3 Quick Tips for Citrix ADC (NetScaler)

Welcome to our first tips article. So, let’s just do some simple quick hits for the Citrix ADC (formerly NetScaler) to get things started.

1. Working with Server Certificates/Certkeys in the CLI

Since Citrix ADC 11.1 was released, the GUI has tried to make it easier to create certkeys (pointers to the certificate/private key pair files) by dynamically prompting you for the certificate file, key file, and/or password as needed. But sometimes you just need to do this from the CLI to get it done.

Which parameters you need to include depends on how your certificate file was created. For this example, I’ll focus on three different ways to import a Server Certificate (for an SSL vserver or other entity on the ADC).

Method 1:  You have a separate file for the certificate (.cer) and private key (.pem/.der).

Method 2:  You have one file that includes the certificate and private key components.  (Usually, this is from a previously imported PKCS#12 (.pfx) bundle which was then converted to a .cer file.)

Method 3:  You have the PKCS#12 bundle and you want to use the .pfx directly (without import/conversion).

Bonus: When entering CLI commands that require a password, don’t enter the password inline. If you include the -password parameter without the password value, the CLI will prompt you for the password, and what you enter will be securely masked in SYSLOG and the command history. If you include the password inline as -password <value>, it will still be securely masked in SYSLOG, but the command history may retain the clear-text value.

2. How to find where your default monitors are bound

I ran into this question on the forums. Someone wanted to find which services/service groups were depending on the default monitors so they could review and change to other monitor types. Usually, this is the perfect type of question to answer with a grep on the running config. But this time it didn’t work.

Well, a lot of built-in commands are hidden, so let’s try with defaults showing.

Even searching the saved config file didn’t work, because the tcp-default/ping-default monitors are attached automatically but are not a stored setting. For almost any other entity the above would have been fine.

There are lots of ways to pull back lists of services and service groups and then look for the ones without a bind command. But none of these were going to make it easy to find the entities using the default monitors.

Except, there is a command that helps us here. Long story short, this is easy if you do it this way. Everything else was just unnecessarily complicated:

The show lb monitor bindings command can retrieve a list of all entities a given monitor is bound to, including the default monitors.

By the way, you can find a reference to almost all commands on your ADC using:

It’s a great way to find a command you didn’t know you needed.  (Final tip: grep -i is a case-insensitive search, so I don’t have to match the name exactly as specified.)

3. Best commands for troubleshooting with Syslog via CMD Line

You want to troubleshoot an event on your ADC and you’re not sure what is affected or going wrong yet. Especially for things related to App Firewall, Citrix Gateway, or custom logging messages, you want to see the event output as it happens across possibly multiple features (aka Modules), but you don’t want to see all of the command changes occurring while navigating/interacting with the GUI or DASHBOARD.

Let me introduce you to your new best friend:

You could use grep to restrict the log output to Error or APPFW or a specific module. But when troubleshooting gateway considerations, output may span the TCP, AAA, and SSLVPN modules.

Using “tail -f” allows you to view the output as an open file and see events as they occur; stop and restart the output when the log file rolls over. The “-v CMD_EXECUTED” option excludes all the CMD_EXECUTED audit commands for GUI and CLI, so you can focus on events occurring and less on what happens when you navigate the GUI.
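
The filter described above, wrapped as a shell function that can also narrow the view to several modules at once. This is an added example, not code from the original article. The log path /var/log/ns.log, the assumed line layout, the function names and the sample lines (constructed) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: events are in /var/log/ns.log and each line has the form
#   "... : <partition> <MODULE> <EVENT> <id> 0 : <message>".

# filter_events [MODULE...]: read log lines on stdin, drop CMD_EXECUTED audit
# entries and, if modules are named, keep only events from those modules.
filter_events() {
    if [ "$#" -eq 0 ]; then
        grep --line-buffered -v 'CMD_EXECUTED'
        return
    fi
    # Join the arguments into one alternation, e.g. "TCP|AAA|SSLVPN".
    pattern=$(IFS='|'; printf '%s' "$*")
    # --line-buffered keeps the first grep from holding events in its pipe
    # buffer, which would make a live tail appear to lag.
    grep --line-buffered -v 'CMD_EXECUTED' |
        grep --line-buffered -E " (${pattern}) [A-Z_0-9]+ [0-9]+ "
}

# watch_events [MODULE...]: live view from the ADC shell. tail -F reopens the
# file by name after rotation, so the view survives a log rollover.
watch_events() {
    tail -F /var/log/ns.log | filter_events "$@"
}

# Constructed sample lines (not captured from a real appliance).
sample_log() {
    cat <<'EOF'
Jun  3 10:12:01 <local0.info> 192.0.2.10 06/03/2024:10:12:01 GMT adc1 0-PPE-0 : default CLI CMD_EXECUTED 101 0 :  User nsroot - Command "show ns config"
Jun  3 10:12:03 <local0.info> 192.0.2.10 06/03/2024:10:12:03 GMT adc1 0-PPE-0 : default GUI CMD_EXECUTED 102 0 :  User nsroot - Command "show lb vserver"
Jun  3 10:12:05 <local0.info> 192.0.2.10 06/03/2024:10:12:05 GMT adc1 0-PPE-0 : default AAA LOGIN_FAILED 103 0 :  User user1 - Client_ip 198.51.100.7
Jun  3 10:12:06 <local0.info> 192.0.2.10 06/03/2024:10:12:06 GMT adc1 0-PPE-0 : default SSLVPN LOGIN 104 0 : Context user2@198.51.100.8 - SessionId: 7
Jun  3 10:12:07 <local0.info> 192.0.2.10 06/03/2024:10:12:07 GMT adc1 0-PPE-0 : default APPFW APPFW_STARTURL 105 0 :  198.51.100.9 request blocked
Jun  3 10:12:08 <local0.info> 192.0.2.10 06/03/2024:10:12:08 GMT adc1 0-PPE-0 : default TCP CONN_TERMINATE 106 0 :  Source 198.51.100.8:50000
EOF
}

# Gateway troubleshooting view: three modules at once, no audit noise.
sample_log | filter_events TCP AAA SSLVPN
```

On the appliance, watch_events with no arguments gives the plain "everything except CMD_EXECUTED" view; pass module names to narrow it.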

Remember:  We’ll try to share some additional tips across a wide range of products in future newsletters. And anything that’s too long for the newsletter will find its way to our website. If there is a topic/product you want specific information on, drop us a line at info@layer8training and we’ll see what we can do.