Citrix Cloud Bridge



Citrix CloudBridge Plug-in is not recommended for ICA Proxy deployments. Refer to CTX128581 - Citrix Branch Repeater Appliance and Access Gateway Enterprise Edition Appliance Supported Deployment Scenarios for more information. Citrix CloudBridge Crypto License to enable SSL traffic acceleration.

The impact can be reduced if we activate more virtual CloudBridge instances. The installation was designed with a CB4000-310 for the first step (with Citrix consulting). At the moment the fully licensed CB4000-1000 is necessary to deal with the sessions. A look at the datasheet shows that we are under the written values for the CB4000-310.


Follow the steps outlined below to obtain the Host Id (MAC Address):

  1. Log onto the management console of the appliance and navigate to the “Manage Licenses” page, where the “License Host Id” is displayed under “License Information”.
  2. Log in to My Account to allocate and download the license file for the Host Id obtained above.
  3. Follow the steps outlined below to install the license on Cloud Bridge Physical Appliance:
    1. Log into the web-based management console of the appliance.
    2. Navigate to the “Manage Licenses” page and click the “License Configuration” tab.
    3. Click “Add”.
    4. Click “Browse” to browse and select a license. Optionally, you can edit the license name.
    5. Click “Install” to complete the license installation.

To install licenses locally on Cloud Bridge VPX:

  1. Log onto the web-based management console of the Cloud Bridge VPX.
  2. Navigate to the “Manage Licenses” page and click the “License Server” tab.
  3. For “License Server Location”, select “Local”.
  4. Click the “Local Licenses” tab.
  5. Click “Add”.
  6. Browse and select the license file. Click “Install” to complete the license installation.

To configure Cloud Bridge VPX to consume licenses on a remote Citrix license server:

  1. Log into My Account and activate the license using the MAC address of the license server.
  2. Log onto the web-based management console of the Cloud Bridge VPX.
  3. Navigate to the “Manage Licenses” page and click the “License Server” tab.
  4. For “License Server Location”, select “Remote”.
  5. Enter the IP address of the remote Citrix license server and port (pre-populated with default).
  6. Select the license to consume (e.g. VPX-45).
  7. Click “Apply” to finish the configuration.
  • NetScaler SD-WAN (CloudBridge)

Symptoms or Error

The CloudBridge GUI does not show any of the expected connections, in either the Accelerated Connections table or the Unaccelerated Connections table: CloudBridge > Monitoring > Connections > Accelerated Connections/Unaccelerated Connections. For more information, see Citrix eDocs - Connections.

Solution

CloudBridge not receiving data traffic could be caused by:

  • Data traffic not coming to NetScaler.

  • Traffic comes to NetScaler, but NetScaler does not forward it to CloudBridge.

Verify if Data Traffic is Received by the NetScaler

On NetScaler, verify whether the traffic comes to the NetScaler. There are several ways to do this:

  • Using the CLI, verify connection tables using the command:
    show connectiontable
    Verify if there are connections from the remotes (127.x.y.z are internal, ignore these).

  • Using the NetScaler CLI, verify packet statistics on interfaces using the command:
    show interface
    Verify if received packets count increases significantly (interfaces 0/1, 0/2, 0/3, 10/3, 10/4, LO/1 are internal, ignore these).
    The following highlighted lines are an example of packet counts on two traffic interfaces:

  • Alternatively, use the NetScaler GUI to verify packet statistics on interfaces.
    Verify if received packets count increases significantly (interfaces 0/1, 0/2, 0/3, 10/3, 10/4, LO/1 are internal, ignore these).

    The following highlighted line is an example of packet count on traffic interface.

  • Get NetScaler PCAP trace. From NetScaler GUI, Configuration > System > Diagnostics > Technical Support Tools > Start new trace.

    If the data traffic is not received by NetScaler, then verify WCCP router configuration.

Verify WCCP Router Configuration

Access the router (or switch, if applicable) that is configured for WCCP. For more information see Citrix eDocs - WCCP Mode (Non-Clustered).

The following are some troubleshooting commands for router configuration:
Note: It is strongly recommended to engage Cisco TAC to validate the router(s) configuration.

  • show ip wccp

  • show running-config | i wccp

  • show ip wccp <service group>

  • show access-lists

  • show ip wccp

    For more information, see Citrix eDocs - WCCP Testing and Troubleshooting.

    • Notice that no packets are redirected.
    • Notice that there is no access-list, but keep in mind that an ACL might not be required.
  • Verify if Redirect Statements are properly configured using command:
    show running-config | i wccp

    • Notice the absence of redirect statements.
    • Configure the appropriate interface(s) with the appropriate redirect statements.

      For example, it might be best to define 'ip wccp 51 redirect in' on the WAN interface and also on each of the LAN interfaces on which traffic is expected to be redirected.

      If there are numerous LAN interfaces, you might prefer not to define 'ip wccp 51 redirect in' on every one of them. Another option is to use both 'ip wccp 51 redirect in' and 'ip wccp 51 redirect out' on just the WAN interface. However, keep in mind that the use of 'ip wccp 51 redirect out' forces the router to use software level WCCP instead of hardware level WCCP, and that software level WCCP introduces significant overhead on the router, which can often be detrimental to performance.

  • If the Redirect Statements are correctly configured, verify if the ACLs are correctly configured for the intended traffic.

    In this example, the client is 30.0.1.100 and the server is 30.0.2.200. Make a note of the ACL name for the corresponding traffic.

    Verify if the same ACL name is in use in the WCCP configuration of the interface.

    Notice that the ACL in use is the wrong ACL. Modify the ACL name by using the following command:

    Initiate connection(s) that would expect to be WCCP redirected to the CloudBridge.

    Now notice that after the preceding modification, the traffic gets redirected to the correct ACL as shown from the router results:
    show access-lists

    Also now the CloudBridge shows connection in the Accelerated Connections table. For more information, see Citrix eDocs - Connections.
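
The redirect-statement and ACL-name checks above can be run offline against saved router output. The following is an added example, not Citrix or Cisco code: the function name audit_wccp, the sample output and the ACL names CB_TRAFFIC and WRONG_ACL are constructed for illustration; service group 51 is the one used in the text.

```python
# Audits saved output of `show running-config | i wccp` for one service group.
# The include filter drops interface names, so redirect statements can only be
# counted per direction, not attributed to a specific interface.

# Constructed samples (not taken from a real router).
SAMPLE_WRONG_ACL = """\
ip wccp 51 redirect-list WRONG_ACL
"""
SAMPLE_FIXED = """\
ip wccp 51 redirect-list CB_TRAFFIC
 ip wccp 51 redirect in
 ip wccp 51 redirect in
"""
SAMPLE_REDIRECT_OUT = """\
 ip wccp 51 redirect in
 ip wccp 51 redirect out
"""

def audit_wccp(config_text, service_group, expected_acl=None):
    """Return a list of findings (empty list means nothing to flag)."""
    acl, directions = None, []
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:3] != ["ip", "wccp", str(service_group)]:
            continue
        rest = tok[3:]
        # Global statement: the ACL name follows the redirect-list keyword.
        if "redirect-list" in rest[:-1]:
            acl = rest[rest.index("redirect-list") + 1]
        # Interface statement: redirect in / redirect out.
        if rest[:1] == ["redirect"] and rest[1:2] in (["in"], ["out"]):
            directions.append(rest[1])
    findings = []
    if not directions:
        findings.append("no redirect statements for service group %d" % service_group)
    if "out" in directions:
        findings.append("'redirect out' present: router uses software level WCCP")
    # A missing ACL is not flagged: an ACL might not be required.
    if expected_acl is not None and acl is not None and acl != expected_acl:
        findings.append("redirect-list is %s, expected %s" % (acl, expected_acl))
    return findings

if __name__ == "__main__":
    for name, text in [("wrong ACL", SAMPLE_WRONG_ACL), ("fixed", SAMPLE_FIXED),
                       ("redirect out", SAMPLE_REDIRECT_OUT)]:
        print(name, "->", audit_wccp(text, 51, expected_acl="CB_TRAFFIC") or "OK")
```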

NetScaler Does Not Forward Traffic to CloudBridge

If traffic gets to NetScaler but NetScaler does not forward it to CloudBridge, the possible reasons for this are:

  • Virtual server is down: This can be found from NetScaler GUI, Configuration > Traffic Management > Load Balancing > Virtual Servers. It can be re-enabled by selecting the load balancing (LB) policy, right-clicking it and selecting Enable.

  • Service is down: This can be found from NetScaler GUI, Configuration > Traffic Management > Services. To re-enable it, right-click the service that is down, and select Enable.

  • Misconfigured LB policy: The following are the default policies added by the SVM when you run the initial setup wizard, and their purposes.

    | Vserver Name | Purpose |
    |---|---|
    | BR_LB_VIP_1 | Catches all accelerated (TCP options) TCP traffic coming from remote sites where CloudBridges/Plugins are installed. Note: NetApp traffic (TCP ports - 10565, 10566) will not hit this Vserver. |
    | BR_LB_VIP_2 | Catches all TCP traffic coming from LAN and unaccelerated traffic coming from remote branches. Note: NetApp traffic (10565, 10566) will not hit this Vserver. |
    | BR_LB_VIP_NETAPP | Catches only the NetApp traffic (10565, 10566). |
    | BR_LB_VIP_SIG | Catches Signaling connections coming from CloudBridge Plug-ins. |
    | BR_LB_VIP_UDP | Catches all UDP traffic. |

    Follow the steps of 'Virtual server is down' to find the policies through NetScaler GUI. Click the arrow to the left of the policy name to see the details of the policy.

    Or, it can be found through NetScaler CLI command:
    Use 'show lb vserver' to show all policies, or 'show lb vserver <name>' to show a specific policy, for example 'show lb vserver BR_LB_VIP_1'.

    Verify if the State is UP.

  • Verify Vserver statistics:
    Verify Vserver statistics using the following command and go through each policy:
    stat lb vserver xxx

    Verify if traffic hits the expected policy.

    Connections that are not fully established will show in connection table for a brief time and then time out. Default time out value is 60 seconds.

    A failed TCP handshake can be caused by CloudBridge 4000/5000 not returning the SYN to the router. From release 7.2, on CloudBridge 4000/5000, ReturnToEthernetSender must be enabled.

    To enable ReturnToEthernetSender through the NetScaler GUI, navigate to Configuration > Network > Configure Layer 2 Parameters and check the box next to Return To Ethernet Sender.

Problem Cause

  • Redirect statements are configured incorrectly.

  • Misconfiguration of ACLs.

  • Misconfiguration of NetScaler.