Citrix NetScalersLast updated on 17 March, 2023
Configuring SNMP Access
The NetScaler configuration must include a line allowing SNMP requests with the appropriate community from the collector. For example:
add snmp community "community" ALL add snmp manager 192.168.0.100
In the above example, 192.168.0.100 is the address of the host running the LogicMonitor collector.
To help troubleshoot SNMP access issues, it is often useful to confirm that:
- The SNMP requests are arriving from the collector
- The SNMP requests are arriving with the same community string that has been set on the device
- The NetScaler is replying to the requests
You can see whether this is the case by connecting to the Netscaler via SSH, logging in as nsroot, typing “shell”to get to a command shell, then run “nstcpdump.sh port 161”
This will show you all SNMP packets going to/from the NetScaler.
Monitoring NetScaler Clusters
The recommended way to monitor NetScalers is by means of two groups.
You should add all the physical NetScaler devices to the LogicMonitor system. (It is convenient to place these in one or more groups – NetScalers, or Network Gear, for example.) These devices will be checked for health, synchronization status, hardware failures, etc, but not for VIP activity.
For each NetScaler HA pair, you should add a device to the LogicMonitor system with the DNS or IP of one of the “floating” IPs (the subnet IP or mapped IP addresses) that will move to the active node.
Note: in order for SNMP access to work correctly on the floating IPs, the Netscaler must have management access enabled on them.
set ns ip 10.1.1.1 -mgmtAccess enabled
In the above example, 10.1.1.1 is the NetScaler mapped IP.
This host should be added to the NetScalersActive group. Members of this group will have VIP activity trended and alerted on them, as well as CPU and other health information. This separation allows continuity in monitoring VIP traffic, without breaks in the trends despite Netscaler failover events
Configuring SSH Access for ConfigSources
NetScaler ConfigSources require read-only ssh access to retrieve device configs. To use these ConfigSources, create a read-only account on your device and store the userid and password credentials in ssh.user & ssh.pass device properties, respectively.
LogicMonitor provides two flavors of ConfigSources: one that monitors general system configuration only, and another that tracks and stores ALL device configuration files. The former alerts on standard NetScaler config changes, while the latter encompasses all data required to restore a device from bare-metal.
Note: If the ability to monitor and alert on configuration files is not currently available in your LogicMonitor platform and you would like to learn more, reach out to your customer success manager.
If you’d like to use the full-backup ConfigSource you’ll also need to create a NetScaler Command Policy to provide adequate rights to this userid. The appropriate cmdspec should look like:
(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)|(^shell ((cat|ls|ls -1|ls -la) (/nsconfig|/var|/netscaler)\S+)$)|(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)
Configuring NTP Access
LogicMonitor will check the NTP synchronization of NetScalers by default (as good time synchronization is essential for any data center debugging operations), however, NTP is not enabled by default on NetScalers.
To enable NTP on the NetScaler:
- Log on to the Application Switch CLI.
- Copy the /etc/ntp.conf file to /nsconfig/ntp.conf.
- Edit /nsconfig/ntp.conf, and add the IP address for the desired NTP server under the file’s server and restrict entries.
- Add the IP of the LogicMonitor collector under a restrict entry
- Edit /nsconfig/rc.conf, and add the text ntpd_enable=”YES”.
- Reboot the Application Switch to enable clock synchronization (or run /usr/sbin/ntpd -g)
Monitoring Virtual Services
Older versions of NetScalers used different OIDs to list the virtual server names. Change the SNMP OID in the Active Discovery section for the datasources Netscaler_lb_vip- and Netscaler_vip- from .126.96.36.199.4.1.59188.8.131.52.1.1.59 to:
- For version 9.0 – 9.1, use 184.108.40.206.4.1.59220.127.116.11.1.1.49
- For a version < 9, use 18.104.22.168.4.1.5922.214.171.124.1.1.1
Note that if you later upgrade to version 9.2 or later, you will need to revert this change.
The Number of Services Up is always zero! This is a bug in NetScaler v7 code – if you use service groups, they will always report zero services up for a server. Workaround: Upgrade to v8 or later, or do not use service groups – bind the services individually.
None of my virtual servers show the services up/down data. For this information to be available, you need to be running NetScaler code v7.0 or later.