—The user can only monitor the system and change the password of the account.
  4. Click Create. The user that you created is listed in the Users pane.

 

AAA Authentication:

  1. If you would like to enable LDAP authentication for the Service VM, do that under Configuration > System > Authentication > LDAP.
  2. In the right pane, click Add.
  3. Enter the LDAP settings. Change the port to 636 if using Secure LDAP (recommended). Enter the bind account. Scroll down.
  4. Change the Security Type to SSL. Check the box next to Enable Change Password. Click Create.
  5. Expand System, expand User Administration and click Groups.
  6. Click Add.
  7. Enter the case sensitive name of the Active Directory group.
  8. Select the admin permission.
  9. Configure the Session Timeout. Click Create.

SSL Certificate and Encryption

Replace SDX Service VM Certificate:

Before enabling secure access to the Service VM web console, you probably want to replace the Service VM certificate.

  1. PEM format: The certificate must be in PEM format. The Service VM does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
  2. On the Configuration tab, expand Management Service and click SSL Certificate Files.
  3. On the right, click Upload.
  4. Browse to the certificate PEM file and click Upload.
  5. On the right, switch to the SSL Keys tab and click Upload.
  6. Browse to the PEM key file. This could be the same file containing the certificate or a separate file. Click Upload.
  7. On the left, click System.
  8. On the right, click Install SSL Certificate.
  9. Select the uploaded certificate and key files. If the key file is encrypted, enter the password. Then click OK. The Service VM will restart so there will be an interruption.
  10. After the Service VM restarts, connect to it using HTTPS. You can’t make this change if you are connected using HTTP.
  11. On the Configuration tab, click System.
  12. On the right, click Change System Settings.
  13. Check the box next to Secure Access Only and click OK. This forces you to use HTTPS to connect to the Service VM.

 

SSL Encrypt Management Service to NetScaler Communication:

From http://support.citrix.com/article/CTX134973: Communication from the Service Virtual Machine to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Service Virtual Machine and NetScaler VPX instances. If you do not secure the network traffic from the Service Virtual Machine configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

  1. Log on to the Service Virtual Machine Graphical User Interface (GUI) management.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Change Communication with NetScaler Instance to https, as shown in the following screen shot:
  5. Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -netmask netmask -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui SECUREONLY -ssh ENABLED -snmp ENABLED - mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting ENABLED -ospf DISABLED -bgp DISABLED -rip DISABLED -hostRoute DISABLED -vrID 0

Or in the NetScaler instance management GUI go to Network > IPs, open the NSIP and then check the box next to Secure access only.

XenServer LACP Channels

To use LACP, configure Channels in the Service VM, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel. If you are instead using static port channels, you can configure them inside a VPX instance.

  1. In the Service VM, on the Configuration tab, expand System and click Channels.
  2. On the right, click Add.
  3. Select a Channel ID.
  4. For Type, select LACP or STATIC. The other two options are for switch independent load balancing.
  5. In the Interfaces tab, click Add.
  6. Move the Channel Member interfaces to the right by clicking the plus icon.
  7. On the Settings tab, you can select Long or Short, depending on switch configuration. Long is the default.
  8. Click Create when done.
  9. Click Yes when asked to proceed.
  10. The channel will then be created on XenServer.

VPX Instances – Provision

To create an admin profile:

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or the configuration utility.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
  2. In the Admin Profiles pane, click Add.
  3. In the Create Admin Profile dialog box, set the following parameters:
    • Profile Name*—Name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
    • User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
    • Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.
    • Confirm Password*—The password used to log on to the NetScaler instance.
  4. Click Create. The admin profile you created appears in the Admin Profiles pane.

 

To upload a NetScaler VPX .xva file:

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances.

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Software Images.
  2. On the right, switch to the XVA Files tab and then click Upload.
  3. In the Upload NetScaler Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.

 

To provision a NetScaler instance:

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
  2. In the NetScaler Instances pane, click Add.
  3. In the Provision NetScaler Wizard follow the instructions in the wizard.
  4. Click Create. The NetScaler instance you provisioned appears in the NetScaler Instances pane.

