Case Study – Web Browser Displays “401 – Unauthorized: Access is denied due to invalid credentials”

Problem Definition

A customer was attempting to configure ICA Proxy mode on Citrix Access Gateway Enterprise Edition with XenApp 5.0 and Web Interface. The customer reported that when configuring the same, the 401 – Unauthorized Access is denied due to invalid credentials error message is displayed on the Web browser after a successful authentication to the Citrix Access Gateway Enterprise Edition Login page, as shown in the following screenshot:

User-added image

Environment

The customer had installed the following hardware and software components on the network:

  • Windows Server 2008
  • Internet Information Server 7
  • NetScaler appliance
  • Web Interface 5.0
  • XenApp 5.0

Troubleshooting Methodology

To troubleshoot this issue, the Technical Support Engineers investigated the Windows event logs of the XenApp Server and observed an error message in the Citrix Web Interface event log, as shown in the following screenshot:

User-added image

This prompted the engineers to shift the focus of the investigation towards the XenApp Server. The engineers recorded network packet traces on the XenApp server during a login attempt. Each time, the engineers killed the Access Gateway Enterprise Edition session to ensure that a new session starts. The Web Interface makes the outbound https request to the Access Gateway Enterprise appliance to retrieve the SmartAccess settings, such as VServer and Session Policy Name.

When analyzing the packet traces, the engineers observed that when the XenApp Server communicates to the URL in the preceding screenshot, /CitrixAuthService/AuthService.asmx, the XenApp Server sends a FIN-ACK packet during the Secure Socket Layer (SSL) handshake negotiation, as shown in the following screenshot:

User-added image

When attempting to open the /Citrix/XenApp1/auth/agesso.aspx URL, the Web Interface sends the 401 response code because the XenApp server could not complete the SSL handshake.

After further investigating the event logs, the engineers noticed that there was an issue with the SSL certificates.

Related:

  • No Related Posts

7023078: Security Vulnerability: “L1 Terminal Fault” (L1TF) ??? Hypervisor Information (CVE-2018-3620, CVE-2018-3646, XSA-273).

Full mitigation for this issue requires a combination of hardware and software changes. Depending on the guest type, software changes may be required at both the Hypervisor and guest level.

Updated Intel microcode (provided through your hardware / BIOS vendor or by SUSE) introduces a new feature called “flush_l1d”. Hypervisors and bare-metal kernels use this feature to flush the L1 data cache during operations which may be susceptible to data leakage (e.g. when switching between VMs in Hypervisor environments).

Software mitigations exist for the Linux Kernel and for Hypervisors. These mitigations include support for new CPU features, passing these features to guests, and support for enabling/disabling/tuning the mitigations. Recommended mitigations vary depending on the environment.

For the Linux kernel (on both bare metal and virtual machines) L1TF mitigation is controlled through the “l1tf” kernel boot parameter. For complete information on this parameter, see TID 7023077.

KVM

For KVM host environments, mitigation can be achieved through L1D cache flushes, and/or disabling Extended Page Tables (EPT) and Simultaneous MultiThreading (SMT).

The L1D cache flush behavior is controlled through the “kvm-intel.vmentry_l1d_flush” kernel command line option:

kvm-intel.vmentry_l1d_flush=always

The L1D cache is flushed on every VMENTER.

kvm-intel.vmentry_l1d_flush=cond

The L1D cache is flushed on VMENTER only when there can be leak of host memory between VMEXIT and VMENTER. This could still leak some host data, like address space layout.

kvm-intel.vmentry_l1d_flush=never

Disables the L1D cache flush mitigation.

The default setting here is “cond”.

The l1tf “full” setting overrides the settings of this configuration variable.


L1TF can be used to bypass Extended Page Tables (EPT). To mitigate this risk, it is possible to disable EPT and use shadow pages instead. This mitigation is available through the “kvm-intel.enable_ept” option:
kvm-intel.enable_ept=0

The Extended Page tables support is switched off.
As shadow pages are much less performant than EPT, SUSE recommends leaving EPT enabled, and use L1D cache flush and SMT tuning for full mitigation.


To eliminate the risk of untrusted processes or guests exploiting this vulnerability on a sibling hyper-thread, Simultaneous MultiThreading (SMT) can be disabled completely.

SMT can be controlled through kernel boot command line parameters, or on-the-fly through sysfs:

On the kernel boot command line:

nosmt

SMT is disabled, but can be later reenabled in the system.

nosmt=force

SMT is disabled, and can not be reenabled in the system.

If this option is not passed, SMT is enabled. Any SMT options used with the “l1tf” kernel parameter option overrides this “nosmt” option.


SMT can also be controlled through sysfs:

/sys/devices/system/cpu/smt/control

This file allows to read the current control state and allows to disable or (re)enable SMT.

Possible states are:

on

SMT is supported and enabled.

off

SMT is supported, but disabled. Only primary SMT threads can be onlined.

forceoff

SMT is supported, but disabled. Further control is not possible.

notsupported

SMT is not supported.

Potential values that can be written into this file:

on

off

forceoff

/sys/devices/system/cpu/smt/active

This file contains the state of SMT, if it is enabled and active, where active means that multiple threads run on 1 core.

Xen

For Xen hypervisor environments, mitigation is enabled by default and varies based on guest type. Manual adjustment of the “smt=” parameter is recommended, but the remaining parameters are best left at default values.A description of all relevant parameters are provided in the event any changes are necessary.

PV guests achieve mitigation at the Xen Hypervisor level. If a PV guest attempts to write an L1TF-vulnerable PTE, the hypervisor will force shadow mode and prevent the vulnerability. PV guests which fail to switch to shadow mode (e.g. due to a memory shortage at the hypervisor level) are intentionally crashed.

pv-l1tf=[ <bool>, dom0=<bool>, domu=<bool> ]

By default, pv-l1tf is enabled for DomU environments and, for stability and performance reasons, disabled for Dom0.

HVM guests achieve mitigation through a combination of L1D flushes, and disabling SMT.

spec-ctrl=l1d-flush=<bool>

This parameter determines whether or not the Xen hypervisor performs L1D flushes on VMEntry. Regardless of this setting, this feature is virtualized and passed to HVM guests for in-guest mitigation.

smt=<bool>
This parameter can be used to enable/disable SMT from the hypervisor. Xen environments hosting any untrusted HVM guests, or guests not under the full control of the host admin, should either disable SMT (through BIOS or smt=<bool> means), or ensure HVM guests use shadow mode (hap=0) in order to fully mitigate L1TF. It is also possible to reduce the risk of L1TF through the use of CPU pinning, custom CPU pools and/or soft-offlining of some hyper-threads.
These approaches are beyond the scope of this TID, but are documented in the standard Xen documentation.

WARNING – The combination of Meltdown mitigation (KPTI) and shadow mode on hardware which supports PCID can result in a severe performance degradation.

NOTE – Efforts are ongoing to implement scheduling improvements that allow hyper-thread siblings to be restricted to threads from a single guest. This will reduce the exposure of L1TF, and the requirement to disable SMT in many environments.

Related:

  • No Related Posts

Unable to enumerate resources with error “An error occurred while attempting to connect to the server ‘Delivery Controller’ on port 443”

Under certain conditions, when you login to Receiver or Receiver for Web you might not see any of the published resources. Additionally, following events are recorded on the StoreFront server at the time of the issue.

Source: Citrix Store Service

Event ID: 0

Description: An error occurred while attempting to connect to the server MTXenApp1 on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://MTXenApp1/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Source: Citrix Store Service

Event ID: 4003

Description: All the Citrix XML Services configured for farm Controller failed to respond to this XML Service transaction.

Source: Citrix Store Service

Event ID: 4012

Description: None of the Citrix XML Services configured for farm Controller are in the list of active services, so none were contacted.

Related:

  • No Related Posts

Error: “Your apps are not available at this time. Please try again” When Receiver Connects Through NetScaler Gateway

Solution 1

To resolve this issue change the beacon entries in StoreFront. Add the NetScaler Gateway addresses to external beacon.

Reference: https://docs.citrix.com/en-us/storefront/3-11/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

External Beacon

If you want to use ICA proxy from internal and external connections (all clients should only go through NetScaler), then add a fake address in the internal beacon of StoreFront.

Note: The internal beacon should only be resolvable inside the network, if the beacon is resolvable externally then Citrix Receiver will not be able to add the account.

Solution 2

The issue relates to compatibility of Receiver 4.x and Web Interface XenApp services site. Receiver 4.x supports services sites but when connecting thru NS, users may experience issues as described in CTX136828 – Error When Using Windows Receiver PNAgent through Access Gateway Enterprise Edition Appliance.

Also note Citrix Documentation – NetScaler to Web Interface XenApp Services site is not supported.

Related:

  • No Related Posts

Access to a Citrix Knowledge Center Article is Denied

Citrix has introduced Customer Success Services that allow customers to see privileged Knowledge Center content. Contact your local Citrix Solution Advisor or call 1-800-424-8749 and listen for the option to contact the Sales department; they can help determine which program is right for you.You will continue to have access to certain content as per the matrix below.

Software Updates

Product Type Readme Visible to Download Available to
XenApp 7.X or Higher

XenDesktop 7.X or Higher

Provisioning Services 7.x or Higher

XenMobile 10.X or Higher
Public or Limited or Superseded All
  • Customer Success Services customers
  • Subscription Advantage customers
  • Partners
XenApp 6.X or Earlier

XenDesktop 5.6 or Earlier

Provisioning Services 6.x or Earlier

XenMobile 9.X or Earlier

Application Streaming (all versions)

EdgeSight (all versions)

Single Sign-On (all versions)

Secure Gateway (all versions)

Smart Auditor (all versions)

User Profile Management (all versions)

Web Interface (all versions)

CloudPortal Services (all versions)

CloudPortal Business Manager (all versions)

CloudPlatform (all versions)

VDI-in-a-Box (all versions)
Public All All logged in users
Limited or Superseded All
  • Partners
  • Customers with a TRM agreement

XenServer 7.1 LTSR Cumulative Update 1

XenServer CR release earlier to the latest CR release

XenServer 7.0 hotfixes released after 1 December 2017 (XS70E050 and later)

Public All
  • Customer Success Services customers
  • Subscription Advantage customers
  • Partners
XenServer (Other versions) Public All All logged in users

Citrix Supportability Pack

Readme Visible to Download Available to
All
  • Customer Success Services customers
  • Partners


Premium Content

  • Available to Customer Success Services Customers and Partner designated technical contacts on customer’s support entitlement.


Other Content Type

Type Readme Visible to Download Available to
Technotes All All logged in users
Tools All All logged in users
Learning All All logged in users
Security Bulletins All All


Chat

  • Available only to Customer Success Services customers.


For Application Networking Group products (such as NetScaler, CloudBridge, NetScaler (Access) Gateway, Communication Gateway, and Application Gateway), consider subscribing to the Citrix Appliance Maintenance program.

Related:

  • No Related Posts

Citrix XenServer Security Update for CVE-2018-3639

Customers wishing to expose the new host firmware functionality to their guest VMs should install both the Citrix XenServer hotfixes and updated host firmware or BIOS code. The locations of the Citrix XenServer hotfixes are listed below; Citrix recommends following your hardware supplier’s guidance for firmware updates.

Citrix XenServer 7.4: CTX235133 – https://support.citrix.com/article/CTX235133

Citrix XenServer 7.3: CTX235132 – https://support.citrix.com/article/CTX235132

Citrix XenServer 7.1 LTSR CU1: CTX235131 – https://support.citrix.com/article/CTX235131

Citrix XenServer 7.0: CTX235130 – https://support.citrix.com/article/CTX235130

Note that, in line with previous issues that were not vulnerabilities in Citrix XenServer, mitigations are not available for versions 6.x of Citrix XenServer.

Related:

  • No Related Posts

How to Perform Reverse Imaging on a Provisioning Services Target Device for Windows and its Applicable Usages

When a Provisioning Services Target Device for Windows is booted from Provisioning Services (across the network), it is not possible to perform any software updates that affect the network stack, since the network stack changes will drop the connection to the vDisk.

The following provides a list of known network affecting software that periodically requires updating, this is not necessarily a complete list:

  • Hypervisor Tools/NIC Drivers (e.g. VMware Tools, XenServer Tools, VirtIO, etc.)
  • Provisioning Services Target Device Software for Windows – If the Provisioning Services Target Device Software for Windows is version 7.6.1 or newer, then reverse imaging is no longer needed to update the Provisioning Services Target Device Software. In this case, create a new maintenance version of your vDisk, boot it, and run the new Provisioning Services target device installer to do an in-place upgrade.
  • Windows 10 SAC releases upgrades
  • Antivirus definition updates
  • Firewall/Network security software

To update network stack-affecting software, you must first convert (clone) the Provisioning Services vDisk to a traditional virtual machine local disk. The process to convert from vDisk to local disk is sometimes called Reverse Imaging. Once booted from local disk (without going through the network), you can do whatever you want with the NIC. In this state, it’s just a regular virtual machine and no longer connected to the Provisioning Services server.

After Provisioning Services target device software is uninstalled and the system is rebooted to local disk, proceed to upgrade hypervisor tools, NIC driver, Provisioning services target device software, Windows 10, or update antivirus definitions.

Related:

  • No Related Posts

Hotfix XS71ECU1016 – For XenServer 7.1 Cumulative Update 1

Who Should Install This Hotfix?

This is a hotfix for customers running XenServer 7.1 Cumulative Update 1. All customers who are affected by the issues described in CTX234679 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix does not apply to XenServer 7.1. You must apply Cumulative Update 1 before you can apply this hotfix.

Note: XenServer 7.1 Cumulative Update 1 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

Information About this Hotfix

Component Details
Prerequisite None
Post-update tasks* Restart Host
Content live patchable** No
Revision History Published on May 8, 2018
* Important: If you have previously disabled microcode loading on your XenServer host or pool. You must enable microcode loading again after applying this hotfix. For more information, see How to disable microcode loading on a XenServer pool.
** Available to Enterprise Customers.

Issues Resolved In This Hotfix

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.

This hotfix also includes the following previously released hotfixes:

Installing the Hotfix

Customers should use either XenCenter or the XenServer Command Line Interface (CLI) to apply this hotfix. As with any software update, back up your data before applying this update. Citrix recommends updating all hosts within a pool sequentially. Upgrading of hosts should be scheduled to minimize the amount of time the pool runs in a “mixed state” where some hosts are upgraded and some are not. Running a mixed pool of updated and non-updated hosts for general operation is not supported.

Note: The attachment to this article is a zip file. It contains the hotfix update package only. Click the following link to download the source code for any modified open source components XS71ECU1016-sources.iso. The source code is not necessary for hotfix installation: it is provided to fulfill licensing obligations.

Installing the Hotfix by using XenCenter

Before installing this hotfix, we recommend that you update your version of XenCenter to the latest available version for XenServer 7.1 CU 1.

Choose an Installation Mechanism

There are three mechanisms to install a hotfix:

  1. Automated Updates
  2. Download update from Citrix
  3. Select update or Supplemental pack from disk

The Automated Updates feature is available for XenServer Enterprise Edition customers, or to those who have access to XenServer through their XenApp/XenDesktop entitlement. For information about installing a hotfix using the Automated Updates feature, see the section Applying Automated Updates in the XenServer 7.1 Cumulative Update 1 Installation Guide.

For information about installing a hotfix using the Download update from Citrix option, see the section Applying an Update to a Pool in the XenServer 7.1 Cumulative Update 1 Installation Guide.

The following section contains instructions on option (3) installing a hotfix that you have downloaded to disk:

  1. Download the hotfix to a known location on a computer that has XenCenter installed.
  2. Unzip the hotfix zip file and extract the .iso file
  3. In XenCenter, on the Tools menu, select Install Update. This displays the Install Update wizard.
  4. Read the information displayed on the Before You Start page and click Next to start the wizard.
  5. Click Browse to locate the iso file, select XS71ECU1016.iso and then click Open.
  6. Click Next.
  7. Select the pool or hosts you wish to apply the hotfix to, and then click Next.
  8. The Install Update wizard performs a number of update prechecks, including the space available on the hosts, to ensure that the pool is in a valid configuration state. The wizard also checks whether the hosts need to be rebooted after the update is applied and displays the result.
  9. Follow the on-screen recommendations to resolve any update prechecks that have failed. If you want XenCenter to automatically resolve all failed prechecks, click Resolve All. When the prechecks have been resolved, click Next.

  10. Choose the Update Mode. Review the information displayed on the screen and select an appropriate mode.
  11. Note: If you click Cancel at this stage, the Install Update wizard reverts the changes and removes the update file from the host.

  12. Click Install update to proceed with the installation. The Install Update wizard shows the progress of the update, displaying the major operations that XenCenter performs while updating each host in the pool.
  13. When the update is applied, click Finish to close the wizard.
  14. If you chose to carry out the post-update tasks, do so now.

Installing the Hotfix by using the xe Command Line Interface

  1. Download the hotfix file to a known location.
  2. Extract the .iso file from the zip.
  3. Upload the .iso file to the Pool Master by entering the following commands:

    (Where -s is the Pool Master’s IP address or DNS name.)

    xe -s <server> -u <username> -pw <password> update-upload file-name=<filename>XS71ECU1016.iso

    XenServer assigns the update file a UUID which this command prints. Note the UUID.

    93364429-91e6-4c71-a761-a19269642d1c

  4. Apply the update to all hosts in the pool, specifying the UUID of the update:

    xe update-pool-apply uuid=<UUID_of_file>

    Alternatively, if you want to update and restart hosts in a rolling manner, you can apply the update file to an individual host by running the following:

    xe upload-apply host-uuid=<UUID_of_host> uuid=<UUID_of_file>

  5. Verify that the update was applied by using the update-list command.

    xe update-list -s <server> -u root -pw <password> name-label=XS71ECU1016

    If the update is successful, the hosts field contains the UUIDs of the hosts to which this hotfix was successfully applied. This should be a complete list of all hosts in the pool.

  6. If the hotfix is applied successfully, carry out any specified post-update task on each host, starting with the master.

Files

Hotfix File

Component Details
Hotfix Filename XS71ECU1016.iso
Hotfix File sha256 fc5f77170f261a308dda34624e67fd4704cbe1d7a48e58f2d83dd8c06f4e1942
Hotfix Source Filename XS71ECU1016-sources.iso
Hotfix Source File sha256 def6fdd14ad790760d7a7f2a5017fa3895871e64b6ad6418f6b3fd1af02f84c2
Hotfix Zip Filename XS71ECU1016.zip
Hotfix Zip File sha256 4e63fd5525554fda8a98c40473cb48c4891560b915dfff4be3e56a9c5794d709
Size of the Zip file 31.67 MB

Files Updated

dracut-033-360.el7.centos.xs13.x86_64.rpm
dracut-network-033-360.el7.centos.xs13.x86_64.rpm
kexec-tools-2.0.4-31.x86_64.rpm
linux-firmware-20170622-3.noarch.rpm
microcode_ctl-2.1-22.xs1.x86_64.rpm
xen-dom0-libs-4.7.5-1.17.x86_64.rpm
xen-dom0-tools-4.7.5-1.17.x86_64.rpm
xen-hypervisor-4.7.5-1.17.x86_64.rpm
xen-libs-4.7.5-1.17.x86_64.rpm
xen-tools-4.7.5-1.17.x86_64.rpm

More Information

For more information see, the XenServer 7.1 Documentation.

If you experience any difficulties, contact Citrix Technical Support.

Related:

  • No Related Posts

Driver Disk for Microsemi aacraid – 1.2.1.56008 – For XenServer 7.1

Who Should Install this Driver Disk?

Customers running a Citrix XenServer 7.1 LTSR who use Microsemi’s aacraid driver and wish to use the latest version of the following:

Driver Module Version
aacraid 1.2.1.56008

Issues Resolved In this Driver Disk

Includes general enhancements and bug fixes.

Firmware requirements for this Driver Disk

Please ensure that your hardware is running firmware versions greater or equal to the ones specified below, according to the chipset of your particular device:

  • Microsemi Adaptec HBA 1000 Series Host Bus Adapters with Firmware 4.02 [0]
  • Adaptec RAID 8805 with Firmware 33263

Note: If your device has been branded by your OEM, please ensure that you consult them regarding the currently supported driver/firmware versions.

Installing the Driver Disk

Customers should use XenServer Command Line Interface (CLI) to install this update. Once the driver has been installed, the server must be restarted. As with any software update, Citrix advises customers to back up their data before applying this driver disk.

Please note that the attachment to this article is a zip file. It contains both the driver disk ISO mentioned below, and the source code for the driver. The zip file should be unzipped (to produce the driver disk ISO image), before carrying out the steps below. The source code file is not necessary for driver disk installation: it is provided to fulfill licensing obligations.

Installing as Part of a Clean XenServer Installation

  1. After you have selected your keyboard layout at the first installer prompt, you will be presented with a welcome screen. At this point, press F9 on your keyboard, and insert the CD with the driver disk in it, or use one of the other methods such as installation over the network.

    Note: If installation over HTTP or FTP is to be used, the ISO image must be unpacked at that location (i.e. the installer expects to find the contents of the ISO at that network location, not the ISO itself).

  2. The installer will proceed to attempt to load the driver. If this is successful, you can continue with the installation as normal. Near the end of the installation, you will be prompted to re-insert the driver disk (otherwise known as a XenServer supplemental pack) so that the driver can be installed onto disk. You must re-supply the driver disk at this point. Failure to do so will mean that the installation will not contain the new drivers. After this step, no further action is required.

If the installer fails to load the new driver from the driver disk, it is likely to be because an earlier version of the driver has already been loaded. In general, this is because a hardware component is present that is supported by the version of the driver that ships as part of XenServer (even if another component is present that requires a newer version of the driver). To avoid the existing driver being loaded, use the following procedure.

  1. Reboot the host, leaving the XenServer installation CD-ROM in the drive.
  2. At the boot: prompt, type:

    shell

  3. You will now be presented with a command prompt. Type the following:

    rmmod aacraid

    If this succeeds (i.e. there are no error messages printed), the installer’s versions of the drivers have been unloaded. If error messages are presented, it is likely that other drivers depend on one or more of the drivers you are attempting to unload. If this is the case, please contact Citrix Technical Support.

  4. Type

    exit

    or press Control+D on your keyboard, to return to the installer.

  5. Use the procedure described above to provide the driver disk to the installer, which should now load correctly.

Installing the Update by using the xe Command Line Interface

Perform the following steps to install the update remotely using the xe CLI:

  1. Download the update to a known location on a computer that has XenCenter installed.
  2. Upload the update:

    xe update-upload file-name=driver-microsemi-aacraid-1.2.1.56008.iso

    Note: The UUID of the update is returned when the upload completes.

  3. Apply the update:

    xe update-apply uuid=63cd3ae9-3ff6-43f7-8d51-e1e04f4d46cf

  4. To complete the installation, restart the host. This ensures that the driver loads correctly.

Files

Update Files

Component Details
Filename driver-microsemi-aacraid-1.2.1.56008.iso
File sha256 6855c036b6fadbc691dae6fe81d7f7bee40ab23ad59984cc365a9e49f0e9e177
Source Filename driver-microsemi-aacraid-1.2.1.56008-sources.iso
Source File sha256 8beccd28d27c627a332abb58966853d9ebd32af7e6d62ac054eaad94515c898f
Zip Filename driver-microsemi-aacraid-1.2.1.56008.zip
Zip File sha256 120a940313699cf9ec7703caf739af40102eebc722806186bc7a456643a59672
Size of the Zip file 135.42 MB

RPMs Provided

RPM Name
microsemi-aacraid-1.2.1.56008-2.x86_64.rpm

More Information

If you experience any difficulties, contact Citrix Technical Support.

For information on how to build driver disks, refer to Citrix XenServer Supplemental Packs and the DDK Guide .

