Citrix NetScaler Release Notes

Citrix NetScaler 9.1 Classic, 9.1 nCore, and 9.1 VPX Beta

Copyright and Trademark Notice CITRIX SYSTEMS, INC., 2009. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, 1994. Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright 1995-1998 Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright 1992. Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright 1991-2, RSA Data Security, Inc. Created 1991. Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 19992001 The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved.

Last Updated: May 2009

C ONTENTS

Contents

Chapter 1

New Features and Enhancements

NetScaler 9.1 nCore Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Features With Improved Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Per-Core Statistics (nCore) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 NetScaler 9.1 VPX Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 NetScaler 9.1 Classic Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

Chapter 2

Issues Fixed in this Release

NetScaler 9.1 nCore Resolved Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

Chapter 3

Limitations
Features Not Supported in NetScaler 9.1 nCore . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Supported Features with Unchanged or Moderately Improved Performance in NetScaler 9.1 nCore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Chapter 4

Known Issues and Workarounds

Issues and Workarounds in NetScaler 9.1 nCore. . . . . . . . . . . . . . . . . . . . . . . . . . .11 Installation and Upgrade Issues and Workarounds . . . . . . . . . . . . . . . . . . . . . .11 General Issues and Workarounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 Traffic Management Issues and Workarounds . . . . . . . . . . . . . . . . . . . . . . . . . .13 Other Configuration Issues and Workarounds . . . . . . . . . . . . . . . . . . . . . . . . . .13 Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 nCore. . . . . .15 Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 VPX. . . . . . .16 Issues and Workarounds in NetScaler 9.1 VPX. . . . . . . . . . . . . . . . . . . . . . . . . . . .16

iv

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

C HAPTER 1

New Features and Enhancements

This chapter describes enhancements in the beta releases of NetScaler 9.1, NetScaler 9.1 nCore (which introduces multiple CPU cores for improved performance), and NetScaler 9.1 VPX (which introduces a software-only appliance). These release notes primarily discuss the NetScaler 9.1 nCore software. Note: You can determine your NetScaler type by looking at the build information in the upper-right corner of the NetScaler browser window, or by issuing the show version command at the command line. The file extension indicates the product type, for example, an nCore Netscaler has a .nc extension and a classic NetScaler has a .cl extension. In This Chapter NetScaler 9.1 nCore Enhancements NetScaler 9.1 VPX Enhancements NetScaler 9.1 Classic Enhancements

NetScaler 9.1 nCore Enhancements

The NetScaler nCore software uses multiple CPU cores for packet handling, which greatly improves the performance of many NetScaler features. Performance of the other available features is either somewhat improved or the same as before the enhancement. A few previously supported features are not supported in this release of the nCore NetScaler (see Limitations, on page 7), but will be supported in the single-core 9.1 NetScaler and in future releases of the nCore NetScaler. This version of the NetScaler nCore software is currently intended for use on the MPX 15000 and MPX 17000.

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

Features With Improved Performance

The following table describes features that exhibit improved performance due to the introduction of multiple CPU cores. Features With Improved Performance in This Release
Category Load Balancing, Content Switching, Link Load Balancing Feature HTTP, TCP, FTP support DNS Monitoring (with a partial exception for User monitors, as described in Known Issues and Workarounds, on page 11) Stateful Session Failover (SSF). High availability must be configured SSL Networking SSL, SSL Offload IPv4 ACL SNMP Failover Dynamic Routing (with the exception of dynamic routing for IPv6) Reverse Network Address Translation (RNAT) Inbound Network Address Translation (INAT) Security and Performance features Compression HTML Injection TCP Buffering HTTP response body parsing (HTTP Pipelining) Content Filtering Responder URL Rewrite Body URL Transformation Policies Classic Policies Advanced Policies Cache Redirection HTTP Service Callouts Cache Redirection HTTP Service Callouts

New Features and Enhancements

Note: Web logs, historical charting, application templates, auditing, role-based access control, and the Xen Desktop wizards are not throughput-intensive. These features are fully supported in this release, but performance is not a salient factor.