The wizard will ask for the following info:

  • Name* – The host name assigned to the NetScaler instance.
  • IP Address* – The NetScaler IP (NSIP) address at which you access a NetScaler instance for management purposes. A NetScaler instance can have only one NSIP. You cannot remove an NSIP address.
  • Netmask* – The subnet mask associated with the NSIP address.
  • Gateway* – The default gateway that you must add on the NetScaler instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
  • XVA File* – The .xva image file that you need to provision. This file is required only when you add a NetScaler instance.
  • Feature License* – Specifies the license you have procured for the NetScaler. The license could be Standard, Enterprise, and Platinum.
  • Admin Profile* – The profile you want to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the NetScaler instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the NetScaler instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Configuring Admin Profiles.
  • Total Memory (MB)* – The total memory allocated to the NetScaler instance.
  • #SSL Cores* – Number of SSL cores assigned to the NetScaler instance. SSL cores cannot be shared. The instance is restarted if you modify this value.
  • Throughput (Mbps)* – The total throughput allocated to the NetScaler instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
  • Packets per second* – The total number of packets received on the interface every second.
  • CPU – Assign a dedicated core or cores to the instance or the instance shares a core with other instance(s).
  • User Name* – The root user name for the NetScaler instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces. (List of non-accessible commands will be listed here in later versions of this document)
  • Password* – The password for the root user.
  • Shell/Sftp/Scp Access* – The access allowed to the NetScaler instance administrator.
  • Interface Settings – This specifies the network interfaces assigned to a NetScaler instance. You can assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
    • Important:The interface ID numbers of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
    • If a non-zero VLAN ID is specified for a NetScaler instance interface, all the packets transmitted from the NetScaler instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the NetScaler instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with the VLAN ID you want and ensure that the incoming packets specify the same VLAN ID.
    • For an interface to receive packets with several VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the NetScaler instance interface.
  • NSVLAN ID – An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4095.
  • Tagged – Designate all interfaces associated with the NSVLAN as 802.1q tagged interfaces.
  • Interfaces – Bind the selected interfaces to the NSVLAN.

 

Here are screenshots from the wizard:

  1. On the Provision NetScaler page, enter a name for the instance.
  2. Enter the NSIP, mask, and Gateway.
  3. Select the XVA File with your desired firmware build.
  4. Change the Feature License to Platinum.
  5. Select an Admin Profile created earlier.
  6. Enter a Description. Scroll down.
  7. In the Resource Allocation section, change the Total Memory to
  8. For SSL Chips, specify between 1 and 16.
  9. For Throughput, partition your licensed bandwidth. If you are licensed for 8 Gbps, make sure the total of all VPX instances does not exceed that number.
  10. For CPU, select one of the Dedicated options. Then scroll down.
  11. In the Instance Administration section, enter a new local account that will be created on the VPX. This is in addition to the nsroot user. Note, not all functionality is available to this account. Scroll down.
  12. In the Network Settings section, leave 0/1 selected and deselect 0/2.
  13. Click Add to connect the VPX to more interfaces.
  14. If you have Port Channels, select one of the LA interfaces.
  15. Try not configure any VLAN settings here. If you do, XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add.
  16. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN. Click Done.
  17. After a couple minutes the instance will be created. Click Close.
  18. In your Instances list, click the IP address to launch the VPX management console. Do the following at a minimum (instructions in the NetScaler System Configuration section):
    1. Create Policy Based Route for the NSIP – System > Settings > Network > PBRs
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Create Static Routes for internal networks – System > Network > Routes
    5. Change default gateway – System > Network > Routes > 0.0.0.0
    6. Create another instance on a different SDX and High Availability pair them together – System > High Availability

 

Applying the Administration Configuration

At the time of provisioning a NetScaler VPX instance, the Management Service creates some policies, instance administration (admin) profile, and other configuration on the VPX instance. If the Management Service fails to apply the admin configuration at this time due to any reason (for example, the Management Service and the NetScaler VPX instance are on different subnetworks and the router is down or if the Management Service and NetScaler VPX instance are on the same subnet but traffic has to pass through an external switch and one of the required links is down), you can explicitly push the admin configuration from the Management Service to the NetScaler VPX instance at any time.

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler Configuration pane, click Apply Admin Configuration.
  3. In the Apply Admin Configuration dialog box, in Instance IP Address, select the IP address of the NetScaler VPX instance on which you want to apply the admin configuration.
  4. Click OK.

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP address and SSL certificates from SDX rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates so it’s probably best to do that from within the VPX instance.

