NetScaler VPX monitor error – Timeout during SSL handshake stage


I came across this by accident while setting up NetScaler GSLB for a Citrix solution for one of my customers. The service groups in NetScaler were giving an error message for the monitoring probes – https and CITRIX-XD-DDC (both secure). The NetScaler was VPX running 11.1.63.9nc firmware.

Last response: failure – Time out during SSL handshake stage

How do you troubleshoot such issues? There are a couple of options.

Wireshark can be a good tool or you could use the built-in nstrace utility in NetScalers. Additionally, you will also need to make sure that the required ports are open between your NetScaler and the backend servers/services.

If you run a trace and look at it, you can see the below

TLSv1 Record Layer: Alert (Level: Fatal, Description: Unsupported Certificate)
Content Type: Alert (21)

The certificate that was installed on the DDCs and Storefront servers were created with a key size of 4096 and that was the issue.

Fix was to generate a fresh certificate with 2048 key size and the issue will be gone. Also, note that this issue is only prevalent in VPX versions of NetScaler. NetScaler MPXs will NOT exhibit this issue due to their built-in SSL chips.

Hope, this helps somebody out there.

3 thoughts on “NetScaler VPX monitor error – Timeout during SSL handshake stage

  1. Hello,

    Thank you for sharing this interesting bit of information. I am building a lab environment for training and testing and was thinking of using 4096k certs but decided to stick with 2048.

    You seem to be quite familiar with GSLB, i want to configure a 2 site Xendesktop site simulation in my lab Active/Passive and Active/Active. But i can’t seem to find any step by step guides to configure the Netscalers and or the Xendesktop.

    Any information you can share on the above will be greatly appreciated.

    Thanks,
    MP

      • Hello Lal,
        Thank you so much for your reply.

        I have in the past scanned through Carl’s articles on GSLB but kind of shy’ed away due to so many settings involved and not fully grasping some of the DNS concepts.

        I will take a look at the information on the particular link you have mentioned and see if i can build my lab setup.

        What i have built is 2 identical xendesktop sites on two separate esx hosts but i am using a single pfsense router to connect the VLans between the two hosts. So the Xendesktop site on each host is working in terms of being able launch a session using Storefront from each site.

        I am at a point where i need to configure the VPXs at each site and be able to use the Gateway ICA Proxy, which is quite straightforward. So upto that point i can do. I have been struggling to move past this stage.

        No worries, i will wait for you to find the time to do a guide and now that you have given me some inspiration, in the meantime i will try and see how i can move forward. If i get stuck i will ping you a message.

        Thanks,
        MP

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.