Per-Core Statistics (nCore)

In this release, the Reporting Tool for the nCore NetScaler displays statistics for individual cores, which you select in the Counters dialog box. You can also collect historical log data on a per-core basis in the newnslog file.

NetScaler 9.1 VPX Enhancements

NetScaler VPX is a virtual NetScaler appliance that is hosted on a XenServer. NetScaler VPX distributes, optimizes, and secures Layer 4 - Layer 7 (L4-L7) network traffic for Web applications. NetScaler VPX performs application-specific traffic analysis to provide an effective implementation of the enabled features. For example, a NetScaler VPX makes load balancing decisions based on individual HTTP requests rather than on the basis of long-lived TCP connections. This ensures that the failure or slowdown of a server is managed quickly and with less disruption to clients. Other features can be used to reduce load and simplify server-farm management and to accelerate end-user performance. NetScaler VPX, though installed on XenServer, appears to the administrator as a separate physical NetScaler appliance with its own network identity, user authorization, authentication capabilities, operating system version, configuration, applications, and data. However, it shares physical resources with other virtual machines.

NetScaler 9.1 Classic Enhancements

NetScaler 9.1 Classic enhancements will be documented in a later version of these release notes.

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

C HAPTER 2

Issues Fixed in this Release

This chapter describes resolved issues in this beta release of NetScaler 9.1 nCore.

NetScaler 9.1 nCore Resolved Issues

Issue 58309: An internal logic error causes some timer-based functions to fail after 49 days. Features that relied on timers stopped working at that time (for example, logging). Issue 57374: Several Perl modules that are required for server monitoring are not present. Issue 56685: The show transform profile ProfileName command does not not display the list of actions for the profile. Issue 55835: The show techsupport command does not return a response. Issue 55612, 52115: SNMP processing can take up to 20 percent of CPU capacity. In a large deployment, if you enable an SNMP alarm, the processing of SNMP data can occupy as much as 20 percent of the CPU, and traps for request rate, service request rate, and RX TX might not be generated. Issue 54811: An earlier release note reported that Link Aggregation Control Protocol (LACP) settings could not be disabled. However, this was a configuration issue, not a bug. You can use LACP to aggregate a group of ports to take advantage of the increased speed and redundancy of the aggregated interfaces. Note that LACP is not currently supported. Use static Link Aggregation instead of LACP. Issue 54571: Newly-added virtual servers (vservers) can remain in Slow Start mode for more time than was expected. In normal NetScaler operations, immediately after you add a vserver a Slow Start phase is initiated in which the vserver uses the default Round Robin method. Slow Start continues until the vserver has received the number of HTTP requests that determines the end of this phase. In this release, traffic is distributed across multiple cores and a vserver can remain in slow start mode for additional requests.

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

Issue 50153: A Transparent SSL/SSL TCP service can be displayed as down on some of the NetScaler packet engines even if you had bound a certificate. This potentially leads to intermittent failure to establish a connection to the service.

C HAPTER 3

Limitations

This chapter describes known limitations in NetScaler 9.1 nCore. In This Chapter Features Not Supported in NetScaler 9.1 nCore Supported Features with Unchanged or Moderately Improved Performance in NetScaler 9.1 nCore

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

Features Not Supported in NetScaler 9.1 nCore

The following table lists the features that are not supported in this release. NetScaler Features That Are Not Supported in the 9.1 nCore NetScaler
Category Traffic Management Feature All of GSLB, as described in the Global Server Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. Real Time Streaming Protocol (RTSP) support for a load balancing service or vserver, as described in the Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. Link load balancing persistence, as described in the Link Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. Policies that examine the traffic rate and their use in traffic rate limiting, redirection, and other features, as described in the Traffic Rate chapter in the Citrix NetScaler Traffic Management Guide. Connection failover for a load balancing virtual server, as described in the Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. NetScaler Push (scaling of Web 2.0 applications that use reverse Ajax or Comet-style communication), as described in the NetScaler Web 2.0 Push chapter in the Citrix NetScaler Traffic Management Guide. Diverting excess traffic to a backup vserver using the Spillover parameter, as described in the Load Balancing and Content Switching chapters in the Citrix NetScaler Traffic Management Guide. Maximum bandwidth settings for a service, as described in the Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. Masking vserver IP addresses, as described in the Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. Support for load balancing using Server/Application State Protocol (SASP), as described in the Load Balancing chapter in the Citrix NetScaler Traffic Management Guide. SSL SSL-FIPS acceleration, as described in the Secure Sockets Layer (SSL) Acceleration chapter in the Citrix NetScaler Traffic Management Guide. Link Aggregation Control Protocol (LACP), as described in the Interfaces chapter in the Citrix NetScaler Traffic Management Guide.