Related:

  • No Related Posts

How to upgrade SDX appliance from 10.5/11.x to 12.0 Version

If you are already running 11.x or 10.5 Build 57.x or later, then please jump to STEP 7, as STEP 1 to STEP 6 are only valid for versions up to 10.5 Build 56.x.

STEP 1: Make sure that your SVM (Management Service) version 10.5 Build 66.x or later. You can download it from downloads.citrix.com. Downloaded file will be of format build-svm-10.5-6x.xx.tgz

Download Link: https://www.citrix.co.in/downloads/netscaler-adc/service-delivery-appliances/sdx-release-105-build-6710.html

In this article, we would be using SVM 10.5 Build 67.10 as an example.

Please see the screenshots below to find out the download location/naming of the file:

User-added image

User-added image

STEP 2: Upload the downloaded file to the SDX under Management Service–>Software Images

User-added image

STEP 3: Click on System–>Under System Administration–>Upgrade Management Service

NOTE: In the screenshot below, you can also see “Upgrade Appliance” option. This is because we are already running SVM 10.5 Build 66+, however if you are running older versions of SVM (Example builds older than 10.5 Build 56.x) then you might not see the option of Upgrade platform. If you see the “Upgrade Appliance” option on your current version of SVM then you can skip the SVM upgrade and directly go for Single Bundle upgrade (STEP 7). The idea behind upgrading SVM to 10.5 Build 66+ is to get the “Upgrade Platform” option.

User-added image

This will take you to the next page with the list of builds that you have uploaded on the appliance. Select the one that you need to upgrade to and hit OK.

Hitting OK will give you a warning pop up before proceeding. Hit Yes.

User-added image

Hitting Yes will start the SVM upgrade process and will take you to a screen with the timer.

User-added image

NOTE: This only means that currently SVM is upgrading and none of the VPX hosted (if any) on the appliance are effected. VPX appliances are only effected if the whole SDX appliance is rebooted. With SVM rebooting, you only lose the SVM to VPX communication temporarily.

Once the reboot of the SVM is done, you will be presented with the login screen. Login again and confirm that you can see the new version.

STEP 4: Make sure that you have the bundle file downloaded for the Single Bundle Upgrade. The file format would be similar to build-sdx-12.0-xx.xx.tgz

Download Link: https://www.citrix.co.in/downloads/netscaler-adc/service-delivery-appliances/sdx-bundle-120-5719.html

Screenshots from the download site:

User-added image

User-added image

STEP 5: Upload the file under Management Service–>Software Images

NOTE: Since this is 10.5 and the bundle file is of .tgz format, it needs to be uploaded under Software Images and not platform Images.

User-added image

After Upload:

User-added image

STEP 6: Navigate to System–>System Administration–>Upgrade Management Service

User-added image

This is similar to STEP 3, however the only difference is that we have used the platform file (build-sdx-12.0-xx-xx.tgz) and not the SVM upgrade (build-svm-xx.xx.xx.tgz).

We do not have separate files for SVM upgrade starting 11.0 Version, and hence we have used the whole bundle to upgrade.This will go for a reboot after the warning.

NOTE: After the upgrade you will notice that only SVM has been upgraded and none of the other components like Platform Version, XenServer Version is still showing old. However, the new SVM will give us a new GUI option of “Upgrade Appliance” and old options of upgrade Management service/Upgrade platform are not existing on the new SVM.

STEP 7: Navigate to System–>System Administration–>Upgrade Appliance

User-added image

Choose the file and Hit OK.

User-added image

After you hit OK, you will be directed to a different page which shows the summary of the upgrade. Important to note is that platform version will be upgraded with this including the supplemental fix and hot fixes.

User-added image

Hit Upgrade.

NOTE: The process of upgrade takes time and you will notice that the appliance reboots more than once before it is finally up. During the upgrade you will see that the SVM page on browser is not displayed; this is expected.

After the upgrade is completed you will see a page that confirms the upgrade status.

User-added image

STEP 8: Login and confirm the upgraded Hypervisor information.

User-added image

NOTE: If for some reason you do not see the XenServer version as 6.5, then please collect the support bundle (Management Service + XenServer) and reach out to support.

Related:

  • No Related Posts