To view the console of a NetScaler instance:

  1. Connect to the Service VM using https.
  2. Viewing the console might not work unless you replace the Service VM certificate.
  3. In the Service VM, go to Configuration > NetScaler > Instances.
  4. On the right, right-click an instance and click Console.
  5. The instance console then appears.
  6. Another option is to use the Lights Out Module and the xl console command as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

 

To start, stop, delete, or restart a NetScaler instance:

  1. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
  2. In the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
  3. In the Confirm message box, click Yes.

 

Creating a Subnet IP Address on a NetScaler Instance:

You can create or delete a SNIP during runtime without restarting the NetScaler instance.

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler Configuration pane, click Create IP.
  3. In the Create NetScaler IP dialog box, specify values for the following parameters.
    • IP Address* – Specify the IP address assigned as the SNIP or the MIP address.
    • Netmask* – Specify the subnet mask associated with the SNIP or MIP address.
    • Type* – Specify the type of IP address. Possible values: SNIP.
    • Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
    • Instance IP Address* – Specify the IP address of the NetScaler instance.
  4. Click Create.

 

To save the configuration on a NetScaler instance:

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler pane, click Save Configuration.
  3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
  4. Click OK.

 

Change NSIP of VPX Instance:

If you change NSIP inside of VPX instead of using the Modify Instance wizard in the Service VM, see article http://support.citrix.com/article/CTX139206 to adjust the XenServer settings.

 

Enable Call Home:

  1. On the Configuration tab, in the navigation pane, click the NetScaler node.
  2. On the right, click Call Home.
  3. Enter an email address to receive communications regarding NetScaler Call Home.
  4. Check the box next to Enable Call Home.
  5. Select the instances to enable Call Home and click OK.

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files:

To upgrade a VPX instance from the Service VM, first upload the firmware build file.

  1. In the Configuration tab, on the left, expand NetScaler and click Software Images.
  2. On the right, in the Software Images tab click Upload.
  3. Browse to the build…tgz file and click Upload.

 

Upgrading Multiple NetScaler VPX Instances:

You can upgrade multiple instances at the same time.

  1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
  2. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
  3. Click an instance to highlight it. Open the Action menu and click Upgrade.
  4. In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Ignore the Documentation File. Click OK.

Service VM Monitoring

  1. To view the audit log, in the navigation pane, expand System, and then click Audit Logs.
  2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
  3. To view events, on the Dashboard tab, in the System Health Events section on the bottom right, click Show All Events.

Service VM Backups

The SDX appliance automatically keeps three backups of the Service VM configuration that are taken daily at 12:30 am. Only configuration files and logs are backed up. This task does not backup the VPXs. You can go to Management Service > Backup Files to backup or restore the appliance’s configuration. And you can download the backup files.

53 thoughts on “NetScaler SDX 10.5”

  1. Hi Carl! I have created LACP on NS SDX but it does not work as properly with a switch. I need to delete it but: it not works!!! I cant delete LACP! How can i do it? THX

  2. Hi Carl, do you know if it is possible to take a snapshot from one of the vpx instaces running on the sdx platform?

    1. Probably not in any supported way. Alternatively, it’s easy to back up the instance. Login to the instance. Expand System, click Backup and Restore.

  3. I am looking for any Citrix Doc which specified Hardware available for VPX Instances, Like if SDX has 32GB RAM how much is available for VPX Instances. Similarly for HDD.

  4. Post reboot of the SDX I can see that all my vpx are in down state . I tried to starting but I am getting :-

    There was an error while starting VM:- VM-01
    Reason:
    NO_HOSTS_AVAILABLE

    Howsoever I can see all my vpx but in down state.

    Thank in Advance

  5. I followed the steps, HTTP > HTTPS access from SDX to Netscaler VPXs, and secure only on netscaler. but the SDX on the secondary Netscalers run in it, still shows out of service for all instances. what do you think ?

    1. If you fail over, do they work? If so, then I suspect that’s a cosmetic issue. You might have to call Citrix Support.

  6. Hi Carl,
    I have a SDX on subnet A and two VPX on subnets B and C. I provisioned them but now can’t access them to configure them individually. When I edit the instance to add a next hop IP, it does not allow me to. Im running version 11.1
    What do I need to configure in order to access the NSIP from both VPXs?
    Thank you.
    Sincerely,

    1. Can you access the console? (Right-click the instance, click Console) If so, you can enter CLI commands to configure routing so that the SVM can reach them.