Networking

Limitations

NetScaler Features That Are Not Supported in the 9.1 nCore NetScaler
Category System Feature SureConnect, as described in the SureConnect chapter in the Citrix NetScaler Application Optimization Guide. Priority Queueing, as described in the Protection Features chapter in the Citrix NetScaler Application Security Guide. Denial of Service Protection, as described in the Protection Features chapter in the Citrix NetScaler Application Security Guide. Application Firewall Infrastructure No supported features. AAA for Traffic Management, as described in the Authentication Authorization Auditing (AAA) for Application Traffic chapter in the Citrix NetScaler Security Guide.

Supported Features with Unchanged or Moderately Improved Performance in NetScaler 9.1 nCore
The following table shows features that are fully functional but whose performance is not substantially improved in this release. NetScaler Features that Are Unchanged or Somewhat Improved in NetScaler 9.1 nCore
Category Networking Feature Support for IPv6, as described in the IP Version 6 chapter in the Citrix NetScaler Networking Guide. Support for Link Aggregation, as described in the Configuring Link Aggregation chapter in the Citrix NetScaler Networking Guide. Infrastructure Authentication, Authorization, and Auditing (AAA), as described in the Citrix Access Gateway Enterprise Edition Administrators Guide. Access Gateway Enterprise Edition, as described in the Citrix Access Gateway Enterprise Edition Administrators Guide. Integrated Caching, as described in the Integrated Caching chapter in the Citrix NetScaler Application Optimization Guide. Maximum Client parameter

Access Gateway

Caching

Load Balancing, Content Switching, Link Load Balancing

10

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

NetScaler Features that Are Unchanged or Somewhat Improved in NetScaler 9.1 nCore
Category Other features that are not throughput intensive Feature Web logs, historical charting, application templates, auditing, role-based access control, and the Xen Desktop wizards.

C HAPTER 4

Known Issues and Workarounds

The following are known issues in this beta release. Where applicable, workarounds are provided. In This Chapter Issues and Workarounds in NetScaler 9.1 nCore Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 nCore Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 VPX Issues and Workarounds in NetScaler 9.1 VPX

Issues and Workarounds in NetScaler 9.1 nCore

This section discusses issues related to installation, traffic management, configuration, and general issues and workarounds.

Installation and Upgrade Issues and Workarounds

Issue 58483. The installation script prompts you to delete the /var directory if additional swap space is required. During installation, you are prompted to delete the /var directory if the swap partition is smaller than 32 GB. If you receive this prompt, do the following: 1. 2. 3. 4. Type N. Save important files in /var to a backup location. Reconfigure the swap partition (and /var). Re-run the installation script.

Important: Do not type Y in response to this prompt before backing up important core and log files in /var. Typing Y deletes the /var directory. Issue 51295. The upgrade script issues error messages regarding invalid variable names.

12

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

You can configure an HTML Injection variable with an invalid name. If you do this, no error message is generated at variable creation time. You will see an error after upgrading if, for example, a filter action uses the variable with the invalid name.

General Issues and Workarounds

Bug 61306. The NetScaler may crash if Selective Acknowledgement (SACK) is enabled and the NetScaler experiences an out-of-memory condition. Issue 61016. Chelsio 1Gb NICs do not advertise link parameters if the link speed is set to 10 or 100 Mbps and duplex is FULL. Workaround: Do one of the following: Disable auto-negotiation of the link partner and set its link parameters to 10/100, Full Duplex. Set the Netscaler port parameters to speed 10/100 duplex AUTO. Set the Netscaler port parameters to speed AUTO duplex FULL. Set the Netscaler port parameters to speed AUTO duplex AUTO.

