Citrix NetScaler

How to telnet from the NetScaler Access Gateway SNIP to your Citrix STA and verify the firewall port is open

If you’re troubleshooting a Citrix NetScaler Access Gateway and attempt to telnet from the NetScaler via a PuTTY session to an STA/XenApp server, you’ll notice that more than likely nothing will connect and it will eventually time out. This is because by default telnet is established from the NSIP. Telnet is a management function, and almost all management functions are on the NSIP. You need to telnet from the SNIP instead.

The quick solution is to forgo telnet altogether. Instead, create a Service under Load Balancing on the STA port you are troubleshooting:

- Service Name = porttest
- Protocol = HTTP (but you can use TCP too)
- Port = the port you’re trying to test
- Server = the IP address of the server you’re trying to hit


For this article I’ve created 4 porttest services to test ports 80, 8080, 443, and 1494. I can see only 1494 is responding, meaning there is likely a firewall blocking me on the other ports or a misconfiguration on the back-end XenApp servers:

If you click on the Service, you can see more good troubleshooting info on the attempted connections:

A success –

vs. a fail –

If you realize your STA and XML port are failing, then it’s time to gather additional information to prove exactly what is going on. PuTTY into your NetScaler and enter the shell.


Then type:

nstcpdump.sh -ne host <server IP> and tcp port <port>

Substitute your server IP and the XML port for the placeholders above. In my case I’m testing port 8080, and as you can see from the result below, my SNIP keeps trying to talk to the XenApp/STA server on port 8080 but never gets a response back. The caret (>) shows the direction of the communication. The IP on the left is always the SNIP, and the IP on the right on port 8080 is my STA:


Once you open up the firewall port, communication becomes bi-directional and it will look more like this. You can see the IPs will swap back and forth and port 8080 is moving from side to side (source to destination and destination to source) meaning they are talking now:

Once you check your Service again it should say UP now:

Hope this helps! 🙂
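The one-way versus two-way reading of the capture described above can be automated when the nstcpdump.sh output is saved as text. This is an added example, not code from the original article; it assumes the tcpdump text format that prints "Flags [S]", and the sample lines, 192.0.2.x addresses and MAC addresses are constructed. It goes one step beyond the article by separating silence (packets dropped) from RST replies (server reachable, nothing listening on the port).

```python
import re
from collections import Counter

# "src_ip.src_port > dst_ip.dst_port:" as printed by tcpdump -n. With -e the MAC
# addresses come first and also contain " > ", so match dotted IPv4.port only.
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
FLAGS = re.compile(r"Flags \[([^\]]*)\]")  # assumed flag notation, e.g. [S], [S.], [R.]

def classify(lines, server_ip, port):
    """Return (verdict, counts) for captured traffic to and from server_ip:port."""
    counts = Counter()
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dst == server_ip and dport == port:
            counts["to_server"] += 1
        elif src == server_ip and sport == port:
            counts["from_server"] += 1
            f = FLAGS.search(line)
            if f and "R" in f.group(1):
                counts["rst"] += 1
    if counts["to_server"] == 0:
        verdict = "no-probe-seen"   # capture filter or Service is not hitting this port
    elif counts["from_server"] == 0:
        verdict = "no-reply"        # one-way traffic: firewall drop or host down
    elif counts["rst"] == counts["from_server"]:
        verdict = "refused"         # server answers, but nothing listens on the port
    else:
        verdict = "bidirectional"   # both sides are talking
    return verdict, dict(counts)

# Constructed sample captures (SNIP 192.0.2.10, STA 192.0.2.50, port 8080).
ETH = "00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: "
SYN = "192.0.2.10.41022 > 192.0.2.50.8080: Flags [S], seq 1000, win 8190, length 0"
BLOCKED = [f"10:15:0{i}.000001 {ETH}{SYN}" for i in (1, 4, 9)]
OPEN = [f"10:20:01.000001 {ETH}{SYN}",
        f"10:20:01.000400 {ETH}192.0.2.50.8080 > 192.0.2.10.41022: Flags [S.], seq 5000, ack 1001, win 8192, length 0",
        f"10:20:01.000500 {ETH}192.0.2.10.41022 > 192.0.2.50.8080: Flags [.], ack 5001, win 8190, length 0"]
REFUSED = [f"10:25:01.000001 {ETH}{SYN}",
           f"10:25:01.000300 {ETH}192.0.2.50.8080 > 192.0.2.10.41022: Flags [R.], seq 0, ack 1001, win 0, length 0"]

if __name__ == "__main__":
    for name, cap in (("blocked", BLOCKED), ("open", OPEN), ("refused", REFUSED)):
        print(name, classify(cap, "192.0.2.50", 8080))
```

A "no-reply" verdict matches the blocked-firewall capture described in the article; "refused" points at the back-end server rather than the firewall.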


JasonSamuel.com was launched in 2008 as a platform to give back to the IT community by sharing knowledge and expertise. Over the years, it has become a trusted global resource for the latest insights, how-to guides, and thought leadership on enterprise mobility, security, virtualization, cloud architecture, automation, and other cutting-edge technologies. Today, it serves as a go-to reference hub for IT professionals, attracting hundreds of thousands of unique visitors from around the world each month. Learn more on the About Me page.
Copyright © 2008-2025 JasonSamuel.com
