Citrix NetScaler

How to telnet from the Netscaler Access Gateway SNIP to your Citrix STA and verify the firewall port is open


If you’re troubleshooting a Citrix NetScaler Access Gateway and try to telnet from the NetScaler, via a PuTTY session, to an STA/XenApp server, more than likely nothing will connect and it will eventually time out. This is because by default the telnet connection is established from the NSIP. Telnet is a management function, and almost all management functions are on the NSIP. You need to telnet from the SNIP instead.

The quick solution is to forgo telnet altogether. Instead, create a Service under Load Balancing on the STA port you are troubleshooting:

-Service Name = porttest
-Protocol = HTTP (but you can use TCP too)
-Port = the port you’re trying to test
-Server = the IP address of the server you’re trying to hit

For this article I’ve created 4 porttest services to test ports 80, 8080, 443, and 1494. I can see that only 1494 is responding, meaning there is likely a firewall blocking me on the other ports or a misconfiguration on the back end XenApp servers:

[screenshot]

If you click on the Service, you can see more good troubleshooting info on the attempted connections:

A success –
[screenshot]

vs. a fail –
[screenshot]

If you realize your STA and XML port are failing, then it’s time to gather additional information to prove exactly what is going on. PuTTY into your NetScaler and enter the shell.

Then type:

nstcpdump.sh -ne host <server IP> and tcp port <port>

Put your server IP after host and the XML port after tcp port in the command above. In my case I’m testing port 8080, and as you can see from the result below, my SNIP keeps trying to talk to the XenApp/STA server on port 8080 but never gets a response back. The caret (>) shows the direction of the communication. The IP on the left is always the SNIP, and the IP on the right, on port 8080, is my STA:

[screenshot]

Once you open up the firewall port, communication becomes bi-directional and it will look more like this. You can see the IPs swap back and forth and port 8080 moves from side to side (source to destination and destination to source), meaning they are talking now:

[screenshot]
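An added example, not from the original article: a small shell function that reads saved nstcpdump.sh -ne text and reports whether traffic to the server and port is one-way or two-way, as described above. It goes one step beyond the article by also flagging replies that are only TCP resets; the addresses are constructed documentation IPs, and capture.txt in the usage comment is a hypothetical file name.

```shell
#!/bin/sh
# Usage: classify_flow <server IP> <port> < capture.txt   (saved nstcpdump.sh -ne output)
# Prints NO-TRAFFIC, ONE-WAY (nothing came back), REPLY-ONLY, REFUSED (only RSTs came back) or TWO-WAY.
classify_flow() {
    awk -v peer="$1.$2" '
    {
        # -e prints "MAC > MAC" before "IP.port > IP.port:", so pick the ">"
        # whose left-hand field looks like IPv4.port.
        for (i = 2; i < NF; i++) {
            if ($i != ">" || $(i-1) !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            src = $(i-1); dst = $(i+1); sub(/:$/, "", dst)
            # TCP flags follow the destination: "Flags [R.]," (newer tcpdump) or "R" (older)
            flags = $(i+2); if (flags == "Flags") flags = $(i+3)
            if (dst == peer) out++
            else if (src == peer) { back++; if (flags ~ /R/) rst++ }
            break
        }
    }
    END {
        if (!out && !back)    print "NO-TRAFFIC"
        else if (!back)       print "ONE-WAY"
        else if (!out)        print "REPLY-ONLY"
        else if (rst == back) print "REFUSED"
        else                  print "TWO-WAY"
    }'
}

# Constructed sample captures: 192.0.2.10 stands in for the SNIP, 192.0.2.20 for the STA.
sample_blocked() { cat <<'EOF'
10:00:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.41001 > 192.0.2.20.8080: Flags [S], seq 100, win 8190, length 0
10:00:04.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.41001 > 192.0.2.20.8080: Flags [S], seq 100, win 8190, length 0
EOF
}
sample_open() { cat <<'EOF'
10:05:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.41002 > 192.0.2.20.8080: Flags [S], seq 200, win 8190, length 0
10:05:01.000900 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 192.0.2.20.8080 > 192.0.2.10.41002: Flags [S.], seq 900, ack 201, win 8192, length 0
10:05:01.001000 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 66: 192.0.2.10.41002 > 192.0.2.20.8080: Flags [.], ack 901, win 8190, length 0
EOF
}
sample_refused() { cat <<'EOF'
10:09:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.41003 > 192.0.2.20.8080: S 300:300(0) win 8190
10:09:01.000800 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 60: 192.0.2.20.8080 > 192.0.2.10.41003: R 0:0(0) ack 301 win 0
EOF
}
sample_blocked | classify_flow 192.0.2.20 8080   # ONE-WAY
```

ONE-WAY matches the blocked capture described above. REFUSED means something answered with a reset, so packets are reaching a device that is rejecting the connection rather than being silently dropped.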

Once you check your Service again it should say UP now:
[screenshot]

Hope this helps! 🙂

About Jason Samuel

Jason Samuel is an Infrastructure Architect in Houston, TX with a primary focus on mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and information security. He is certified in several technologies and is 1 of 50 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 28 people in the world that is an Atlantis Community Expert (ACE). He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with.