Issue 61010. In the Monitoring application in the NetScaler GUI, the number of SSL cards is incorrect in the System Overview page. Similarly, the stat ns command will show you incorrect number of SSL cards. Workaround: View the number of SSL cards using the SSL monitoring page or the stat ssl command. Issue 57261. The stat cpu command may not display all CPUs. On a multi-core NetScaler, this command typically displays information for eight different cores. In this release, the information on CPU 0 (the management core) does not appear, and the other CPUs may not be listed in numeric order. Issue 54366. None of the nsapimgr -B commands is supported. These commands are not supported. The following are examples of nsapimgr commands:
nsapimgr -B"call ns_pi_error_show(0x2)" nsapimgr -B"w ldns_use_RR 2"

Issue 54112. The same pages can be selected multiple times during memory recovery, leading to failure of the memory recovery. This issue typically occurs after a surge if there were long-lived connections or object scattered across pages in the connection pool before the surge. Issue 48907. NetScaler online help does not work in a Safari browser running on Windows.

Known Issues and Workarounds

13

If you access a help topic from a configuration utility pane or dialog box, you may receive a 404 (file not found) error. You may also be unable to access the help Table of Contents. The work-around is to use another Windows-based browser.

Traffic Management Issues and Workarounds

The following are issues in load balancing, link load balancing, content switching, and service monitoring. Issue 59391. For any configured load balancing method, if a load monitor is bound to a service and if the monitor probes fail or the monitor threshold is reached, the service is excluded from load balancing. If the probes fail for all the services bound to the vserver, the vserver sends a 500 error response despite the state of the services. Issue 57309. When you add a service having an IPv6 address, the service remains in the UP state even if you do not enable the USNIP mode. This is because the concept of MIP IPv6 addresses does not exist in the NetScaler operating system, and therefore, the NetScaler looks for SNIP IPv6 addresses irrespective of the state of the USNIP mode. Issue 56915: Link load balancing persistency is not working. You cannot configure link load balancing persistency in this release.

Other Configuration Issues and Workarounds

Issue 61331. If the certificate-key pair of a transparent service is updated, the service is displayed as DOWN. To display the service as UP, unbind and re-bind the monitor to the service. Issue 61063. When using the configuration utility to create an SSL key or certificate, a high availability master may cause a failover. Workaround: Create the DH key by using the command-line interface. Issue 60980. The default value for the useproxyport parameter is YES, which enables the NetScaler to use the proxy port to connect to the server when use source IP address (USIP) is enabled. To use the client port to connect to the server when USIP is enabled, set the useproxyport parameter to NO. Issue 60838. If a cipher or certificate-key pair on a vserver or a service of type SSL is modified when the SSL traffic is flowing through the vserver or service, the NetScaler Packet Engine may fail because of memory corruption. Issue 60173. The Open Shortest Path First (OSPF) Version 3 dynamic routing protocol is not supported on the NetScaler nCore platform. Issue 59735. The show cache object locator locator_id command does not display the object properties.

14

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

Issue 56952. If multiple instances of a dynamic service exist on different packet engines, and the sh service -a command is run at the NetScaler command prompt, every instance of the dynamic service is displayed. Issue 57309. IPv6 service remains in an UP state. When you add a service of type IPv6, the service remains in an UP state even if you do not enable USNIP mode. This is because the concept of MIP IPv6 addresses does not exist in NetScaler and therefore, the NetScaler looks for SNIP IPv6 addresses irrespective of the state of the USNIP mode. Issue 55682. Advertising full duplex from the Netscaler results in incorrect duplex setting on the peer. In a NetScaler topology, you can set a speed and a duplex mode, as in the following example:
set interface 1/4 -speed 10 -duplex full -flowcontrol RXTX

However, if you configure the NetScaler to advertise a 10Mbps full-duplex mode interface, a peer device that advertises 10Mbps auto-duplex mode may not recognize and implement the correct duplex setting. The same problem can occur when the Netscaler advertises 100Mbps. This issue has been seen on the following platforms, which use Chelsio 1G cards: NetScaler 15000: eight 1G interfaces NetScaler 17000 (28G): eight 1G interfaces

