Grab a handy cheat sheet to help you with configurations
NetScaler CLI Troubleshooting
“How Do I” Series
With this blog post, we are opening a series of “How Do I” posts about all sorts of technical tips and tricks that will help you configure, support, troubleshoot and monitor various systems. The idea behind the “How Do I” series is to give you a handy cheat sheet that is easy to use and contains important commands, paths, shortcuts, etc. that are available on the net, but usually take way too much time to find. The truth is, we are actually creating these cheat sheets for ourselves to save time browsing the net, notes and bothering teammates 🙂
How Do I NetScaler CLI?
In this post, I am going to give you a list of helpful Citrix NetScaler Command Line Interface (CLI) commands that will help with your appliance support and troubleshooting. I find that in many cases NetScaler support falls into the Citrix XenApp/XenDesktop team’s hands, as they inherit it from the initial XenApp install and NetScaler has that Citrix name attached to it 🙂 Sometimes these hard-core Windows guys are not big fans of CLI and other black screens; I feel your pain guys and I am one of you 🙂 In other cases, NetScaler support falls under the Networking team’s responsibility, and CLI is not an issue for them if they can find the right commands. I’d like to tell both: don’t be afraid of CLI, CLI is easy! In fact, using CLI will save you lots of time compared to trying to find things in the GUI.
How do I connect?
Download Putty from www.putty.org, launch, punch your NetScaler IP in the Host Name (or IP address) field and click Open. Login with your NetScaler username and password. That’s it – welcome to NetScaler CLI 🙂
You will see some commands starting with ‘#’ – these are shell commands. To enter NetScaler’s shell mode (FreeBSD) type
to exit the shell mode type
It’s boring – let’s add some color
set cli mode -color ON
now errors are red and success is green – just the way we love it
Want to add username, hostname and current time?
set cli prompt %u@%h-%T
the result will be similar to this: stan@NetScalerHostname-10:32>
What’s my NetScaler?
Show me the current NetScaler firmware version
What’s your hostname
Show me your hardware details (including serial #)
Show me your interfaces
show interface -summary
Show me the SSL Summary
Show me the HA node configuration
Want more data?
# sysctl -a netscaler | more
this will give you lots of useful info such as your NetScaler model, description, platform it is running on, CPUs, etc.
Don’t forget to enter the shell for this one, type shell; to exit from shell (#) type exit
How’s NetScaler Configured?
IPs (SNIP, VIP, MIP)
show ns mode
Want it all?
this will give you NetScaler’s model, NSIP, config data, features and modes
License and Licensed Features
show run | more
Hey NetScaler, What’s Up?
NetScaler “Task Manager”
IPs (SNIP, VIP, MIP)
Ping, Traceroute, Telnet
Load Balancing (LB)
LB Virtual Servers
show lb vserver <vserver_name>
show lb vserver | more shows all virtual servers, which can create a mess 🙂
show service <service_name>
LB service groups
show servicegroup <servicegroup_name>
show monitor <monitor_name>
VPN (including NetScaler Gateway) Virtual Servers
show vpn vserver
Detailed VPN virtual server configuration including bound policies, portal theme, bookmarks, STAs, etc.
show vpn vserver <vpnvserver_name>
show aaa session
show aaa stats
stat lb vserver
stat cs vserver
Authentication Troubleshooting – Monitor Authentication Attempts in Real-Time
Switch to the shell prompt:
Start the debugging process:
Perform the authentication process that requires troubleshooting, such as a user logon attempt.
Monitor the output of the cat aaad.debug command to interpret and troubleshoot the authentication process.
Stop the debugging process with Ctrl + Z.
You can run the following command to record the output of aaad.debug to a log file:
cat aaad.debug | tee /var/tmp/<debuglogname.log>
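The capture step above, wrapped as a shell function that records only the lines mentioning the user under test and creates the log readable by its owner only, since it records logon attempts. This is an added example, not part of the original cheat sheet; the `/tmp/aaad.debug` location and the names `capture_aaad`, `AAAD_SRC`, `AAAD_OUTDIR` and `AAAD_PAT` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function and variable names
# are hypothetical; the path to aaad.debug is an assumption.
AAAD_SRC="${AAAD_SRC:-/tmp/aaad.debug}"   # assumed location of the debug stream
AAAD_OUTDIR="${AAAD_OUTDIR:-/var/tmp}"    # log directory used in the post

# capture_aaad [PATTERN]
# Shows aaad.debug live on stderr and records it to a new owner-only log
# file. With PATTERN (e.g. the test user's logon name) only lines that
# contain it, case-insensitively, are shown and recorded.
# The log path is printed on stdout before the capture starts, so it is
# known even if the capture is interrupted.
capture_aaad() (
    pattern="${1:-}"
    [ -r "$AAAD_SRC" ] || { echo "cannot read $AAAD_SRC" >&2; exit 1; }
    [ -d "$AAAD_OUTDIR" ] || { echo "no such directory: $AAAD_OUTDIR" >&2; exit 1; }

    out="$AAAD_OUTDIR/aaad-$(date +%Y%m%d-%H%M%S).log"
    umask 077    # the log records logon attempts: readable by owner only
    echo "$out"

    # awk does a fixed-string match (no regex surprises in user names such
    # as DOMAIN\user) and flushes after every line so that nothing is lost
    # when the capture is stopped.
    AAAD_PAT="$pattern" awk '
        BEGIN { p = tolower(ENVIRON["AAAD_PAT"]) }
        p == "" || index(tolower($0), p) { print; fflush() }
    ' "$AAAD_SRC" | tee "$out" >&2
)
```

After loading the function at the shell prompt, `capture_aaad <username>` replaces the plain `cat aaad.debug | tee ...` line; remove the log from the appliance once troubleshooting is finished.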
Check Policy Hits
Run the following command from the shell prompt of the appliance to view the real-time hits on:
Authentication policies and session policies applied on the NetScaler Gateway virtual server:
nsconmsg -d current -g pol_hits
Rewrite policy bound at a global level or to a load balancing, content switching, or NetScaler Gateway virtual server:
nsconmsg -d current | egrep -i rewrite
Responder policy bound at a global level or to a load balancing, content switching, or NetScaler Gateway virtual server:
nsconmsg -d current | egrep -i responder
You are welcome to download a handy NetScaler CLI Troubleshooting – Cheat Sheet that summarizes all of the above commands and tricks.
Please feel free to leave your comments and suggestions here, contact me via LinkedIn, email or follow me on Twitter.
*If you are interested in NetScaler Native OTP and want to learn how to prevent the enrollment of additional devices externally check out the NetScaler Native OTP guide.