NetScaler BLX limitations and usage guidelines
The following limitations and usage guidelines are related to NetScaler BLX.
High availability
- High availability is not supported in any public cloud platform, such as Amazon Web Services (AWS) and Oracle Cloud Infrastructure (OCI).
- High availability is not supported if the `nsinternal` user login is disabled.
- High availability is supported only in dedicated mode.
NetScaler BLX cluster
- CLAG-based traffic distribution is not supported.
NetScaler Gateway
- Mac and Linux SSO VPN clients are not supported.
- The RDP Proxy functionality is not supported.
LA and LACP channels
- LA/LACP channels are not supported in shared mode.
- LA/LACP channels are supported only between dedicated NIC interfaces or DPDK NIC interfaces.
- LA/LACP channels are not supported for the `blx1` and `ns1` virtual interfaces.
SNMP
- SNMP is supported only for BLX in dedicated mode.
Web Application Firewall (WAF)
- Web Application Firewall (WAF) is supported only for NetScaler BLX in dedicated mode.
- When Web Application Firewall (WAF) is enabled, the BLX Gateway is not accessible.
NetScaler BLX with DPDK ports
- BLX with DPDK ports might fail to start if the Linux host is running on some older CPU models, such as Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60 GHz and CPU E5504 @ 2.00 GHz.
- The Linux host might crash if you unbind NIC ports from the DPDK module while BLX is running.
- BLX with DPDK ports takes slightly longer to restart than BLX without DPDK ports.
- All DPDK-bound Linux ports are automatically dedicated to BLX and cannot be used by other DPDK applications on the host.
- For VMXNET3 DPDK ports supported by BLX, you must specify the number of worker processes as a power of 2 (2ⁿ), for example 1, 2, 4, 8, and so on.
- BLX supports trunk mode or VLAN tagging only on DPDK ports.
Mellanox ports
- BLX supports only one type of DPDK port at a time: for example, either all Mellanox ports or all Intel ports.
- BLX supports only the MLX5 DPDK driver for Mellanox ports.
- For more information about the MLX5 DPDK driver and its limitations, see the official MLX5 DPDK documentation.
- For more information about Mellanox NICs and their limitations, see the official Mellanox documentation.
Other limitations and guidelines
- When you set the host name of BLX by using the `set ns hostname` command, the host name of the Linux host is also changed.
- When you restart BLX configured with the BLX managed host feature, all active SSH sessions to the Linux host are closed. To restore the connection, you must reconnect to the host.
- In dedicated mode, the management HTTP or HTTPS port (`mgmt-http-port` or `mgmt-https-port`) specified in the `blx.conf` file is ignored. By default, ports 80 and 443 are dedicated to HTTP and HTTPS management access. To change these ports for BLX in dedicated mode, you must use the following NetScaler CLI command:

  ```
  set ns param (-mgmthttpport <value> | -mgmthttpsport <value>)
  ```

  Example: The following command changes the management HTTP port to 2080.

  ```
  set ns param -mgmthttpport 2080
  ```
- If the firewall is enabled on the Linux host, you might have to add exceptions for the BLX management and SYSLOG ports.
- BLX might take up to 45 seconds to start.
- BLX configuration is stored in the `/nsconfig/ns.conf` file. For the configuration to persist across restarts, you must save the configuration after every configuration change.
  - To view the running configuration by using the NetScaler CLI, at the command prompt, type:

    ```
    show ns runningConfig
    ```

  - To save the configuration by using the NetScaler CLI, at the command prompt, type:

    ```
    save ns config
    ```

- BLX configuration in the `/nsconfig/ns.conf` file takes precedence over the configuration in the `/etc/blx/blx.conf` file.
- BLX does not start if the memory allocated is less than 1 GB per worker process.
- When you install BLX, the `ip_forward` kernel parameter is set to 1 (IP forwarding enabled) on the Linux host.
- After you uninstall BLX, the configuration file (`blx.conf`) is retained and backed up as `blx.conf.rpmsave`. To apply this backed-up configuration file to a newly installed BLX on the same Linux host, you must manually rename the file back to `blx.conf`.
- We do not recommend running BLX on the following Ubuntu version because BLX might run into packet drop-related issues: Ubuntu 16.04.5 with kernel version 4.4.0-131-generic.
- BLX supports a maximum of nine NIC ports (DPDK NIC ports, non-DPDK NIC ports, or a combination of both).
- BLX might not start or function properly if the following condition is met:
  - SELinux policy is enabled on the Linux host. SELinux prevents the `systemd` process from running some BLX system files. Workaround: Disable SELinux on the Linux host.

  Note: From NetScaler BLX 14.1-17.x, when you install BLX on a Red Hat based Linux host, the installer applies an SELinux policy if the SELinux module is available on the host. This policy allows BLX to run on the Linux host. For more information about the SELinux policy, see SELinux policy.
- NetScaler BLX 14.1-25.x cannot start in full tunnel mode because the `pluginlist.xml` file is not present in the `/var/netscaler/gui/vpn` directory. Workaround: Run the following commands, which use a responder policy to answer requests for `pluginlist.xml` with a static plug-in list. The `Content-Length` header in the action must match the XML body exactly, so recompute it if you edit the list.

  ```
  enable ns feature RESPONDER
  add responder action pluginlist_respond respondwith q{"HTTP/1.1 200 OK\r\nDate: Thu, 30 May 2024 12:00:51 GMT\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\nLast-Modified: Thu, 30 May 2024 11:45:52 GMT\r\nETag: \"60b-619aa68c07aea\"\r\nAccept-Ranges: bytes\r\nContent-Length: 1547\r\nFeature-Policy: camera 'none'; microphone 'none'; geolocation 'none'\r\nReferrer-Policy: no-referrer\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nContent-Type: application/xml; charset=utf-8\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Keep-Alive\r\nCache-Control: no-cache, no-store\r\nPlugin-Upgrade: epa_win:Never;epa_mac:Never;epa_linux:Never;vpn_win:Never;vpn_mac:Never;vpn_linux:Never;\r\n\r\n<repositories>\n\t<repository name=\"default\" >\n\t\t<plugin\n\t\t\tname=\"Netscaler Gateway EPA plug-in for Windows (32 bit)\" type=\"WIN-EPA\"\n\t\t\tversion=\"23.8.1.11\" path=\"/epa/scripts/win/nsepa_setup.exe\"\n\t\t\tcompatibleFrom=\"12.1.0.0\" compatibleTill=\"\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"Netscaler Gateway EPA plug-in for Windows (64 bit)\" type=\"WIN-EPA64\"\n\t\t\tversion=\"23.8.1.11\" path=\"/epa/scripts/win/nsepa_setup.exe\"\n\t\t\tcompatibleFrom=\"12.1.0.0\" compatibleTill=\"\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"Netscaler Gateway VPN plug-in for Windows\" type=\"WIN-VPN\"\n\t\t\tversion=\"23.8.1.11\" path=\"/vpns/scripts/vista/AGEE_setup.exe\"\n\t\t\tcompatibleFrom=\"12.1.0.0\" compatibleTill=\"\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"EPA scanning Engine (Opswat) for Windows\" type=\"WIN-EPA-ENGINE\"\n\t\t\tversion=\"23.8.1.11\" path=\"/epa/scripts/win/epaPackage.exe\" opswatVersion=\"4.3.3635.0\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"Netscaler Gateway EPA plug-in for Mac\" type=\"MAC-EPA\"\n\t\t\tversion=\"22.11.3\" path=\"/epa/scripts/mac/Citrix_Endpoint_Analysis.dmg\"\n\t\t\tcompatibleFrom=\"22.11.3\" compatibleTill=\"\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"Netscaler Gateway VPN plug-in for Mac\" type=\"MAC-VPN\"\n\t\t\tversion=\"4.4.8 (518)\" path=\"/vpns/scripts/mac/Citrix_Access_Gateway.dmg\"\n\t\t\tcompatibleFrom=\"4.4.8 (518)\" compatibleTill=\"\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"EPA scanning Engine (Opswat) for Mac\" type=\"MAC-EPA-ENGINE\"\n\t\t\tversion=\"1.3.5.7\" path=\"/epa/scripts/mac/MacLibs.zip\" opswatVersion=\"4.3.2138.0\"\n\t\t/>\n\n\t\t<plugin\n\t\t\tname=\"Netscaler Gateway RfWeb GUI\" type=\"RFWEB-GUI\"\n\t\t\tversion=\"23.8.1.11\" path=\"/logon/logonPoint/\"\n\t\t/>\n\t</repository>\n</repositories>\n"}
  add responder policy pluginlist_respond_pol "HTTP.REQ.URL.CONTAINS(\"pluginlist.xml\")" pluginlist_respond
  bind vpn vserver <VSERVER_NAME> -policy pluginlist_respond_pol -priority 1 -gotoPriorityExpression END -type AAA_REQUEST
  ```

- After you start BLX in non-root `nsroot` mode, you cannot go back to the root `nsroot` user mode. To do so, you must reinstall BLX.
- To run the `showtechsupport` command, you must log in to the host as root and then run the `showtechsupport.pl` script.
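The responder workaround above hard-codes the entire HTTP response, including its `Content-Length`, so editing the plug-in list by hand is easy to get wrong: a length that no longer matches the body leaves the VPN client waiting for bytes that never arrive, or truncates the XML. The following added example (not code from NetScaler or the BLX documentation) generates the same four CLI lines from an XML body with the length computed, and checks any existing `respondwith q{"..."}` action line for a mismatch. It assumes the escaping shown in the workaround (`\r\n` between header lines, `\n`, `\t` and `\"` inside the body); the vserver name, plug-in list and version strings are placeholders.

```python
"""Build and sanity-check the pluginlist.xml responder workaround for NetScaler BLX.

Added example, not code from NetScaler or the BLX documentation. It assumes the
same CLI form as the workaround: `respondwith q{"..."}` holding an HTTP response
whose header lines use \\r\\n and whose body uses \\n, \\t and \\" escapes.
The vserver name, plug-in list and versions below are placeholders.
"""
import re

ACTION = "pluginlist_respond"
POLICY = "pluginlist_respond_pol"


def escape_q(text):
    """Escape a literal string for the NetScaler advanced-policy string literal."""
    return (text.replace("\\", "\\\\").replace('"', '\\"')
                .replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t"))


def unescape_q(text):
    """Reverse escape_q: recover the bytes the VPN client will actually receive."""
    table = {"r": "\r", "n": "\n", "t": "\t", '"': '"', "\\": "\\"}
    return re.sub(r'\\([rnt"\\])', lambda m: table[m.group(1)], text)


def build_http_response(body, extra_headers=None):
    """Raw HTTP/1.1 200 response; Content-Length is computed from the body, never hand-typed."""
    headers = {
        "Content-Type": "application/xml; charset=utf-8",
        "Cache-Control": "no-cache, no-store",
        "X-Content-Type-Options": "nosniff",
    }
    headers.update(extra_headers or {})          # e.g. the Plugin-Upgrade header
    headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"HTTP/1.1 200 OK\r\n{head}\r\n{body}"


def responder_commands(vserver, body, extra_headers=None):
    """The four CLI lines of the workaround, generated from the plug-in list body."""
    response = escape_q(build_http_response(body, extra_headers))
    return [
        "enable ns feature RESPONDER",
        f'add responder action {ACTION} respondwith q{{"{response}"}}',
        f'add responder policy {POLICY} "HTTP.REQ.URL.CONTAINS(\\"pluginlist.xml\\")" {ACTION}',
        f"bind vpn vserver {vserver} -policy {POLICY} -priority 1 "
        f"-gotoPriorityExpression END -type AAA_REQUEST",
    ]


def check_content_length(action_cmd):
    """Return (declared Content-Length, actual body length) for any
    `add responder action ... respondwith q{"..."}` line, such as the one in the workaround."""
    m = re.search(r'respondwith q\{"(.*)"\}\s*$', action_cmd, re.S)
    if not m:
        raise ValueError('not a respondwith q{"..."} action')
    head, sep, body = unescape_q(m.group(1)).partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    cl = re.search(r"^Content-Length:\s*(\d+)\s*$", head, re.M | re.I)
    return (int(cl.group(1)) if cl else -1), len(body.encode("utf-8"))


# Constructed minimal plug-in list (placeholder version, not a real release).
SAMPLE_PLUGINLIST = (
    '<repositories>\n\t<repository name="default" >\n'
    '\t\t<plugin\n\t\t\tname="Netscaler Gateway VPN plug-in for Windows" type="WIN-VPN"\n'
    '\t\t\tversion="0.0.0.0" path="/vpns/scripts/vista/AGEE_setup.exe"\n'
    '\t\t\tcompatibleFrom="12.1.0.0" compatibleTill=""\n\t\t/>\n'
    '\t</repository>\n</repositories>\n'
)

if __name__ == "__main__":
    cmds = responder_commands("vpn_vs_example", SAMPLE_PLUGINLIST)
    print("\n".join(cmds))
    print("declared/actual Content-Length:", check_content_length(cmds[1]))
```

Paste the action line from the page into `check_content_length` before applying it; the declared and actual values should be equal, and they will drift apart as soon as a version string or path in the XML is edited without regenerating the header.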
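Several items in the list above are mechanical checks on the host and on `blx.conf`: the management ports that are actually in use (80/443 in dedicated mode, overridden only by `set ns param` in `ns.conf`, which takes precedence over `blx.conf`), the firewall exceptions those ports need, the power-of-2 worker-process rule for VMXNET3 DPDK ports, the 1 GB per worker process minimum and the nine-NIC-port maximum. The following added example (not code from NetScaler or the BLX documentation) folds them into one preflight. It assumes, because the page does not say so, that `blx.conf` uses `key: value` lines with `#` comments, that dedicated mode is indicated by an `interfaces:` key listing the NIC ports, that shared-mode management ports fall back to 9080/9443 when the keys are absent, and that syslog is 514/udp; the `firewall-cmd` and `ufw` commands are only printed, never executed.

```python
"""Preflight for a NetScaler BLX host: derive what the limitations on this page
imply from a blx.conf (and optional ns.conf), and print the firewall exceptions.

Added example, not code from NetScaler or the BLX documentation. Assumptions
(not stated on the page): blx.conf uses `key: value` lines with `#` comments;
dedicated mode is detected by an `interfaces:` key listing the NIC ports;
shared-mode management ports fall back to 9080/9443 when absent; syslog is
514/udp; memtotal_kb is the host's MemTotal in kB. Commands are printed only.
"""
import re

MAX_NIC_PORTS = 9                       # page: at most nine NIC ports
MIN_MEM_PER_WORKER_KB = 1024 * 1024     # page: 1 GB per worker process


def parse_blx_conf(text):
    """Return {key: value} for uncommented `key: value` lines in blx.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_-]+)\s*:\s*(.+?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_ns_param_ports(ns_conf):
    """Pick -mgmthttpport / -mgmthttpsport out of `set ns param` lines in ns.conf."""
    ports = {}
    for line in ns_conf.splitlines():
        if line.strip().startswith("set ns param"):
            for flag, key in (("-mgmthttpport", "http"), ("-mgmthttpsport", "https")):
                m = re.search(rf"{flag}\s+(\d+)", line)
                if m:
                    ports[key] = int(m.group(1))
    return ports


def effective_mgmt_ports(conf, ns_conf=""):
    """Management ports actually in use: dedicated mode ignores blx.conf and
    starts at 80/443; ns.conf (`set ns param`) takes precedence over blx.conf."""
    dedicated = "interfaces" in conf                      # assumption, see lead-in
    if dedicated:
        ports = {"mode": "dedicated", "http": 80, "https": 443}
    else:
        ports = {"mode": "shared",
                 "http": int(conf.get("mgmt-http-port", 9080)),    # assumed default
                 "https": int(conf.get("mgmt-https-port", 9443))}  # assumed default
    ports.update(parse_ns_param_ports(ns_conf))
    return ports


def check_limits(conf, memtotal_kb):
    """Return a list of human-readable violations of the limits on this page."""
    problems = []
    workers = int(conf.get("worker-processes", 1))
    if workers & (workers - 1):          # VMXNET3 DPDK ports need 2^n workers
        problems.append(f"worker-processes={workers} is not a power of 2")
    if memtotal_kb < workers * MIN_MEM_PER_WORKER_KB:
        problems.append(f"{memtotal_kb} kB is less than 1 GB x {workers} worker processes")
    nics = conf.get("interfaces", "").replace(",", " ").split()
    if len(nics) > MAX_NIC_PORTS:
        problems.append(f"{len(nics)} NIC ports configured, maximum is {MAX_NIC_PORTS}")
    return problems


def firewall_commands(ports, syslog_port=514, backend="firewalld"):
    """Host-firewall exceptions for the management ports and syslog."""
    rules = [(ports["http"], "tcp"), (ports["https"], "tcp"), (syslog_port, "udp")]
    if backend == "firewalld":
        return ([f"firewall-cmd --permanent --add-port={p}/{proto}" for p, proto in rules]
                + ["firewall-cmd --reload"])
    if backend == "ufw":
        return [f"ufw allow {p}/{proto}" for p, proto in rules]
    raise ValueError(f"unknown backend {backend!r}")


# Constructed sample inputs (not a real installation).
SAMPLE_BLX_CONF_DEDICATED = """\
blx-system-config
{
    worker-processes: 2
    interfaces: eth1 eth2             # dedicated NIC ports -> dedicated mode
    ipaddress: 192.0.2.10/24
    default: 192.0.2.1
    mgmt-http-port: 9080              # ignored in dedicated mode
    mgmt-https-port: 9443
}
"""
SAMPLE_BLX_CONF_SHARED = """\
blx-system-config
{
    worker-processes: 3               # not a power of 2
    mgmt-http-port: 9080
    mgmt-https-port: 9443
}
"""
SAMPLE_NS_CONF = "set ns param -mgmthttpport 2080 -mgmthttpsport 2443\n"

if __name__ == "__main__":
    conf = parse_blx_conf(SAMPLE_BLX_CONF_DEDICATED)
    ports = effective_mgmt_ports(conf, SAMPLE_NS_CONF)
    print(ports, check_limits(conf, memtotal_kb=4 * 1024 * 1024))
    print("\n".join(firewall_commands(ports)))
```

On a real host, feed it the contents of `/etc/blx/blx.conf` and `/nsconfig/ns.conf` and the `MemTotal` line of `/proc/meminfo`; the point of keeping the checks as pure functions is that the same logic can run in a CI job against a proposed `blx.conf` before anything touches the host.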
Unsupported NetScaler features in NetScaler BLX
- Admin partition
- Content optimization
- Hardware SSL offload
- Intermediate System-to-Intermediate System (IS-IS) routing protocol
- IPSec
- Jumbo frames
- Precision Time Protocol (PTP)
- Quality of Service (QoS)
- Routing Information Protocol (RIP)
- Routing Information Protocol Next Generation (RIPng)
- URL filtering