How to Enable Client IP in TCP/IP Option of NetScaler

This article describes how to enable client IP in TCP/IP option of NetScaler.

Background

Currently, several customers are using the NetScaler as a centralized resource to perform load balancing for many applications in large data centers. When the NetScaler application switch is used at Layer 3 or above, it is set up as a proxy, because many servers sit across an L3 network. Operating as a proxy in such environments, however, results in the loss of the client’s source IP. As a result, we need to insert the client’s connection information as part of the initial data stream.

For HTTP and SSL services this is done by inserting the client IP address as an HTTP header on the request to the server. Inserting a client IP header is not possible for TCP-based services, so TCP header insertion is used as an alternative.

This feature solves that drawback. After the three-way handshake with the server, a single packet of additional data is sent to the server. This data is prefixed with the 32-bit binary representation of the value entered as the CIP header, followed by the complete TCP/IP header information of the packet that induced the backend connection to be established. The data runs from the start of the IP header to the end of the TCP header, including IPv6 extension headers, IPv4 options, and TCP options as appropriate. Proper logic therefore needs to be incorporated into the application to ensure that the right fields are parsed.

Note that this feature does not work on HTTP load balancing virtual server/service.

An extra packet is sent by the NetScaler to the server side containing the following information:

  • Variable length: client-side session information; it is a copy (header only) of the final acknowledgement packet used in the client-side connection establishment.
  • IPv6: the basic IPv6 header is copied to the server side as it is. NetScaler does not have a dual IPv6 stack; it converts the IPv6 packet to IPv4, Layer 3 and the upper layers process the packet, and the packet is then translated back from IPv4 to IPv6. While converting the original IPv6 header to IPv4 for TCP-level proxying, all extension headers are ignored. For TCP CIP, however, we copy the original IPv6 basic header and forward it to the server side.
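As an added example (not code from the article or from Citrix), the following parser shows how a backend application would consume the extra packet: skip the 4-byte CIP value, walk the IPv4 header (with options) or the IPv6 header (with any extension headers present), then the TCP header (with options), and recover the original client address and the offset at which real application data begins. It assumes the CIP value is exactly 4 bytes; both sample records are constructed, not captured.

```python
import socket
import struct

# Assumption: the prepended CIP value is exactly 4 bytes; the page does not
# give its byte order, so it is returned raw rather than interpreted.
CIP_PREFIX_LEN = 4
# IPv6 extension headers and their fixed length (None = use Hdr Ext Len field)
IPV6_EXT = {0: None, 43: None, 60: None, 44: 8}

def parse_cip_record(data):
    """Parse NetScaler's extra packet: CIP value, client IP header, TCP header.
    Returns the original client/server endpoints and where the header ends."""
    off = CIP_PREFIX_LEN
    version = data[off] >> 4
    if version == 4:
        ihl = (data[off] & 0x0F) * 4                # includes IPv4 options
        if ihl < 20:
            raise ValueError("bad IPv4 IHL")
        proto = data[off + 9]
        src = socket.inet_ntop(socket.AF_INET, data[off + 12:off + 16])
        dst = socket.inet_ntop(socket.AF_INET, data[off + 16:off + 20])
        off += ihl
    elif version == 6:
        proto = data[off + 6]
        src = socket.inet_ntop(socket.AF_INET6, data[off + 8:off + 24])
        dst = socket.inet_ntop(socket.AF_INET6, data[off + 24:off + 40])
        off += 40
        while proto in IPV6_EXT:                    # walk extension headers, if any
            nxt, ext_len = data[off], data[off + 1]
            off += IPV6_EXT[proto] or (ext_len + 1) * 8
            proto = nxt
    else:
        raise ValueError("not an IP header")
    if proto != 6:
        raise ValueError("next header is not TCP")
    sport, dport = struct.unpack("!HH", data[off:off + 4])
    tcp_len = (data[off + 12] >> 4) * 4             # includes TCP options
    if tcp_len < 20:
        raise ValueError("bad TCP data offset")
    return {"cip_value": data[:CIP_PREFIX_LEN], "client_ip": src, "client_port": sport,
            "server_ip": dst, "server_port": dport, "header_len": off + tcp_len}

def build_sample_ipv4_record():
    """Constructed sample: IPv4 header with 4 bytes of options (IHL=6), TCP with MSS option."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 48, 1, 0, 64, 6, 0,
                     socket.inet_aton("203.0.113.10"), socket.inet_aton("10.0.0.5"))
    ip += b"\x01\x01\x01\x01"                       # IPv4 options: four NOPs
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, 0x60, 0x10, 65535, 0, 0)
    tcp += b"\x02\x04\x05\xb4"                      # TCP option: MSS 1460
    return b"\x00\x00\x00\x01" + ip + tcp           # 4-byte CIP value first

def build_sample_ipv6_record():
    """Constructed sample: IPv6 header, hop-by-hop extension header, then plain TCP."""
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 28, 0, 64,
                      socket.inet_pton(socket.AF_INET6, "2001:db8::10"),
                      socket.inet_pton(socket.AF_INET6, "2001:db8::5"))
    hop = b"\x06\x00" + b"\x00" * 6                 # next header = TCP, Hdr Ext Len = 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 0x50, 0x10, 65535, 0, 0)
    return b"\x00\x00\x00\x01" + ip6 + hop + tcp
```

Everything after header_len in the backend stream is the client's own payload, so an application reads this record once per connection and then treats the rest of the stream normally.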

Screen shots of sample trace (trace screenshots not reproduced in this copy)

Note: In SSL_BRIDGE, NetScaler TCP does not proxy the final packet from the client to the server side. On the final ACK, the protocol control block (PCB, the TCP session structure) itself is not created on the NetScaler. This is done because we know the protocol is SSL and the client has to send the first data packet (the SSL Client Hello); only then is a PCB allocated on the NetScaler for the client-side connection, and the IP+TCP header is taken from this Client Hello packet and forwarded to the server side as the client-side information. If, for example, the Client Hello is 265 bytes, the IP length seen will be 265 bytes.

In our lab we successfully tested this feature for the following services:

  • TCP service
  • SSL_BRIDGE service
  • SSL_TCP service


How to Determine the IP Addresses of Active Connections to a Virtual Server of a NetScaler

You can use the connection table to display all TCP/IP connections. The table lists the client source IP address and port, the destination IP address and port, and the NetScaler-to-server connections, where the source is a NetScaler Mapped IP (MIP) or Subnet IP (SNIP) address and the destination is the application server IP address.

NetScaler GUI

To display the connection table using NetScaler GUI:

  1. Log in to the NetScaler appliance using nsroot credentials.

  2. Select Configuration > System > Network > TCP/IP connections link.


  3. Select the Client Server Link Mapping option and click Continue.


  4. The Client and Server IP addresses are displayed in the Client-Server Connections table.


NetScaler CLI

To display the connection table using NetScaler CLI, run the following command:

show ns connectiontable "CONNECTION.LB_VSERVER.NAME.EQ(\"Web-VServer\")"

For more information about this command refer to Citrix Documentation – show ns connectiontable.


7021934: Enabling File Transfer on an IBM i over TCP/IP in Reflection

Verifying Host Services on the IBM System i

Before you can use Reflection to transfer files over TCP/IP, you must verify whether Host Servers is installed on IBM i, and then start the LIPI servers on the IBM System i.

To verify whether Host Servers is available, follow these steps:

  1. Open Reflection and connect to IBM i with a terminal session.
  2. Enter the command DSPSFWRSC.
  3. In the Software Resource list, look for at least one Option 12 (i5/OS – Host Servers).

If Option 12 is listed, continue with the next section. If you do not see Option 12 listed, you will need to install the host servers from the i5/OS installation media before continuing.

Starting the LIPI Servers

The LIPI servers must be started because they are not available by default.

Note: You need *ALLOBJ system administrator privileges on the IBM i to successfully complete these instructions.

On the IBM i, you can start the LIPI servers all at once or individually.

  • To start all i5/OS LIPI servers, use this command:
STRHOSTSVR *ALL

Note: After executing the above command you may see the error, “Host server daemon jobs unable to communicate using IPX.” You can ignore this error because IPX is not needed.

  • To start the required LIPI servers individually, use these commands:
STRHOSTSVR *CENTRAL

STRHOSTSVR *DATABASE

STRHOSTSVR *SIGNON

STRHOSTSVR *SVRMAP

Determining Which LIPI Servers Are Started

To confirm which LIPI servers are started, follow these steps:

  1. On the IBM System i, issue this command:
NETSTAT
  2. Select option 3: Work with TCP/IP connection status.
  3. Look for the following items under the Local Port heading to verify that the required LIPI servers are running (names may be displayed truncated):

For non-SSL:

  • as-central
  • as-database
  • as-signon
  • as-svrmap

For SSL:

  • as-central-s
  • as-database-s
  • as-signon-s

Japanese and Other Double-byte Systems

The NETSTAT command will not display the LIPI servers in Japanese or other double-byte operating systems. Instead, look for the TCP port numbers of the LIPI servers.

The following table lists the default ports for the required LIPI servers:

LIPI Server       TCP Port Number (Default)                 SSL Port Number (Default)
Central server    8470                                      9470
Database server   8471                                      9471
Signon server     8476                                      9476
Server mapper     449 (must not be changed from default)    none

You can use non-default ports for all of the servers except the server mapper, which must be on port 449. This port allows the PC to query the host to determine where the other ports are mapped.

Verifying Prestart Jobs

Before you can make a connection and transfer files, one of the following prestart jobs must be started: QZDAINIT or QZDASOINIT. A prestart job is started when you start the corresponding host server daemon. The prestart job then waits and listens for an incoming connection before going to an active state.

  • QZDAINIT is for an SNA (or 802.2) connection. QZDAINIT is the Server program.
  • QZDASOINIT is for TCP/IP, specifically a TCP/IP and IPX socket connection. QZDASOINIT is the Server program, and QZDASRVSD is the Server Daemon program.

To verify whether a prestart job is running, enter the following command on the i5/OS command line:

WRKSBSJOB QSERVER

Configuring File Transfer in Reflection for IBM

Using Reflection, you can transfer files directly to or from the IBM i host over TCP/IP without starting a terminal session. Follow these steps:

  1. In the Reflection Workspace, open a session document or create a new terminal session document.
  2. On the Ribbon, click the File Transfer Settings icon.
  3. The Transfer dialog box is displayed. On the Protocol tab, select AS/400.
  4. On the AS/400 tab, select TCP/IP from the Transport drop-down menu.
  5. Select LIPI from the Host TP drop-down menu.
  6. In the System name field, enter the name of the IBM i host, if you have not already specified this information.
  7. Click OK.
  8. In the Transfer dialog box, specify the files you wish to transfer.
  9. Click the appropriate Transfer button.

Configuring File Transfer in Reflection for the Web

Using Reflection for the Web, you can transfer files directly to or from the AS/400 host over TCP/IP without starting a terminal session. Follow these steps:

  1. Launch the Administrative WebStation and under Tools, click Session Manager.
  2. Click Add to create a new session.
  3. Select the IBM AS/400 Data Transfer option as the Web-Based Session Type and enter a Session name, such as AS/400 Transfer. Click Continue.
  4. Configure your session, and then click Launch to start your file transfer session.
  5. To configure file transfer, on the Connection menu, click Connection (or Session) Setup. In the dialog box, enter your Host, User ID, and Password.
  6. (Optional) To configure security, click the SSL/TLS (or Security) button.
  7. Click OK to connect to the AS/400.
  8. Click File > Save and Exit to save your file transfer session.

To change your file transfer settings, open your file transfer session and on the Options menu, click To Host or click From Host to configure the settings.

Troubleshooting

1. If you receive the error, “TCP connection dead,” check the following settings on the IBM System i:

  • Verify that the LIPI servers are running. (This is the most likely cause of the error.)
  • Check whether the default ports are being used. See the table above for default values.

If non-default ports are being used, verify that the Use default ports check box is cleared in the advanced file transfer setup dialog box.

  • Check whether any of the specified ports—default or not—are blocked on the host.

To verify whether files can be transferred to or from the designated host, try a different transfer protocol, such as MPTN.

2. If you receive the error, “TCP – Unable to open Connection”, ensure a certificate on the IBM System i has been assigned to the:

  a. Central Server,
  b. Database Server,
  c. Signon Server, and
  d. File Server

  • Symptom: Initial SSL/TLS connection to the mainframe is successful, yet LIP transfer fails very quickly with the message, “TCP – Unable to open Connection”.
  • Host services were verified, LIPI servers are running for SSL, appropriate prestart jobs are running, and Reflection is configured correctly for LIPI transfers.
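To work through the first troubleshooting item (LIPI servers not running, non-default or blocked ports), the following added script (not part of the original article) probes the default LIPI ports from the table above from the PC side and maps the result onto that checklist. The host name is a placeholder argument, and the probe function is injectable so the logic can be exercised without a live IBM i.

```python
import socket
import sys

# Default LIPI server ports from the table above (the server mapper has no SSL
# port and must stay on 449, which is why it is probed even in SSL mode).
LIPI_PORTS = {
    "Central server":  {"plain": 8470, "ssl": 9470},
    "Database server": {"plain": 8471, "ssl": 9471},
    "Signon server":   {"plain": 8476, "ssl": 9476},
    "Server mapper":   {"plain": 449,  "ssl": None},
}

def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_lipi_servers(host, use_ssl=False, probe=tcp_port_open):
    """Probe every required LIPI port; returns {server: (port, reachable)}.
    'probe' is injectable so the logic can be exercised without a live host."""
    results = {}
    for server, ports in LIPI_PORTS.items():
        port = ports["ssl"] if use_ssl and ports["ssl"] else ports["plain"]
        results[server] = (port, probe(host, port))
    return results

def diagnose(results):
    """Map probe results onto the troubleshooting checklist above."""
    if not results["Server mapper"][1]:
        return "port 449 unreachable: the server mapper must listen on 449"
    down = [name for name, (_, ok) in results.items() if not ok]
    if down:
        return "LIPI server not started or port blocked: " + ", ".join(down)
    return "all required LIPI ports reachable"

if __name__ == "__main__":
    # Placeholder host name; pass the real IBM i name and optionally --ssl.
    host = sys.argv[1] if len(sys.argv) > 1 else "ibmi.example.invalid"
    res = check_lipi_servers(host, use_ssl="--ssl" in sys.argv)
    for name, (port, ok) in res.items():
        print(f"{name:16} port {port:5} {'open' if ok else 'CLOSED'}")
    print(diagnose(res))
```

If the host uses non-default ports, edit LIPI_PORTS to match the configured values before running the check.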


DHCP Client Service will not start and shows “Access Denied” error

It’s unclear where this problem comes from, but it appears to be an issue with the way the registry hives are combined when building boot images. You can see it while editing layers, in published images (in App Layering 4), or in edited desktops (Unidesk 2). To fix it, you need to edit the permissions on a registry key.

Give “Full control” permission to these three users:

  • DHCP
  • Network Service
  • The local Administrator account: MachineName\Administrator

for the registry key “Tcpip” located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

Click Advanced, and on that page check the “Replace all child object permissions with inheritable permissions from this object” box. DHCP and Network Service should already be listed, so just set them to Full Control. You will need to manually add a new entry for your local Administrator account and set that to Full Control as well.

This can be done in the published image, or in each layer as you find the problem, but if you preemptively do it in the OS Layer itself, you should find that the fix automatically propagates out to the layers and images (and desktops in Unidesk 2), so you don’t have to do it each time you find it elsewhere.
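The same permission change, as an added example (not from the original article), done from an elevated PowerShell prompt instead of the Registry Editor. It assumes the “DHCP” principal is the service identity NT SERVICE\Dhcp and that the local administrator account still has the built-in name Administrator.

```powershell
# Added example, not from the original article. Assumptions: the "DHCP" principal
# is the service identity NT SERVICE\Dhcp, and the local administrator still has
# the built-in name Administrator. Run from an elevated PowerShell prompt.
$keyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
$principals = @('NT SERVICE\Dhcp',
                'NT AUTHORITY\NETWORK SERVICE',
                "$env:COMPUTERNAME\Administrator")

# 1. Grant Full Control on the Tcpip key, inheritable by all subkeys.
$acl = Get-Acl -Path $keyPath
foreach ($identity in $principals) {
    $ruleArgs = @($identity,
                  [System.Security.AccessControl.RegistryRights]::FullControl,
                  [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                  [System.Security.AccessControl.PropagationFlags]::None,
                  [System.Security.AccessControl.AccessControlType]::Allow)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# 2. Equivalent of "Replace all child object permissions with inheritable
#    permissions from this object": drop explicit entries on every subkey and
#    re-enable inheritance so the rules above flow down.
Get-ChildItem -Path $keyPath -Recurse | ForEach-Object {
    $childAcl = Get-Acl -Path $_.PSPath
    foreach ($explicit in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$childAcl.RemoveAccessRule($explicit)
    }
    $childAcl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $_.PSPath -AclObject $childAcl
}

# 3. Verify: each principal should now show FullControl on the key.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $principals -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, RegistryRights, IsInherited
```

Running this inside the OS Layer has the same propagation effect described above, since the layer carries the modified hive into the images built from it.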


7021470: Configuring TCP/IP and LAN Adapter for an IBM System i

Verify That TCP/IP Configured Properly on the System i

TCP/IP is configured properly on the System i when TCP/IP is enabled and you can ping the host. Verify your system as follows:

Netstat

To ensure that TCP/IP is enabled, enter the following command at the i5/OS command line:

NETSTAT

  • If NETSTAT reports that “TCP/IP is not started,” refer to the section below on Configuring TCP/IP on the System i.
  • If TCP/IP is configured, you may be prompted to verify the settings.

Ping

To check whether you can ping the System i, enter the PING command at the i5/OS command line. An example:

PING '192.168.1.1'

The above command would have the System i ping a system with an IP address of 192.168.1.1.

Configuring TCP/IP on the System i

To install and configure TCP/IP on the System i, enter the following command at the i5/OS command line:

CFGTCP

When you enter CFGTCP you will see up to twenty-two different configuration options. Verify and configure the required settings below.

  • TCP/IP Interfaces. The TCP/IP interface description is typically:
    • Line Description: ETHERNET
    • Line Type: ELAN
  • TCP/IP Routes. Check the DFROUTE and MTU entries.
    • DFROUTE indicates the router IP address.
    • Set the route’s MTU size to *IFC (recommended).
  • TCP/IP Attributes.

Enter the following command at the AS/400 system prompt:

STRTCP

The administrator must start the TCP/IP transport once configuration is complete.

Verify That the LAN Adapter is Installed and Functional

To check whether the LAN adapter is installed and functioning, follow these steps:

  1. Enter the following command at the i5/OS command line:
DSPHDWRSC *CMN
  2. Find Ethernet Port or Tokenring Port in the listing. If there is no value for Ethernet Port or Tokenring Port, then i5/OS is not automatically reporting the existence of an Ethernet adapter. This indicates either a hardware failure or that no LAN adapter is installed on the system.
  3. Note the Resource Line Description value: L_____. You will need this value later. It typically corresponds to the LAN adapter (Ethernet or Token-Ring) and is directly above the Port resource line.
  4. Select option 5 to display configuration descriptions.
  5. Enter 8 to work with Configuration Status.
  6. Verify that the status is Active.
  7. Option 1 (Vary On) may be entered for an inactive device.

Checking the LAN Interface (LINE) Configuration

The way you check a LAN interface configuration depends on whether you have an Ethernet or Token-Ring adapter. You will need to know the Resource Line Description value that you got in step three of the Verify the LAN Adapter is Installed and Functional section above. Steps are included in separate sections below.

Ethernet

If you have an Ethernet adapter follow these steps:

  1. Enter the following command at the i5/OS command line:
CRTLINETH

Press F4 and you will be prompted for configuration entries. Do not press Enter. In the Line Description field the recommended entry is ETHERNET.


How to Use Policy Based TCP Profile in NetScaler

Note: Policy based TCP profile is not present in 10.x. It is only available from 11.0 64.x and 11.1.

How to configure policy based TCP profile in NetScaler

Consider the following requirement in a customer deployment. The customer has 3G and 4G subscribers; all 3G subscribers arrive through VLAN 1 and all 4G subscribers through VLAN 2. Based on this parameter, we can assign different TCP profiles to these clients.


Using APPQOE policies, we create two policies based on VLAN IDs. The action configured for each APPQOE policy selects the TCP profile for the subscriber traffic. When a request arrives from a client, policy evaluation takes place and, based on the VLAN ID, the TCP profile from the matching APPQOE action is used. For instance, in the configuration below, when 3G traffic enters the NetScaler over VLAN 1, the APPQOE policy “appqoe_3G” is hit and the corresponding action “action_3G” applies 3G_profile to the session.


add appqoe action action_3G -tcpProfile 3G_profile
add appqoe action action_4G -tcpProfile 4G_profile
add appqoe policy appqoe_3G -rule "client.vlan.id.eq(1)" -action action_3G
add appqoe policy appqoe_4G -rule "client.vlan.id.eq(2)" -action action_4G
bind lb vserver tcpopt_traffic_manager -policyName appqoe_3G -priority 1
bind lb vserver tcpopt_traffic_manager -policyName appqoe_4G -priority 2

Policy based TCP Profiles using configuration utility

Navigate to AppExpert -> AppQoE


APPQOE Policy Examples

Some examples of APPQOE policies that can be used with other parameters, such as source IP, HTTP parameters, or subscriber-specific information, are as follows.

TCP/IP specific rule:

add appqoe policy <name> -rule "CLIENT.IP.SRC.EQ(10.12.12.16)" -action <action-name>

HTTP specific rule:

add appqoe policy apppol1 -rule "HTTP.REQ.URL.CONTAINS(\"5k.html\")" -action appact1
add appqoe policy apppol2 -rule "HTTP.REQ.URL.CONTAINS(\"500.html\")" -action appact2

Subscriber specific rule:

add appqoe policy apppol1 -rule "SUBSCRIBER.AVP(250).VALUE.CONTAINS(\"hi\")" -action appact1
add appqoe policy apppol2 -rule "SUBSCRIBER.SERVICEPATH.IS_NEXT(\"SF1\")" -action appact2

This feature leverages the flexibility available in APPQOE policies and actions to dynamically select the TCP profile required for the traffic going through NetScaler.



Best practice for load balancing on outbound proxy IP address

I need a solution

We have the following challenge: many thousands of users are accessing a web service through a ProxySG in an explicit deployment. At some point we will run into a port exhaustion issue.
Apart from increasing the source port range by setting “#(config) tcp-ip inet-lowport xxx” as explained in https://support.symantec.com/en_US/article.TECH243… the usual advice is to add more IP addresses to the proxy and split the connections between those IP addresses using reflect_ip(proxyIPaddress1), reflect_ip(proxyIPaddress2), etc.

Now my question is: What is the best way to distribute clients between the outgoing proxy IP addresses? I’d like to use a smarter solution than simple client subnets, as in

client.address=192.168.1.0/24 reflect_ip(proxyIPaddress1)
client.address=192.168.2.0/24 reflect_ip(proxyIPaddress2)

because there are a lot of subnets and I’d have to manually calculate how many clients are in each subnet on average to create groups of equal size. Also, of course, new subnets are created, deleted, and changed every once in a while. Is there a way to distribute the clients automatically? I thought of creating groups like

<Forward>
condition=clientsForIP1 reflect_ip(proxyIPaddress1)
reflect_ip(proxyIPaddress2)

define condition clientsForIP1
client.address=*.*.*.1 
client.address=*.*.*.3
client.address=*.*.*.5
...
end

So all clients with an odd IP address are automatically sent via IPaddress1, regardless of how many subnets exist. However, I’m not sure if this is really efficient. Do you have any other ideas? Is there a way I can perform mathematical calculations inside CPL?

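As an added example (not part of the original post or of the ProxySG product), the following Python script does the subnet-size arithmetic outside CPL: it balances a list of client subnets across the proxy IPs by host count and emits the <Forward> layer and condition definitions in the shape the post sketches, so new or resized subnets only require re-running it and reinstalling the policy. The subnet list is constructed sample input; proxyIPaddress1 and proxyIPaddress2 are the post's own placeholders.

```python
import heapq
import ipaddress

# Constructed sample input (not from the post): client subnets of mixed sizes.
CLIENT_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "10.10.0.0/22",
                  "10.20.0.0/23", "172.16.5.0/25", "172.16.6.0/26"]
PROXY_IPS = ["proxyIPaddress1", "proxyIPaddress2"]   # placeholders from the post

def partition_subnets(subnets, group_count):
    """Greedy balance: hand each subnet (largest first) to the group with the
    fewest addresses so far. Returns [(address_total, [subnet, ...]), ...]."""
    nets = sorted((ipaddress.ip_network(s) for s in subnets),
                  key=lambda n: n.num_addresses, reverse=True)
    heap = [(0, i) for i in range(group_count)]     # (addresses so far, group)
    groups = [[] for _ in range(group_count)]
    totals = [0] * group_count
    for net in nets:
        total, idx = heapq.heappop(heap)
        groups[idx].append(str(net))
        totals[idx] = total + net.num_addresses
        heapq.heappush(heap, (totals[idx], idx))
    return list(zip(totals, groups))

def render_cpl(groups, proxy_ips):
    """Emit the <Forward> layer plus one 'define condition' per proxy IP.
    The last proxy IP is the catch-all rule, so it needs no condition."""
    lines = ["<Forward>"]
    for i, ip in enumerate(proxy_ips[:-1]):
        lines.append(f"condition=clientsForIP{i + 1} reflect_ip({ip})")
    lines.append(f"reflect_ip({proxy_ips[-1]})")
    for i, (_, subnets) in enumerate(groups[:-1]):
        lines += ["", f"define condition clientsForIP{i + 1}"]
        lines += [f"client.address={s}" for s in subnets]
        lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    balanced = partition_subnets(CLIENT_SUBNETS, len(PROXY_IPS))
    for total, subnets in balanced:
        print(f"# {total} addresses: {', '.join(subnets)}")
    print(render_cpl(balanced, PROXY_IPS))
```

Because the split is by address count rather than by which clients are actually active, re-run it against connection statistics if the groups turn out to be unevenly loaded in practice.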


Why does JMON stop with FEJ202E TCP/IP may have failed or been recycled. Server stopping.

JMON stops with the following message
FEJ202E TCP/IP may have failed or been recycled. Server stopping.

The above message is preceded by many iterations of the messages below.
FEJ275E Socket accept failed rc=-1, errno=120 (remaining retries 42).
FEJ206I Logout S26:A500421 due to lost connection.

