NetScaler Displays “Unable to load a kernel” When Booting After a Firmware Upgrade

Note: Please contact your NetScaler Admin or Citrix Support Contact for the below mentioned steps.

OK prompt shown is from the FreeBSD Bootloader.

The most likely cause of this issue is that the NetScaler kernel file is missing from /flash. Because the firmware upgrade was installed from /var, a copy of the kernel file will exist on the hard drive. To resolve this issue, you can attempt to temporarily boot from the copy of the kernel file that resides in /var. Once booted, you can reinstall the NetScaler firmware using the standard procedure.

  1. Determine the device name of the /var partition on the hard drive, by referring to CTX124609.

  2. You can display the available devices using the following command from the OK prompt:​​​

    lsdev -v

  3. The FreeBSD bootloader uses a different naming convention than the actual operating system. To determine the proper naming convention for the bootloader, use the following procedure:

    1. Determine which physical drive contains /var. If lsdev -v shows 2 disk drives, disk0 will be flash and disk1 will be the hard drive. If only 1 drive is listed, disk0 will be the hard drive/SSD and there is no separate flash drive. You are interested in the hard drive.

    2. From CTX124609, determine the device name for the /var partition.

    3. The naming convention for the bootloader is in the form of disk{n}d1{part}:

    4. For example, on an MPX-8200, the device name for the /var partition is /dev/ad4s1e. lsdev -v shows that there is only one disk drive (disk0). This means that the proper name for the /var partition is disk0s1e:

  4. The NetScaler kernel file is named ns-{version}-{build}.gz. For instance, ns-10.5-55.8.gz.

  5. Use the ls command to locate the NetScaler kernel file on the /var partition of the hard drive. Note that there is no cd command, so you must specify the entire path as part of the command.

    For instance:

    ls disk0s1e:/nsinstall/<firmware folder name>/ns-10.5-55.8-nc

  6. Once you locate a suitable NetScaler kernel file to load, load it as follows (leave off the .gz extension)

    set currdev=disk0s1e:


    load disk0s1e:/nsinstall/<firmware folder name>/ns-10.5-55.8

  7. If the kernel loads successfully, try to boot the kernel by typing boot at OK prompt.

  8. After the NetScaler boots, re-run the firmware upgrade procedure and prior to rebooting again, verify that /flash contains the proper kernel file.


  • No Related Posts

How to resolve “Failed to probe partitions from virtual disk” error while importing an OS Layer

There may be other reasons you could get this error, like the customer is using EFI or GPT partition tables. Unidesk requires MBR partition tables currently.

But if you get this error:

Failed to attach the disk /mnt/repository/Unidesk/OsImport Disks/Windows 10.vhd. Failed to probe partitions from virtual disk

Collect logs from Citrix Enterprise Layer Manager (ELM) as described in When you export logs, the Citrix software creates a gzipped tar file (.tgz) containing the log files. On extracting the .tgz log file you will find camlogfile.


Open the camlogifle in notepad and see if you have a block like this:

2016-07-15 12:53:39,717 ERROR DefaultPool3 AttachDiskJobStep: Disk attach failed, detaching /dev/nbd255 Message: MessageId=FailedProbeVirtualDiskPartitions, DefaultTitle=, CategoryData={[ExternalToolFailure { Call = “/bin/nice”, Args = “-n-10 /sbin/partprobe /dev/nbd255”, Output = “”, Error = “Warning: Error fsyncing/closing /dev/nbd255: Input/output error

Warning: Error fsyncing/closing /dev/nbd255: Input/output error

Error: Can’t have a partition outside the disk!

Warning: Error fsyncing/closing /dev/nbd255: Input/output error”, ErrorCode = 1 }]}

The important bit is that “Can’t have a partition outside the disk!” line.

For reasons we don’t yet understand, sometimes the ELM’s way of mounting up a disk comes up about 1MB short. If you mount the same disk to a VM through a hypervisor, the size is correct, but in the ELM, the size is reported just a hair too small. The partition then ends just slightly after the end of the disk, which is illegal.


  • No Related Posts

SQL Injection Into Windows executable

I wonder if there is one kind of sql injection attack application able to modify an executable (.exe) in a way that the size remain unaltered and the Checksum header field will be recalculated. I found one of this where the attack was applied in the resource section of the windows executable where all the …


  • No Related Posts

Throttle the bandwidth of replication possible?

Yes –

> replication throttle add [destination host | default] sched

Change the rate of network bandwidth used by replication. By default, network

bandwidth use is unlimited, meaning it continuously runs as fast as possible. If you set a

throttle, replication runs at the given rate until the next scheduled change, or until new

throttle command options force a change. Throttle is usually set at the source Data

Domain system, but can optionally be set at the destination. Role required: admin,


To limit replication to 5 megabits per second for a destination Data Domain system

named ddr1-ny, starting on Tuesdays and Fridays, at 10:00 a.m., enter:

# replication throttle add destination ddr1-ny tue fri 2200 5Mbps


  • No Related Posts

Microsoft Releases More Spectre/Meltdown Patches

It’s shaping up to be a relatively light patch load for administrators this month, with just 15 critical vulnerabilities to fix out of a total of 75.

The update round covered a pretty wide range of products as usual: including Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, Exchange and ASP.NET Core.

Two have been publicly disclosed, meaning that hackers may be exploiting them in the wild, although the bugs themselves are only rated “Important”. They are: CVE-2018-0940, affecting Microsoft Exchange Server 2010-2016 and CVE-2018-0808, which hit ASP.NET Core 2.0 systems.

“The Windows Kernel received a lot of attention this month, likely due to the ongoing attention on Meltdown and Spectre vulnerabilities. I stopped counting the CVEs after a dozen,” said Ivanti director of product management, security, Chris Goettl. “The good news is I did not see anything higher than an Important rating, but those are a lot of changes in the Kernel. Test the OS updates well this month.”

As regards Spectre and Meltdown, Microsoft has released patches for 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012.

All the critical updates fix problems in the browser, or browser-related technologies and should be dealt with first, claimed Qualys director of product management, Jimmy Graham.

He highlighted another “Important” vulnerability for special attention. CVE-2018-0886 affects security support protocol CredSSP, which is used to process authentication requests and could allow could allow an attacker with Man in the Middle capabilities to gain full access to a Remote Desktop Protocol (RDP) session.

“While CredSSP is used for other applications, the attack scenario mentioned by Microsoft involves Remote Desktop. The update covers both the CredSSP protocol used by the RDP server as well as the RDP clients,” he explained.

Group Policy settings must be enabled to ensure full mitigation of the vulnerability for RDP. Microsoft has also given a tentative timeline for additional updates. In April, new versions of the RDP client will be released to add better error messages, and in May an update will be released to prevent clients from connecting using insecure versions of CredSSP.”

Adobe also released patches for seven vulnerabilities.


  • No Related Posts

7022731: Error: “Failed to get network providers” when attempting to view/set network provider order

This document (7022731) is provided subject to the disclaimer at the end of this document.


Novell iPrint

Microsoft Windows 10 build 1709 (RS3)


After upgrading to Windows 10 build 1709 (RedStone 3 / RS3), when you view the “Provider Order” under “Network Connections” (see TID 7000693), an error message “Failed to get network providers” appears and the network provider list is not displayed.


Manually add a REG_DWORD value named “iPrntWinCredMan” under [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNetworkProviderProviderOrder] and set the value to “4000” (decimal).
Follow these steps:
WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows to correct them.
1. As an Administrative user, run Registry Editor (REGEDIT.EXE).
2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
3. From the Edit menu, select New > DWORD (32-bit) Value.
4. Name the new value “iPrntWinCredMan” and assign data of 4000 (decimal).
Example registry before modification:
Example registry after modification (problem resolved):
In this example, the value of “4000” was assigned to iPrntWinCredMan. This value is usually appropriate, but can be adjusted to meet your needs.


Beginning with Windows 10 build 1709, the Windows registry entries have changed. In addition to [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNetworkProviderHWOrder]
there now exists [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNetworkProviderProviderOrder].
Under [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlNetworkProviderProviderOrder] the values “iPrntWinCredMan” is missing. Manually adding the value with appropriate data resolves the problem.


Reported to Engineering

Additional Information

A related issue exists with the Client for Open Enterprise Server (Novell Client). See TID 7022598.


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


  • No Related Posts

7022460: Reflection Security Proxy Server “Too Many Open Files” Error on UNIX/Linux Systems

Determining the Number of Descriptors Needed

Each security proxy server connection uses two file descriptors. In addition, a baseline of approximately 20 file descriptors is needed to run the security proxy server. To determine the number of file descriptors required, refer to the following formula:

<descriptors> = (<connections> * 2) + 20

where <connections> represents the maximum number of concurrent connections you predict the security proxy server may receive.

For example:

(22 connections * 2) + 20 = 64 descriptors

(502 connections * 2) + 20 = 1024 descriptors

Note: The number of permitted concurrent sessions is governed by your Reflection product licensing.

Increasing the File Descriptors

To increase the file descriptors, follow these steps:

  1. As a user with root privileges, open the command shell that launches the Reflection security proxy server. This should be the same shell used to configure the security proxy server.
  2. At the command line, enter the following command:
ulimit –n <descriptors>

where <descriptors> represents the integer number of descriptors needed to support the security proxy connections.

Note the following:

    • The ulimit command syntax may vary depending on your shell. For more information about using the command, refer to your Solaris documentation or man pages.
    • The shell inherits the default limit from the kernel variable rlim_fd_cur value set in the /etc/system file. The maximum number of descriptors that can be set (“hard limit”) is governed by the kernel variable rlim_fd_max.

Configuring the Security Proxy Server for Maximum Connections

In addition to increasing the file descriptors, it may be helpful to set the MaxConnections value in your Server.Properties file. To verify the MaxConnections value and change it if necessary, follow the steps below.

  1. Run the Security Proxy Wizard.
  2. Click the Advanced Settings tab.
  3. In the Other Settings group box, clear the Limit maximum connections check box if it is selected. Note: Your concurrent session limit is governed by your product licensing. Do not configure more concurrent sessions than authorized by your license.
  4. Click Save.
  5. Export the settings to the management server if prompted to do so.

If you made changes, stop and restart the security proxy server for the changes to take effect.


  • No Related Posts