Connect with us

Hi, what are you looking for?

Citrix NetScaler

How to telnet from the Netscaler Access Gateway SNIP to your Citrix STA and verify the firewall port is open

Published

If you’re trying to troubleshoot a Citrix Netscaler Access Gateway and attempt to telnet from the Netscaler via a Putty session to an STA/XenApp server you’ll notice that more than likely nothing will connect and it will eventually timeout. This is because by default the NSIP is where telnet is being established from. Telnet is a management function and most all management functions are on the NSIP. You need to telnet from the SNIP instead.

The quick solution is to forgo telnet all together. Instead create a Service under Load Balancing on the STA port you are troubleshooting:

-Service Name = porttest
-Protocol = HTTP (but you can use TCP too)
-Port = the port you’re trying to test
-Server = the IP address of the server you’re trying to hit

For this article I’ve created 4 porttest services to test ports 80, 8080, 443, and 1494. I can see only 1494 is responding meaning there is likely a firewall blocking me on the other ports or a misconfiguration on the back end XenApp servers:

2

If you click on the Service, you can see more good troubleshooting info on the attempted connections:

A success –
3

vs. a fail –
4

If you realize your STA and XML port are failing, then it’s time to gather additional information to prove exactly what is going on. Putty into your Netscaler and enter the shell.

Then type:

nstcpdump.sh -ne host and tcp port

Put your server IP and the XML port in where it needs to be above. In my case I’m testing port 8080 and as you can see from the result below, my SNIP keeps trying to talk to the XenApp/STA server on port 8080 but is never getting a response back. The carrot shows the direction of the communication. The IP to the left is all from the SNIP and the IP to the right on port 8080 is my STA:

1

Once you open up the firewall port, communication becomes bi-directional and it will look more like this. You can see the IPs will swap back and forth and port 8080 is moving from side to side (source to destination and destination to source) meaning they are talking now:

5

Once you check your Service again it should say UP now:
6

Hope this helps! 🙂

In this article:, , , , , , , , , , ,
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

How to properly use SSL redirects without getting certificate error messages

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

February 7, 2014

Citrix Workspace

How to use FIDO2 security keys remotely inside a virtual desktop session hundreds of miles away using Citrix HDX USB redirection and Microsoft Azure AD

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

February 7, 2014

Exchange 2003

Microsoft Exchange 2003 spam filtering made easy

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

February 7, 2014

Cloud Design Architecture

Community-driven book available now! Byte-Sized: Cloud design principles and architectural recommendations

The community-driven paperback book initiated by my friends Bas van Kaam and Christiaan Brinkhoff is available for sale on Amazon. If you haven’t picked...

February 7, 2014

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com