How to Manually Change the Default Gateway From the Management Network to the Data Network on the NetScaler Instance of a CloudBridge 4000/5000 Appliance

When a CloudBridge 4000/5000 appliance is provisioned for the first time, the default gateway of the NetScaler instance is configured by default on the “management” subnet.

The management network (interface 0/1, used by XenServer, the SVM, the CloudBridge instance and the NetScaler instance) and the data/traffic network (the CloudBridge apA/apB/apC data ports) should be segregated onto two different networks.

For more information, refer to the Citrix Documentation – Deployment Worksheet of the CloudBridge 4000/5000 appliance.

This article describes the steps to manually change the default gateway of the NetScaler instance of a CloudBridge 4000/5000 appliance from the management network to the data network using the command line interface (CLI).

Related:

Re: setting up ROUTE for new interface on VNX 5200

Thanks, Rainer, for picking this up for us. We had a new eNAS installed recently, but when we created the interfaces used for the CIFS filers, we found that the eNAS would automatically create a route for each of them, just as kevlee mentioned in the topic.

For example, we create:

interface with ip 192.168.100.43/24 – vlan43, it will automatically create a route to 192.168.100.0/24 via 192.168.100.43.

interface with ip 192.168.101.43/24 – vlan143, it will automatically create a route to 192.168.101.0/24 via 192.168.101.43

interface with ip 192.168.102.43/24 – vlan 243, it will automatically create a route to 192.168.102.0/24 via 192.168.102.43

our DNS/AD is 192.168.150.50 – vlan 50

The physical link between the eNAS and the Ethernet switch runs 802.1Q. For each VLAN, its gateway is on the switch side.

I suppose we should tell the eNAS the gateway IP of each VLAN, but we couldn’t, as the route the system automatically created is already there (192.168.10x.0/24 via 192.168.10x.43).

Per your advice we defined a default route per Data Mover; in that case the eNAS knows how to forward the traffic out, but each packet is tagged with a VLAN ID, and the switch/firewall will drop the packet because of the VLAN ID.

In theory, when host x (vlan x) needs to talk to host y (vlan y),

the traffic flow is: host x -> gateway-vlan x -> gateway-vlan y -> host y

If we define 192.168.100.1 as the gateway (0.0.0.0/0 via 192.168.100.1), we have no issues with communication for 192.168.100.43, but what about 192.168.101.43 and 192.168.102.43? The packets will be dropped because of the VLAN ID.

Either our deployment/understanding has something wrong, or we should be able to define a gateway for each interface, such as 192.168.100.1 for vlan43, 192.168.101.1 for vlan143 and 192.168.102.1 for vlan243.

I know each physical DM has a default/global CIFS server for antivirus, etc. I think that default route should be for that default/global CIFS server. But what about the other CIFS servers on VDMs? Do we have a way to define a gateway/default route for each of them?

Thanks,

John

Related:

Re: eNAS static route issue

Thanks, Rainer. It turned out that we should NOT try to use ‘Run_Ping_Test’ from the eNAS to ping an external IP from an interface. It looks like the eNAS doesn’t rely on it when it’s working; that’s a wrong verification method, we’re told.

If we try, the issue is still there: the eNAS will put the traffic on the default route, and then the packet will be dropped as a VLAN ID mismatch.

My understanding:

The eNAS contains a CIFS server; the interface IP is linked to the CIFS server, such as 192.168.10.50. The CIFS server doesn’t have its own gateway set (for example, 192.168.10.1). Like a Windows server, it only has its IP set, but no gateway defined. A gateway is used to forward traffic to another subnet. The eNAS does have the gateway connected – it’s on the other side of the 802.1Q link between the eNAS and the switch.

It does make sense to define a default route for the local interface/subnet. The traffic flow would be:

192.168.10.50 -> 192.168.10.1 -> 192.168.20.1 (DC’s gateway) -> 192.168.20.50 (DC)

I still don’t know, when it needs to start communication to the outside, such as DNS or authentication/DC, what source address is used. I believe it’s not 192.168.10.50. It’s like there is a proxy there for all interfaces to forward the traffic to the default route. It’s like on the 802.1Q trunk we have vlan 10, 20, 30, 40, 50, and each VLAN’s gateway resides on the switch side, but we will only use vlan 30 (192.168.30.1) as the default route for everything.

I also don’t understand your saying ‘traffic to all IPs for that subnet 192.168.10.0 – 192.168.10.255 will be sent out through the local interface 192.168.10.50’.

192.168.10.50 is a host IP for the CIFS server; it’s supposed to receive nothing but traffic destined to 192.168.10.50. What’s the meaning of the route 192.168.10.0/24 via 192.168.10.50?

Related:

ProxySG Split Gateway


Hi all,

I want to ask whether the ProxySG can be deployed to use 2 gateways.

I set 2 interfaces:
interface 0:0 -> 192.168.x.x
interface 1:0 -> 172.16.x.x

I have set a gateway for each of 192 and 172 in the same routing domain.

The goal is that I want to use the 172 gateway for video traffic, and everything else uses the 192 gateway.

any documentation or use case to achieve this goal?

Regards.

Related:

Re: Security settings (TLS & Certificates)

Whilst it is possible, we don’t recommend disabling TLSv1.0/1.1 on ESRS-VE gateways at this stage. The reason is that there are still a few products which can only support TLSv1.0 for HTTPS call-home.

Note that ESRS-VE always uses TLSv1.2-secured connections across the Internet to the ESRS backend. Any TLSv1.0 connections are on the customer’s internal network, between the Dell EMC product and the ESRS gateway.

Regarding your other question, to change the ESRS Web UI certificate, see the following KB article:

https://support.emc.com/kb/485953

Kind Regards,

Marc
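The reply above makes the gateway-side decision depend on which internal products still negotiate TLSv1.0/1.1. The following is an added example, not code from the thread or from Dell EMC: it inventories negotiated TLS versions per source from a connection log before anyone disables the legacy protocols on the gateway. The log lines are constructed and the line format is hypothetical; the regular expression must be adapted to whatever the real gateway or reverse proxy logs.

```python
import re
from collections import defaultdict

# Constructed sample of call-home connections as a gateway might log them
# (source product, negotiated protocol).  The format is hypothetical; point
# LINE at the real connection log before relying on the result.
SAMPLE_LOG = """\
2019-03-04T10:01:02Z src=10.10.5.21 dst_port=443 tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2019-03-04T10:01:09Z src=10.10.5.88 dst_port=443 tls=TLSv1 cipher=AES256-SHA
2019-03-04T10:02:31Z src=10.10.7.3 dst_port=443 tls=TLSv1.1 cipher=AES128-SHA
2019-03-04T10:02:40Z src=10.10.5.21 dst_port=443 tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2019-03-04T10:03:12Z src=10.10.9.40 dst_port=443 tls=TLSv1 cipher=AES256-SHA
2019-03-04T10:03:50Z src=10.10.7.3 dst_port=443 tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2019-03-04T10:04:00Z gateway: config reload
"""

# Matches the source address and the negotiated protocol; lines without both are ignored.
LINE = re.compile(r"\bsrc=(?P<src>\S+)\b.*\btls=(?P<tls>TLSv1(?:\.[12])?)\b")
LEGACY = {"TLSv1", "TLSv1.1"}


def inventory(log_text):
    """Map each source to the set of TLS versions it negotiated with the gateway."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            seen[m["src"]].add(m["tls"])
    return dict(seen)


def classify(log_text):
    """Split sources into buckets that call for different actions:
    legacy_only - never seen with TLSv1.2: disabling 1.0/1.1 breaks its call-home
    mixed       - capable of 1.2 but sometimes falls back: fix the product side first
    modern      - only ever 1.2: unaffected by the change"""
    buckets = {"legacy_only": set(), "mixed": set(), "modern": set()}
    for src, versions in inventory(log_text).items():
        if "TLSv1.2" not in versions:
            buckets["legacy_only"].add(src)
        elif versions & LEGACY:
            buckets["mixed"].add(src)
        else:
            buckets["modern"].add(src)
    return buckets


def safe_to_disable_legacy(log_text):
    """True only when no source depends on TLSv1.0/1.1, i.e. the precondition
    for the change the reply above advises against making prematurely."""
    return not classify(log_text)["legacy_only"]


if __name__ == "__main__":
    for bucket, sources in classify(SAMPLE_LOG).items():
        print(f"{bucket:12s} {sorted(sources)}")
    print("safe to disable TLSv1.0/1.1:", safe_to_disable_legacy(SAMPLE_LOG))
```

Run against a log window long enough to cover every product's call-home interval, otherwise a product that only connects daily is missed and shows up as a broken call-home after the change.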

Related:

Some IP address or Domain are bypassing WSS


Hi,

Sometimes I see some IP address or domain access going directly to the network gateway where it should go to Web Security Service through the Unified Agent or the explicit method.

When I search for that IP and domain in the WSS portal Bypass List, they are not there.

Does anyone know why it is happening?

As a sample, some Akamai HTTP/HTTPS destinations are going direct while the main URL goes to WSS.

I want all 80/443 traffic going to WSS.

I appreciate any help.


Related:

Re: One question regarding VPLEX witness deployment.

Hello experts,

We have a question regarding VPLEX witness deployment.

Our witness virtual server is on a third site, but it reaches the 2nd site via the gateway (firewall) in the 1st site, unless the firewall in the 1st site fails; in that situation the gateway switches to the firewall in the 2nd site, and the gateway switch delay is about 5 seconds.

Now suppose the 1st site fails totally (loses power, for example), so both VPLEX and the network are down in this site. When this happens, the witness will not reach the VPLEX management server in the 2nd site in the first 5 seconds, because of the gateway switch delay; in such a situation the distributed volumes will probably also be suspended in the 2nd site.

Is there a perfect network connection solution, so the witness can communicate with both sites symmetrically (without any path and gateway switch …)?

Related:

ECS: Unable to connect to hosts on a subnet with 172.17.x.x

Article Number: 479579 Article Version: 2 Article Type: Break Fix

ECS Appliance, ECS Appliance Software with Encryption, ECS Appliance Software without Encryption, ECS Appliance Software with Encryption 2.2, ECS Appliance Software without Encryption 2.2

The ECS nodes use an internal Docker bridge interface, docker0, with the address 172.17.42.1 and a subnet mask of 255.255.0.0 (172.17.0.0/16). Because of that mask the kernel treats every address in 172.17.0.0/16 as on-link via docker0, so if a customer host lives anywhere in 172.17.x.x the ECS node cannot route to it by default: the packet is sent to the bridge instead of the public default gateway.

ecs1-n1:~ # ifconfig docker0
docker0   Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

To work around this issue, a static host route for the customer host must be added on every ECS node; being more specific (/32) than the /16 on docker0, it wins the routing decision and sends that host's traffic to the public default gateway.

Edit the following file on all ECS nodes.

vi /etc/sysconfig/network/routes

Under the default route, add a line with the IP address of the host in question, followed by the IP of the default gateway of the public interface, followed by the netmask 255.255.255.255, with a - (meaning any interface) at the end of the line. The file format is DESTINATION GATEWAY NETMASK INTERFACE, one route per line.

Example:

<HOST IP> <PUBLIC DEFAULT GATEWAY> 255.255.255.255 -

172.17.10.5 10.213.1.1 255.255.255.255 -

In the example above, the host IP is 172.17.10.5 and the public default gateway is 10.213.1.1. If you are not sure of the public interface's default gateway, run netstat -rn and look for the 0.0.0.0 destination line with the flags UG on the public interface; its Gateway column is the value to use.

ecs1-n1:~ # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.213.1.1      0.0.0.0         UG        0 0          0 public
10.213.1.0      0.0.0.0         255.255.255.0   U         0 0          0 public
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 private.4
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.219.0   0.0.0.0         255.255.255.0   U         0 0          0 private

After /etc/sysconfig/network/routes has been edited on all nodes, reload the network configuration on every node with the command service network reload. Because the route is in the routes file rather than added at the command line, it survives a reboot.

Confirm with netstat -rn that the new host route is present (it appears with the flags UGH on the public interface), then ping the host to confirm you can now route to it. Add one such line per 172.17.x.x host that the ECS must reach.
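The fix works because the kernel picks the most specific matching route, not the first one in the table. The following is an added example, not part of the Dell EMC article: it parses the netstat -rn output quoted above (embedded here as constructed sample input), finds the public default gateway the way the article instructs, builds the routes-file line, and runs a longest-prefix-match lookup before and after the line is applied. The same rule is what makes the automatically created connected routes in the eNAS thread earlier on this page on-link routes (a 192.168.10.0/24 entry with no gateway means "deliver directly out of the interface that holds 192.168.10.50"). Interface and address values come from the article; the helper names are this example's own.

```python
import ipaddress

# Constructed sample: the `netstat -rn` output quoted in the KB article above.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.213.1.1      0.0.0.0         UG        0 0          0 public
10.213.1.0      0.0.0.0         255.255.255.0   U         0 0          0 public
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 private.4
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.219.0   0.0.0.0         255.255.255.0   U         0 0          0 private
"""


def parse_netstat_rn(text):
    """Parse `netstat -rn` output into (network, gateway or None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # title and column-header lines
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        # 'G' flag: next hop is a gateway; otherwise the destination is on-link
        gateway = ipaddress.ip_address(gw) if "G" in flags else None
        routes.append((net, gateway, iface))
    return routes


def public_default_gateway(routes):
    """Gateway of the 0.0.0.0/0 route (the line flagged UG), as the KB tells you to find."""
    for net, gw, _ in routes:
        if net.prefixlen == 0 and gw is not None:
            return str(gw)
    return None


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies: the most specific
    matching network wins regardless of its position in the table.
    Returns (next hop, or None when on-link; egress interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, gw, iface = best
    if gw is not None and iface is None:
        # routes-file entries with '-' as interface: the kernel resolves the
        # egress interface from the gateway's own connected route
        iface = lookup(routes, gw)[1]
    return (str(gw) if gw is not None else None, iface)


def host_route_line(host_ip, routes):
    """The line to add under the default route in /etc/sysconfig/network/routes:
    DESTINATION GATEWAY NETMASK INTERFACE, where '-' means 'any interface'."""
    gw = public_default_gateway(routes)
    if gw is None:
        raise LookupError("no default gateway in routing table")
    return f"{host_ip} {gw} 255.255.255.255 -"


def apply_routes_line(routes, line):
    """Add one routes-file line to the in-memory table (a /32 here, so it
    out-ranks the /16 on docker0 for that single host)."""
    dest, gw, mask, iface = line.split()
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gateway = None if gw == "-" else ipaddress.ip_address(gw)
    return routes + [(net, gateway, None if iface == "-" else iface)]


if __name__ == "__main__":
    table = parse_netstat_rn(NETSTAT_RN)
    print("before:", lookup(table, "172.17.10.5"))   # on-link via docker0: unreachable
    fixed = apply_routes_line(table, host_route_line("172.17.10.5", table))
    print("after: ", lookup(fixed, "172.17.10.5"))   # via 10.213.1.1 on public
    print("bridge:", lookup(fixed, "172.17.42.9"))   # the rest of 172.17/16 still on docker0
```

The before/after lookups show the scope of the fix precisely: only the listed host leaves via the public gateway, every other 172.17.x.x address still goes to the bridge, which is why one line per host is needed.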

Related:

Error: “Your apps are not available at this time. Please try again” When Receiver Connects Through NetScaler Gateway

Solution 1

To resolve this issue, change the beacon entries in StoreFront: add the NetScaler Gateway addresses to the external beacons.

Reference: https://docs.citrix.com/en-us/storefront/3-11/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

External Beacon

If you want to use ICA proxy for both internal and external connections (all clients should only go through NetScaler Gateway), then configure a fake address as the internal beacon in StoreFront, so that no client ever classifies itself as internal.

Note: The internal beacon should only be resolvable inside the network; if the beacon is resolvable externally, Citrix Receiver will classify external clients as internal and will not be able to add the account.

Solution 2

The issue relates to the compatibility of Receiver 4.x with the Web Interface XenApp Services site. Receiver 4.x supports Services sites, but when connecting through NetScaler Gateway users may experience issues as described in CTX136828 – Error When Using Windows Receiver PNAgent through Access Gateway Enterprise Edition Appliance.

Also note that, per Citrix Documentation, NetScaler Gateway to a Web Interface XenApp Services site is not supported.
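The beacon rules in Solution 1 are easiest to reason about as a decision procedure. The following is an added example, not Citrix code: it models Receiver's location test with the reachability of each beacon injected as a set, so the three configurations the article describes (a correctly split beacon, a fake internal beacon that forces everything through the gateway, and an internal beacon that is resolvable from outside) can be checked offline. All host names are placeholders, and the reachability sets are constructed.

```python
# Constructed reachability for the two positions a client can be in; these sets
# stand in for the DNS lookups and HTTP probes Receiver performs against beacons.
INSIDE = {   # what a client on the corporate LAN can reach
    "https://beacon.internal.example",
    "https://storefront.internal.example",
    "https://www.citrix.com",
    "https://gateway.example.com",
}
OUTSIDE = {  # what a client on the Internet can reach
    "https://www.citrix.com",
    "https://gateway.example.com",
}

GATEWAY = "https://gateway.example.com"   # placeholder NetScaler Gateway address


def choose_path(internal_beacon, external_beacons, gateway, reachable):
    """Receiver's location test.
    internal beacon reachable          -> client is inside, connect to StoreFront directly
    else an external beacon reachable  -> client is outside, connect through the gateway
    else                               -> no network at all"""
    if internal_beacon in reachable:
        return ("direct", None)
    if any(b in reachable for b in external_beacons):
        return ("gateway", gateway)
    return ("offline", None)


def check_beacons(internal_beacon, external_beacons, inside=INSIDE, outside=OUTSIDE):
    """Return the misconfigurations the article warns about, empty if none."""
    problems = []
    if internal_beacon in outside:
        problems.append("internal beacon reachable from outside: external clients "
                        "are classified as internal and never use the gateway")
    if not any(b in outside for b in external_beacons):
        problems.append("no external beacon reachable from outside: external clients "
                        "are treated as having no network")
    return problems


if __name__ == "__main__":
    ext = ["https://www.citrix.com", GATEWAY]   # gateway address added to the external beacons
    # Correct split: internal beacon resolvable only inside
    print(choose_path("https://beacon.internal.example", ext, GATEWAY, INSIDE))   # direct
    print(choose_path("https://beacon.internal.example", ext, GATEWAY, OUTSIDE))  # gateway
    # ICA-proxy-everything: a fake internal beacon that resolves nowhere
    print(choose_path("https://nowhere.invalid", ext, GATEWAY, INSIDE))           # gateway
    # Misconfiguration: a public name used as the internal beacon
    print(check_beacons("https://www.citrix.com", ext))
```

The third case is the trick the article describes for forcing all clients through NetScaler Gateway, and the fourth is the failure the note warns about: an external client reaches the internal beacon, decides it is inside, and tries to contact StoreFront directly.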

Related: