How Do I – Citrix NetScaler CLI

Grab a handy cheat sheet to help you with configurations
NetScaler CLI Troubleshooting

“How Do I” Series

With this blog post, we are opening a series of “How Do I” posts about all sorts of technical tips and tricks that will help you configure, support, troubleshoot and monitor various systems. The idea behind the “How Do I” series is to give you a handy cheat sheet that is easy to use and contains important commands, paths, shortcuts, etc. that are available on the net but usually take way too much time to find. The truth is, we are actually creating these cheat sheets for ourselves, to save time browsing the net, digging through notes and bothering teammates 🙂

How Do I NetScaler CLI?

In this post, I am going to give you a list of helpful Citrix NetScaler Command Line Interface (CLI) commands that will help with your appliance support and troubleshooting. I find that in many cases NetScaler support falls into the Citrix XenApp/XenDesktop team’s hands, as they inherit it from the initial XenApp install and NetScaler has that Citrix name attached to it 🙂 Sometimes these hard-core Windows guys are not big fans of CLI and other black screens; I feel your pain guys and I am one of you 🙂 In other cases, NetScaler support falls under the Networking team’s responsibility, and CLI is not an issue for them if they can find the right commands. I’d like to tell both: don’t be afraid of CLI, CLI is easy! In fact, using CLI will save you lots of time compared to trying to find things in the GUI.

How do I connect?
Download PuTTY, launch it, enter your NetScaler IP in the Host Name (or IP address) field and click Open. Log in with your NetScaler username and password. That’s it – welcome to NetScaler CLI 🙂
You will see some commands starting with ‘#’ – these are shell commands. To enter NetScaler’s shell mode (FreeBSD) type
shell
to exit the shell mode type
exit
It’s boring – let’s add some color
set cli mode -color ON
now errors are red and success is green – just the way we love it
Want to add username, hostname and current time?
set cli prompt %u@%h-%T
the result will be similar to this: stan@NetScalerHostname-10:32>
What’s my NetScaler?
Show me the current NetScaler firmware version
show version
What’s your hostname?
show hostname
Show me your hardware details (including serial #)
show hardware
Show me your interfaces
show interface -summary
Show me the SSL Summary
stat ssl
Show me the HA node configuration
show node
Want more data?
# sysctl -a netscaler | more
this will give you lots of useful info such as your NetScaler model, description, platform it is running on, CPUs, etc.
Don’t forget to enter the shell for this one, type shell; to exit from shell (#) type exit
How’s NetScaler Configured?
show ip
show feature
show ns mode
Want it all?
show info
this will give you NetScaler’s model, NSIP, config data, features and modes
License and Licensed Features
show license
Running configuration
show run | more
By the way, if you’re like me and want to make your config digging easier, download Notepad++ and use Kenny Baldwin’s instructions to make NetScaler config pretty in it.
Hey NetScaler, What’s Up?
NetScaler “Task Manager”
shell top
# uptime
Networking Stuff
Routing table
show route
show ip
ARP table
show arp
show vlan
Ping, Traceroute, Telnet
# ping
# traceroute
# telnet
Load Balancing (LB)
LB Virtual Servers
show lb vserver <vserver_name>
show lb vserver | more shows all virtual servers, which can create a mess 🙂
LB services
show service <service_name>
LB service groups
show servicegroup <servicegroup_name>
LB monitors
show monitor <monitor_name>
Persistent sessions
show persistentsessions
VPN (including NetScaler Gateway) Virtual Servers
show vpn vserver
Detailed VPN virtual server configuration including bound policies, portal theme, bookmarks, STAs, etc.
show vpn vserver <vpnvserver_name>
Authentication sessions
show aaa session
Authentication statistics
show aaa stats
stat ns
stat cpu
stat interface
stat lb vserver
stat cs vserver
stat service
stat ssl
stat dns
stat http
Authentication Troubleshooting – Monitor Authentication Attempts in Real-Time
Switch to the shell prompt:
shell
Start the debugging process:
cat /tmp/aaad.debug
Perform the authentication process that requires troubleshooting, such as a user logon attempt.
Monitor the output of the cat /tmp/aaad.debug command to interpret and troubleshoot the authentication process.
Stop the debugging process with Ctrl + Z.
You can run the following command to record the output of aaad.debug to a log file:
cat /tmp/aaad.debug | tee /var/tmp/<debuglogname.log>
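A time-boxed variant of the recording step, as an added example that is not part of the original post: it writes the capture to an owner-only file (the debug stream carries usernames and authentication results) and stops the reader by itself after a set number of seconds. The function name capture_aaad and its parameters are hypothetical; it records to a file only and does not echo to the screen the way tee does.

```sh
#!/bin/sh
# Added example, not from the original post.
# capture_aaad and its arguments are hypothetical names.
#
# usage: capture_aaad SECONDS [SOURCE] [OUTDIR]
#   SECONDS  how long to keep reading the debug stream
#   SOURCE   stream to read (default: /tmp/aaad.debug, as in the steps above)
#   OUTDIR   where to write the log (default: /var/tmp)
# Prints the path of the log file it wrote.
capture_aaad() {
    secs=$1
    src=${2:-/tmp/aaad.debug}
    outdir=${3:-/var/tmp}

    # Reject a missing or non-numeric duration before touching anything.
    case $secs in
        ''|*[!0-9]*)
            echo "usage: capture_aaad SECONDS [SOURCE] [OUTDIR]" >&2
            return 2 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    out="$outdir/aaad-$(date +%Y%m%d-%H%M%S).log"

    # Create the log with mode 0600: the background reader inherits
    # the tightened umask, then the caller's umask is restored.
    old_umask=$(umask)
    umask 077
    cat "$src" > "$out" &
    pid=$!
    umask "$old_umask"

    # Read for the requested window, then stop the reader so nothing
    # stays attached to the debug stream after the session.
    sleep "$secs"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true

    echo "$out"
}
```

Run capture_aaad 60 from the shell prompt, reproduce the logon attempt within that minute, then review the file whose path it prints and delete it when you are done.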
Check Policy Hits
Run the following command from the shell prompt of the appliance to view the real-time hits on:
Authentication policies and session policies applied on the NetScaler Gateway virtual server:
nsconmsg -d current -g pol_hits
Rewrite policy bound at a global level or to a load balancing, content switching, or NetScaler Gateway virtual server:
nsconmsg -d current | egrep -i rewrite
Responder policy bound at a global level or to a load balancing, content switching, or NetScaler Gateway virtual server:
nsconmsg -d current | egrep -i responder

_ _ _

You are welcome to download a handy NetScaler CLI Troubleshooting – Cheat Sheet that summarizes all of the above commands and tricks. If you are interested in NetScaler Native OTP and want to learn how to prevent the enrollment of additional devices externally, check out the NetScaler Native OTP guide.

Please feel free to leave your comments and suggestions here, contact me via LinkedIn, email or follow me on Twitter.

By Stan Demburg
