SUM410

Getting the Best Performance with Citrix NetScaler

Edward Targonski

May 2013


Agenda

  • NetScaler Model and Network Deployment Options

  • Performance Enhancing Features

  • Commonly Used Troubleshooting Tools and Commands

  • Questions?

  • Conclusion


NetScaler Models

NetScaler MPX

NetScaler VPX

NetScaler SDX


Differences Between MPX and VPX

  • Three main differences exist between MPX and VPX:

    • System capacity

    • Performance

    • Tagged VLAN Configuration

  • NetScaler VPX system capacity:

    • No hardware SSL acceleration

    • Processing not offloaded to dedicated silicon


When to Use Which?

NetScaler Appliances

NetScaler VPX

  • Gig+ performance

  • High volume SSL Offload

  • >100 SSL VPN CCUs

  • FIPS requirements

  • Physical device security

  • Labs/test environments

  • Development environments

  • “Datacenter-in-a-box”

  • CPU-intensive workloads

  • Frequently moved apps

  • Fast/remote deployment


NetScaler SDX

Instances, not partitions

Complete CPU isolation

Complete memory isolation

Version independence

High availability independence

Lifecycle independence


Network Topologies: One-Armed

Where the network allows it, a one-armed topology is the preferred way to deploy NetScaler in most environments.


Network Topologies: Two-Armed

The most common use of a two-armed topology is when a NetScaler replaces a legacy two-armed device in a network.


Performance Enhancing Features and Settings


TCP Connection without NetScaler

[Diagram: packet exchange between Client and Server (SYN, SYN+ACK, ACK, GET, Data, FIN)]

Server allocates storage for connection

Server sees eleven packets

Server de-allocates storage for the connection


Transaction with NetScaler

[Diagram: packet exchange between Client, NetScaler and Server (SYN, SYN+ACK, ACK, GET, Data, FIN)]

Server sees four packets


Global Performance Settings


Global Settings

  • Surge Protection

  • Path MTU discovery


HTTP Parameters

  • Client IP Insertion

  • Cookie Version

  • Requests/Responses:

    • Drop invalid HTTP requests

    • Mark CONNECT request as invalid

    • Mark HTTP/0.9 request as invalid

    • Log HTTP error responses

  • Server Header Insertion


TCP Parameters

  • Window Scaling

  • Selective Acknowledgments

  • Nagle’s Algorithm

  • SYN Attack Detection


Performance Enhancing Features

  • Compression

  • SSL Offload

  • Caching

  • TCP Session Management

Citrix Confidential - Do Not Distribute


Performance Enhancing Features – SSL Offload

  • Reduce Server Load

  • Higher TPS

  • Central Certificate Management

  • Central Cipher Management


Advanced Optimization: SSL Offload

  • In end-to-end SSL configurations, use low-level ciphers for NetScaler-to-service communication

  • Cipher selection depends on client needs and security considerations

  • Can be combined with Integrated Caching (IC) and Compression for maximum impact


Performance Enhancing Features – Compression

  • Faster response

  • Fewer bytes on-wire

  • Better response for low-bandwidth clients

  • Policy-based rules


Compression

  • NetScaler supports various ways of compressing traffic

  • HTTP traffic can easily be compressed by NetScaler

    • Less work for the web server

    • Client can understand and de-compress (accept-encoding header)

  • Compression governed via policies

  • Preconfigured policies exist


Performance Enhancing Features – Caching

  • Reduce server load

  • Faster response

  • Policy-based controls


Advanced Optimization: Caching

  • Use Content-Group settings to optimize for min/max content size, or overall number of hits.

  • Use parameterization to optimize cache retrieval or invalidation.

  • Prioritize NO_CACHE policies before CACHE policies

  • Use multiple Content-Groups to allow for specific cache-clearing


Performance Enhancing Features – TCP Session Management

  • Reduce server load

  • Faster server response

  • Full Traffic Optimization and Traffic Security Feature Sets


Results of Performance Enhancing Feature Configuration


Standard HTTP Load Balancing

“Sharepoint” SSL+HTTP Load Balancing Configuration

SSL Handling on Servers

*Times based on 1.5 Mbps connection with 0.7% packet loss.

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235


SSL-Offloaded HTTP Load Balancing

SSL-Offload + Compression Load Balancing Configuration

SSL Handling on NetScaler

Static/Dynamic content compressed

Servers configured as plaintext HTTP

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235


SSL-Offload + Cmp + Caching HTTP Load Balancing

SSL Offload + Compression + Integrated Caching Load Balancing Configuration

SSL Handling on NetScaler + Compression with Integrated Caching

*Cache object max. limit set to 10MB

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235


Troubleshooting Tools and Commands


NSCONMSG

  • Primary tool for detailed analysis

  • NetScaler logs all statistics every 7 seconds

  • Uses logs from /var/nslog

  • Logfiles are gzipped (use zcat)

  • Some stats now available via GUI (System > Diagnostics)


NSCONMSG – Examples

Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -g ssl_err -d stats

  • -K newnslog: current logfile

  • -g ssl_err: grep for ‘ssl_err’

  • -d stats: view initial statistics

    Displaying current counter value information
    NetScaler V20 Performance Data
    NetScaler NS9.3: Build 57.53.nc, Date: Jul 20 2012, 07:26:39
    reltime:mili second between two records Fri Feb 5 10:31:31 2010
    Index reltime counter-value symbol-name&device-no
    0 0 0 ssl_err_ssl3_badversion
    1 0 0 ssl_err_cavium_random_seed_failed
    2 0 0 ssl_err_ubsec_card_reset
    3 0 0 ssl_err_ssl3_send_server_hello
    4 0 0 ssl_err_ssl3_send_server_certificate
    5 0 0 ssl_err_ssl3_send_server_key_exchange
    6 0 0 ssl_err_ssl3_send_certificate_request
    7 0 0 ssl_err_ssl3_send_server_done


NSCONMSG – Examples

Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -s disptime=1 -g ssl_err_ssl3 -d current

  • -s disptime=1: view timestamps

  • -d current: view historic statistics

    Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
    108 0 78 1 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:06 2010
    109 14000 11 2 0 ssl_error_cvm_bad_record Fri Feb 5 12:01:20 2010
    110 7000 79 1 0 ssl_err_ssl3_badversion Fri Feb 5 12:01:27 2010
    111 0 79 1 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:27 2010
    112 28000 81 2 0 ssl_err_ssl3_badversion Fri Feb 5 12:01:55 2010
    113 0 81 2 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:55 2010
    114 7000 83 2 0 ssl_err_ssl3_badversion Fri Feb 5 12:02:02 2010


NSCONMSG – Examples

Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -s csv=1 -g ssl_err_ssl3_badversion -d current > sslv3.csv

  • -s csv=1: output to csv

  • -g ssl_err_ssl3_badversion: grep specific counter

  • > sslv3.csv: write to file


NSCONMSG – Examples

Checking for distribution and performance

nsconmsg -K newnslog -s ConLb=3 -d distrconmsg

    VIP(1.1.1.1:636:UP:WEIGHTEDRR): Hits(2506) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
    S(1.1.1.100:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%)
    S(1.1.1.101:636:UP) Hits(836:33%) PHits(0:0%) LbHits(836:100%)
    S(1.1.1.102:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%)
    VIP(2.2.2.2:389:UP:WEIGHTEDRR): Hits(6) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
    S(2.2.2.100:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
    S(2.2.2.101:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
    S(2.2.2.102:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
    VIP(3.3.3.3:123:UP:WEIGHTEDRR): Hits(180) Pers(SOURCEIP) PersHits(180:100%) Err(0:0%) Ovrride(0:0%)
    S(3.3.3.100:123:UP) Hits(42:23%) PHits(42:100%) LbHits(0:0%)
    S(3.3.3.101:123:UP) Hits(49:27%) PHits(49:100%) LbHits(0:0%)
    S(3.3.3.102:123:UP) Hits(46:25%) PHits(46:100%) LbHits(0:0%)
    S(3.3.3.103:123:UP) Hits(43:23%) PHits(43:100%) LbHits(0:0%)


NSCONMSG – Examples

Checking for distribution and performance

nsconmsg -K newnslog -s ConLb=3 -d oldconmsg

    current time is Thu Apr 8 14:45:28 2010
    -------------------------------------------------------
    NATSession : Free(19644)A(21845)InUse(2201)
    NATSession: Cur(Tcp[194] Udp[2007] Icmp[0] Other[0])
    NATSession: Op/s(Tcp[3] Udp[436] Icmp[1] Other[0])
    Session: A:9187 F:4604 IUse:4583 SEs: SIP:4582 C:0 SSL:0 Svr:1 UserId:0 SIPDIP:0 DIP:0 SO:0
    SSF: Conn (Srvr 0 Clnt 1) U:0
    CM: Conn (Srvr 0 Clnt 1) Sessions PCB 0 NATPCB 0
    Z(SIP[68307], C[0], SSL[0] Server[22] SIPDIP[0] DIP[0] SO[0])
    Mon: Probes: 24303862, Failed: 3757181


NSCONMSG – Examples

Checking for distribution and performance

nsconmsg -K newnslog -s Con???=3 -d oldconmsg

  • ConDebug - Debugging

  • ConLb - Load Balancing

  • ConMon - Monitoring Probes

  • ConMEM - Memory Management

  • ConCSW - Content Switching

  • ConSSL - SSL Offload

  • ConCMP - Compression

  • ConIC - Integrated Caching


nstrace.sh

  • Nstrace supports filtering beginning in 9.x

nstrace -size 0 -filter "SOURCEIP == 10.1.2.3 && SOURCEPORT == 8080" -link ENABLE

  • -size 0: packet-size limit

  • -filter: filters in standard NS policy format; Booleans supported!

  • -link ENABLE: automatically capture linked client/server connections

  • Filter on: SOURCEIP, SOURCEPORT, DESTIP, DESTPORT, SVCNAME, VSVRNAME, STATE

http://support.citrix.com/article/ctx121166


Wireshark

  • nstrace files now officially supported in Wireshark!

  • Available in latest Stable release

  • Includes ns.pdevno and ns.l_pdevno filtering


Citrix AutoSupport Introduction


Citrix AutoSupport Analysis


Graph Generated by AutoSupport Tools


Resources

  • Netscaler HTTP Profiles

  • Netscaler TCP Profiles

  • Tune NetScaler TCP Stack

  • Netscaler Advanced SSL Settings

  • Nsconmsg to Excel Tool

  • Netscaler SSL Offload


Resource – 2

  • Netscaler Integrated Caching

  • Netscaler Compression

  • Netscaler CPU Profiling

  • Citrix AutoSupport (TaaS)

  • Netscaler Datasheet - Models and Specs

  • Citrix Application Optimization for MOSS 2007 Performance Assessment


Conclusion


Question


Before you leave…

  • Conference surveys are available online at www.citrixsynergy.com starting Friday, May 24 at 9:00 a.m. PT

    • Provide your feedback by 4:00 p.m. PT that day and you’ll receive a $30 Amazon.com gift card via email

  • Download presentations starting Monday, June 3, from your My Conference Planning tool located within the My Account section

