Citrix NetScaler – GeoIP, Geo Fencing, GSLB Locations Stopped Working After an Upgrade


One of the reasons we love Citrix so much is that they never let us get bored 🙂

If you have upgraded to a recent build of Citrix NetScaler (such as 11.1 build 53.13), you may be wondering why some of your services stopped working 🙂 It took us some time to understand that this was, in fact, related to the Geo Fencing features we had enabled.

During troubleshooting we found that the Geo-Fencing Responder policy no longer matched the configured regions against the GeoIP database. With the policy rule shown below (drop unless the client matches the US or the CA location), that means MATCHES_LOCATION returned false for every client, so the policy dropped everybody, not just visitors from outside North America.

It turns out that Citrix introduced a new feature, or to be exact a fix: wildcard lookups are disabled by default after the upgrade. So if you followed Citrix's CTX130701, surprise, it stops working for you 🙂

After quite a bit of digging, we found this change in the release notes of NetScaler 11.1 build 53.11:
The GEO rule for wildcard qualifiers matched any other qualifier. With this fix, the matchWildcardtoany option in the set locationParameter command is set to NO and hence the wildcard qualifiers do not match any other qualifier, by default.
[# 665771]

So, all you need to do to fix the issue is run this command (and save the configuration afterwards, or the setting is lost at the next reboot):
set locationParameter -matchWildcardtoany YES

Two caveats before you do. First, YES restores the pre-fix behaviour in both directions: a wildcard in the policy expression matches any qualifier in a location entry, and a wildcard in a location entry matches any qualifier in the expression. With a database that is complete down to the country level this is what you want, but if an entry carries a wildcard in the country position, clients in that range will match "*.US.*.*.*.*" and pass through the fence. Citrix's set locationParameter reference also lists a third value, Expression, where only wildcards in the expression match anything; verify it is available on your build before relying on it. Second, a client whose address is covered by no location entry at all (private ranges, for instance) matches no location, so the policy below drops it; that is what the optional custom entry in step 8 is for.

In case you need the full, tested Geo-Fencing recipe for NetScaler:

How to Use NetScaler to Block Access to a Website Using a Location Database Based on User’s Country

1. Download the GeoLite Country database in CSV format from http://dev.maxmind.com/geoip/legacy/geolite/ (MaxMind has since retired the GeoLite Legacy downloads, so keep a copy of the file you import)

2. Upload it to the /var/geoip folder on the NetScaler appliance (the folder does not exist by default; create it manually from the shell)

3. Run the following command to import the location file:
add locationfile /var/geoip/GeoIPCountryWhois.csv -format GeoIP-Country

4. Run the following command to verify that the file was imported (the Lines, Warnings and Errors counters tell you whether every row was loaded):
show locationparameter
Output:
Static Proximity
----------------
Database mode: Internal
Flushing: Idle; Loading: Idle
Context: geographic
Qualifier 1 label: Continent
Qualifier 2 label: Country
Qualifier 3 label: Region
Qualifier 4 label: City
Qualifier 5 label: ISP
Qualifier 6 label: Organization
Location file (format: geoip-country):
/var/geoip/GeoIPCountryWhois.csv
Lines: 150241 Warnings: 0 Errors: 0
Current static entries: 150241 Current custom entries: 0
Done

5. Run the following command to create the Responder policy (DROP silently discards the request; the client sees a hung connection rather than an error page):
add responder policy Drop-Non-American-IPs_resppol "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CA.*.*.*.*\").NOT" DROP

6. Run the following command to bind the policy to a virtual server (replace <vserver_name> with the name of your load balancing virtual server):
bind lb vserver <vserver_name> -policyName Drop-Non-American-IPs_resppol -priority 100

7. Run the following command to allow wildcard lookups (required on 11.1 build 53.11 and later, where the default changed to NO):
set locationParameter -matchWildcardtoany YES
! this step is missing from Citrix documents !

8. Optional: add your internal ranges to Location -> Custom Entries. Addresses that appear in no database entry match neither location and would be dropped by the policy, so give them a location that the policy accepts:
add location 10.0.0.0 10.255.255.255 "North America.CA.*.*.*.*"

To save yourself some troubleshooting time in the future, and to give users some information, you can answer blocked clients with a message instead of silently dropping the connection.

To display a message to the user, similar to:
“Sorry, the IP address you are connecting from (192.168.168.168) is outside North America. Access to our systems from your location is not allowed.”

1. Create the Responder Action. respondwith sends the result of the expression as the raw HTTP response, so include a status line and headers rather than the bare message text; a 403 also makes the block visible in client-side logs:
add responder action display-blocked-page_respact respondwith "\"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nSorry, the IP address you are connecting from (\"+CLIENT.IP.SRC+\") is outside North America. Access to our systems from your location is not allowed.\""

2. Create the Responder Policy, with the same rule as before but pointing at the new action (policy names must be unique, so remove or unbind the DROP policy from step 5 first if you reuse the name):
add responder policy Drop-Non-American-IPs_resppol "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CA.*.*.*.*\").NOT" display-blocked-page_respact

3. Bind the Responder Policy to the LB vServer, as in step 6 above

4. Run the following command to allow wildcard lookups (required on 11.1 build 53.11 and later, where the default changed to NO):
set locationParameter -matchWildcardtoany YES
! this step is missing from Citrix documents !
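To make the wildcard behaviour concrete, here is a small Python model, added for this write-up and not NetScaler code or anything from Citrix, of the location lookup and of the MATCHES_LOCATION rule used in both recipes above (the DROP variant and the respondwith variant evaluate the same expression). It assumes that the GeoIP-Country loader fills the continent qualifier from the country code (the custom entry in step 8 carries a continent, and the small table below is a stand-in for whatever mapping the appliance uses), that an address covered by no entry matches no location, and that matchWildcardtoany NO means a wildcard only matches another wildcard while YES means a wildcard on either side matches anything, as the release note describes. The CSV rows are constructed in the legacy GeoLite Country layout and use RFC 5737 documentation ranges.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the legacy GeoLite Country CSV layout:
# start IP, end IP, start integer, end integer, ISO code, country name.
# The ranges are RFC 5737 documentation prefixes, not real geolocations.
SAMPLE_GEOIP_CSV = (
    '"203.0.113.0","203.0.113.255","3405803776","3405804031","US","United States"\n'
    '"192.0.2.0","192.0.2.255","3221225984","3221226239","CA","Canada"\n'
    '"198.51.100.0","198.51.100.255","3325256704","3325256959","DE","Germany"\n'
)

# Assumption: the GeoIP-Country loader fills qualifier 1 (continent) from the
# country code. This tiny table stands in for the appliance's own mapping.
CONTINENT_OF = {"US": "North America", "CA": "North America", "DE": "Europe"}

# The two MATCHES_LOCATION arguments from the responder policy on this page.
RULE_LOCATIONS = ("*.US.*.*.*.*", "*.CA.*.*.*.*")


def parse_geoip_country_csv(text):
    """Turn GeoIP-Country CSV rows into (start, end, location) entries.

    Locations use NetScaler's six qualifiers
    continent.country.region.city.isp.organization; the country file only
    provides the first two, so the remaining four are wildcards.
    """
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        start, end, code = row[0], row[1], row[4]
        location = ".".join([CONTINENT_OF.get(code, "*"), code, "*", "*", "*", "*"])
        entries.append((int(ipaddress.IPv4Address(start)),
                        int(ipaddress.IPv4Address(end)), location))
    return entries


def add_location(entries, start, end, location):
    """Custom entry, the equivalent of: add location <start> <end> "<qualifiers>"."""
    entries.append((int(ipaddress.IPv4Address(start)),
                    int(ipaddress.IPv4Address(end)), location))


def lookup(entries, ip):
    """Return the location of an address, or None if no entry covers it."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, location in entries:
        if start <= n <= end:
            return location
    return None


def qualifier_matches(entry_q, rule_q, wildcard_to_any):
    # matchWildcardtoany NO: only identical qualifiers match, so a wildcard
    # matches nothing but another wildcard.
    # matchWildcardtoany YES: a wildcard on either side matches anything.
    if entry_q == rule_q:
        return True
    return wildcard_to_any and "*" in (entry_q, rule_q)


def matches_location(location, rule, wildcard_to_any):
    """Model of CLIENT.IP.SRC.MATCHES_LOCATION(rule) for an already resolved location."""
    if location is None:  # address in no entry: matches no location at all
        return False
    entry_qs, rule_qs = location.split("."), rule.split(".")
    return all(qualifier_matches(e, r, wildcard_to_any) for e, r in zip(entry_qs, rule_qs))


def responder_decision(location, wildcard_to_any):
    """The page's rule: drop unless the client matches the US or the CA pattern."""
    outside = all(not matches_location(location, rule, wildcard_to_any) for rule in RULE_LOCATIONS)
    return "DROP" if outside else "ALLOW"


def run_scenarios():
    """Decisions before and after the 11.1 53.11 default change, with and without step 8."""
    db = parse_geoip_country_csv(SAMPLE_GEOIP_CSV)
    results = {}
    for wildcard_to_any in (True, False):
        for ip in ("203.0.113.7", "192.0.2.40", "198.51.100.9", "10.1.2.3"):
            results[(ip, wildcard_to_any)] = responder_decision(lookup(db, ip), wildcard_to_any)
    # Step 8 of the recipe: give the internal range a location the policy accepts.
    add_location(db, "10.0.0.0", "10.255.255.255", "North America.CA.*.*.*.*")
    results[("10.1.2.3 (custom entry)", True)] = responder_decision(lookup(db, "10.1.2.3"), True)
    return results


if __name__ == "__main__":
    for (ip, wildcard_to_any), decision in run_scenarios().items():
        mode = "YES" if wildcard_to_any else "NO"
        print(f"matchWildcardtoany={mode:3} {ip:26} -> {decision}")
```

Running it, the matchWildcardtoany=NO rows show why everything was dropped after the upgrade: the continent stored in the entry never matches the wildcard in the expression, so both MATCHES_LOCATION calls return false and the .NOT && .NOT rule fires for every client, US and Canadian ones included. The 10.1.2.3 rows show why step 8 matters: an address in no entry is dropped until a custom entry gives it an accepted location.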

Happy NetScalering 🙂
