If you’re trying to troubleshoot a Citrix Netscaler Access Gateway and attempt to telnet from the Netscaler via a Putty session to an STA/XenApp server you’ll notice that more than likely nothing will connect and it will eventually timeout. This is because by default the NSIP is where telnet is being established from. Telnet is a management function and most all management functions are on the NSIP. You need to telnet from the SNIP instead.
The quick solution is to forgo telnet all together. Instead create a Service under Load Balancing on the STA port you are troubleshooting:
-Service Name = porttest
-Protocol = HTTP (but you can use TCP too)
-Port = the port you’re trying to test
-Server = the IP address of the server you’re trying to hit
For this article I’ve created 4 porttest services to test ports 80, 8080, 443, and 1494. I can see only 1494 is responding meaning there is likely a firewall blocking me on the other ports or a misconfiguration on the back end XenApp servers:
If you click on the Service, you can see more good troubleshooting info on the attempted connections:
If you realize your STA and XML port are failing, then it’s time to gather additional information to prove exactly what is going on. Putty into your Netscaler and enter the shell.
nstcpdump.sh -ne host
Put your server IP and the XML port in where it needs to be above. In my case I’m testing port 8080 and as you can see from the result below, my SNIP keeps trying to talk to the XenApp/STA server on port 8080 but is never getting a response back. The carrot shows the direction of the communication. The IP to the left is all from the SNIP and the IP to the right on port 8080 is my STA:
Once you open up the firewall port, communication becomes bi-directional and it will look more like this. You can see the IPs will swap back and forth and port 8080 is moving from side to side (source to destination and destination to source) meaning they are talking now:
Hope this helps! 🙂