Citrix NetScalers

Last updated on 17 March, 2023

Configuring SNMP Access

The NetScaler configuration must include a line allowing SNMP requests with the appropriate community from the collector.
 For example:

add snmp community "community" ALL
add snmp manager

In the above example, is the address of the host running the LogicMonitor collector.

To help troubleshoot SNMP access issues, it is often useful to confirm that:

  • The SNMP requests are arriving from the collector
  • The SNMP requests are arriving with the same community string that has been set on the device
  • The NetScaler is replying to the requests

You can see whether this is the case by connecting to the Netscaler via SSH, logging in as nsroot, typing “shell”to get to a command shell, then run “ port 161”

This will show you all SNMP packets going to/from the NetScaler.

Monitoring NetScaler Clusters

The recommended way to monitor NetScalers is by means of two groups.

You should add all the physical NetScaler devices to the LogicMonitor system. (It is convenient to place these in one or more groups – NetScalers, or Network Gear, for example.) These devices will be checked for health, synchronization status, hardware failures, etc, but not for VIP activity.

For each NetScaler HA pair, you should add a device to the LogicMonitor system with the DNS or IP of one of the “floating” IPs (the subnet IP or mapped IP addresses) that will move to the active node.

Note: in order for SNMP access to work correctly on the floating IPs, the Netscaler must have management access enabled on them.

For example:

set ns ip -mgmtAccess enabled

In the above example, is the NetScaler mapped IP.

This host should be added to the NetScalersActive group. Members of this group will have VIP activity trended and alerted on them, as well as CPU and other health information. This separation allows continuity in monitoring VIP traffic, without breaks in the trends despite Netscaler failover events

Configuring SSH Access for ConfigSources

NetScaler ConfigSources require read-only ssh access to retrieve device configs. To use these ConfigSources, create a read-only account on your device and store the userid and password credentials in ssh.user & ssh.pass device properties, respectively.

LogicMonitor provides two flavors of ConfigSources: one that monitors general system configuration only, and another that tracks and stores ALL device configuration files. The former alerts on standard NetScaler config changes, while the latter encompasses all data required to restore a device from bare-metal.

Note: If the ability to monitor and alert on configuration files is not currently available in your LogicMonitor platform and you would like to learn more, reach out to your customer success manager.

If you’d like to use the full-backup ConfigSource you’ll also need to create a NetScaler Command Policy to provide adequate rights to this userid. The appropriate cmdspec should look like:

(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)|(^shell ((cat|ls|ls -1|ls -la) (/nsconfig|/var|/netscaler)\S+)$)|(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)

Configuring NTP Access

LogicMonitor will check the NTP synchronization of NetScalers by default (as good time synchronization is essential for any data center debugging operations), however, NTP is not enabled by default on NetScalers.

To enable NTP on the NetScaler:

  1. Log on to the Application Switch CLI.

  2. Copy the /etc/ntp.conf file to /nsconfig/ntp.conf.

  3. Edit /nsconfig/ntp.conf, and add the IP address for the desired NTP server under the file’s server and restrict entries.

  4. Add the IP of the LogicMonitor collector under a restrict entry

  5. Edit /nsconfig/rc.conf, and add the text ntpd_enable=”YES”.

  6. Reboot the Application Switch to enable clock synchronization (or run /usr/sbin/ntpd -g)


Monitoring Virtual Services

Older versions of NetScalers used different OIDs to list the virtual server names. Change the SNMP OID in the Active Discovery section for the datasources Netscaler_lb_vip- and Netscaler_vip- from . to:

  • For version 9.0 – 9.1, use
  • For a version < 9, use

Note that if you later upgrade to version 9.2 or later, you will need to revert this change.

The Number of Services Up is always zero!
 This is a bug in NetScaler v7 code – if you use service groups, they will always report zero services up for a server.
 Workaround: Upgrade to v8 or later, or do not use service groups – bind the services individually.

None of my virtual servers show the services up/down data. 
For this information to be available, you need to be running NetScaler code v7.0 or later.

In This Article