NetScaler® ingress controller

Troubleshooting NetScaler node controller issues

January 7, 2026

Contributed by:

This topic explains how to troubleshoot issues that you might encounter while using the node controller. You can collect logs to determine the causes and apply workarounds for some of the common issues related to the configuration of the node controller.

To validate node controller and the basic node configurations, refer to the image on the deployment page.

Router pods not starting

If kube-nsnc-router pods are not starting then it might be due to certain cluster restrictions that prevent privileged pods to be deployed by non-admin users/privileges.

As a workaround, perform one of the following:

Use kube-system namespace to deploy node controller.
Assign cluster-admin role to node controller clusterrolebinding.

Note:

If you choose option 1, then you cannot create multiple instances of node controller in a single cluster as only one kube-system namespace available per cluster.

Service status DOWN

To debug the issues when the service is in the “down” state, perform the following steps:

Verify the logs of the node controller pod by using the following command:
```
kubectl logs <nsnc-pod> -n <namespace> 

```
Check for any ‘permission’ errors in the logs. node controller creates kube-nsnc-router pods, which require NET_ADMIN privilege to perform the configurations on nodes. Therefore, the node controller service account must have the NET_ADMIN privilege and the ability to create host mode kube-nsnc-routerpods.
Verify the logs of the kube-nsnc-router pod by using the following command:
```
kubectl logs <kube-nsnc-pod> -n <namespace> 

```
Check for any errors in the node configuration. The following is a sample router pod log:
Verify the kube-nsnc-router ConfigMap output by using the following command:
```
 kubectl get configmaps -n <namespace> kube-nsnc-router -o yaml 
 
```
Check for an empty field in the “data” section of the ConfigMap. The following is a sample two-node data section:
Verify the node configuration and ensure that:
- node controller interface nsncvxlan<md5_of_namespace> is created.
  - The assigned VTEP IP address is the same as the corresponding router gateway entry in NetScaler.
  - The status of the interface is functioning.
- iptable rule port is created.
  - The port is the same that of VXLAN created on NetScaler.

Service status is up and operational, but the ping from NetScaler is not working

This issue might occur due to the presence of a PBR entry, which directs the packets from NetScaler with SRCIP as NSIP to the default gateway. This issue does not impact any functionality.

You can use the VTEP of NetScaler as source IP address using the -S option of ping command in the NetScaler command line interface. For example:

ping <serviceIP> -S <vtepIP> 
<!--NeedCopy-->

Note:

If it is necessary to ping with NSIP itself then you must remove the PBR entry or add a PBR entry for the endpoint with high priority.

cURL to the pod endpoint or VIP is not working

Though, services are in up state, if you cannot cURL to the pod endpoint, means that the stateful TCP session to the endpoint is failing. One reason might be that the ns mode ‘MBF’ is set to enable. This issue depends upon deployments and might occur only on certain versions of NetScaler.

To resolve this issue, you must disable MBF ns mode or bind a netprofile with the netprofile disabled to the service group.

Note:

If disabling the MBF resolves the issue, then you must continue to set MBF to disabled.

Customer support

For general support, when you raise issues with the customer support, provide the following details, which help for faster debugging. cURL or ping from NetScaler to the endpoint and get the details for the following:

For the node, provide the details for the following commands:

tcpdump capture on node controller interface on nodes.

tcpdump -i nsncvxlan<hash_of_namesapce> -w nsncvxlan.pcap 
<!--NeedCopy-->

tcpdump capture on node Mgmt interface, for example, “eth0”.
```
 tcpdump -i eth0 -w mgmt.pcap 
 
```
tcpdump capture on CNI interface, for example, “vxlan.calico”.
```
 tcpdump -i vxlan.calico -w cni.pcap 
 
```
output of ifconfig -a on the node.
output of iptables -L on the node.

For NetScaler, provide the details for the following show commands:

show ip
show vxlan <vxlan_id>
show route
show arp
show bridgetable
show ns pbrs
show ns bridgetable
show ns mode

Try to capture nstrace by using ping/cURL:

start nstrace -size 0 -mode rx new_rx txb tx -capsslkeys enABLED 
<!--NeedCopy-->

stop nstrace 
<!--NeedCopy-->

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler Secure Deployment Guide

Troubleshooting NetScaler node controller issues

January 7, 2026

Contributed by:

January 7, 2026

Contributed by:

Troubleshooting NetScaler node controller issues

Router pods not starting

Service status DOWN

Service status is up and operational, but the ping from NetScaler is not working

cURL to the pod endpoint or VIP is not working

Customer support

In this article