Page 1: May 2013

May 2013

SUM410: Getting the Best Performance with Citrix NetScaler

Edward Targonski

Page 2: May 2013

© 2013 Citrix

Agenda

• NetScaler Model and Network Deployment Options

• Performance Enhancing Features

• Commonly Used Troubleshooting Tools and Commands

• Questions?

• Conclusion

Page 3: May 2013

NetScaler Models

Page 4: May 2013

NetScaler Models

• NetScaler VPX

• NetScaler MPX

• NetScaler SDX

Page 5: May 2013

Differences Between MPX and VPX

• Three main differences exist between MPX and VPX:
  ᵒ System capacity
  ᵒ Performance
  ᵒ Tagged VLAN Configuration

• NetScaler VPX system capacity:
  ᵒ No hardware SSL acceleration
  ᵒ Processing not offloaded to dedicated silicon

Page 6: May 2013

When to Use Which?

NetScaler Appliances NetScaler VPX

• Gig+ performance

• High volume SSL Offload

• >100 SSL VPN CCUs

• FIPS requirements

• Physical device security

• Labs/test environments

• Development environments

• “Datacenter-in-a-box”

• CPU-intensive workloads

• Frequently moved apps

• Fast/remote deployment

Page 7: May 2013

NetScaler SDX

• Instances, not partitions

• Complete CPU isolation

• Complete memory isolation

• Version independence

• High availability independence

• Lifecycle independence

Page 8: May 2013

Network Topologies: One-Armed

Where possible, a one-armed topology is the preferred method of deploying NetScaler in most environments.

Page 9: May 2013

Network Topologies: Two-Armed

[Diagram: traffic flow between the Public/Front VLAN and the Private/Server VLAN: 1. User Request, 2. User Request, 3. Response, 4. Response]

The most common use of a two-armed topology is when a NetScaler replaces a legacy two-armed device in a network.

Page 10: May 2013

Performance Enhancing Features and Settings

Page 11: May 2013

TCP Connection without NetScaler

[Diagram: packet exchange between Client and Server (SYN, SYN+ACK, ACK, GET, Data, ACK, FIN). Callouts: "Server allocates storage for connection"; "Server de-allocates storage for the connection".]

Server sees eleven packets

Page 12: May 2013

Transaction with NetScaler

[Diagram: packet exchange between Client, NetScaler and Server (SYN, SYN+ACK, ACK, GET, Data, FIN).]

Server sees four packets

Page 13: May 2013

Global Performance Settings

Page 14: May 2013

Global Settings

• Surge Protection

• Path MTU discovery

Page 15: May 2013

HTTP Parameters

• Client IP Insertion

• Cookie Version

• Requests/Responses:
  ᵒ Drop invalid HTTP requests
  ᵒ Mark CONNECT request as invalid
  ᵒ Mark HTTP/0.9 request as invalid
  ᵒ Log HTTP error responses

• Server Header Insertion

Page 16: May 2013

TCP Parameters

• Window Scaling

• Selective Acknowledgments

• Nagle’s Algorithm

• SYN Attack Detection

Page 17: May 2013

© 2013 Citrix Citrix Confidential - Do Not Distribute

Performance Enhancing Features

Page 18: May 2013

Performance Enhancing Features – SSL Offload

• Reduce Server Load

• Higher TPS

• Central Certificate Management

• Central Cipher Management

Page 19: May 2013

Advanced Optimization: SSL Offload

• In end-to-end, use low-level ciphers in NS-to-service communication

• Cipher selection depends on client needs and security considerations.

• Can be combined with IC and Compression for maximum impact

Page 20: May 2013

Performance Enhancing Features – Compression

• Faster response

• Fewer bytes on-wire

• Better response for low-bandwidth clients

• Policy-based rules

Page 21: May 2013

Compression

• NetScaler supports various ways of compressing traffic

• HTTP traffic can easily be compressed by NetScaler
  ᵒ Less work for the web server
  ᵒ Client can understand and de-compress (accept-encoding header)

• Compression governed via policies

• Preconfigured policies exist

Page 22: May 2013

Performance Enhancing Features – Caching

• Reduce server load

• Faster response

• Policy-based controls

Page 23: May 2013

Advanced Optimization: Caching

• Use Content-Group settings to optimize for min/max content size, or overall number of hits.

• Use parameterization to optimize cache retrieval or invalidation.

