A single place to simplify delivery of Citrix technologies. Provide secure access to apps, data and IT tools. Deploy on any cloud or infrastructure. Don't have an account? Sign up and try it free. Enter your Citrix credentials. (Citrix.com, My Citrix, or Citrix Cloud) Remember me. Citrix CloudBridge Plug-in is not recommended for ICA Proxy deployments. Refer to CTX128581 - Citrix Branch Repeater Appliance and Access Gateway Enterprise Edition Appliance Supported Deployment Scenarios for more information. Citrix CloudBridge Crypto License to enable SSL traffic acceleration. The impact can be reduced if we activate more virtual cloudbridge instances. The installation was designed with an CB4000-310 for the first step (with citrix consulting). At the moment is the full licensed CB4000-1000 necessary to deal the sessions. A look in the datasheet shows that we under the written values for the CB4000-310.
Follow the steps outlined below to obtain the Host Id (MAC Address):
- Log onto the management console of the appliance and navigate to the “Manage Licenses” page where the “License Host Id” is displayed under 'License Information'.
- Log in to My Account to allocate and download the license file for the above obtained Host id.
- Follow the steps outlined below to install the license on Cloud Bridge Physical Appliance:
- Log into the web-based management console of the appliance.
- Navigate to the “Manage Licenses” page and click the “License Configuration” tab.
- Click “Add”.
- Click “Browse” to browse and select a license. Optionally, you can edit the license name.
- Click “Install” to complete the license installation.
To install licenses locally on Cloud Bridge VPX:
- Log onto the web-based management console of the Cloud Bridge VPX.
- Navigate to the “Manage Licenses” page and click the “License Server” tab.
- For “License Server Location”, select “Local”.
- Click on the “Local Licenses” tab
- Click “Add”.
- Browse and select the license file. Click “Install” to complete the license installation.
To configure Cloud Bridge VPX to consume licenses on a remote Citrix license server:
- Log into My Account and activate license using Mac Address of the License Server.
- Log onto the web-based management console of the Cloud Bridge VPX.
- Navigate to the “Manage Licenses” page and click the “License Server” tab.
- For “License Server Location”, select “Remote”.
- Enter the IP address of the remote Citrix license server and port (pre-populated with default).
- Select the license to consume (e.g. VPX-45).
- Click “Apply” to finish the configuration.
- NetScaler SD-WAN (CloudBridge)
Symptoms or Error
The CloudBridge GUI does not show any of the expected connections, in either the Accelerated Connections table or the Unaccelerated Connections table: CloudBridge > Monitoring > Connections > Accelerated Connections/Unaccelerated Connections. For more information, see Citrix eDocs - Connections.
Solution
CloudBridge not receiving data traffic could be caused by:
Data traffic not coming to NetScaler.
Traffic comes to NetScaler, but NetScaler does not forward it to CloudBridge.
Citrix Cloud Bridge
Verify if Data Traffic is Received by the NetScaler
On NetScaler, verify whether the traffic comes to the NetScaler. There are several ways to do this:
Using the CLI, verify connection tables using the command:
show connectiontable
Verify if there are connections from the remotes (127.x.y.z are internal, ignore these).Using the NetScaler CLI, verify packet statistics on interfaces using the command:
show interface
Verify if received packets count increases significantly (interfaces 0/1, 0/2, 0/3, 10/3, 10/4, LO/1 are internal, ignore these).
The following highlighted lines are an example of packet counts on two traffic interfaces:Alternatively, use the NetScaler GUI, to verify packet statistics on interfaces.
Verify if received packets count increases significantly (interfaces 0/1, 0/2, 0/3, 10/3, 10/4, LO/1 are internal, ignore these).The following highlighted line is an example of packet count on traffic interface.
Get NetScaler PCAP trace. From NetScaler GUI, Configuration > System > Diagnostics > Technical Support Tools > Start new trace.
If the data traffic is not received by NetScaler, then verify WCCP router configuration.
Verify WCCP Router Configuration
Access the router (or switch, if applicable) that is configured for WCCP. For more information see Citrix eDocs - WCCP Mode (Non-Clustered).
The following are some troubleshooting commands for router configuration:
Note: It is strongly recommended to engage Cisco TAC to validate the router(s) configuration.
show ip wccp
show running-config | i wccp
show ip wccp <service group>
show access-lists
show ip wccp
For more information, see Citrix eDocs - WCCP Testing and Troubleshooting.
- Notice that no packets are redirected.
- Notice that there is no access-list, but keep in mind that an ACL might not be required.
Verify if Redirect Statements are properly configured using command:
show running-config | i wccp- Notice the absence of redirect statements.
- Configure the appropriate interface(s) with the appropriate redirect statements.
For example, it might be best to define 'ip wccp 51 redirect in' on the WAN interface and also on each of the LAN interfaces that the traffic is expected to be redirected.
Or in case there are numerous LAN interfaces, you might prefer not to define 'ip wccp 51 redirect in' on all the interested interfaces, hence another option would be to use both 'ip wccp 51 redirect in' and 'ip wccp 51 redirect out' on just the WAN interface. However, keep in mind that the use of 'ip wccp 51 redirect out' forces the router to use software level WCCP instead of hardware level WCCP, and that software level WCCP introduces significant overhead on the router, which many times can be a detrimental to performance.
Citrix Cloudbridge Vpx
If the Redirect Statements are correctly configured, verify if the ACLs are correctly configured for the intended traffic.
In this example, the client is 30.0.1.100 and the server is 30.0.2.200, make a note of the ACL name for corresponding traffic.
Verify if the same ACL name is in use in the WCCP configuration of the interface.
Notice that the ACL in use is a wrong ACL. Modify the ACL name by using the following command:
Initiate connection(s) that would expect to be WCCP redirected to the CloudBridge.
Now notice that after the preceding modification, the traffic gets redirected to the correct ACL as shown from the router results:
show access-listsAlso now the CloudBridge shows connection in the Accelerated Connections table. For more information, see Citrix eDocs - Connections.
NetScaler Does Not Forward Traffic to CloudBridge
If traffic gets to NetScaler but NetScaler does not forward it to CloudBridge, the possible reasons for this are:
Citrix Cloudbridge 3000
Virtual server is down: This can be found from NetScaler GUI, Configuration > Traffic Management > Load Balancing > Virtual Servers. It can be re-enabled by selecting the load balancing (LB) policy, right-clicking it and selecting Enable.
Service is down: This can be found from NetScaler GUI, Configuration > Traffic Management > Services. To re-enable it, right-click the service that is down, and select Enable.
Misconfigured LB policy: The following are the default policies added by the SVM when you run the initial setup wizard, and their purposes.
Vserver Name Purpose BR_LB_VIP_1 Catches all accelerated (TCP options) TCP traffic coming from remote sites where CloudBridges/Plugins are installed.
Note: NetApp traffic (TCP ports - 10565, 10566) will not hit this Vserver.BR_LB_VIP_2 Catches all TCP traffic coming from LAN and unaccelerated traffic coming from remote branches.
Note: NetApp traffic (10565, 10566) will not hit this Vserver.BR_LB_VIP_NETAPP Catches only the NetApp traffic (10565, 10566). BR_LB_VIP_SIG Catches Signaling connections coming from CloudBridge Plug-ins. BR_LB_VIP_UDP Catches all UDP traffic. Follow the steps of 'Virtual server is down' to find the policies through NetScaler GUI. Click the arrow to the left of the policy name to see the details of the policy.
Or, it can be found through NetScaler CLI command:
show lb vserver to show all policies, or show lb vserver <name> to show a specific policy, like show lb vserver BR_LB_VIP_1.Verify if the State is UP.
Verify Vserver statistics:
Verify Vserver statistics using the following command and go through each policy:
stat lb vserver xxxVerify if traffic hits the expected policy.
Connections that are not fully established will show in connection table for a brief time and then time out. Default time out value is 60 seconds.
Failed TCP handshake can be caused by CloudBridge4000/5000 not returning the SYN to router. From release 7.2, on CloudBridge 4000/5000, ReturnToEthernetSender must be enabled.
To enable ReturnToEthernetSender through NetScaler GUI navigate to, Configuration > Network > Configure Layer 2 Parameters and check the box next to Return To Ethernet Sender.
Problem Cause
Redirect statements are configured incorrectly.
Misconfiguration of ACLs.
Misconfiguration of NetScaler.