NetScaler VPX monitor error – Timeout during SSL handshake stage

I came across this by accident while setting up NetScaler GSLB for a Citrix solution for one of my customers. The service groups on the NetScaler were showing an error for the monitoring probes, https and CITRIX-XD-DDC (both secure). The NetScaler was a VPX running 11.1.63.9nc firmware.

Last response: failure – Time out during SSL handshake stage

How do you troubleshoot such issues? There are a couple of options.

Wireshark is a good tool for this, or you can use the built-in nstrace utility on the NetScaler. You will also need to make sure that the required ports are open between your NetScaler and the backend servers/services.

If you run a trace and look at it, you will see the following:

TLSv1 Record Layer: Alert (Level: Fatal, Description: Unsupported Certificate)
Content Type: Alert (21)

The certificates installed on the DDCs and StoreFront servers were created with a key size of 4096, and that was the issue.

The fix is to generate a fresh certificate with a 2048 key size, after which the issue goes away. Also note that this issue only occurs on VPX versions of NetScaler. NetScaler MPXs will NOT exhibit this issue due to their built-in SSL chips.

Hope this helps somebody out there.
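To find backends that would hit this before binding secure monitors, the sketch below reads the RSA key size out of the certificate a server presents. It is an added example, not code from the original post; it uses only the Python standard library with a minimal DER walk, and the function names and the constructed sample certificates are assumptions made for illustration.

```python
import ssl
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption (1.2.840.113549.1.1.1)

def tlv(buf, pos=0):
    """Decode one DER element at pos: (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def kids(value):  # contents of a constructed element -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_bits(cert_der):
    """RSA modulus size in bits for a DER certificate, None if the key is not RSA."""
    tbs = kids(kids(tlv(cert_der)[1])[0][1])
    spki = tbs[6] if tbs[0][0] == 0xA0 else tbs[5]  # index shifts with optional [0] version
    alg, key = kids(spki[1])
    if kids(alg[1])[0][1] != RSA_OID:
        return None
    rsa_seq = tlv(key[1], 1)[1]  # BIT STRING: skip the unused-bits byte
    return int.from_bytes(kids(rsa_seq)[0][1], "big").bit_length()

def backend_key_bits(host, port=443):
    """Key size of the certificate a backend (DDC, StoreFront) presents; needs network."""
    return rsa_key_bits(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

def der(tag, *parts):
    """Encode one DER element; used only to build the constructed sample."""
    body = b"".join(parts)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton carrying an RSA key of `bits` bits."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, modulus), der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID), der(0x05)), der(0x03, b"\x00", rsa))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), *[der(0x30)] * 4, spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

if __name__ == "__main__":
    for bits in (2048, 4096):  # offline run over the constructed samples
        print(bits, "ok" if rsa_key_bits(sample_cert(bits)) <= 2048 else "larger than 2048: reissue")
```

Against a live server, call `backend_key_bits` with the backend's host name; any result above 2048 matches the condition that broke the VPX monitors in this post.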

3 responses to “NetScaler VPX monitor error – Timeout during SSL handshake stage”

  1. Hello,

    Thank you for sharing this interesting bit of information. I am building a lab environment for training and testing and was thinking of using 4096k certs but decided to stick with 2048.

    You seem to be quite familiar with GSLB. I want to configure a 2 site XenDesktop site simulation in my lab, Active/Passive and Active/Active. But I can’t seem to find any step by step guides to configure the NetScalers and/or the XenDesktop.

    Any information you can share on the above will be greatly appreciated.

    Thanks,
    MP

    1. Hey Manoj,
      Yes, you are right. Citrix’s documentation on GSLB is pretty poor and useless. The best that I have seen myself is from Carl’s site. I have done quite a few GSLB deployments in the past, but have never done a blog on it yet. I will do one soon though (in 2 weeks’ time). For the time being, please refer here https://www.carlstalhood.com/global-server-load-balancing-gslb-netscaler-12/
      See if the above helps, else let me know.
      Lal

      1. Hello Lal,
        Thank you so much for your reply.

        I have in the past scanned through Carl’s articles on GSLB but kind of shied away due to so many settings involved and not fully grasping some of the DNS concepts.

        I will take a look at the information on the particular link you have mentioned and see if I can build my lab setup.

        What I have built is 2 identical XenDesktop sites on two separate ESX hosts, but I am using a single pfSense router to connect the VLANs between the two hosts. So the XenDesktop site on each host is working in terms of being able to launch a session using StoreFront from each site.

        I am at a point where I need to configure the VPXs at each site and be able to use the Gateway ICA Proxy, which is quite straightforward. So up to that point I can do. I have been struggling to move past this stage.

        No worries, I will wait for you to find the time to do a guide, and now that you have given me some inspiration, in the meantime I will try and see how I can move forward. If I get stuck I will ping you a message.

        Thanks,
        MP