Issue 55119. The CPU, Memory, Throughput, HTTP Requests, and System Events statistics on the Monitoring tab are not present in this Beta release. These options have been temporarily removed. Issue 54839. Chelsio drivers do not automatically negotiate flow control parameters. Ordinarily, when there is congestion on the Ethernet between the NetScaler and a peer device, flow control functionality stops packet transmission from the NetScaler. However, with the interface cards used in the following NetScaler models, you must manually activate flow control on the NetScaler and its peer device: NetScaler 12000: two 10G interfaces NetScaler 15000: two 10G interfaces and eight 1G interface NetScaler 17000 (28G): two 10G interfaces and eight 1G interfaces NetScaler 17000 (40G): four 1G interfaces

The following command establishes flow control:

set interface interface_name -flowcontrol OFF|RX|TX|RXTX

Known Issues and Workarounds

15

Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 nCore
Issue 60249. Binding a responder policy to a content switching vserver produces a different result in NetScaler versions 9.0.x and later than in 8.x versions. In NetScaler 9.0 and later versions, evaluation occurs as follows: Content switching policies are evaluated before other policies. If a content switching policy evaluates to TRUE, the target load balancing vserver is selected and any responder policies that are bound to the target vserver are evaluated. If all content switching policies evaluate to FALSE, the default load balancing vserver under the content switching VIP is selected, and responder policies that are bound to the default load balancing vserver are evaluated.

After a target load balancing vserver is selected by the content switching process, responder policies are evaluated in the following order: 1. 2. 3. 4. Responder policies that are bound to the global override bind point. Responder policies that are bound to the default load balancing vserver. Responder policies that are bound to the target content switching vserver. Responder policies that are bound to the global default bind point.

To be sure that the policies are evaluated in the intended order, follow these guidelines: Make sure that the default load balancing vserver is not directly reachable from the outside; for example, the vserver IP address can be 0.0.0.0. To prevent exposing internal data on the load balancing default vserver, configure a responder policy to respond with a 503 Service Unavailable status and bind it to the default load balancing vserver.

The following is an example of a default load balancing vserver that is bound to a content switching VIP named cs-vserver.
add lb vserver "default-lb-vserver" HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 bind lb vserver "default-lb-vserver" svc1 bind cs vserver "cs-vserver" "default-lb-vserver"

The following is a responder policy that returns a 503 Service Unavailable status message when there are no matching responder policies. This policy is bound to the default load balancing vserver.

16

Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes

add responder action "service-unavailable-action" respondwith q{"HTTP/1.1 503 Service Unavailable\r\nContentLength:62\r\nConnection: close\r\n\r\n<html><body><b>Http/1.1 Service Unavailable</b></body> </html>"} add responder policy "service-unavailable-policy" "true" "serviceunavailable-action" bind lb vserver "default-lb-vserver" -policyName "serviceunavailable-policy" -priority 1 -gotoPriorityExpression END

Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 VPX
Issue 61269. If the state of an HTTP monitor is UNKNOWN, the service is displayed as DOWN. Issue 61268. On a TCP content switching vserver, if you configure advanced Content Switching policies, a stat cs vserver vip command always returns 0 requests per second. HTTP-based content switching vservers are not affected. Issue 61337. In a load balancing setup for FTP traffic, if the use source IP address (USIP) and the -useproxyport parameter are configured on a service with a port range from 1025 through 1030, the NetScaler sends a Service Unavailable error when the active FTP session is established. Issue 61020. An SNMP multi varbind GET-NEXT REQUEST yields incomplete response from the NetScaler. Issue 60972. The NetScaler may fail when a large number of entities are configured on a NetScaler 7000 platform. Issue 60172. If a secure parameter value is configured as YES for the remote procedure call (RPC) nodes of the GSLB sites, and GSLB synchronization is initiated on the GSLB sites involved in the configuration, the synchronization fails with an error.

Issues and Workarounds in NetScaler 9.1 VPX

Issue (no number). The Documentation tab in the configuration utility lists several Quick Start guides that describe the hardware version of the NetScaler. These guides are not applicable to the NetScaler VPX.