490 likes | 742 Vues
SUM410. Getting the Best Performance with Citrix NetScaler. Edward Targonski. May 2013. Agenda. Netscaler Model and Network Deployment Options Performance Enhancing Features Commonly Used Troubleshooting Tools and Commands Questions? Conclusion. Netscaler Models. NetScaler Models.
 
                
                E N D
SUM410 Getting the Best Performance with Citrix NetScaler Edward Targonski May 2013
Agenda • Netscaler Model and Network Deployment Options • Performance Enhancing Features • Commonly Used Troubleshooting Tools and Commands • Questions? • Conclusion
NetScaler Models NetScaler MPX NetScaler VPX NetScaler SDX
Differences Between MPX and VPX • Three main differences exist between MPX and VPX: • System capacity • Performance • Tagged VLAN Configuration • NetScaler VPX system capacity: • No hardware SSL acceleration • Processing not offloaded to dedicated silicon
When to Use Which? NetScalerAppliances NetScalerVPX • Gig+ performance • High volume SSL Offload • >100 SSL VPN CCUs • FIPS requirements • Physical device security • Labs/test environments • Development environments • “Datacenter-in-a-box” • CPU-intensive workloads • Frequently moved apps • Fast/remote deployment
NetScaler SDX Instances, not partitions Complete CPU isolation Complete memory isolation Version independence High availability independence Lifecycle independence
Network TopologiesOne-Armed If you are able to, one-armed topologies are the preferred method of deploying NetScaler in most environments.
Network TopologiesTwo-Armed The most common implementation of two-armed topologies are when a NetScaler is replacing another legacy two-armed device in a network
Client Server FIN SYN+ACK SYN ACK ACK ACK FIN GET Data Data Data TCP Connection without NetScaler Server allocates storage for connection Server sees eleven packets Server de-allocates storage for the connection
Client NetScaler Server ACK SYN+ACK SYN ACK FIN ACK GET GET Data Data Data Data Data Data FIN Transaction with NetScaler Server sees four packets
Global Settings • Surge Protection • Path MTU discovery
HTTP Parameters • Client IP Insertion • Cookie Version • Requests/Responses: • Drop invalid HTTP requests • Mark CONNECT request as invalid • Mark HTTP/0.9 request as invalid • Log HTTP error responses • Server Header Insertion
TCP Parameters • Window Scaling • Selective Acknowledgments • Nagle’s Algorithm • SYN Attack Detection
Performance Enhancing Features Compression SSL Offload Caching TCP Session Management Citrix Confidential - Do Not Distribute
Performance Enhancing Features – SSL Offload SSL Offload Compression • Reduce Server Load • Higher TPS • Central Certificate Management • Central Cipher Management Caching TCP Session Management Citrix Confidential - Do Not Distribute
Advanced Optimization: SSL Offload • In end-to-end, use low-level ciphers in NS-to-service communication • Cipher selection depends on client-needs, and security considerations. • Can be combined with IC and Compression for maximum impact Citrix Confidential - Do Not Distribute
Performance Enhancing Features – Compression SSL Offload Compression • Faster response • Fewer bytes on-wire • Better response for low-bandwidth clients • Policy-based rules Caching TCP Session Management Citrix Confidential - Do Not Distribute
Compression • NetScaler supports various ways of compressing traffic • HTTP traffic can easily be compressed by NetScaler • Less work for the web server • Client can understand and de-compress (accept-encoding header) • Compression governed via policies • Preconfigured policies exist
Performance Enhancing Features – Caching SSL Offload Compression • Reduce server load • Faster response • Policy-based controls Caching TCP Session Management Citrix Confidential - Do Not Distribute
Advanced Optimization: Caching • Use Content-Group settings to optimizefor min/max content size, or overallnumber of hits. • Use parameterization to optimize cache retrieval or invalidation. • Prioritize NO_CACHE policies before CACHE policies • Use multiple Content-Groups to allow for specific cache-clearing Citrix Confidential - Do Not Distribute
Performance Enhancing Features – TCP Session Mangement SSL Offload Compression • Reduce server load • Faster server response • Full Traffic Optimization and Traffic Security Feature Sets Caching TCP Session Management Citrix Confidential - Do Not Distribute
Standard HTTP Load Balancing “Sharepoint” SSL+HTTP Load Balancing Configuration SSL Handling on Servers *Times based on 1.5mbps connection with 0.7% packet loss. Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235 Citrix Confidential - Do Not Distribute
SSL-Offloaded HTTP Load Balancing SSL-Offload + Compression Load Balancing Configuration SSL Handling on NetScalerStatic/Dynamic content compressed Servers configured as plaintext HTTP Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235 Citrix Confidential - Do Not Distribute
SSL-Offload + Cmp +Caching HTTP Load Balancing SSL offload + Compression + Integrated CachingLoad Balancing Configuration SSL Handling on NetScaler + Compression with Integrated Caching *Cache object max. limit set to 10MB Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235 Citrix Confidential - Do Not Distribute