        1. That depends on your network and firewalls. Is the instance connected to multiple subnets? Maybe you need a static route to the SVM through a router on the NSIP network.

  7. Hello Carl,
    On an SDX 14020, can you share a data interface between two different instances that are using different Certs?
    I have a situation where I cannot create a simple port 80 VIP on one NS but it works on the other. One the SSL traffic started to come thru Instance 1, the origional ICA traffic is not working anymore erroring in ” Cannot Complete your request”
    I am wondering if two different types of traffic cannot ride on the same Int.

    Your thoughts?

    1. If they’re different IPs. Each instance owns its IPs and can’t conflict with another instance.

      “Cannot Complete your request” is a StoreFront error. Look in StoreFront > Event Viewer > Applications and Services > Citrix Delivery Services.

      1. Those are different IPs however the storefront was working fine until I started Web traffic using a different ssl cert on the shared network int between the two instances and now its not. Storefront errors “An authentication request was made before establishing a web session. This typically occurs when sticky load-balancing between client and StoreFront is misconfigured.
        Citrix.DeliveryServicesClients.Authentication.Exceptions.NoSessionForAuthenticationException, Citrix.DeliveryServicesClients.Authentication, Version=3.0.0.0, Culture=neutral, PublicKeyToken=null
        No session for authentication
        at Citrix.Web.AuthControllers.Controllers.GatewayAuthController.Login()”

        But all the solutions to address this issues are already in place since it has always worked before

        Thanks for your input

        1. What kind of cert? SHA384 or higher?

          What version of StoreFront? Only 3.0.1 and newer support TLS 1.2.

          Gateway is talking to StoreFront load balancing VIP? NetScaler has difficulty with TLS 1.2. If you disable TLS 1.2 on the StoreFront load balancer, does it work?

  8. Hi Carl,
    I have upgraded the SVM to 11.0-65.31 along with XS to 6.5. On SDX box it shows platform 11515. However, when I log in to NetScaler VPX instance it shows NSSDX 11542. Any clue why it show different platform version in vpx and SVM since VPX is installed on the same SDX platform.

    1. The hardware for 11542 and 11515 are identical. The only difference is license. The only place that cares about the SDX license is the SVM. I suspect it’s just a cosmetic issue. You can call Support and they might be able to fix it.

  9. Hey Carl,

    In terms of upgrading the SDX LOM to 3.2 – is there an outage required? Excluding the device IP reset.

    Checking here – http://support.citrix.com/article/CTX137970 – it’s not clear if an outage is or is not required. Seeing as this is just the LOM interface, I can’t see I would need to organize an outage.

  10. Hi Carl,
    For the SVM, Is it possible to assign IP address to both interfaces 0/1 and 0/2, each one on different networks? I’m asking this because I have a two-tenant environment, in which there are two completely independent and isolated networks in the same datacenter. The SVM currently resides in tenant A but I need to create an Instance for tenant B, but the SVM would be unable to reach the NSIP on Network B. I have thought on 2 possible solutions:
    1- Use interface 0/2 to connect the SVM to Network B
    2- Keep the NSIP on Network A but the SubnetIPs and VIPs in Network B, and try to force the LDAP, Radius, DNS, NTP, etc (the instance will be used for NS Gateway SSL VPN), to be originated from any of the SubnetIPs instead of NSIP – not sure if its completely possible..
    Which one you think is feasible? would you have any other suggestion?
    Thanks in advance!

    1. I have not tried 0/2 so I don’t know if that would work. http://support.citrix.com/article/CTX130496 seems to indicate that 0/2 is configurable.

      There’s no routing or firewall between 0/1 and Network B? If so, you can configure a static route on the instance to route SVM reply traffic through a router that can reach the SVM.

      Otherwise your approach is fine. Just avoid putting any SNIP on the mgmt network. This would be easier if NSIP had its own routing table.

  11. Hi Carl, for provisioning an instance, I am struggling to understand the relationship between items 13 and item 16 for the management connectivity?

    Item 13 shows the 01 or 02 interface and optional vlan and item 16 shows the NSVLAN or L2VLAN settings, vlan and interfaces as well.

    What is the difference between these two as I cannot find enough clarity in eDocs on this. It suggests it wants to have two management connections but why? If item 13 is for the serviceVM instance communication, why does it need an interface at all as that is internal within the appliance unless it is for the benefit of XenServer virtual connectivity?

    So if I only patch interface 0/1 and vlan 1234 for all management purposes on both the SDX and VPX instances, how would I configure this?

    Cheers
    Andy

    1. NSIP is special. It doesn’t use the normal interface VLAN settings. If you need the NSIP to be VLAN tagged, then you need to configure NSVLAN. For all other IPs (SNIPs, VIPs, etc.), use interface VLAN tagging.

      On SDX, if you specify a VLAN on an interface, SDX will only allow traffic to reach the instance if it has the configured VLAN tags. All other VLANs are blocked from reaching the instance. This is called VLAN Filtering. I think if you only configure one VLAN then XenServer will handle the tagging. If you configure multiple VLANs then the instance is responsible for the tagging.

  12. Hi Carl

    Thank you for gereat info. Would you please advise if you ever had to roll back SDX hypervisor upgrade from version 6.1 to 6.0? Is any citrix documents that cover that part?

    Regards

    Firuz

      1. Hi Carl

        Thank you for getting back to me. I reviewed provided information, would you please advise if Appliance reset via GUI does the same thing? I mean does it revert XenServer version/updates?

        Thanks

        Firuz

  13. Hi Carl, thanks for all the documentation you have posted here. It has been very helpful and a huge time-saver for me.

  14. Hello, I am attempting to recover the nsroot password on our SDX 8200’s unsuccessfully. I attempted following both of these instructions with no luck:

    1. http://support.citrix.com/article/CTX109006

    I tested this on an MPX and it worked. However on the SDX, I am unable to interrupt the bootup at any point with Ctrl+C or Spacebar.

    2. http://discussions.citrix.com/topic/326636-sdx-11500-password-recover/

    I was able to perform everything up to the point of “As soon as the dom-id is changed from the third shell session, access the SVM console using: /usr/lib/xen/bin/xenconsole .” I get “command not found” when trying to run xenconsole. I see it when doing “ls.”

    Any ideas are much appreciated!!

    Chris

    1. Try “xl console

      Last time I tried this I couldn’t get into the SVM and my only option was to do a factory reset of the SDX.

      1. Thanks Carl, that command was not found either. I might consider the factory reset. Appreciate your feedback.

          1. XenServer release 6.1.0-59235p (xenenterprise)

            Weird, I cannot run any “xl” commands, like “xl list” either. I connected to the XenServer IP in Putty, right at root.

          2. Hi Carl, I found out what I was doing wrong, I wasn’t entering command using full path: /user/lib/xen/bin/xenconsole

            Now still following these instructions: http://discussions.citrix.com/topic/326636-sdx-11500-password-recover/

            When I enter “touch /flash/mpsconfig/.recover” and then reboot, the default root/nsroot creds are still not working for me. Also tried some other things I posted in that forum.

            Not sure if I can edit master.passwd file directly? Also using command “passwd nsroot” gives me
            “pam_chauthok(): error in service module”

            Any help is appreciated!
            Chris

  15. HI. Is it recommend to upgrade SDX from version 10.1 to 10.5 or is it better to upgrade till 11 release version?

    1. If you are running an SDX older than 11.0, then go to the download page for your SVM firmware version and only install the XenServer updates that are listed there. Do not install regular XenServer. You need the specific XenServer that is listed with your SVM firmware version. Once you upgrade your SVM to 11.0, all updates are bundled together. NetScaler 11.0 includes XenServer 6.5.

      1. Thanks Carl,

        We are planning to upgrade SVM to 10.5 57.7 , and the xenserver updates listed on it is Xenserver 6.1 + suppliment packs and hotfixes…
        Does that mean no option to upgrade to xen 6.2 until we upgrade SVM too ?

        1. Correct. You are welcome to upgrade the SVM (Management Service) to 11.0 build 62 and install the bundle. The instances can remain at 10.5.

      1. Never got it working till I did this: “set aaaserver primary_server_type=LDAP primary_server_name=”. Nowhere to be found in eDocs …

  16. Could you please let me know if access gateway platform and universal licenses should be allocated/installed on the netscaler sdx box or on the vpx instances that are created from the Netscaler Sdx?

    1. In newer versions of NetScaler the Platform license is no longer needed. But the Universal licenses do need to be allocated to the instances and installed on them.

Leave a Reply

Your email address will not be published. Required fields are marked *