Monitoring

Citrix NetScalers

Configuring SNMP Access

The NetScaler configuration must allow SNMP requests with the appropriate community from the collector, e.g.:

add snmp community "community" ALL
add snmp manager 192.168.0.100

(where 192.168.0.100 is the address of the host running the LogicMonitor collector)

To help troubleshoot SNMP access issues, it is often useful to confirm that:

  • The SNMP requests are arriving from the collector
  • The SNMP requests are arriving with the same community string that has been set on the device
  • The NetScaler is replying to the requests

You can check this by connecting to the NetScaler via SSH, logging in as nsroot, typing "shell" to get to a command shell, and then running "nstcpdump.sh port 161".

This will show you all SNMP packets going to/from the NetScaler.
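The three checks above can be run over a saved capture with a short script. This is an added example, not LogicMonitor or Citrix code. It assumes the capture is tcpdump-style text in the line shape shown in the comment; the sample captures are constructed, and 10.1.1.1 stands in for the NetScaler address.

```python
import re

# Assumed line shape (tcpdump-style text); the community field is optional:
#   <time> IP <src>.<sport> > <dst>.<dport>:  C="<community>" <PDU>(<len>) ...
LINE = re.compile(
    r'IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+'
    r'(?:C="?(?P<comm>[^"\s]+)"?\s+)?(?P<pdu>\w+)\('
)

def diagnose(capture, collector, community):
    """Answer the three troubleshooting questions for one capture."""
    seen = {"requests_from_collector": False,
            "community_matches": False,
            "netscaler_replies": False}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["src"] == collector and m["dport"] == "161":
            # Request travelling from the collector to the SNMP port.
            seen["requests_from_collector"] = True
            if m["comm"] == community:
                seen["community_matches"] = True
        elif m["dst"] == collector and m["sport"] == "161":
            # Anything sent from port 161 back to the collector is a reply.
            seen["netscaler_replies"] = True
    return seen

# Constructed captures (not real output): a healthy poll, and a poll sent
# with a community the device does not accept, which gets no reply.
HEALTHY = '''\
12:00:01.000100 IP 192.168.0.100.40001 > 10.1.1.1.161:  C="community" GetRequest(28)  .1.3.6.1.2.1.1.3.0
12:00:01.000900 IP 10.1.1.1.161 > 192.168.0.100.40001:  C="community" GetResponse(31)  .1.3.6.1.2.1.1.3.0=8640000
'''
WRONG_COMMUNITY = '''\
12:00:05.000100 IP 192.168.0.100.40002 > 10.1.1.1.161:  C="othercomm" GetRequest(28)  .1.3.6.1.2.1.1.3.0
12:00:10.000100 IP 192.168.0.100.40002 > 10.1.1.1.161:  C="othercomm" GetRequest(28)  .1.3.6.1.2.1.1.3.0
'''

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("wrong community", WRONG_COMMUNITY)):
        print(name, diagnose(cap, "192.168.0.100", "community"))
```

An empty capture (all three answers false) means the requests never reach the NetScaler, so the problem lies between the collector and the device, not in the SNMP configuration.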

Monitoring NetScaler Clusters

The recommended way to monitor NetScalers is by means of two groups.

You should add all the physical NetScaler devices to the LogicMonitor system. (It is convenient to place these in one or more groups, such as NetScalers or Network Gear.) These devices will be checked for health, synchronization status, hardware failures, etc., but not for VIP activity.

You should then create a device group, such as NetScalersActive, to monitor your clustered node IPs. This group must be tagged with the system category "NetScalersActive". The process is as follows:

  • Select the group, click "Edit".
  • Click Properties Add, type system.categories in the name field, and "NetScalersActive" in the value field. If the system.categories property already exists, append the value ",NetScalersActive" (i.e. add NetScalersActive to the property's comma-separated list of values).
  • Click "Submit".

For each NetScaler HA pair, you should add a device to the LogicMonitor system with the DNS or IP of one of the "floating" IPs (the subnet IP or mapped IP addresses) that will move to the active node.

Note: for SNMP access to work correctly on the floating IPs, the NetScaler must have management access enabled on them.

e.g.:

set ns ip 10.1.1.1 -mgmtAccess enabled

(where 10.1.1.1 is the NetScaler mapped IP.)

This host should be added to the NetScalersActive group. Members of this group will have VIP activity trended and alerted on, as well as CPU and other health information. This separation allows continuity in monitoring VIP traffic, without breaks in the trends despite NetScaler failover events.

Configuring SSH Access for LM Config

NetScaler ConfigSources require read-only SSH access to retrieve device configs. To use these ConfigSources, create a read-only account on your device and store the userid and password credentials in the ssh.user and ssh.pass device properties, respectively.

LogicMonitor provides two flavors of ConfigSources: one that monitors general system configuration only, and another that tracks and stores ALL device configuration files. The former alerts on standard NetScaler config changes, while the latter encompasses all data required to restore a device from bare-metal.

If you'd like to use the full-backup ConfigSource you'll also need to create a NetScaler Command Policy to provide adequate rights to this userid. The appropriate cmdspec should look like:

(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)|(^shell ((cat|ls|ls -1|ls -la) (/nsconfig|/var|/netscaler)\S+)$)|(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)
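Before binding a command policy to the backup account, it helps to confirm what the cmdspec actually permits. The following is an added example, not LogicMonitor or Citrix code. It uses Python's re module as a stand-in for the appliance's regular-expression matching (an assumption), and the command list is constructed for illustration.

```python
import re

# cmdspec copied from the page (including its repeated alternatives),
# split across lines only for readability.
CMDSPEC = (
    r'(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)'
    r'|(^shell ((cat|ls|ls -1|ls -la) (/nsconfig|/var|/netscaler)\S+)$)'
    r'|(^show\s+(?!audit messages)(?!techsupport).*)|(^stat.*)'
)

# Constructed commands with the verdict a read-only backup account should get.
EXPECTED = {
    "show ns runningConfig": True,
    "stat lb vserver": True,
    "shell cat /nsconfig/ns.conf": True,
    "shell ls -la /var/nslog": True,
    "show techsupport": False,
    "show audit messages": False,
    "shell cat /etc/ntp.conf": False,
    "shell rm /nsconfig/ns.conf": False,
    "set ns ip 10.1.1.1 -mgmtAccess enabled": False,
    "add snmp manager 192.168.0.100": False,
    "save ns config": False,
}

def is_allowed(command, cmdspec=CMDSPEC):
    """True if the command matches the policy expression."""
    return re.search(cmdspec, command) is not None

def policy_mismatches(expected=EXPECTED, cmdspec=CMDSPEC):
    """Return the commands whose actual verdict differs from the expected one."""
    return sorted(c for c, want in expected.items()
                  if is_allowed(c, cmdspec) != want)

if __name__ == "__main__":
    for cmd in EXPECTED:
        print(f"{'ALLOW' if is_allowed(cmd) else 'DENY':5}  {cmd}")
    print("mismatches:", policy_mismatches())
```

Re-run policy_mismatches() with your own expression whenever the cmdspec is edited; a non-empty result means the policy grants or withholds something you did not intend.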

Configuring NTP Access

LogicMonitor will check the NTP synchronization of NetScalers by default (as good time synchronization is essential for any data center debugging operations). However, NTP is not enabled by default on NetScalers.

To enable NTP on the NetScaler:

  1. Log on to the Application Switch CLI.

  2. Copy the /etc/ntp.conf file to /nsconfig/ntp.conf.

  3. Edit /nsconfig/ntp.conf, and add the IP address for the desired NTP server under the file’s server and restrict entries.

  4. Add the IP of the LogicMonitor collector under a restrict entry.

  5. Edit /nsconfig/rc.conf, and add the text ntpd_enable="YES".

  6. Reboot the Application Switch to enable clock synchronization (or run /usr/sbin/ntpd -g).

Troubleshooting

Monitoring Virtual Services

Older versions of NetScalers used different OIDs to list the virtual server names. Change the SNMP OID in the Active Discovery section for the datasources Netscaler_lb_vip- and Netscaler_vip- from .1.3.6.1.4.1.5951.4.1.3.1.1.59 to:

  • For version 9.0 - 9.1, use 1.3.6.1.4.1.5951.4.1.3.1.1.49
  • For a version < 9, use 1.3.6.1.4.1.5951.4.1.3.1.1.1

Note that if you later upgrade to version 9.2 or later, you will need to revert this change.

The Number of Services Up is always zero!
This is a bug in NetScaler v7 code: if you use service groups, they will always report zero services up for a server.
Workaround: Upgrade to v8 or later, or do not use service groups; bind the services individually.

None of my virtual servers show the services up/down data.
For this information to be available, you need to be running NetScaler code v7.0 or later.