Citrix Netscaler Scripting


First a note: for automating a Netscaler, the best approach is to integrate with the Netscaler NITRO API. Having said that, let's continue.

In a former post I described a scenario for executing a Netscaler 'script' remotely from a Linux-based host against a remote Netscaler command line.

Now, here is an example. It load balances the Citrix XML Service.
Config notes: Non-secure, over HTTP (not HTTPS). The XML Service is monitored by means of HTTP (there is also a dedicated XML monitor). If you don't utilize Netscaler traffic domains, remove the variables (everywhere) in the config and you're good to go. Download the script here:
----------BASH SCRIPT----------


# Citrix Netscaler v 10.5 configuration script.
# Ronny Holtmaat
# September 2014
# info @
# NOTE: There needs to be a basic netscaler config with 'correct' features and DNS enabled 

#Netscaler VPX Instances and loadbalanced Virtual Servers are deployed in a Two Arm mode.
#This script can also be used for a One arm deployment (load balancing in same subnet) 
#For One Arm: the load balancing backend (be) and frontend (fe) SNIP need to be in the same
#VLAN/IP subnet; then use identical SNIP, TD, VLAN and MASK values
#BASH Variables
#A Traffic Domain (Routing Domain) segments and isolates network traffic.
ns_td=33 #Traffic Domain, valid range: 0-4094;
ns_td_gw= #Traffic Domain Gateway, one per TD.
#Backend networking
be_snip= #SNIP for back-end servers. One SNIP per IP subnet is needed.
be_snip_mask= #SNIP subnet-mask for back-end servers.
be_vlan=33 #0-4094 #VLAN for back-end servers.
#Frontend networking
fe_snip= #SNIP for front-end virtual server [1 per subnet]
fe_snip_mask= #SNIP subnet mask for front-end virtual server
fe_vip= #VIP for front-end virtual server [multiple per subnet] 
fe_vlan=66 #0-4094 #VLAN for LB front-end virtual server
#Backend 'to loadbalance' Server (no white space in HOSTNAME/FQDN)
ns_srv1="dnssrv1.rhcs.lab" #FQDN, needs to be DNS resolvable. [if a variable is not in use, fill it with the "@empty" string]
ns_srv2="@empty" #Not in use
ns_srv3="@empty" #Not in use
ns_srv4="@empty" #Not in use
ns_srv5="@empty" #Not in use
ns_srv6="@empty" #Not in use

#Utilizing the @empty string will cause 'syntax errors', but the script will continue with a 'correct' execution.
#Normally this can be solved by utilizing IF/OR and WHILE logic, but these features are not accessible in a Netscaler command line.
ns_srv_grp="" #Service Group Name; Collection of upper servers
ns_lb_vrt_srv="" #Virtual Server Name; LB Virtual Server connected to '$fe_vip'
#automatic/manual login to netscaler vpx/mpx // certs // expect? ->> for now you need to punch in a password
echo "Netscaler VPX (instance) configuration"
#NOTE: this needs to be changed to your NSIP / management interface IP
ssh -T nsroot@ << EOF
add ns trafficDomain $ns_td -aliasName $ns_td #Add traffic domain
add vlan $be_vlan -aliasName $be_vlan #Add VLAN for backend (to loadbalance) servers 
add vlan $fe_vlan -aliasName $fe_vlan #Add VLAN for frontend (Netscaler LB Virtual Server)
add ns ip $be_snip $be_snip_mask -vServer DISABLED -gui DISABLED -td $ns_td #Add SNIP for backend (to loadbalance) servers 
add ns ip $fe_snip $fe_snip_mask -vServer DISABLED -gui DISABLED -td $ns_td #Add SNIP for frontend (Netscaler LB Virtual Server)
add ns ip $fe_vip -type VIP -td $ns_td #Add VIP. The mask is always /32 CIDR
bind ns trafficDomain $ns_td -vlan $be_vlan #Bind TD to SNIP VLAN
bind ns trafficDomain $ns_td -vlan $fe_vlan #Bind TD to SNIP VLAN

#!! You will need to change the interface bindings of a VLAN !!!!
bind vlan $be_vlan -ifnum LA/1 -tagged #Bind back-end VLAN to LA 
bind vlan $be_vlan -IPAddress $be_snip $be_snip_mask -td $ns_td #Bind back-end VLAN to back-end SNIP
bind vlan $fe_vlan -ifnum LA/1 -tagged #Bind front-end VLAN to LA
bind vlan $fe_vlan -IPAddress $fe_snip $fe_snip_mask -td $ns_td #Bind front-end VLAN to front-end SNIP
#ADD Default Route to Traffic Domain
add route $ns_td_gw -td $ns_td
#ADD (to loadbalance)Servers to Netscaler
#EXAMPLE: add server 661.rhcs.lab -td 66
add server $ns_srv1 $ns_srv1 -td $ns_td
add server $ns_srv2 $ns_srv2 -td $ns_td
add server $ns_srv3 $ns_srv3 -td $ns_td
add server $ns_srv4 $ns_srv4 -td $ns_td
add server $ns_srv5 $ns_srv5 -td $ns_td
add server $ns_srv6 $ns_srv6 -td $ns_td
#ADD Service Group Netscaler
#EXAMPLE: add serviceGroup 6666SVGroup HTTP -td 66 -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
add serviceGroup $ns_srv_grp HTTP -td $ns_td -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
#ADD Load Balancing Virtual Server to Netscaler
#EXAMPLE: add lb vserver 66_VirtualServer HTTP 80 -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -cltTimeout 180 -td 66
add lb vserver $ns_lb_vrt_srv HTTP $fe_vip 80 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -td $ns_td
#BIND Load Balancing Virtual Server to Service Group
#EXAMPLE: bind lb vserver 66_VirtualServer 6666SVGroup
bind lb vserver $ns_lb_vrt_srv $ns_srv_grp
#Set Load Balancing 'default' Monitor adjustments
#EXAMPLE: set lb monitor name type
#Add Load Balancing 'custom' Monitor
#EXAMPLE: add lb monitor name type
#BIND Service Group to Servers
#EXAMPLE:bind serviceGroup 6666SVGroup 661.rhcs.lab 80
bind serviceGroup $ns_srv_grp $ns_srv1 80
bind serviceGroup $ns_srv_grp $ns_srv2 80
bind serviceGroup $ns_srv_grp $ns_srv3 80
bind serviceGroup $ns_srv_grp $ns_srv4 80
bind serviceGroup $ns_srv_grp $ns_srv5 80
bind serviceGroup $ns_srv_grp $ns_srv6 80
#BIND Service Group to Default/Custom Monitor
#EXAMPLE: bind serviceGroup 6666SVGroup -monitorName http
bind serviceGroup $ns_srv_grp -monitorName http-ecv
#BIND SSL ServiceGroup to SSL Certificate (CertKeyName)
#EXAMPLE: bind ssl serviceGroup "exchange webmail-ssl.rhcs.lab" -certkeyName wildcard4
#EXAMPLE: bind ssl serviceGroup "exchange webmail-ssl.rhcs.lab" -certkeyName rhcs-root-ca -CA -ocspCheck Optional
#BIND ECC SSL Cert (not in use, skip?)
#EXAMPLE: bind ssl vserver "exchange webmail-ssl.rhcs.lab" -eccCurveName P_256
exit #Ending of netscaler configuration file
EOF
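
The script's comments note that unused "@empty" slots cause CLI syntax errors because the Netscaler command line has no IF/WHILE logic; that filtering can run in the local shell before anything is sent over SSH. The following is an added example, not part of the original script: it emits `add server` and `bind serviceGroup` lines only for used slots and rejects names containing anything but hostname characters, since the unquoted heredoc passes variable contents to the appliance verbatim. The function names, `xml_svc_grp` and `xml2.rhcs.lab` are made up for the illustration.

```bash
#!/usr/bin/env bash
# Added example: decide in the local shell which server slots are in use,
# because the Netscaler CLI itself offers no IF/WHILE logic to skip them.

# valid_host NAME: succeed only for a plain hostname/FQDN (A-Z a-z 0-9 . -).
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
    esac
    return 0
}

# used_servers HOST...: print every used slot, one per line. Empty and
# "@empty" slots are skipped; any other invalid name aborts with status 1.
used_servers() {
    local host
    for host in "$@"; do
        case "$host" in ''|@empty) continue ;; esac
        valid_host "$host" || { echo "rejected server name: $host" >&2; return 1; }
        printf '%s\n' "$host"
    done
}

# add_server_cmds TD HOST...: 'add server' lines for the used slots only.
add_server_cmds() {
    local td="$1" hosts h; shift
    case "$td" in ''|*[!0-9]*) echo "bad traffic domain: $td" >&2; return 1 ;; esac
    hosts=$(used_servers "$@") || return 1
    for h in $hosts; do printf 'add server %s %s -td %s\n' "$h" "$h" "$td"; done
}

# bind_group_cmds GROUP PORT HOST...: 'bind serviceGroup' lines, same filter.
bind_group_cmds() {
    local group="$1" port="$2" hosts h; shift 2
    hosts=$(used_servers "$@") || return 1
    for h in $hosts; do printf 'bind serviceGroup %s %s %s\n' "$group" "$h" "$port"; done
}

# Constructed sample: ns_srv1 is the page's value, the other values are made up.
ns_td=33; ns_srv_grp="xml_svc_grp"
ns_srv1="dnssrv1.rhcs.lab"; ns_srv2="xml2.rhcs.lab"; ns_srv3="@empty"; ns_srv4=""
add_server_cmds "$ns_td" "$ns_srv1" "$ns_srv2" "$ns_srv3" "$ns_srv4"
bind_group_cmds "$ns_srv_grp" 80 "$ns_srv1" "$ns_srv2" "$ns_srv3" "$ns_srv4"
```

Inside the unquoted heredoc, a command substitution calling `add_server_cmds` or `bind_group_cmds` can stand in for the six fixed lines of each kind. Running both functions once before the `ssh` call stops the run locally when a name is rejected.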

Citrix Netscaler VPX – High CPU usage – 50% – One Core


Seeing high CPU utilization on a Netscaler VPX (one core dedicated?) that is running on a hypervisor platform (VMware, Hyper-V, XenServer)? I did some investigation and found the following Citrix statement:

This is normal behavior and NetScaler appliances exhibit the same behavior. To see the true extent of NetScaler VPX CPU utilization, use the stat cpu command in the NetScaler CLI, or view NetScaler VPX CPU utilization from the NetScaler GUI. The NetScaler packet processing engine is always “looking for work,” even when there is no work to be done. Therefore, it will do everything it can to take control of the CPU and not release it. On a server installed with NetScaler VPX and nothing else, this results in it looking like (from the hypervisor perspective) that NetScaler VPX is consuming the entire CPU. Looking at the CPU utilization from “inside NetScaler” (by using the CLI or the GUI) provides a picture of NetScaler VPX CPU capacity being used.

From a Netscaler command line (not from the BASH shell), run the command ‘stat cpu’.
It should result in:

ID      0

NOTE: Utilize the ‘stat cpu’ command in the Netscaler command line. Don’t utilize TOP within the bash shell or look at hypervisor monitoring solutions, etc. They give a ‘wrong view’ of Netscaler CPU utilization. The NS-PPE process utilizes a lot of CPU resources. This is for TCP/UDP/IP packet processing (even if there is no workload) and this is ‘default behavior’. If this behavior is ‘not done’, then invest in a Netscaler MPX or SDX.

So that’s cleared up.