Citrix NetScaler 9.1 Classic, 9.1 nCore, and 9.1 VPX Beta
Copyright and Trademark Notice CITRIX SYSTEMS, INC., 2009. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radiofrequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. 
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, 1994. Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. 
All rights reserved. Copyright 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright 1995-1998 Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright 1992. Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright 1991-2, RSA Data Security, Inc. Created 1991. Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 19992001 The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved.
Contents
Chapter 1
Chapter 2
Chapter 3 Limitations
Features Not Supported in NetScaler 9.1 nCore
Supported Features with Unchanged or Moderately Improved Performance in NetScaler 9.1 nCore
Chapter 4
Citrix NetScaler 9.1 Classic, nCore, and VPX Beta Release Notes
Chapter 1
This chapter describes enhancements in the beta releases of NetScaler 9.1, NetScaler 9.1 nCore (which introduces multiple CPU cores for improved performance), and NetScaler 9.1 VPX (which introduces a software-only appliance). These release notes primarily discuss the NetScaler 9.1 nCore software.
Note: You can determine your NetScaler type by looking at the build information in the upper-right corner of the NetScaler browser window, or by issuing the show version command at the command line. The file extension indicates the product type; for example, an nCore NetScaler has a .nc extension and a classic NetScaler has a .cl extension.
In This Chapter
NetScaler 9.1 nCore Enhancements
NetScaler 9.1 VPX Enhancements
NetScaler 9.1 Classic Enhancements
Note: Web logs, historical charting, application templates, auditing, role-based access control, and the Xen Desktop wizards are not throughput-intensive. These features are fully supported in this release, but performance is not a salient factor.
Chapter 2
This chapter describes resolved issues in this beta release of NetScaler 9.1 nCore.
Issue 50153: A Transparent SSL/SSL TCP service can be displayed as down on some of the NetScaler packet engines even if you had bound a certificate. This potentially leads to intermittent failure to establish a connection to the service.
Chapter 3
Limitations
This chapter describes known limitations in NetScaler 9.1 nCore.
In This Chapter
Features Not Supported in NetScaler 9.1 nCore
Supported Features with Unchanged or Moderately Improved Performance in NetScaler 9.1 nCore
Networking
NetScaler Features That Are Not Supported in the 9.1 nCore NetScaler
Category / Feature
System
SureConnect, as described in the SureConnect chapter in the Citrix NetScaler Application Optimization Guide.
Priority Queueing, as described in the Protection Features chapter in the Citrix NetScaler Application Security Guide.
Denial of Service Protection, as described in the Protection Features chapter in the Citrix NetScaler Application Security Guide.
Application Firewall
Infrastructure
No supported features.
AAA for Traffic Management, as described in the Authentication Authorization Auditing (AAA) for Application Traffic chapter in the Citrix NetScaler Security Guide.
Supported Features with Unchanged or Moderately Improved Performance in NetScaler 9.1 nCore
The following table shows features that are fully functional but whose performance is not substantially improved in this release. NetScaler Features that Are Unchanged or Somewhat Improved in NetScaler 9.1 nCore
Category / Feature
Networking
Support for IPv6, as described in the IP Version 6 chapter in the Citrix NetScaler Networking Guide.
Support for Link Aggregation, as described in the Configuring Link Aggregation chapter in the Citrix NetScaler Networking Guide.
Infrastructure
Authentication, Authorization, and Auditing (AAA), as described in the Citrix Access Gateway Enterprise Edition Administrator's Guide.
Access Gateway Enterprise Edition, as described in the Citrix Access Gateway Enterprise Edition Administrator's Guide.
Integrated Caching, as described in the Integrated Caching chapter in the Citrix NetScaler Application Optimization Guide.
Maximum Client parameter
Access Gateway
Caching
NetScaler Features that Are Unchanged or Somewhat Improved in NetScaler 9.1 nCore
Category / Feature
Other features that are not throughput intensive
Web logs, historical charting, application templates, auditing, role-based access control, and the Xen Desktop wizards.
Chapter 4
The following are known issues in this beta release. Where applicable, workarounds are provided.
In This Chapter
Issues and Workarounds in NetScaler 9.1 nCore
Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 nCore
Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 VPX
Issues and Workarounds in NetScaler 9.1 VPX
Important: Do not type Y in response to this prompt before backing up important core and log files in /var. Typing Y deletes the /var directory.
Issue 51295. The upgrade script issues error messages regarding invalid variable names.
You can configure an HTML Injection variable with an invalid name. If you do this, no error message is generated at variable creation time. You will see an error after upgrading if, for example, a filter action uses the variable with the invalid name.
Issue 61010. In the Monitoring application in the NetScaler GUI, the number of SSL cards is incorrect in the System Overview page. Similarly, the stat ns command shows an incorrect number of SSL cards. Workaround: View the number of SSL cards using the SSL monitoring page or the stat ssl command.
Issue 57261. The stat cpu command may not display all CPUs. On a multi-core NetScaler, this command typically displays information for eight different cores. In this release, the information on CPU 0 (the management core) does not appear, and the other CPUs may not be listed in numeric order.
Issue 54366. None of the nsapimgr -B commands is supported. The following are examples of nsapimgr commands:
nsapimgr -B"call ns_pi_error_show(0x2)"
nsapimgr -B"w ldns_use_RR 2"
Issue 54112. The same pages can be selected multiple times during memory recovery, leading to failure of the memory recovery. This issue typically occurs after a surge if there were long-lived connections or objects scattered across pages in the connection pool before the surge.
Issue 48907. NetScaler online help does not work in a Safari browser running on Windows. If you access a help topic from a configuration utility pane or dialog box, you may receive a 404 (file not found) error. You may also be unable to access the help Table of Contents. The workaround is to use another Windows-based browser.
Issue 56952. If multiple instances of a dynamic service exist on different packet engines, and the sh service -a command is run at the NetScaler command prompt, every instance of the dynamic service is displayed.
Issue 57309. IPv6 service remains in an UP state. When you add a service of type IPv6, the service remains in an UP state even if you do not enable USNIP mode. This is because the concept of MIP IPv6 addresses does not exist in NetScaler and therefore, the NetScaler looks for SNIP IPv6 addresses irrespective of the state of the USNIP mode.
Issue 55682. Advertising full duplex from the NetScaler results in an incorrect duplex setting on the peer. In a NetScaler topology, you can set a speed and a duplex mode, as in the following example:
set interface 1/4 -speed 10 -duplex full -flowcontrol RXTX
However, if you configure the NetScaler to advertise a 10Mbps full-duplex mode interface, a peer device that advertises 10Mbps auto-duplex mode may not recognize and implement the correct duplex setting. The same problem can occur when the NetScaler advertises 100Mbps. This issue has been seen on the following platforms, which use Chelsio 1G cards:
NetScaler 15000: eight 1G interfaces
NetScaler 17000 (28G): eight 1G interfaces
Issue 55119. The CPU, Memory, Throughput, HTTP Requests, and System Events statistics on the Monitoring tab are not present in this Beta release. These options have been temporarily removed.
Issue 54839. Chelsio drivers do not automatically negotiate flow control parameters. Ordinarily, when there is congestion on the Ethernet between the NetScaler and a peer device, flow control functionality stops packet transmission from the NetScaler. However, with the interface cards used in the following NetScaler models, you must manually activate flow control on the NetScaler and its peer device:
NetScaler 12000: two 10G interfaces
NetScaler 15000: two 10G interfaces and eight 1G interfaces
NetScaler 17000 (28G): two 10G interfaces and eight 1G interfaces
NetScaler 17000 (40G): four 1G interfaces
Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 nCore
Issue 60249. Binding a responder policy to a content switching vserver produces a different result in NetScaler versions 9.0.x and later than in 8.x versions. In NetScaler 9.0 and later versions, evaluation occurs as follows:
Content switching policies are evaluated before other policies.
If a content switching policy evaluates to TRUE, the target load balancing vserver is selected and any responder policies that are bound to the target vserver are evaluated.
If all content switching policies evaluate to FALSE, the default load balancing vserver under the content switching VIP is selected, and responder policies that are bound to the default load balancing vserver are evaluated.
After a target load balancing vserver is selected by the content switching process, responder policies are evaluated in the following order:
1. Responder policies that are bound to the global override bind point.
2. Responder policies that are bound to the default load balancing vserver.
3. Responder policies that are bound to the target content switching vserver.
4. Responder policies that are bound to the global default bind point.
To be sure that the policies are evaluated in the intended order, follow these guidelines:
Make sure that the default load balancing vserver is not directly reachable from the outside; for example, the vserver IP address can be 0.0.0.0.
To prevent exposing internal data on the load balancing default vserver, configure a responder policy to respond with a 503 Service Unavailable status and bind it to the default load balancing vserver.
The following is an example of a default load balancing vserver that is bound to a content switching VIP named cs-vserver.
add lb vserver "default-lb-vserver" HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
bind lb vserver "default-lb-vserver" svc1
bind cs vserver "cs-vserver" "default-lb-vserver"
The following is a responder policy that returns a 503 Service Unavailable status message when there are no matching responder policies. This policy is bound to the default load balancing vserver.
add responder action "service-unavailable-action" respondwith q{"HTTP/1.1 503 Service Unavailable\r\nContent-Length:62\r\nConnection: close\r\n\r\n<html><body><b>Http/1.1 Service Unavailable</b></body> </html>"}
add responder policy "service-unavailable-policy" "true" "service-unavailable-action"
bind lb vserver "default-lb-vserver" -policyName "service-unavailable-policy" -priority 1 -gotoPriorityExpression END
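
The two guidelines above can be checked against a saved configuration. The following is an added example, not part of the Citrix release notes: it assumes the configuration uses the command forms shown above and treats a bind cs vserver line that names a load balancing vserver without -policyName as the default binding. The function name audit_default_vservers and the sample configuration are constructed for illustration.

```python
import shlex

# Constructed sample configuration, modelled on the commands shown above.
SAMPLE_CONFIG = r'''
add lb vserver "default-lb-vserver" HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add lb vserver "exposed-default" HTTP 192.0.2.10 80
add responder policy "service-unavailable-policy" "true" "service-unavailable-action"
bind lb vserver "default-lb-vserver" svc1
bind lb vserver "default-lb-vserver" -policyName "service-unavailable-policy" -priority 1 -gotoPriorityExpression END
bind cs vserver "cs-vserver" "default-lb-vserver"
bind cs vserver "cs-other" "exposed-default"
'''

def audit_default_vservers(config_text):
    """Return {cs_vserver: [findings]} for each default LB vserver binding."""
    lb_ip = {}                    # LB vserver name -> configured IP address
    responder_policies = set()    # names defined by "add responder policy"
    lb_policies = {}              # LB vserver name -> policy names bound to it
    cs_default = {}               # CS vserver name -> default LB vserver name

    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            continue              # skip lines shlex cannot tokenize
        if tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 6:
            lb_ip[tok[3]] = tok[5]
        elif tok[:3] == ["add", "responder", "policy"] and len(tok) >= 4:
            responder_policies.add(tok[3])
        elif tok[:3] == ["bind", "lb", "vserver"] and "-policyName" in tok:
            i = tok.index("-policyName")
            if i + 1 < len(tok):
                lb_policies.setdefault(tok[3], set()).add(tok[i + 1])
        elif (tok[:3] == ["bind", "cs", "vserver"] and len(tok) >= 5
              and "-policyName" not in tok and not tok[4].startswith("-")):
            cs_default[tok[3]] = tok[4]   # assumption: positional name = default

    report = {}
    for cs, lb in cs_default.items():
        findings = []
        if lb_ip.get(lb) != "0.0.0.0":
            findings.append(f"{lb}: IP is {lb_ip.get(lb)}, expected 0.0.0.0")
        if not lb_policies.get(lb, set()) & responder_policies:
            findings.append(f"{lb}: no responder policy bound")
        report[cs] = findings
    return report

if __name__ == "__main__":
    for cs, findings in audit_default_vservers(SAMPLE_CONFIG).items():
        print(cs, "OK" if not findings else findings)
```
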
Issues and Workarounds Common to NetScaler 9.1 Classic and 9.1 VPX
Issue 61269. If the state of an HTTP monitor is UNKNOWN, the service is displayed as DOWN.
Issue 61268. On a TCP content switching vserver, if you configure advanced Content Switching policies, a stat cs vserver vip command always returns 0 requests per second. HTTP-based content switching vservers are not affected.
Issue 61337. In a load balancing setup for FTP traffic, if the use source IP address (USIP) and the -useproxyport parameter are configured on a service with a port range from 1025 through 1030, the NetScaler sends a Service Unavailable error when the active FTP session is established.
Issue 61020. An SNMP multi varbind GET-NEXT REQUEST yields an incomplete response from the NetScaler.
Issue 60972. The NetScaler may fail when a large number of entities are configured on a NetScaler 7000 platform.
Issue 60172. If a secure parameter value is configured as YES for the remote procedure call (RPC) nodes of the GSLB sites, and GSLB synchronization is initiated on the GSLB sites involved in the configuration, the synchronization fails with an error.