• Prioritize NO_CACHE policies before CACHE policies

• Use multiple Content-Groups to allow for specific cache-clearing

Page 24: May 2013

Performance Enhancing Features – TCP Session Management

• Reduce server load

• Faster server response

• Full Traffic Optimization and Traffic Security Feature Sets

Page 25: May 2013

Results of Performance Enhancing Feature Configuration

Page 26: May 2013

“Sharepoint” SSL+HTTP Load Balancing Configuration

Standard HTTP Load Balancing

SSL Handling on Servers

Doc. Size       Baseline
987 kB .doc     16.34s
5.29 MB .doc    89.86s
1.75 MB .pdf    28.62s
5.10 MB .pdf    80.28s

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235

*Times based on a 1.5 Mbps connection with 0.7% packet loss.

Page 27: May 2013

SSL-Offload + Compression Load Balancing Configuration

SSL-Offloaded HTTP Load Balancing

SSL Handling on NetScaler

Static/Dynamic content compressed

Servers configured as plaintext HTTP

Doc. Size       Baseline    SSL Offload + Compress
987 kB .doc     16.34s      12.29s
5.29 MB .doc    89.86s      56.20s
1.75 MB .pdf    28.62s      18.87s
5.10 MB .pdf    80.28s      70.36s

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235

Page 28: May 2013

SSL offload + Compression + Integrated Caching Load Balancing Configuration

SSL-Offload + Cmp + Caching HTTP Load Balancing

SSL Handling on NetScaler + Compression with Integrated Caching

Doc. Size       Baseline    SSL Offload + Compress    Caching
987 kB .doc     16.34s      12.29s                    8.62s
5.29 MB .doc    89.86s      56.20s                    42.78s
1.75 MB .pdf    28.62s      18.87s                    14.51s
5.10 MB .pdf    80.28s      70.36s                    60s

*Cache object max. limit set to 10MB

Source: Citrix Application Optimization for MOSS 2007 Performance Assessment - http://support.citrix.com/article/ctx120235

Page 29: May 2013

Troubleshooting Tools and Commands

Page 30: May 2013

NSCONMSG

• Primary tool for detailed analysis

• NetScaler logs all statistics every 7 seconds

• Uses logs from /var/nslog

• Logfiles are gzipped (use zcat)

• Some stats now available via GUI (System > Diagnostics)

Page 31: May 2013

NSCONMSG – Examples

Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -g ssl_err -d stats

Displaying current counter value information
NetScaler V20 Performance Data
NetScaler NS9.3: Build 57.53.nc, Date: Jul 20 2012, 07:26:39

reltime:mili second between two records Fri Feb 5 10:31:31 2010
Index reltime counter-value symbol-name&device-no
    0       0             0 ssl_err_ssl3_badversion
    1       0             0 ssl_err_cavium_random_seed_failed
    2       0             0 ssl_err_ubsec_card_reset
    3       0             0 ssl_err_ssl3_send_server_hello
    4       0             0 ssl_err_ssl3_send_server_certificate
    5       0             0 ssl_err_ssl3_send_server_key_exchange
    6       0             0 ssl_err_ssl3_send_certificate_request
    7       0             0 ssl_err_ssl3_send_server_done

Current logfile

Grep for ‘ssl_err’

View initial statistics

Page 32: May 2013

NSCONMSG – Examples

Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -s disptime=1 -g ssl_err_ssl3 -d current

Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
  108     0             78     1        0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:06 2010
  109 14000             11     2        0 ssl_error_cvm_bad_record Fri Feb 5 12:01:20 2010
  110  7000             79     1        0 ssl_err_ssl3_badversion Fri Feb 5 12:01:27 2010
  111     0             79     1        0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:27 2010
  112 28000             81     2        0 ssl_err_ssl3_badversion Fri Feb 5 12:01:55 2010
  113     0             81     2        0 ssl_err_ssl3_get_client_hello Fri Feb 5 12:01:55 2010
  114  7000             83     2        0 ssl_err_ssl3_badversion Fri Feb 5 12:02:02 2010

View historic statistics

View timestamps

Page 33: May 2013

NSCONMSG – Examples

Scenario: Testing reports problems with SSL VIP earlier. What happened?

