How to HA Citrix PVS TFTP services via NetScaler 10.1 using RNAT
August 13, 2014
I was recently working on a project to migrate a pair of NetScalers from FW 9.3 to a new set of MPX appliances running 10.1: Build 122.17.nc.
I was very pleased to learn that Citrix had added a native way to load balance TFTP traffic in NetScaler 10.1, primarily to HA PVS TFTP traffic. You can read how to do this in this post by Adam Gamble.
Be cautious! Citrix confirmed that the native TFTP load balancing has an issue on 10.1; however, it has been fixed in version 10.1 build 123.x or later. Their suggestion is to upgrade to the latest 10.1 version (build 128.8) (I did not test with 10.5 yet). The problem is a Packet Processing Engine crash when TFTP traffic is passed through the NetScaler, which causes the NetScaler to reboot and, in some cases, corrupts the NetScaler config file (ns.conf).
Below is a way to get the darn TFTP process to work via UDP load balancing, using an RNAT together with USIP (Use Source IP) mode.
Environment
- MPX 8200 NetScaler 10.1: Build 122.17.nc
Solution:
In my case I created a new subnet for this. The reason is that, as you may already know, the source IP of load-balanced traffic is usually your SNIP; with an RNAT, however, the source IP seen by the other side is the configured RNAT IP and not the SNIP. So this is up to you. Where I work now, source IP is a big deal.
For this example let's use a random 172.16.88.0/24 subnet.
1. Create a new NetScaler SNIP for the new subnet 172.16.88.0/24 under NetScaler > System > Network > IPV4s.
Then decide on the VIP address that you will use for your DHCP Option 066 reservation (the virtual server itself is created in step 7).
SNIP: 172.16.88.99
VIP: 172.16.88.35
2. Let's create a new VLAN 999 (your VLAN tag) for the 172.16.88.0/24 subnet (yes, you can shrink the subnet size; I am just using this as an example :)) and, in my case, tag interface 1/1 to save some ports. You can do this under NetScaler > System > Network > VLAN (interface 1/1 is set up as a full trunk).
3. To be safe I like to ensure a new DIRECT route is created for the new subnet via the new SNIP. This is under NetScaler > System > Network > Routes > Basic.
In this case it would be Network: 172.16.88.0, Netmask: 255.255.255.0, Gateway (your SNIP): 172.16.88.99.
4. Create the RNAT under NetScaler > System > Network > Routes > RNAT. The CLI form is:
set ns rnat <Host/Subnet IP> <Host/Subnet Mask> -natip <VIP IP>
In this case: Network: 172.16.88.0, Netmask: 255.255.255.0, NatIP (your VIP that will load balance the TFTP service): 172.16.88.35. Note that the rule applies to every host in that network, not just the TFTP servers, which is why a dedicated subnet is used here.
5. OK, the hard part is done. Let's now create the TFTP servers under NetScaler > Traffic Management > Load Balancing > Servers:
TFTP01 = 172.16.88.212
TFTP02 = 172.16.88.213
6. Create your service group under NetScaler > Traffic Management > Load Balancing > Service Groups. Under Advanced, ensure “Use Proxy Port” is set to “No” and “USIP” (Use Source IP) mode is enabled. If these are not set, your TFTP traffic will not work: a TFTP server answers the read request from a new ephemeral port back to the client's address and source port, so the server has to see the real client IP and the client's original source port.
7. Create the VIP (172.16.88.35) under NetScaler > Traffic Management > Load Balancing > Virtual Servers and bind the service group created in the previous step.
8. OK, no more NetScaler work. Since we are using “Use Source IP”, the default gateway on the TFTP servers (TFTP01/02) must be set to the NetScaler SNIP 172.16.88.99, so that the servers' replies to the real client addresses go back through the NetScaler and are RNAT'd to the VIP.
9. Lastly, change your DHCP scope so that the Boot Server Host Name (option 066) points to your VIP 172.16.88.35.
You are all set; now to update to 10.5, I guess 😛