How to HA Citrix PVS TFTP services via NetScaler 10.1 using RNAT

I was recently working on a project to migrate a pair of NetScalers from FW 9.3 to a new set of MPX appliances running 10.1: Build

I was very pleased to know that Citrix deployed a native way to load balance TFTP traffic via NetScaler 10.1, primarely to HA PVS TFTP traffic.  You can read on how to do this on this post by Adam Gamble.

Be cautious! Citrix confirmed this is an issue on 10.1, however it has been fixed in version 10.1 build 123.x or later. Their suggestion is to  upgrade it to the latest 10.1 version(build 128.8) (Did not test with 10.5 yet).  This occurs due to the Packet Process Engine crash when TFTP traffic is triggered through the Netscaler, which will cause your NetScaler to reboot, and in some cases corrupt the NetScaler config file  (ns.conf)

Below is a way to get the darn TFTP process to work via UDP load balancing using an RNAT and utilizing USIP mode


  • MPX 8200 NetScaler 10.1: Build


In my case I created a new subnet for this.  Reason is because as you may already know, the source IP of traffic is usually your SNIP, however when using an RNAT you will see Source IP coming from the configured RNAT IP and not the SNIP.  So this is up to you.  Where I work now SourceIP is a big deal.

For this example lets use a random Subnet

1. Create new NetScaler SNIP for the new Subnet under NetScaler> System > Network > IPV4s

Then create your VIP that you will use for your DHCP Option 066 reservation.




2. Let create a new VLAN 999 (your VLAN TAG) for the subnet (Yes you can shrink the subnet size, just using this as an example :))  and in my case TAG the interface 1/1 to save some ports.  You can do this under NetScaler> System > Network > VLAN (Interface 1/1 is set up with full Trunk)


3. To be safe I like to ensure a new DIRECT route is created for the new Subnet to utilize the new SNIP.  This is under  NetScaler> System > Network > Routes > Basic

In this case, it would be Network: Netmask Gateway (Your SNIP):



4. Create RNAT under NetScaler> System > Network > Routes > RNAT

set ns rnat <Host/ Subnet IP> <Host/Subnet Mask> -natip <VIP IP>

In this case Network: Netmask: NatIP (Your VIP that will load balance that TFTP process)




5. Ok the hard part is done.  Lets now create TFTP Servers under NetScaler > Traffic Management > Load Balancing > Servers

TFTP01 =

TFTP02 =

TFTP Servers

6. Create your Service Groups under NetScaler > Traffic Management > Load Balancing > Service Groups. Under Advanced ensure “User Proxy Port” is set to “No” and “USIP” mode is set.  If this is not set, your TFTP traffic will not function

TFTP Service Group



7. Create VIP ( under NetScaler > Traffic Management > Load Balancing > Virtual Servers

Bind Service Group previously created

TFTP Service bind




8. Ok no more NetScaler work, since we are using “Use Source IP” we need to set the default gateway on the TFTP servers (TFTP01/02) to be set to the NetScaler SNIP

9. Lastly change your DHCP scope to include the Boot Server Host Name under option 066 to your VIP

Your are all set, now to update to 10.5 I guess 😛