nsconmsg -K newnslog -s csv=1 -g ssl_err_ssl3_badversion -d current > sslv3.csv

Grep specific counter

Output to csv

Write to file

Page 34: May 2013

NSCONMSG – Examples

Checking for distribution and performance

nsconmsg -K newnslog -s ConLb=3 -d distrconmsg

VIP(1.1.1.1:636:UP:WEIGHTEDRR): Hits(2506) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
  S(1.1.1.100:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%)
  S(1.1.1.101:636:UP) Hits(836:33%) PHits(0:0%) LbHits(836:100%)
  S(1.1.1.102:636:UP) Hits(835:33%) PHits(0:0%) LbHits(835:100%)
VIP(2.2.2.2:389:UP:WEIGHTEDRR): Hits(6) Pers(OFF) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
  S(2.2.2.100:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
  S(2.2.2.101:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
  S(2.2.2.102:389:UP) Hits(2:33%) PHits(0:0%) LbHits(2:100%)
VIP(3.3.3.3:123:UP:WEIGHTEDRR): Hits(180) Pers(SOURCEIP) PersHits(180:100%) Err(0:0%) Ovrride(0:0%)
  S(3.3.3.100:123:UP) Hits(42:23%) PHits(42:100%) LbHits(0:0%)
  S(3.3.3.101:123:UP) Hits(49:27%) PHits(49:100%) LbHits(0:0%)
  S(3.3.3.102:123:UP) Hits(46:25%) PHits(46:100%) LbHits(0:0%)
  S(3.3.3.103:123:UP) Hits(43:23%) PHits(43:100%) LbHits(0:0%)

Page 35: May 2013

NSCONMSG – Examples

Checking for distribution and performance

nsconmsg -K newnslog -s ConLb=3 -d oldconmsg

current time is Thu Apr 8 14:45:28 2010
-------------------------------------------------------
NATSession : Free(19644)A(21845)InUse(2201)
NATSession: Cur(Tcp[194] Udp[2007] Icmp[0] Other[0])
NATSession: Op/s(Tcp[3] Udp[436] Icmp[1] Other[0])
Session: A:9187 F:4604 IUse:4583 SEs: SIP:4582 C:0 SSL:0 Svr:1 UserId:0 SIPDIP:0 DIP:0 SO:0
SSF: Conn (Srvr 0 Clnt 1) U:0
CM: Conn (Srvr 0 Clnt 1) Sessions PCB 0 NATPCB 0
Z(SIP[68307], C[0], SSL[0] Server[22] SIPDIP[0] DIP[0] SO[0])
Mon: Probes: 24303862, Failed: 3757181

Page 36: May 2013

NSCONMSG – Examples

Checking for distribution and performance

nsconmsg -K newnslog -s Con???=3 -d oldconmsg

ConDebug - Debugging
ConLb - Load Balancing
ConMon - Monitoring Probes
ConMEM - Memory Management
ConCSW - Content Switching
ConSSL - SSL Offload
ConCMP - Compression
ConIC - Integrated Caching

Page 37: May 2013

nstrace.sh

• Nstrace supports filtering beginning in 9.x

http://support.citrix.com/article/ctx121166

nstrace -size 0 -filter "SOURCEIP == 10.1.2.3 && SOURCEPORT == 8080" -link ENABLE

Packet-size limit

Filters in standard NS policy format

Automatically capture linked client/server connections

Filter on: SOURCEIP, SOURCEPORT, DESTIP, DESTPORT, SVCNAME, VSVRNAME, STATE

Booleans supported!

Page 38: May 2013

Wireshark

• nstrace files now officially supported in Wireshark!

• Available in latest Stable release

• Includes ns.pdevno and ns.l_pdevno filtering

Page 39: May 2013

Citrix AutoSupport Introduction

Page 40: May 2013

Citrix AutoSupport Analysis

Page 41: May 2013

Graph Generated by AutoSupport Tools

Page 42: May 2013

Resources

Page 43: May 2013

Resources

• NetScaler HTTP Profiles

• NetScaler TCP Profiles

• Tune NetScaler TCP Stack

• NetScaler Advanced SSL Settings

• Nsconmsg to Excel Tool

• NetScaler SSL Offload

Page 44: May 2013

Resources – 2

• NetScaler Integrated Caching

• NetScaler Compression

• NetScaler CPU Profiling

• Citrix AutoSupport (TaaS)

• NetScaler Datasheet - Models and Specs

• Citrix Application Optimization for MOSS 2007 Performance Assessment

Page 45: May 2013

Conclusion

Page 46: May 2013

Question

Page 47: May 2013

Before you leave…

• Conference surveys are available online at www.citrixsynergy.com starting Friday, May 24 at 9:00 a.m. PT
  ᵒ Provide your feedback by 4:00 p.m. PT that day and you’ll receive a $30 Amazon.com gift card via email

• Download presentations starting Monday, June 3, from your My Conference Planning tool located within the My Account section

Page 48: May 2013

Work better. