Citrix ADC SNMP Counters

This article lists the newnslog Simple Network Management Protocol (SNMP) counters with a brief description of each.

Using the Counters

Log on to the ADC using an SSH client, switch to the shell, change to the /var/nslog directory, and use the ‘nsconmsg’ command to view comprehensive statistics from the different counters available. For the detailed procedure, refer to the Citrix blog post NetScaler ‘Counters’ Grab-Bag!.

The newnslog SNMP Counters

The following table lists the newnslog SNMP counters with a simple description of the counter.

| Newnslog Counter | Description |
|---|---|
| snmp_tot_rxpkts | SNMP packets received. |
| snmp_tot_txpkts | SNMP packets transmitted. |
| snmp_tot_badVersions | SNMP messages received for an unsupported SNMP version. |
| snmp_tot_badCommName | SNMP messages received that used an SNMP community name not known to the NetScaler appliance. |
| snmp_tot_badCommUse | SNMP messages received that represented an SNMP operation not allowed by the SNMP community named in the message. |
| snmp_tot_parseErrs | ASN.1 or BER errors encountered when decoding received SNMP messages. |
| snmp_tot_getBulkReqs | SNMP Get-Bulk PDUs that are accepted and processed. |
| snmp_tot_getReqs | SNMP Get-Request PDUs that are accepted and processed. |
| snmp_tot_getNextReqs | SNMP Get-Next PDUs that are accepted and processed. |
| snmp_tot_responses | SNMP Get-Response PDUs that the NetScaler appliance generates. |
| snmp_err_req_dropped | SNMP requests dropped. |
| snmp_tot_traps | SNMP Trap PDUs that the NetScaler appliance generates. |
| snmp_tot_unsupportedSecurityLevel | SNMP packets dropped because they requested a security level that is unknown to the NetScaler appliance or otherwise unavailable. |
| snmp_tot_notInTimeWindow | SNMP packets dropped because they appeared outside the time window of the authoritative SNMP engine. |
| snmp_tot_unknownUserName | SNMP packets dropped because they referenced a user that is not known to the SNMP engine. |
| snmp_tot_unknownEngineIds | SNMP packets dropped because they referenced an SNMP engine ID that is not known to the NetScaler appliance. |
| snmp_tot_wrongDigests | SNMP packets dropped because they do not contain the expected digest value. |
| snmp_tot_decryptionErrors | SNMP packets dropped because they cannot be decrypted. |
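Several of the counters above only grow when a peer fails SNMP authentication or authorization against the appliance (wrong community, wrong SNMPv3 user, bad digest, undecryptable payload, request outside the time window), which makes them worth watching separately from plain traffic volume. The following shell snippet is an added example, not part of the Citrix article: it reads nsconmsg-style counter lines and prints the watched counters whose delta is non-zero. The column layout it parses (index, rtime, total, delta, rate, symbol name) is an assumption modelled on typical nsconmsg output, and the sample lines are constructed, not real appliance output.

```shell
#!/bin/sh
# Added example (not from the Citrix article): flag SNMP authentication and
# authorization failure counters in nsconmsg-style output.
# ASSUMED column layout, modelled on "nsconmsg -K /var/nslog/newnslog -d current -g snmp_tot":
#   Index  rtime  totalcount-val  delta  rate/sec  symbol-name&device-no

# Counters (names from the article's table) whose growth means a peer is being
# rejected by the SNMP agent rather than served.
SNMP_AUTH_COUNTERS='snmp_tot_badCommName snmp_tot_badCommUse snmp_tot_unknownUserName snmp_tot_wrongDigests snmp_tot_decryptionErrors snmp_tot_unsupportedSecurityLevel snmp_tot_notInTimeWindow'

# Read counter lines on stdin; print "name delta total" for every watched
# counter whose delta in the sampled interval is greater than zero.
snmp_auth_failures() {
    awk -v watch="$SNMP_AUTH_COUNTERS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
        # A data line starts with a numeric index; the header line does not.
        $1 ~ /^[0-9]+$/ && NF >= 6 {
            name = $6; total = $3; delta = $4
            if (name in watched && delta + 0 > 0) print name, delta, total
        }'
}

# Constructed sample for offline use; not real appliance output.
sample_nsconmsg_output() {
    cat <<'EOF'
Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0       7          1842          12        1 snmp_tot_rxpkts
    1       7          1801          12        1 snmp_tot_txpkts
    2       7            41           0        0 snmp_tot_badVersions
    3       7           388          37        5 snmp_tot_badCommName
    4       7            16           0        0 snmp_tot_badCommUse
    5       7            93           9        1 snmp_tot_wrongDigests
    6       7             2           0        0 snmp_tot_decryptionErrors
EOF
}

# Prints:
# snmp_tot_badCommName 37 388
# snmp_tot_wrongDigests 9 93
sample_nsconmsg_output | snmp_auth_failures
```

On the appliance the sample function would be replaced by the live nsconmsg command piped into snmp_auth_failures; a steadily growing badCommName or wrongDigests delta from the same source is the signal to cross-check against the configured SNMP managers and community/user list.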


Management Center failed to send emails due to authentication errors

I need a solution

Dears,

I have an issue with the management center appliance (v2.2.1.1), as I cannot send emails when a job has finished its task, while the SMTP configuration (Mail Settings) is as follows:

Mail Server: Mail Server IP

Mail Server Port: 587 (Custom Port)

From Address: BlueCoat.MC@qnbalahli.com

Notes:

– This SMTP server with custom port (587) uses a secure connection.

– On mail server a policy is created with MC IP address not to require authentication from that IP.

– We imported the Exchange server certificate on the management center.

When we use default port 25 (not secure port) it works well.

– When checking the MC logs we found the following error:

caused by: org.springframework.mail.MailAuthenticationException: Authentication failed; nested exception is javax.mail.AuthenticationFailedException: 535 5.7.3 Authentication unsuccessful

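The 535 5.7.3 reply in the log above is the server's answer to an AUTH command, so the client did attempt to authenticate on port 587. Whether the server asks for authentication on that port, and which mechanisms it accepts after STARTTLS, can be read from its EHLO reply. The following shell snippet is an added example, not part of the forum post or of the Management Center product: it extracts the extension keywords from a captured EHLO reply and reports whether AUTH is advertised. Both sample replies are constructed.

```shell
#!/bin/sh
# Added example (not from the forum post): read the capability list a mail
# server returns to EHLO and report whether it advertises AUTH.

# Extract extension keywords from one captured EHLO reply. Reply lines look like
# "250-STARTTLS" or "250 AUTH LOGIN PLAIN"; the first 250 line is the server's
# greeting and carries no extension, so it is skipped.
ehlo_extensions() {
    awk '/^250[- ]/ { sub(/^250[- ]/, ""); if (seen++) print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Verdict for a captured reply: "auth-required" when AUTH is advertised,
# "no-auth-advertised" otherwise, followed by the extension list.
classify_ehlo() {
    ext="$(ehlo_extensions)"
    case " $ext " in
        *" AUTH "*) printf 'auth-required: %s\n' "$ext" ;;
        *)          printf 'no-auth-advertised: %s\n' "$ext" ;;
    esac
}

# Constructed sample of a submission-port (587) EHLO reply after STARTTLS.
sample_ehlo_587() {
    cat <<'EOF'
250-mail.example.test Hello [192.0.2.10]
250-SIZE 37748736
250-PIPELINING
250-AUTH LOGIN PLAIN
250-8BITMIME
250 CHUNKING
EOF
}

# Constructed sample of a port-25 connector that relays by source IP and
# therefore does not offer AUTH at all.
sample_ehlo_25() {
    cat <<'EOF'
250-mail.example.test Hello [192.0.2.10]
250-SIZE 37748736
250-PIPELINING
250-8BITMIME
250 CHUNKING
EOF
}

sample_ehlo_587 | classify_ehlo   # auth-required: 8BITMIME AUTH CHUNKING PIPELINING SIZE
sample_ehlo_25  | classify_ehlo   # no-auth-advertised: 8BITMIME CHUNKING PIPELINING SIZE
```

The parser expects a single EHLO reply on stdin. A live reply can be captured by completing STARTTLS with an SMTP-aware TLS client (for example openssl s_client with its smtp STARTTLS mode), sending EHLO over the encrypted channel and saving the 250 lines; that capture step is an assumption about the tooling available and is not shown here.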


SFTP through a Transparent ProxySG

I do not need a solution (just sharing information)

Dear all,

My customer needs to SFTP through a transparent ProxySG. I have already intercepted the SSH service. Then I tested creating a policy whose destination is a destination/host port object such as 159.x.x.x port 22, and this works. But if I create the policy with a destination/host port object such as sftp.aaa.com, it isn't working. After I traced the policy, this connection doesn't match the rule. Please help to verify and please recommend how to resolve this issue.

The policy trace for this connection is as below:

connection: service.name=SSH client.address=172.x.x.x proxy.port=22 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2019-08-19 03:21:44 UTC
TUNNEL tcp://159.x.x.x:22/



Advisory: Sophos XG Firewall email fails to send to servers that only support TLS 1.0

On a Sophos XG Firewall running version 17 with email protection enabled, some recipient servers fail to negotiate a TLS 1.0 connection and the email fails to send.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall

In v17 some emails will not be delivered to the recipient server, either incoming or outgoing.

A UI change will allow the firewall administrator to disable or enable TLS 1.0 for email communication.

Email behaviour will also change so that, when TLS cannot be negotiated correctly, the connection falls back to plain text.

Fix to be released in v17 MR2.

For incoming email, an administrator can add their email servers to the Skip TLS Negotiation Hosts/Nets field under Email > General Settings > SMTP TLS Configuration.

For outgoing mail, please log a support request and reference this KB article.

Note the domains that mail fails to be sent to, look up their MX records, and add all of the IP addresses to the Skip TLS Negotiation Hosts/Nets field under Email > General Settings > SMTP TLS Configuration. This is a tedious process because it requires continuous monitoring.

The other option is to edit the mta.conf file from the shell of the XG Firewall and restart the awarrenmta service. Before making any command line changes, we recommend creating a backup of your system. Use a reliable SSH client, such as PuTTY, before making changes. If you have any questions or concerns, call support for assistance in following these steps:

  1. Log in to the command line interface of the Sophos XG Firewall with PuTTY.
  2. Select option 5. Device Management.
  3. Select option 3. Advanced Shell.
  4. Put the file system into write mode: mount -n -o remount,rw /
  5. Use vi to edit the file: vi /static/proxy/smtp/mta.conf
  6. Look for the line with disable_tls1 yes
  7. Change yes to no.
  8. Save and write the changes with :wq from the vi command line (press ESC to reach the command line).
  9. Restart the awarrenmta service: service awarrenmta:restart -ds nosync
  10. Put the system back into read-only mode: mount -n -o remount,ro /
  11. The change is now in effect.

Alternatively, edit the smtp.conf file from the shell of the XG Firewall and restart the awarrensmtp service. Before making any command line changes, we recommend creating a backup of your system. Use a reliable SSH client, such as PuTTY, before making changes. If you have any questions or concerns, call support for assistance in following these steps:

  1. Log in to the command line interface of the Sophos XG Firewall with PuTTY.
  2. Select option 5. Device Management.
  3. Select option 3. Advanced Shell.
  4. Put the file system into write mode: mount -n -o remount,rw /
  5. Use vi to edit the file: vi /static/proxy/smtp/smtp.conf
  6. Look for the line with disable_tls1 yes
  7. Change yes to no.
  8. Save and write the changes with :wq from the vi command line (press ESC to reach the command line).
  9. Restart the awarrensmtp service: service awarrensmtp:restart -ds nosync
  10. Put the system back into read-only mode: mount -n -o remount,ro /
  11. The change is now in effect.
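Both procedures above make the same one-line change (disable_tls1 yes to disable_tls1 no) in a different file, with vi, between remounting the file system read-write and restarting the matching service. The following shell function is an added example, not part of the Sophos article or product: it performs that edit with a backup and a verification step, refuses to touch a file that does not already contain the directive, and accepts "yes" as well so the hardened default can be restored once the recipient servers support a newer TLS version. The demo runs on a constructed copy of the file, not on /static/proxy/smtp/mta.conf; the remount, service restart and menu steps from the article are shown only as comments.

```shell
#!/bin/sh
# Added example (not from the Sophos article): set disable_tls1 in an XG
# mta.conf/smtp.conf style file with a backup and a verification step.

# Usage: set_disable_tls1 <config file> <yes|no>
# Returns 0 when the file ends up containing "disable_tls1 <value>", 1 otherwise.
set_disable_tls1() {
    cfg="$1"; want="$2"
    case "$want" in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 1 ;;
    esac
    # Refuse to edit a file that does not carry the directive, so a mistyped
    # path cannot silently produce a new file the MTA never reads.
    grep -q '^disable_tls1[[:space:]]' "$cfg" || { echo "no disable_tls1 line in $cfg" >&2; return 1; }
    # Keep a timestamped copy next to the original (the article recommends a backup).
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Rewrite only the directive line; write to a temp file, then move it into place.
    tmp="$cfg.tmp.$$"
    sed "s/^disable_tls1[[:space:]].*/disable_tls1 $want/" "$cfg" > "$tmp" && mv "$tmp" "$cfg" || { rm -f "$tmp"; return 1; }
    # Verify the result rather than trusting sed's exit status.
    grep -q "^disable_tls1 $want\$" "$cfg"
}

# Print the current value ("yes", "no", or nothing if the directive is absent).
get_disable_tls1() {
    awk '$1 == "disable_tls1" { print $2; exit }' "$1"
}

# Demo on a constructed copy of the file, not the real appliance configuration.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/mta.conf"
printf 'listen_port 25\ndisable_tls1 yes\nmax_recipients 100\n' > "$demo_cfg"

# On the appliance this replaces steps 5 to 8 of the article, in between:
#   mount -n -o remount,rw /
#   set_disable_tls1 /static/proxy/smtp/mta.conf no     (or smtp.conf)
#   service awarrenmta:restart -ds nosync                (or awarrensmtp)
#   mount -n -o remount,ro /
set_disable_tls1 "$demo_cfg" no && echo "demo mta.conf now: disable_tls1 $(get_disable_tls1 "$demo_cfg")"
rm -rf "$demo_dir"
```

Because the function only rewrites the directive line and verifies the outcome, running it twice with the same value is harmless, and running it with "yes" later reverts the change while leaving the timestamped backups in place for audit.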

This article will be updated when information becomes available.



Be a Smart Port City of Call!

Port of Rotterdam Authority, Photographer: Eric Bakker

Over the years, ports have constantly evolved and embraced innovation to stay relevant. Just think about the advent of the bridge crane and shipping containers, which radically transformed how materials were shipped and handled. Once again, the winds of change are blowing. Homogenous competition among ports is forcing operators to think about value innovation. With Brexit coming down the tracks and the US negotiating new global trade agreements, things look set to become even more complex. The current business model of seeking competitive advantage and profitable growth by focusing …


How to drop inbound connection requests to specified URLs on XenMobile Server

Dropping connection requests for specific URLs only requires a number of configuration tasks.

A prerequisite of this method is that the NetScaler uses an SSL Offload configuration (not SSL Bridge).

This requirement applies to both MDM load balancer vServers on the NetScaler (one for port 443 and the other for port 8443).

To configure this method, use the following template as a starting point for the settings:

# Create a pattern set with the name 'XMS_DropURLs'
add policy patset XMS_DropURLs

# Add the listed URLs to the new pattern set. Customise this list as required.
bind policy patset XMS_DropURLs /zdm/shp/console -index 6
bind policy patset XMS_DropURLs /zdm/login_xdm_uc.jsp -index 5
bind policy patset XMS_DropURLs /zdm/helper.jsp -index 4
bind policy patset XMS_DropURLs /zdm/log.jsp -index 3
bind policy patset XMS_DropURLs /zdm/login.jsp -index 2
bind policy patset XMS_DropURLs /zdm/console -index 1

# Create a responder policy that drops all traffic to these URLs unless the
# connection request originates from the specified subnet. The inner quotes
# around the pattern set name are escaped so the expression survives the CLI.
add responder policy XMS_DROP_pol "CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/24).NOT && HTTP.REQ.URL.CONTAINS_ANY(\"XMS_DropURLs\")" DROP -comment "Allow only subnet 192.168.0.0/24 to access these URLs. All other connections are dropped"

# Bind the new policy to both MDM load balancer vServers (port 443 and port 8443)
bind lb vserver _XM_LB_MDM_XenMobileMDM_443 -policyName XMS_DROP_pol -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver _XM_LB_MDM_XenMobileMDM_8443 -policyName XMS_DROP_pol -priority 100 -gotoPriorityExpression END -type REQUEST


WSS/SEP Seamless Integration Issues

I need a solution

I have SEP / WSS integration active, but port 2968 is closed in the SEPM console. How can I enable this port on the server?

We telnet to this port but it is closed, and we execute the following command on the SEPM server but it shows as closed:

netstat -an | find ":2968" | find "LISTENING"

Can someone help us?

Att. Andres Garcia


S500 PS - not resolving URL in the defined class

I need a solution

I had created a URL class on the PS S500, but it is not resolving the URL to an IP address while implementing and checking the class. Shaping was off at the time of implementation.

Image version currently running: PacketShaper 11.6.4.3

DNS is resolving on the PS when doing a DNS lookup of “wsus.ds.download.windowsupdate.com” on the PS (CMD).

Show result:

Matching Rules:
  [1  ]   inside  any host  service:Client  any port  TCP
          outside host 13.107.4.50  service:Microsoft-Updates  any port
  [2  ]   inside  any host  service:Client  any port  TCP
          outside host wsus.ds.download.windowsupdate.com(<unknown address>)  service:HTTP  any port
  [3  ]   inside  any host  service:Microsoft-Updates  any port  TCP
          outside host 13.107.4.50  service:Client  any port
  [4  ]   inside  any host  service:HTTP  any port  TCP
          outside host wsus.ds.download.windowsupdate.com(<unknown address>)  service:Client  any port

Please help me to resolve the issue.
