Q: How does LB slow start work with persistence? When is the slow start exited?
A: By default, a newly configured virtual server remains in Slow Start mode for a Startup RR Factor of 100.
If there are 2 services bound to the LB VIP, the LB vServer will exit slow-start mode after 200 hits. The calculation is PE(n) x service(n) x 100 = 1 x 2 x 100 = 200 (assuming there is one packet engine, PE).
When Source IP based persistence is configured, the client connections need to hit the LB VIP from different source IPs. In the above case, if 200 connections are initiated from the same source IP, the counter will only decrement by 1 (with 199 remaining). The remaining 199 connections need to come from unique source IPs for the NetScaler to exit slow-start mode and return to the configured load balancing method.
With Source IP persistence configured, the counter decrements only as connections from new source IPs arrive:

root@netscaler# nsconmsg -K newnslog -d current -s disptime=1 -g vsvr_do_next_rrreq | more
Displaying performance information
NetScaler V20 Performance Data
NetScaler NS11.1: Build 51.21.nc, Date: Dec 22 2016, 12:32:24
14 427000 200 200 28 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:55:59 2017
15 322000 199 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 11:01:21 2017
16 1938995 198 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 13:15:31 2017
17 14000 197 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 13:15:45 2017

If the persistence is set to NONE, irrespective of the source IPs, slow start is exited once the number of connections reaches 200:

2 223997 200 1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:46:46 2017
3 49000 199 -1 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:35 2017
4 7000 176 -23 -3 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:42 2017
5 7001 163 -13 -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:49 2017
6 6999 132 -31 -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:47:56 2017
7 7000 109 -23 -3 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:03 2017
8 7000 89 -20 -2 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:10 2017
9 7000 57 -32 -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:17 2017
10 7000 25 -32 -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:24 2017
11 7001 23 -2 0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:31 2017
12 14000 13 -10 -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:45 2017
13 6999 0 -13 -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul 7 10:48:52 2017

Refer to https://support.citrix.com/article/CTX108886 for more about slow start.
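The slow-start accounting described in this answer, as an added illustration (not NetScaler code): the threshold is PE(n) x service(n) x 100, and with SOURCEIP persistence a repeat client is served from the persistence table and does not move the counter. The class and function names are mine, and the client addresses fed in are constructed from RFC 5737 documentation ranges.

```python
from typing import Dict, Iterable, Set

STARTUP_RR_FACTOR = 100  # NetScaler default "Startup RR Factor" quoted in the answer


def slow_start_threshold(packet_engines: int, services: int,
                         factor: int = STARTUP_RR_FACTOR) -> int:
    """PE(n) x service(n) x factor: the hit count at which slow start ends."""
    return packet_engines * services * factor


class SlowStartCounter:
    """Hypothetical model of the vsvr_do_next_rrreq counter shown in the nsconmsg output.

    persistence: "NONE" or "SOURCEIP" (the two cases the answer contrasts).
    With SOURCEIP persistence a client that already has a persistence entry is
    sent to its persisted service, so no new round-robin decision is made and
    the counter stays where it is.
    """

    def __init__(self, persistence: str, packet_engines: int = 1, services: int = 2):
        if persistence not in ("NONE", "SOURCEIP"):
            raise ValueError("persistence must be NONE or SOURCEIP")
        self.persistence = persistence
        self.remaining = slow_start_threshold(packet_engines, services)
        self.seen_sources: Set[str] = set()

    def in_slow_start(self) -> bool:
        return self.remaining > 0

    def hit(self, source_ip: str) -> int:
        """Account for one client connection; returns the counter afterwards."""
        if not self.in_slow_start():
            return self.remaining          # already back on the configured LB method
        if self.persistence == "SOURCEIP":
            if source_ip in self.seen_sources:
                return self.remaining      # persisted client: counter unchanged
            self.seen_sources.add(source_ip)
        self.remaining -= 1
        return self.remaining


def run_scenario(persistence: str, source_ips: Iterable[str]) -> Dict[str, object]:
    """Feed a sequence of client source IPs through the counter and report the end state."""
    counter = SlowStartCounter(persistence)
    for ip in source_ips:
        counter.hit(ip)
    return {"remaining": counter.remaining,
            "in_slow_start": counter.in_slow_start(),
            "unique_sources": len(counter.seen_sources)}


if __name__ == "__main__":
    # Constructed traffic: 200 connections from one client, then 199 further unique clients
    same_client = ["198.51.100.10"] * 200
    unique_clients = [f"203.0.113.{i}" for i in range(1, 200)]
    print("NONE, one client      :", run_scenario("NONE", same_client))
    print("SOURCEIP, one client  :", run_scenario("SOURCEIP", same_client))
    print("SOURCEIP, +199 unique :", run_scenario("SOURCEIP", same_client + unique_clients))
```

With persistence NONE the 200 connections from one address exhaust the counter; with SOURCEIP the same traffic moves it by exactly one, and it only reaches zero once 200 distinct source addresses have been seen, which is the behaviour the two nsconmsg captures show.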
Q: A persistence RULE is configured with a persistence timeout of 10 minutes. When the “show persistent sessions” command is run for that particular load balancing vServer, many entries with a timeout of 0 (expired) are still seen in the output table. What causes these persistence table entries to remain even though the timeout has expired?
A: The “show persistence session” output only displays entries from the master core, not from the peer cores where the persistence session is cached.
Even if the timeout value has reached 0 on the master core, another core may still hold this session entry with a non-zero value, so the master core does not remove it from its table immediately after it times out.
By design, after the connection has gone idle and been deleted and the persistence timeout has passed, the entry can remain for a further 2 minutes because of the relationship between the master core and the peer core, and in some cases for 120-330 seconds while NSPPE and internal processing synchronize.
Q: An LB vServer (HTTP) does not load balance hits correctly when the LB method is Least Connection. An uneven number of hits is seen on the two load-balanced backend services.
A: In the “Least Connection” load balancing method, the value taken into account is the number of connections per service, not the number of hits to the service.
Q: Does the TCP profile bound on the CS VIP or the one on the corresponding LB VIP take precedence?
A: NetScaler uses the TCP profile bound on the Content Switching vServer for the front-end (client) connection.
The TCP profile bound to the Load Balancing vServer is not used if the connection arrives through the Content Switching vServer.
The TCP profile bound to the Load Balancing vServer is applied only if the client establishes the connection with the Load Balancing VIP directly.
If no TCP profile is bound to the Content Switching vServer, the default TCP profile is used.
Q: Can a VIP address be bound to a netprofile/IP set in a Cluster?
A: This is not allowed in earlier builds; attempting it returns the error “ERROR: Operation not permitted”. It is supported starting from 11.1 build 58.x and 12.0 build 33.x (Issue ID: 664024).
Q: Are active sessions dropped while disabling a service or a member of a service group?
A: Yes, the active connections are dropped if we do not do a “Graceful” disable of the service. Active connections are maintained if the “Graceful” checkbox is selected.
Traffic Management -> LB -> Service Group -> Manage Member -> select the member, click Disable, check Graceful and click OK.
Q: What does the “Graceful” option do while disabling a service?
A: This checkbox indicates a graceful shutdown of the service. The system waits for all outstanding connections to this service to be closed before disabling the service.
Gracefully disabled services maintain all current connections until these have timed out or been gracefully closed. All new connections are sent to the enabled services.
Simply disabling the service (without Graceful) will migrate all existing connections to the enabled service.
State | Results
--- | ---
Graceful shutdown is enabled and a wait time is specified. | Service is shut down after the last of the current active client connections is served, even if the wait time has not expired. The appliance checks the status of the connections once every second. If the wait time expires, any open sessions are closed.
Graceful shutdown is disabled and a wait time is specified. | Service is shut down only after the wait time expires, even if all established connections are served before expiration.
Graceful shutdown is enabled and no wait time is specified. | Service is shut down only after the last of the previously established connections is served, regardless of the time taken to serve the last connection.
Graceful shutdown is disabled and no wait time is specified. | No graceful shutdown. Service is shut down immediately after the disable option is chosen or the disable command is issued. (The default wait time is zero seconds.)
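The four rows of the table above as a small decision function, added here as an illustration and not taken from NetScaler code. The function names and argument names are mine; the "last active connection needs N more seconds" picture it works from is constructed.

```python
from typing import Dict, Optional


def disable_outcome(graceful: bool, wait_time: int,
                    last_connection_closes_at: Optional[int]) -> Dict[str, object]:
    """Hypothetical helper: when does a disabled service actually go down, and
    are any of its active client connections cut off?

    graceful                  -- the "Graceful" checkbox / option
    wait_time                 -- wait time in seconds (0 = not specified, the default)
    last_connection_closes_at -- seconds from now until the last currently active
                                 connection finishes on its own (None = none active)
    """
    if wait_time < 0:
        raise ValueError("wait time cannot be negative")
    open_until = 0 if last_connection_closes_at is None else last_connection_closes_at

    if graceful and wait_time > 0:
        # Row 1: the last connection finishing or the wait time, whichever comes first
        shutdown_at = min(open_until, wait_time)
    elif wait_time > 0:
        # Row 2: always the full wait time, even if every connection finished earlier
        shutdown_at = wait_time
    elif graceful:
        # Row 3: wait for the last connection, however long that takes
        shutdown_at = open_until
    else:
        # Row 4: immediate shutdown (default wait time of zero seconds)
        shutdown_at = 0

    return {"shutdown_at": shutdown_at,
            # anything still open when the service goes down is closed by the appliance
            "connections_cut_off": open_until > shutdown_at}


def compare_modes(last_connection_closes_at: Optional[int],
                  wait_time: int) -> Dict[str, Dict[str, object]]:
    """Run the same connection picture through all four table rows."""
    return {
        "graceful+wait":     disable_outcome(True,  wait_time, last_connection_closes_at),
        "nograceful+wait":   disable_outcome(False, wait_time, last_connection_closes_at),
        "graceful+nowait":   disable_outcome(True,  0,         last_connection_closes_at),
        "nograceful+nowait": disable_outcome(False, 0,         last_connection_closes_at),
    }


if __name__ == "__main__":
    # Constructed picture: the longest-running active connection needs 300 more
    # seconds and the operator specified a 120-second wait time.
    for mode, outcome in compare_modes(300, 120).items():
        print(f"{mode:<18} shuts down at {outcome['shutdown_at']:>4}s, "
              f"connections cut off: {outcome['connections_cut_off']}")
```

The point the function makes visible is that only "graceful with no wait time" guarantees no active session is cut off; every other combination bounds the wait and therefore may close sessions that outlive it.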
Q: NS 10.5: NetProfile does not work intermittently and traffic is sourced from the wrong SNIP
A: This has been identified as an issue in the 10.5 build and is fixed in 11.1 (Issue ID: 536377).
Q: Why does an SSL VIP use HTTP/1.1 despite HTTP/2 being configured in the bound HTTP profile?
A: In the SSL handshake, the client hello shows that the client supports HTTP/2 over TLS (h2), yet the VIP chooses HTTP/1.1.
HTTP/2 over TLS (h2) requires TLS version 1.2 or higher, and HTTP/2 does not support any of the cipher suites listed in the following article:
https://http2.github.io/http2-spec/#BadCipherSuites
Ensure that HTTP/2-supported ciphers are bound to the VIP.
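An added check for the two conditions in this answer, not code from the page or from NetScaler: it flags enabled protocol versions below TLS 1.2 and cipher suites that fall on the HTTP/2 black list. The "ephemeral key exchange plus AEAD cipher" rule below is an approximation of RFC 7540 Appendix A (the linked list), not a copy of it; the `TLS1.2-`/`TLS1-`/`SSL3-` prefix handling assumes NetScaler-style cipher names, and the sample VIP cipher lists are constructed.

```python
import re
from typing import Dict, List, Tuple

# RFC 7540 section 9.2: TLS 1.2 or newer, an ephemeral key exchange and an AEAD
# cipher. Static-RSA, CBC, RC4, 3DES, NULL and anonymous suites are all on the
# Appendix A black list; the regexes below approximate that list.
_NETSCALER_PREFIX = re.compile(r"^(SSL3|TLS1(\.[23])?)-")   # assumed NetScaler naming, e.g. TLS1.2-ECDHE-RSA-...
_IANA_OK = re.compile(
    r"^TLS_(ECDHE|DHE)_(RSA|ECDSA|PSK)_WITH_"
    r"(AES_(128|256)_(GCM|CCM)(_8)?|CHACHA20_POLY1305)(_SHA(256|384))?$")
_TLS13_OK = re.compile(
    r"^TLS_(AES_(128|256)_GCM_SHA(256|384)|AES_128_CCM(_8)?_SHA256|CHACHA20_POLY1305_SHA256)$")
_OPENSSL_OK = re.compile(
    r"^(ECDHE|DHE)-(RSA|ECDSA|PSK)-"
    r"(AES(128|256)-(GCM|CCM)(8)?|CHACHA20-POLY1305)(-SHA(256|384))?$")


def tls_version_ok(version: str) -> bool:
    """True for TLS 1.2 or newer; 'TLSv1.2', 'TLS1.3' and '1.2' are all accepted."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m or version.upper().startswith("SSL"):
        return False
    return (int(m.group(1)), int(m.group(2))) >= (1, 2)


def cipher_ok(cipher: str) -> Tuple[bool, str]:
    """Classify one suite name (IANA, OpenSSL or prefixed NetScaler spelling)."""
    name = _NETSCALER_PREFIX.sub("", cipher.strip())
    if _TLS13_OK.match(name):
        return True, "TLS 1.3 AEAD suite"
    if _IANA_OK.match(name) or _OPENSSL_OK.match(name):
        return True, "ephemeral key exchange with AEAD cipher"
    if not re.search(r"(ECDHE|DHE)[-_]", name):
        return False, "non-ephemeral key exchange (black-listed for h2)"
    if not re.search(r"GCM|CCM|CHACHA20", name):
        return False, "not an AEAD cipher (black-listed for h2)"
    return False, "not recognised as an h2-compatible suite"


def audit_vip(enabled_protocols: List[str], bound_ciphers: List[str]) -> Dict[str, object]:
    """Report whether an h2 negotiation can succeed on a VIP with this configuration."""
    usable = [c for c in bound_ciphers if cipher_ok(c)[0]]
    rejected = [(c, cipher_ok(c)[1]) for c in bound_ciphers if not cipher_ok(c)[0]]
    version_ok = any(tls_version_ok(p) for p in enabled_protocols)
    return {"tls12_or_newer": version_ok,
            "usable": usable,
            "rejected": rejected,
            "h2_possible": version_ok and bool(usable)}


if __name__ == "__main__":
    # Constructed example: TLS 1.2 is enabled but only legacy suites are bound,
    # which is exactly the situation where the VIP silently falls back to HTTP/1.1.
    legacy_only = ["TLS1-AES-128-CBC-SHA", "SSL3-DES-CBC3-SHA", "TLS1.2-ECDHE-RSA-AES-128-SHA256"]
    fixed = legacy_only + ["TLS1.2-ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]
    for label, ciphers in (("before", legacy_only), ("after", fixed)):
        report = audit_vip(["TLSv1.2", "TLSv1.3"], ciphers)
        print(label, "h2 possible:", report["h2_possible"])
        for cipher, reason in report["rejected"]:
            print("   rejected", cipher, "-", reason)
```

The "before" list reproduces the symptom in the question: the client offers h2 but no bound suite is acceptable, so the VIP negotiates HTTP/1.1. Binding at least one ECDHE+AEAD suite (or a TLS 1.3 suite with TLS 1.3 enabled) makes the "after" report pass.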
Q: Can we view SSL counters/statistics specific to a vServer or a VIP?
A: This is currently not possible. An enhancement request has been raised with Product Management for this:
ENH0234441: Display of per vServer/service stats with the “stat ssl” command
ENH0234442: SSL per vServer/service stats should be displayed in the nsconmsg -s ConSSL output
Q: What does the spillover count (SO) for a vServer in the ConLb output indicate?
A: If you have spillover configured or have a backup vServer and spillover occurs, the connections are sent to the backup and the counter increments. If you have neither spillover nor a backup vServer configured, the connection is reset and the spillover counter still increments. In that case, the incrementing counter indicates requests being reset.
When you do have spillover configured and requests are actually being spilled over, the counter increments as well, so the counter increments in either scenario. Hence, if you know you do not have spillover configured and you see spillover hits, you should consider setting up spillover so that requests are processed instead of being reset.
Q: What are the ways to protect a Load Balancing vServer against failure when it goes DOWN?
A: “Disable Primary When Down”: If you want the backup virtual server to remain in control until you manually enable the primary virtual server, even if the primary virtual server comes back up, select “Disable Primary When Down”. For more information on “Configuring a Backup Load Balancing Virtual Server” refer to the docs:
http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/config-backup-vserver.html
“Connection fail over”: Connection fail over helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection fail over (or connection mirroring, CM) refers to keeping an established TCP or UDP connection active when a fail over occurs. The new primary NetScaler appliance has information about the connections established before the fail over and continues to serve those connections. After failover, the client remains connected to the same physical server. Service types supported for connection failover: ANY, UDP, TCP, FTP, SSL_BRIDGE.
For more information on “Connection failover” refer to
http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/connection-failover.html
Other methods can be viewed at the following link: https://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration.html
Q: Can we integrate MFA with an LB vServer?
A: Yes, this can be done by configuring a AAA vServer, which can be configured as a SAML SP. Microsoft MFA can be configured as the SAML IdP if it has access to LDAP/RADIUS.