Category : NetScaler

Citrix, Citrix ADC, NetScaler

High CPU Usage on Citrix ADC VPX reported on Hypervisor.

Oldie but goldie! A reminder that this feature still applies to the latest Citrix ADC (formerly NetScaler ADC) versions.


Hypervisors, at least VMware and Citrix Hypervisor, might report high CPU usage for Citrix ADC or Gateway VPX instances.

If you check the actual CPU usage on the Citrix ADC dashboard, it looks normal. Yet even a newly deployed VPX instance with no real load shows high CPU on the hypervisor, with spikes to 90% and above.

This is expected behavior with the latest Citrix ADC builds. With NetScaler 11.1 and earlier, the VPX shared CPU with other VMs. From Citrix ADC 12.0 onward, the VPX does not share CPU by default.

If you want to override this, you can use a CLI command to enable CPU yield:

Display the current vpxparam settings:

show ns vpxparam

Allow each VM to use CPU resources that have been allocated to another VM but are not being used:

set ns vpxparam -cpuyield yes

YES: Allow allocated but unused CPU resources to be used by another VM.
NO: Reserve all CPU resources for the VM to which they have been allocated. With this option the hypervisor shows a higher CPU usage percentage for the VPX.



Citrix, NetScaler

NetScaler SSH or SFTP Management Access Not Working – SSH Daemon Not Running

Sometimes, especially when a NetScaler appliance has been upgraded from a much older version, the SSH daemon won’t start anymore. As a result, you can no longer connect to the NetScaler management console via SSH or SFTP. To troubleshoot this, log in to the NetScaler virtual appliance console from the hypervisor (or, for a physical appliance, through the console port) and go to the NetScaler shell. Let’s see whether sshd is running:

Run: root@NSVPX01# ps ax | grep sshd

If the daemon is running, you’ll see something like this (my example):

5889 ?? Is 0:00.01 /usr/sbin/sshd -f /etc/sshd_config
5910 ?? Ss 0:00.10 sshd: nsroot@pts/0 (sshd)
5931 ?? Ss 0:20.92 sshd: nsroot@notty (sshd)

But, if you can’t see it running, let’s start to troubleshoot it…

Let’s try to start sshd:

Run: root@NSVPX01# /usr/sbin/sshd -f /etc/sshd_config

In my case I got an error (yours might be different, but sshd config file still could be faulty):

/etc/ssh/sshd_config line 10: Deprecated option UsePrivilegeSeparation

So, I need to edit the SSH daemon configuration file, /etc/sshd_config. Because this is NetScaler and not a normal Linux OS, we have to use the lovely vi editor 🙂

Run: root@NSVPX01# cd /etc/
Run: root@NSVPX01# vi sshd_config

In my case I commented out the line “UsePrivilegeSeparation no” to “#UsePrivilegeSeparation”, because UsePrivilegeSeparation is no longer supported (recent sshd always runs with privilege separation), so I removed this option from the default config and saved the configuration file.

Then let’s try to start ssh daemon again:

Run: root@NSVPX01# /usr/sbin/sshd -f /etc/sshd_config

And sshd started successfully!
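The same edit as a repeatable step, in an added shell example that is not part of the original post: it comments out an active directive in an sshd config file, keeps a backup, and leaves already-commented lines alone. The helper names disable_sshd_option and check_sshd_config are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. disable_sshd_option and
# check_sshd_config are hypothetical helper names.

# Comment out every active line setting directive $2 in config file $1.
# Returns 0 if the file changed (backup kept in $1.bak), 1 if the
# directive was not active, 2 on error.
disable_sshd_option() {
    cfg=$1
    opt=$2
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    tmp="$cfg.tmp.$$"
    # Keywords are case-insensitive, may be indented, and may use "="
    # before the value, so compare only the first token of each line.
    awk -v want="$opt" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, tok, /[ \t=]+/)
            if (tolower(tok[1]) == want) { print "#" $0; changed++ } else print
        }
        END { exit (changed ? 0 : 1) }
    ' "$cfg" > "$tmp"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg" || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Parse the file in sshd test mode (-t) without starting the daemon.
check_sshd_config() {
    /usr/sbin/sshd -t -f "$1"
}

# Constructed sample config in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#UsePrivilegeSeparation sandbox' \
    '  useprivilegeseparation no' 'LogLevel INFO' > "$demo_dir/sshd_config"
disable_sshd_option "$demo_dir/sshd_config" UsePrivilegeSeparation
grep -n -i 'privilegeseparation' "$demo_dir/sshd_config"
```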

This was just a quick tour to guide you through troubleshooting SSH daemon errors 🙂

Btw, if you are looking for those ultimate nasty vi editor commands, take a look at this link:

Citrix, NetScaler

NetScaler Gateway – Two-Factor Authentication – How to hide 2nd password field

Some two-factor products (e.g. DUO, SMS Passcode) require you to hide the 2nd password field. The easiest way is to use Rewrite policies, which work for both web browsers and Receiver self-service.

Tested with:

Citrix Receiver for Windows 4.6.0
Citrix Receiver for Mac 12.4.0
NetScaler 11.1

If you have any file-level customizations on the NetScaler, they need to be reset to the default settings before making these Rewrite policy modifications.

For Web browser:

1. Create a Rewrite Action

Header Name: Set-Cookie
Expression: (“pwcount=”+ 1″)

2. Create a Rewrite Policy

Action: Select the rewrite action which you created
Undefined Result Action: -Global undefined result action
Expression: HTTP.REQ.HEADER("Set-Cookie").CONTAINS("pwcount").NOT

Bind this policy to the NetScaler Gateway Virtual Server where 2FA is configured.

For Receiver Self-Service:

1. Create a Rewrite Action

Expression to choose target location: http.res.body(1024)
Expression: "\r\n"+"<META http-equiv=\"X-Citrix-AM-GatewayAuthType\" content=\"SMS\">"
Pattern: content="text/html; charset=UTF-8">

2. Create a Rewrite Policy

Action: Select the Rewrite action which you created
Undefined Result Action: -Global undefined result action
Expression: http.req.url.path.endswith("vpn/index.html")

Bind this policy to the NetScaler Gateway Virtual Server where 2FA is configured.

