Frequently Asked Questions
Before using any nsapimgr knob, consult with Citrix Customer Support.
The following is a list of the idle connection timeouts that can be set on Citrix ADC T1 virtual servers and services. An idle timeout set for client or server connections at the virtual server or service level applies only to connections that are in the TCP ESTABLISHED state and are idle.
- Load Balancing virtual server cltTimeout parameter specifies the time in seconds that a connection from a client to a Load Balancing virtual server must be idle, before the appliance closes the connection.
- Service svrTimeout parameter specifies the time in seconds that a connection from the appliance to a service or server must be idle, before the appliance closes the connection.
- Service cltTimeout parameter specifies the time in seconds that a connection from a client to a service must be idle, before the appliance closes the connection.
When a service is bound to a Load Balancing virtual server, the cltTimeout of the Load Balancing virtual server takes precedence and the cltTimeout of the service is ignored.
If no service is bound to the Load Balancing virtual server, the global idle timeout, tcpServer, is used for server-side connections. It can be configured as follows:
set ns timeout -tcpServer 9000
Connections in other states have different timeout values:
- Half open connections idle timeout: 120 seconds (hardcoded value)
- TIME_WAIT connections idle timeout: 40 seconds (hardcoded value)
- Half-close connections idle timeout: 10 seconds by default; can be configured between 1s and 600s with the following command:
set ns timeout -halfclose 10
When the half-close timeout expires, the connection is moved to the zombie state. When the zombie timeout expires, zombie cleanup runs and, by default, T1 sends a RST on both the client and the server side of that connection.
- Zombie timeout: the interval at which the zombie cleanup process runs to clean up inactive TCP connections. The default is 120s; it can be configured between 1s and 600s.
set ns timeout -zombie 120
Maximum Segment Size Table
A Citrix ADC T1 appliance defends against SYN flood attacks by using SYN cookies instead of maintaining half-open connections on the system memory stack. The appliance sends a cookie to each client that requests a TCP connection, but it does not maintain the states of half-open connections. Instead, the appliance allocates system memory for a connection only upon receiving the final ACK packet, or, for HTTP traffic, upon receiving an HTTP request. This prevents SYN attacks and allows normal TCP communications with legitimate clients to continue uninterrupted. This function is enabled by default and cannot be disabled.
However, there is a caveat: standard SYN cookies limit connections to the use of only eight Maximum Segment Size (MSS) values. If the connection MSS does not match any predefined value, the next available lower value is used on both the client and the server side.
The predefined TCP Maximum Segment Size (MSS) values are listed below and can be configured through a new nsapimgr knob.
The new MSS table:
- Need not contain Jumbo-Frame support. Even though by default 8 values are reserved in the MSS table for jumbo frames, the table settings can be modified to include standard Ethernet-sized frames only.
- Should have 16 values
- Should have values in descending order
- Should include 128 as the last value
If the new MSS table is valid, it is stored and the old values are switched out at the SYN-cookie rotation time. Otherwise, the command returns an error. Changes apply to new connections; existing connections keep the old MSS table until they expire or are terminated.
To display the current MSS table in a Citrix ADC appliance, type the following command.
#nsapimgr -d mss_table
To change the MSS table, type the following command:
#nsapimgr -s mss_table=<16 comma separated values>
For example:
#nsapimgr -ys mss_table=9176,9156,8192,7168,6144,4196,3072,2048,1460,1400,1330,1212,956,536,384,128
# nsapimgr -d mss_table
An example using standard Ethernet-sized values is depicted below:
#nsapimgr -ys mss_table=1460,1440,1420,1400,1380,1360,1340,1320,1300,1280,1260,1212,956,536,384,128
# nsapimgr -d mss_table
To make this change persist across Citrix ADC appliance restarts, add the command
#nsapimgr -ys mss_table=<16 comma separated values>
to the “/nsconfig/rc.netscaler” file. If the “rc.netscaler” file does not exist, create it under the “/nsconfig” folder and then append the command.
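Because an invalid table is only rejected by nsapimgr at apply time, it is useful to check a candidate table offline before writing it into rc.netscaler. The following added example (not Citrix code) applies the three rules listed above to a comma-separated table string and shows which table entry a connection's MSS would be mapped to under the "next available lower value" behaviour described earlier; the strict-descending check and the handling of an MSS below 128 are assumptions, since the page does not spell them out.

```python
from typing import List, Optional, Tuple

TABLE_LEN = 16    # the table must contain exactly 16 values
LAST_VALUE = 128  # the table must end with 128

# Constructed inputs: the two tables shown on this page, plus a bad one.
JUMBO_TABLE = "9176,9156,8192,7168,6144,4196,3072,2048,1460,1400,1330,1212,956,536,384,128"
ETHERNET_TABLE = "1460,1440,1420,1400,1380,1360,1340,1320,1300,1280,1260,1212,956,536,384,128"
BAD_TABLE = "1460,1440,1420,1400,1380,1360,1340,1320,1300,1280,1260,1212,956,536,384,100"


def parse_mss_table(spec: str) -> List[int]:
    """Parse the comma-separated string passed as nsapimgr -s mss_table=..."""
    try:
        return [int(v.strip()) for v in spec.split(",")]
    except ValueError as exc:
        raise ValueError(f"non-numeric MSS entry in {spec!r}") from exc


def validate_mss_table(table: List[int]) -> Tuple[bool, str]:
    """Check the page's rules: 16 values, descending order, last value 128.
    'Descending' is treated as strictly descending (assumption)."""
    if len(table) != TABLE_LEN:
        return False, f"expected {TABLE_LEN} values, got {len(table)}"
    if any(a <= b for a, b in zip(table, table[1:])):
        return False, "values must be in descending order"
    if table[-1] != LAST_VALUE:
        return False, f"last value must be {LAST_VALUE}, got {table[-1]}"
    return True, "ok"


def select_mss(table: List[int], conn_mss: int) -> Optional[int]:
    """Return the table entry used for a connection advertising conn_mss:
    the exact match if present, otherwise the next lower entry. Returns None
    when conn_mss is below the smallest entry (the page does not define this)."""
    ok, reason = validate_mss_table(table)
    if not ok:
        raise ValueError(reason)
    for entry in table:  # table is descending, so the first entry <= conn_mss wins
        if entry <= conn_mss:
            return entry
    return None


if __name__ == "__main__":
    for name, spec in (("jumbo", JUMBO_TABLE), ("ethernet", ETHERNET_TABLE), ("bad", BAD_TABLE)):
        print(name, validate_mss_table(parse_mss_table(spec)))
    print("MSS 1452 with ethernet table ->", select_mss(parse_mss_table(ETHERNET_TABLE), 1452))
```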
Memory Overload Protection
A Citrix ADC Packet Processing Engine (PPE) starts bypassing connections from TCP optimization if the memory in use by that PPE exceeds a specified high watermark value. If a PPE's memory utilization goes above ~2.6GB, it starts bypassing any new connections from optimization; existing connections (those previously admitted for optimization) continue to be optimized. This watermark value has been purposefully selected and tuning it is not recommended.
If you believe that there is a good reason to change that watermark value, contact Customer Support.
Support for Happy Eyeballs Clients
If the Citrix ADC appliance receives a SYN for a destination for which the state is unknown, the appliance first checks the reachability of the server and then acknowledges the client. This probing mechanism enables clients with dual IP stacks to discover the reachability of dual-stack internet servers. If the client discovers that both IPv6 and IPv4 access are available, it establishes a connection to the server that responds more quickly, and resets the other. When the Citrix ADC appliance receives a reset on a client connection, it resets the corresponding server-side connection.
Note: This feature has no user-configurable TCP settings; it cannot be enabled or disabled on the Citrix ADC appliance.
For more information on Happy Eyeballs support, see RFC 6555.