NSCONMSG • Primary tool for detailed analysis • NetScaler logs all statistics every 7 seconds • Uses logs from /var/nslog • Logfiles are gzipped (use zcat) • Some stats now available via GUI(System > Diagnostics) Citrix Confidential - Do Not Distribute
NSCONMSG – Examples Scenario: Testing reports problems with SSL VIP earlier. What happened? nsconmsg –K newnslog –g ssl_err –d stats Current logfile Displaying current counter value information NetScaler V20 Performance Data NetScaler NS9.3: Build 57.53.nc, Date: Jul 20 2012, 07:26:39 reltime:mili second between two records Fri Feb 5 10:31:31 2010 Index reltime counter-value symbol-name&device-no 0 0 0 ssl_err_ssl3_badversion 1 0 0 ssl_err_cavium_random_seed_failed 2 0 0 ssl_err_ubsec_card_reset 3 0 0 ssl_err_ssl3_send_server_hello 4 0 0 ssl_err_ssl3_send_server_certificate 5 0 0 ssl_err_ssl3_send_server_key_exchange 6 0 0 ssl_err_ssl3_send_certificate_request 7 0 0 ssl_err_ssl3_send_server_done Grep for ‘ssl_err’ View initial statistics Citrix Confidential - Do Not Distribute
NSCONMSG – Examples Scenario: Testing reports problems with SSL VIP earlier. What happened? View timestamps nsconmsg –K newnslog –s disptime=1 –g ssl_err_ssl3 –d current View historic statistics Index rtimetotalcount-val delta rate/sec symbol-name&device-no&time 108 0 78 1 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:06 2010 109 14000 11 2 0 ssl_error_cvm_bad_record Fri Feb 5 12:01:20 2010 110 7000 79 1 0 ssl_err_ssl3_badversion Fri Feb 5 12:01:27 2010 111 0 79 1 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:27 2010 112 28000 81 2 0 ssl_err_ssl3_badversion Fri Feb 5 12:01:55 2010 113 0 81 2 0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:55 2010 114 7000 83 2 0 ssl_err_ssl3_badversion Fri Feb 5 12:02:02 2010 Citrix Confidential - Do Not Distribute
NSCONMSG – Examples Scenario: Testing reports problems with SSL VIP earlier. What happened? Output to csv nsconmsg –K newnslog -s csv=1 –g ssl_err_ssl3_badversion –d current > sslv3.csv Grep specific counter Write to file
NSCONMSG – Examples Checking for distribution and performance nsconmsg –K newnslog –s ConLb=3 –d distrconmsg VIP(1.1.1.1:636:UP:WEIGHTEDRR): Hits(2506) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%) S(1.1.1.100:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%) S(1.1.1.101:636:UP) Hits(836:33%) PHits(0:0%) LbHits(836:100%) S(1.1.1.102:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%) VIP(2.2.2.2:389:UP:WEIGHTEDRR): Hits(6) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%) S(2.2.2.100:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%) S(2.2.2.101:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%) S(2.2.2.102:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%) VIP(3.3.3.3:123:UP:WEIGHTEDRR): Hits(180) Pers(SOURCEIP) PersHits(180:100%) Err(0:0%) Ovrride(0:0%) S(3.3.3.100:123:UP) Hits(42:23%) PHits(42:100%) LbHits(0:0%) S(3.3.3.101:123:UP) Hits(49:27%) PHits(49:100%) LbHits(0:0%) S(3.3.3.102:123:UP) Hits(46:25%) PHits(46:100%) LbHits(0:0%) S(3.3.3.103:123:UP) Hits(43:23%) PHits(43:100%) LbHits(0:0%) Citrix Confidential - Do Not Distribute
NSCONMSG – Examples Checking for distribution and performance nsconmsg –K newnslog –s ConLb=3 –d oldconmsg current time is Thu Apr 8 14:45:28 2010 ------------------------------------------------------- NATSession : Free(19644)A(21845)InUse(2201) NATSession: Cur(Tcp[194] Udp[2007] Icmp[0] Other[0]) NATSession: Op/s(Tcp[3] Udp[436] Icmp[1] Other[0]) Session: A:9187 F:4604 IUse:4583 SEs: SIP:4582 C:0 SSL:0 Svr:1 UserId:0 SIPDIP:0 DIP:0 SO:0 SSF: Conn (Srvr 0 Clnt 1) U:0 CM: Conn (Srvr 0 Clnt 1) Sessions PCB 0 NATPCB 0 Z(SIP[68307], C[0], SSL[0] Server[22] SIPDIP[0] DIP[0] SO[0]) Mon: Probes: 24303862, Failed: 3757181 Citrix Confidential - Do Not Distribute
NSCONMSG – Examples Checking for distribution and performance nsconmsg –K newnslog –s Con???=3 –d oldconmsg ConDebug - Debugging ConLb - Load Balancing ConMon - Monitoring Probes ConMEM - Memory Management ConCSW - Content Switching ConSSL - SSL Offload ConCMP - Compression ConIC - Integrated Caching Citrix Confidential - Do Not Distribute
nstrace.sh • Nstrace supports filtering beginning in 9.x nstrace -size 0 -filter "SOURCEIP == 10.1.2.3 && SOURCEPORT == 8080" -link ENABLE Packet-size limit Booleans supported! Filters in standard NS policy format Automatically capture linkedclient/server connections Filter on: SOURCEIPSOURCEPORTDESTIPDESTPORTSVCNAMEVSVRNAMESTATE http://support.citrix.com/article/ctx121166 Citrix Confidential - Do Not Distribute
Wireshark • nstrace files now officially supported in Wireshark! • Available in latest Stable release • Includes ns.pdevno and ns.l_pdevno filtering Citrix Confidential - Do Not Distribute
Resources • Netscaler HTTP Profiles • Netscaler TCP Profiles • Tune NetScaler TCP Stack • Netscaler Advanced SSL Settings • Nsconmsg to Excel Tool • Netscaler SSL Offload
Resource – 2 • Netscaler Integrated Caching • Netscaler Compression • Netscaler CPU Profiling • Citrix AutoSupport (TaaS) • Netscaler Datasheet - Models and Specs • Citrix Application Optimization for MOSS 2007 Performance Assessment
Before you leave… • Conference surveys are available online at www.citrixsynergy.com starting Friday, May 24 at 9:00 a.m. PT • Provide your feedback by 4:00 p.m. PT that day and you’ll receive a $30 Amazon.com gift card via email • Download presentations starting Monday, June 3, from your My Conference Planning tool located within the My Account section