NTP status displays “No association ID” error message on Secondary NetScaler

On the Secondary NetScaler, a “No association ID” error is displayed when the “show ntp status” command is executed.

Primary NetScaler Appliance:

=======================

> show ntp status

remote          refid   st t when poll reach delay  offset   jitter
====================================================================
adljj.john.com  .LOCL.  1  u 9    64   7     0.293  -212012  2.175


Secondary NetScaler Appliance:

===========================

> show ntp status

No association ID’s returned

Done

Log Analysis:

==============

1) From the logs, we found that NTP was configured after the upgrade, and during that time the secondary device's interface was down.

2) The interface was down from 10:01 to 11:18 A.M. During that interval, no commands were propagated, which is why the NTP configuration was missing from the secondary.

3) As per the current design, even after the Secondary comes UP and the NTP configuration is synchronized through HA Synchronization, the NTP daemon has to be restarted manually to get the NTP status on the Secondary. This is a current limitation on NetScaler.

4) Hence, an enhancement request was raised to address this limitation.

5) The limitation was fixed in the following versions: 12.1 50.x, 12.0 60.x, 11.1 60.x

Logs from Primary:

—————————–

var/log/ns.log

ns.log.0:649:Apr 23 10:15:59 <local0.info> X.X.X.X 2018:01:15:59 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 136 0 : User nsroot – Remote_ip X.X.X.20 – Command “add ntp server X.X.X.3 -minpoll 6 -maxpoll 10 -devno 32833536” – Status “Success”

ns.log.0:651:Apr 23 10:15:59 <local0.info> X.X.X.X 04/23/2018:01:15:59 GMT NetScaler-Internal-TDC-01 0-PPE-1 : default GUI CMD_EXECUTED 137 0 : User nsroot – Remote_ip X.X.X.20 – Command “unset ntp server X.X.X.3 -autokey” – Status “Success”

Logs from secondary:

——————————–

var/log/ns.log

Apr 23 10:00:34 <local0.info> X.X.X.25 04/23/2018:01:00:34 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default CLI CMD_EXECUTED 131 0 : User nsroot – Remote_ip 127.0.0.1 – Command “logout” – Status “Success”

Apr 23 10:01:13 <local0.notice> X.X.X.25 04/23/2018:01:01:13 GMT NetScaler-Internal-TDC-02 0-PPE-0 : default EVENT DEVICEDOWN 79 0 : Device “interface(0/1)” – State DOWN

Apr 23 10:01:13 <local0.notice> X.X.X.25 04/23/2018:01:01:13 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default EVENT DEVICEDOWN 132 0 : Device “interface(0/1)” – State DOWN

Apr 23 11:18:15 <local0.notice> X.X.X.25 04/23/2018:02:18:15 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default EVENT DEVICEUP 133 0 : Device “interface(0/1)” – State UP

Apr 23 11:18:15 <local0.notice> X.X.X.25 04/23/2018:02:18:15 GMT NetScaler-Internal-TDC-02 0-PPE-0 : default EVENT DEVICEUP 80 0 : Device “interface(0/1)” – State UP

Apr 23 11:18:29 <local0.info> X.X.X.25 04/23/2018:02:18:29 GMT NetScaler-Internal-TDC-02 0-PPE-1 : default AAA Message 134 0 : “rba authentication : user nsroot response_len-0 cmdPolicyLen-0, partitionLen-0 PromptLen-0 timeout 805307268 authPolicyLen-0 authActionLen-0 ssh_pubkey_len
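The correlation done by hand in the log analysis above can be scripted. The following is an added example, not part of the original article or any Citrix tooling: it builds interface down windows from the secondary's ns.log and lists configuration commands the primary executed inside them. The sample lines are constructed and abridged from the log format shown above, and the verb list is an assumption.

```python
import re
from datetime import datetime

STAMP = re.compile(r"([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) <local0")
LINK = re.compile(r'EVENT (DEVICEDOWN|DEVICEUP) .*?Device ["“](.+?)["”]')
CMD = re.compile(r'CMD_EXECUTED .*?Command ["“](.+?)["”]')
# Assumed list of configuration-changing CLI verbs; show/stat/logout are ignored.
CONFIG_VERBS = {"add", "set", "unset", "rm", "bind", "unbind", "enable", "disable"}

# Constructed sample lines, abridged from the ns.log format shown above.
SECONDARY_LOG = """\
Apr 23 10:01:13 <local0.notice> X.X.X.25 0-PPE-0 : default EVENT DEVICEDOWN 79 0 : Device "interface(0/1)" - State DOWN
Apr 23 10:01:13 <local0.notice> X.X.X.25 0-PPE-1 : default EVENT DEVICEDOWN 132 0 : Device "interface(0/1)" - State DOWN
Apr 23 11:18:15 <local0.notice> X.X.X.25 0-PPE-1 : default EVENT DEVICEUP 133 0 : Device "interface(0/1)" - State UP
"""
PRIMARY_LOG = """\
ns.log.0:649:Apr 23 10:15:59 <local0.info> X.X.X.X default GUI CMD_EXECUTED 136 0 : User nsroot - Command "add ntp server X.X.X.3 -minpoll 6 -maxpoll 10" - Status "Success"
ns.log.0:651:Apr 23 10:15:59 <local0.info> X.X.X.X default GUI CMD_EXECUTED 137 0 : User nsroot - Command "unset ntp server X.X.X.3 -autokey" - Status "Success"
ns.log.0:660:Apr 23 10:16:30 <local0.info> X.X.X.X default CLI CMD_EXECUTED 138 0 : User nsroot - Command "show ntp status" - Status "Success"
ns.log.0:702:Apr 23 11:30:00 <local0.info> X.X.X.X default CLI CMD_EXECUTED 140 0 : User nsroot - Command "enable ntp sync" - Status "Success"
"""

def stamp(line, year):
    m = STAMP.search(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def down_windows(log, year=2018):
    """Return [(device, down_at, up_at)]; up_at is None if the link is still down."""
    open_since, windows = {}, []
    for line in log.splitlines():
        m, ts = LINK.search(line), stamp(line, year)
        if not m or ts is None:
            continue
        event, dev = m.groups()
        if event == "DEVICEDOWN":
            open_since.setdefault(dev, ts)  # each packet engine logs it; keep the first
        elif dev in open_since:
            windows.append((dev, open_since.pop(dev), ts))
    return windows + [(dev, ts, None) for dev, ts in open_since.items()]

def unpropagated(log, windows, year=2018):
    """Config commands executed on the primary inside any down window."""
    hits = []
    for line in log.splitlines():
        m, ts = CMD.search(line), stamp(line, year)
        if m and ts and m.group(1).split()[0] in CONFIG_VERBS and any(
                d <= ts and (u is None or ts <= u) for _, d, u in windows):
            hits.append((ts, m.group(1)))
    return hits
```

The comparison assumes both nodes' clocks agree; since the incident itself concerns time synchronization, widen each window by the expected skew before trusting a match near its edges.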

Related:

The following error occurred during an authentication attempt for user:domain.comabc with realm:

On the StoreFront server, open a command prompt and run the following command:

>set u

The output contains two fields, USERDOMAIN and USERDNSDOMAIN, which look like this:

USERDNSDOMAIN=DOMAIN.COM

USERDOMAIN=DOMAIN

Open the NetScaler Gateway virtual server session profile.

Go to the Published Applications tab and look for the SSODomain field.

As per the error, it would be set to domain.com.

Change it to domain, and save the configuration on the NetScaler.

Also confirm that StoreFront either has “Any” domain selected or has both “domain.com” and “domain” added as trusted domains.

Related:

NetScaler GSLB Static Proximity Does Not Work After Upgrading to 11.0/11.1 Firmware

To resolve this issue delete the nslocation.* files from the /var/netscaler/locdb/ directory and then re-run the configuration to add the location file.

root@NS-Cumulus1# cd /var/netscaler/locdb/

root@NS-Cumulus1# ls

GeoIPCountryWhois.csv GeoLite2-City-Locations-en.csv IP2LOCATION-LITE-DB1.CSV nslocation.ck nslocation.db

root@NS-Cumulus1# rm nslocation.*

> add locationfile /var/netscaler/locdb/GeoIPCountryWhois.csv -format geoip-country

Related:

Re: Importing/Exporting Cluster settings from One Isilon Cluster to another

You can use isiBackup for this.

IsiBackup allows you to make backups of all configuration items available through the GUI of OneFS. IsiBackup does not store the actual data (files and folders) that reside on the file system. IsiBackup focuses on the systems configuration elements, such as: access zones, smb shares, nfs exports, quotas, network configurations etc.

IsiBackup allows you to keep track of all the configuration changes that have taken place on the cluster between calls to IsiBackup. It can be launched automatically at regular intervals and it will send notifications by email when configuration changes are detected.

This software can also restore specific Isilon configuration items, provided that they have been previously saved by IsiBackup. The restoration of configuration can be performed on the same cluster or another cluster. For example, it is possible to duplicate elements from one cluster to another.

Network shares and quotas can also be restored on a different access zone as needed.

Here’s how to restore thousands of quotas with IsiBackup in less than 90 seconds: https://goo.gl/w7Ns7Z

For information, or for a free trial, please contact us at info@gallium-it.com.

Related:

Re: STIG for ECS Switches?

I have a customer who is putting in ECS for their Data Domain Cloud Tier.

They are a customer who requires STIG certification, or a process to achieve it, for all hardware in their environment.

(Security Technical Implementation Guide is from DISA).

I found the “ECS Security Configuration Guide” that goes into detail for the ECS operating system.

https://support.emc.com/docu90614_ECS-3.2.2-Security-Configuration-Guide.pdf?language=en_US

But I’m looking for some info on how the included switches can meet STIG requirements.

Thanks in advance,

Pat

Related:

FAQ: NetScaler Surge Queue

Q: What is NetScaler Surge queue?

A: A Surge queue is a path in the NetScaler appliance through which all client connections are sent, irrespective of the condition of the target service, such as service being loaded or service has reached the maximum connections state. When the number of requests to the servers is low, the connections are not observed in the Surge queue because the connections are sent to the servers quickly and the Surge queue build up is not observed.

Q: When connection is in Surge queue, is there a way to change the number of retries before giving up a connection (default is 7)?

A: No, this is as per design and it is not recommended to change the number of retries.

Q: What is the total maximum interval of 7 attempts of retransmit before NetScaler gives up on a connection? How long does the 7 retries take in total?

A: When there is a SYN without a response, the time is doubled for the retransmit and the time keeps doubling for every SYN without a response.

If you were to capture an nstrace for analysis then you can see the following retry pattern interval – 1 second, 2 seconds, 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds and then a RST is sent. This works as per exponential back off algorithm.

Q: How many connections can NetScaler surge queue handle?

A: The Surge queue is essentially a list of memory buffers, so there is no hard limit and it can keep growing as long as there is memory in the connection pool (NSB/PCB). To date, no failover or crash-grade issues have been observed with the Surge queue.

Related:

Unable to access StoreFront through NetScaler Gateway and getting “Could reach the page” error.

– After upgrading to 12.0 build 58.15, the StoreFront server cannot be accessed through NetScaler Gateway and a “Could reach the page” error is returned.

NOTE: On the NetScaler Gateway session profile, the StoreFront URL is configured with the StoreFront load balancing server IP.

– If the StoreFront load balancer IP is replaced with the actual StoreFront server IP, then StoreFront is accessible through NetScaler Gateway.

In the following nstrace screenshot, we can see that the StoreFront load balancer sent an export cipher in the Server Hello, in response to which the NetScaler Gateway vserver sent a FATAL error message.

User-added image
