
SUM410-Getting The Best Performance With Citrix NetScaler

The document discusses performance enhancing features and settings for Citrix NetScaler including SSL offloading, compression, caching, and TCP session management. It provides examples of how these features can improve performance and response times when used individually and together. Common troubleshooting tools for NetScaler like NSCONMSG are also covered.

Uploaded by

Satish Singh

SUM410

Getting the Best Performance with Citrix NetScaler

Edward Targonski

May 2013

Agenda

• NetScaler Model and Network Deployment Options
• Performance Enhancing Features
• Commonly Used Troubleshooting Tools and Commands
• Questions?
• Conclusion

© 2013 Citrix
NetScaler Models

• NetScaler MPX
• NetScaler VPX
• NetScaler SDX

Differences Between MPX and VPX

• Three main differences exist between MPX and VPX:
ᵒ System capacity
ᵒ Performance
ᵒ Tagged VLAN Configuration
• NetScaler VPX system capacity:
ᵒ No hardware SSL acceleration
ᵒ Processing not offloaded to dedicated silicon

When to Use Which?

NetScaler Appliances
• Gig+ performance
• High volume SSL Offload
• >100 SSL VPN CCUs
• FIPS requirements
• Physical device security

NetScaler VPX
• Labs/test environments
• Development environments
• “Datacenter-in-a-box”
• CPU-intensive workloads
• Frequently moved apps
• Fast/remote deployment

NetScaler SDX

• Instances, not partitions
• Complete CPU isolation
• Complete memory isolation
• Version independence
• High availability independence
• Lifecycle independence

Network Topologies
One-Armed

If you are able to, one-armed topologies are the preferred method of deploying NetScaler in most environments.

Network Topologies
Two-Armed

[Diagram: traffic flow between the Public/Front VLAN and the Private/Server VLAN: 1. User Request, 2. User Request, 3. Response, 4. Response]

The most common implementation of a two-armed topology is when a NetScaler replaces another legacy two-armed device in a network.

Performance Enhancing Features and Settings

TCP Connection without NetScaler

[Sequence diagram, Client and Server: SYN, SYN+ACK, ACK, GET, Data, Data, Data, FIN, ACK, FIN, ACK]

• Server allocates storage for connection
• Server sees eleven packets
• Server de-allocates storage for the connection

Transaction with NetScaler

[Sequence diagram, Client, NetScaler and Server. Client side: SYN, SYN+ACK, ACK, GET, Data, Data, Data, FIN, ACK, FIN, ACK. Server side: GET, Data, Data, Data]

• Server sees four packets

Global Performance Settings
Global Settings

• Surge Protection

• Path MTU discovery

HTTP Parameters
• Client IP Insertion
• Cookie Version
• Requests/Responses:
ᵒ Drop invalid HTTP requests
ᵒ Mark CONNECT request as invalid
ᵒ Mark HTTP/0.9 request as invalid
ᵒ Log HTTP error responses
• Server Header Insertion

TCP Parameters

• Window Scaling

• Selective Acknowledgments

• Nagle’s Algorithm

• SYN Attack Detection

Performance Enhancing Features

Citrix Confidential - Do Not Distribute


Performance Enhancing Features – SSL Offload

• Reduce Server Load
• Higher TPS
• Central Certificate Management
• Central Cipher Management

Advanced Optimization: SSL Offload

• In end-to-end, use low-level ciphers in NS-to-service communication
• Cipher selection depends on client needs and security considerations
• Can be combined with IC (Integrated Caching) and Compression for maximum impact

Performance Enhancing Features – Compression

• Faster response
• Fewer bytes on-wire
• Better response for low-bandwidth clients
• Policy-based rules

Compression

• NetScaler supports various ways of compressing traffic
• HTTP traffic can easily be compressed by NetScaler
ᵒ Less work for the web server
ᵒ Client can understand and de-compress (Accept-Encoding header)
• Compression governed via policies
• Preconfigured policies exist

Performance Enhancing Features – Caching

• Reduce server load
• Faster response
• Policy-based controls

Advanced Optimization: Caching
• Use Content-Group settings to optimize for min/max content size, or overall number of hits.
• Use parameterization to optimize cache retrieval or invalidation.
• Prioritize NO_CACHE policies before CACHE policies
• Use multiple Content-Groups to allow for specific cache-clearing

Performance Enhancing Features – TCP Session Management

• Reduce server load
• Faster server response
• Full Traffic Optimization and Traffic Security Feature Sets

Results of Performance Enhancing Feature Configuration

Standard HTTP Load Balancing
“Sharepoint” SSL+HTTP Load Balancing Configuration

• SSL Handling on Servers

Doc. Size       Baseline
987 kB .doc     16.34s
5.29 MB .doc    89.86s
1.75 MB .pdf    28.62s
5.10 MB .pdf    80.28s

*Times based on 1.5mbps connection with 0.7% packet loss.

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235

SSL-Offloaded HTTP Load Balancing
SSL-Offload + Compression Load Balancing Configuration

• SSL Handling on NetScaler
• Static/Dynamic content compressed
• Servers configured as plaintext HTTP

Doc. Size       Baseline    SSL Offload + Compress
987 kB .doc     16.34s      12.29s
5.29 MB .doc    89.86s      56.20s
1.75 MB .pdf    28.62s      18.87s
5.10 MB .pdf    80.28s      70.36s

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235

SSL-Offload + Cmp + Caching HTTP Load Balancing
SSL offload + Compression + Integrated Caching Load Balancing Configuration

• SSL Handling on NetScaler + Compression with Integrated Caching

Doc. Size       Baseline    SSL Offload + Compress    Caching
987 kB .doc     16.34s      12.29s                    8.62s
5.29 MB .doc    89.86s      56.20s                    42.78s
1.75 MB .pdf    28.62s      18.87s                    14.51s
5.10 MB .pdf    80.28s      70.36s                    60s

*Cache object max. limit set to 10MB

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235

Troubleshooting Tools and Commands
NSCONMSG

• Primary tool for detailed analysis
• NetScaler logs all statistics every 7 seconds
• Uses logs from /var/nslog
• Logfiles are gzipped (use zcat)
• Some stats now available via GUI (System > Diagnostics)

NSCONMSG – Examples
Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -g ssl_err -d stats

-K newnslog    Current logfile
-g ssl_err     Grep for ‘ssl_err’
-d stats       View initial statistics

Displaying current counter value information
NetScaler V20 Performance Data
NetScaler NS9.3: Build 57.53.nc, Date: Jul 20 2012, 07:26:39

reltime:mili second between two records Fri Feb 5 10:31:31 2010
Index reltime counter-value symbol-name&device-no
0 0 0 ssl_err_ssl3_badversion
1 0 0 ssl_err_cavium_random_seed_failed
2 0 0 ssl_err_ubsec_card_reset
3 0 0 ssl_err_ssl3_send_server_hello
4 0 0 ssl_err_ssl3_send_server_certificate
5 0 0 ssl_err_ssl3_send_server_key_exchange
6 0 0 ssl_err_ssl3_send_certificate_request
7 0 0 ssl_err_ssl3_send_server_done

NSCONMSG – Examples
Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -s disptime=1 -g ssl_err_ssl3 -d current

-s disptime=1    View timestamps
-d current       View historic statistics

Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
108 0 78 1 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:06 2010
109 14000 11 2 0 ssl_error_cvm_bad_record Fri Feb 5 12:01:20 2010
110 7000 79 1 0 ssl_err_ssl3_badversion Fri Feb 5 12:01:27 2010
111 0 79 1 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:27 2010
112 28000 81 2 0 ssl_err_ssl3_badversion Fri Feb 5 12:01:55 2010
113 0 81 2 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:55 2010
114 7000 83 2 0 ssl_err_ssl3_badversion Fri Feb 5 12:02:02 2010

NSCONMSG – Examples
Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -s csv=1 -g ssl_err_ssl3_badversion -d current > sslv3.csv

-s csv=1                      Output to csv
-g ssl_err_ssl3_badversion    Grep specific counter
> sslv3.csv                   Write to file

NSCONMSG – Examples
Checking for distribution and performance

nsconmsg -K newnslog -s ConLb=3 -d distrconmsg

VIP(1.1.1.1:636:UP:WEIGHTEDRR): Hits(2506) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
S(1.1.1.100:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%)
S(1.1.1.101:636:UP) Hits(836:33%) PHits(0:0%) LbHits(836:100%)
S(1.1.1.102:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%)
VIP(2.2.2.2:389:UP:WEIGHTEDRR): Hits(6) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
S(2.2.2.100:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
S(2.2.2.101:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
S(2.2.2.102:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
VIP(3.3.3.3:123:UP:WEIGHTEDRR): Hits(180) Pers(SOURCEIP) PersHits(180:100%) Err(0:0%) Ovrride(0:0%)
S(3.3.3.100:123:UP) Hits(42:23%) PHits(42:100%) LbHits(0:0%)
S(3.3.3.101:123:UP) Hits(49:27%) PHits(49:100%) LbHits(0:0%)
S(3.3.3.102:123:UP) Hits(46:25%) PHits(46:100%) LbHits(0:0%)
S(3.3.3.103:123:UP) Hits(43:23%) PHits(43:100%) LbHits(0:0%)

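An added example (not part of the original deck): a Python check over the `distrconmsg` output format shown above that groups services under their VIP and reports VIP errors, services not in the UP state, and a service taking a disproportionate share of hits. The 10.0.0.1 block is constructed for illustration, and the function names, the 25% skew threshold and the equal-weight assumption belong to this example.

```python
import re

# Constructed sample: 3.3.3.3 block copied from the output above; 10.0.0.1 block is invented.
SAMPLE = """\
VIP(3.3.3.3:123:UP:WEIGHTEDRR): Hits(180) Pers(SOURCEIP) PersHits(180:100%) Err(0:0%)
Ovrride(0:0%)
S(3.3.3.100:123:UP) Hits(42:23%) PHits(42:100%) LbHits(0:0%)
S(3.3.3.101:123:UP) Hits(49:27%) PHits(49:100%) LbHits(0:0%)
S(3.3.3.102:123:UP) Hits(46:25%) PHits(46:100%) LbHits(0:0%)
S(3.3.3.103:123:UP) Hits(43:23%) PHits(43:100%) LbHits(0:0%)
VIP(10.0.0.1:443:UP:WEIGHTEDRR): Hits(1000) Pers(OFF) PersHits(0:0%) Err(40:4%) Ovrride(0:0%)
S(10.0.0.11:443:UP) Hits(700:70%) PHits(0:0%) LbHits(700:100%)
S(10.0.0.12:443:UP) Hits(150:15%) PHits(0:0%) LbHits(150:100%)
S(10.0.0.13:443:UP) Hits(150:15%) PHits(0:0%) LbHits(150:100%)
"""

VIP = re.compile(r"VIP\((?P<ip>[\d.]+):(?P<port>\d+):(?P<state>\w+):(?P<method>\w+)\):\s+"
                 r"Hits\((?P<hits>\d+)\)\s+Pers\((?P<pers>\w+)\).*?Err\((?P<err>\d+):")
SVC = re.compile(r"S\((?P<ip>[\d.]+):(?P<port>\d+):(?P<state>\w+)\)\s+Hits\((?P<hits>\d+):")

def parse(text):
    """Group each S(...) line under the VIP(...) line that precedes it."""
    vips = []
    for line in map(str.strip, text.splitlines()):
        if m := VIP.match(line):
            vips.append({**m.groupdict(), "hits": int(m["hits"]), "err": int(m["err"]), "services": []})
        elif (m := SVC.match(line)) and vips:
            vips[-1]["services"].append({**m.groupdict(), "hits": int(m["hits"])})
    return vips

def findings(vips, skew=0.25):
    """(vip, kind, detail) for VIP errors, non-UP services and uneven distribution.
    Assumes equal service weights, so an even split is the expected share."""
    out = []
    for v in vips:
        vip = f"{v['ip']}:{v['port']}"
        if v["err"]:
            out.append((vip, "errors", v["err"]))
        out += [(vip, "not-up", s["ip"]) for s in v["services"] if s["state"] != "UP"]
        up = [s for s in v["services"] if s["state"] == "UP"]
        total = sum(s["hits"] for s in up)
        busiest = max(up, key=lambda s: s["hits"], default=None)
        if len(up) > 1 and busiest["hits"] > (total / len(up)) * (1 + skew):
            out.append((vip, "skew", busiest["ip"]))
    return out

if __name__ == "__main__":
    for finding in findings(parse(SAMPLE)):
        print(*finding)
```

With persistence enabled (as on the 3.3.3.3 VIP), the hit share reflects where clients are pinned rather than the load-balancing method, so a skew finding there points at client distribution.
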
NSCONMSG – Examples
Checking for distribution and performance

nsconmsg -K newnslog -s ConLb=3 -d oldconmsg

current time is Thu Apr 8 14:45:28 2010
-------------------------------------------------------
NATSession : Free(19644)A(21845)InUse(2201)
NATSession: Cur(Tcp[194] Udp[2007] Icmp[0] Other[0])
NATSession: Op/s(Tcp[3] Udp[436] Icmp[1] Other[0])
Session: A:9187 F:4604 IUse:4583 SEs: SIP:4582 C:0 SSL:0 Svr:1 UserId:0 SIPDIP:0 DIP:0 SO:0
SSF: Conn (Srvr 0 Clnt 1) U:0
CM: Conn (Srvr 0 Clnt 1) Sessions PCB 0 NATPCB 0
Z(SIP[68307], C[0], SSL[0] Server[22] SIPDIP[0] DIP[0] SO[0])
Mon: Probes: 24303862, Failed: 3757181

NSCONMSG – Examples
Checking for distribution and performance

nsconmsg -K newnslog -s Con???=3 -d oldconmsg

ConDebug - Debugging
ConLb - Load Balancing
ConMon - Monitoring Probes
ConMEM - Memory Management
ConCSW - Content Switching
ConSSL - SSL Offload
ConCMP - Compression
ConIC - Integrated Caching

nstrace.sh

• Nstrace supports filtering beginning in 9.x

nstrace -size 0 -filter "SOURCEIP == 10.1.2.3 && SOURCEPORT == 8080" -link ENABLE

-size 0          Packet-size limit
-filter "..."    Filters in standard Booleans; NS policy format supported!
-link ENABLE     Automatically capture linked client/server connections

Filter on:
• SOURCEIP
• SOURCEPORT
• DESTIP
• DESTPORT
• SVCNAME
• VSVRNAME
• STATE

http://support.citrix.com/article/ctx121166

Wireshark

• nstrace files now officially supported in Wireshark!
• Available in latest Stable release
• Includes ns.pdevno and ns.l_pdevno filtering

Citrix AutoSupport
Introduction
Citrix AutoSupport Analysis

Graph Generated by AutoSupport Tools

Resources

• NetScaler HTTP Profiles
• NetScaler TCP Profiles
• Tune NetScaler TCP Stack
• NetScaler Advanced SSL Settings
• Nsconmsg to Excel Tool
• NetScaler SSL Offload

Resource – 2

• NetScaler Integrated Caching
• NetScaler Compression
• NetScaler CPU Profiling
• Citrix AutoSupport (TaaS)
• NetScaler Datasheet - Models and Specs
• Citrix Application Optimization for MOSS 2007 Performance Assessment

Conclusion

Question

Before you leave…

• Conference surveys are available online at www.citrixsynergy.com starting Friday, May 24 at 9:00 a.m. PT
ᵒ Provide your feedback by 4:00 p.m. PT that day and you’ll receive a $30 Amazon.com gift card via email
• Download presentations starting Monday, June 3, from your My Conference Planning tool located within the My Account section

Work better. Live better.
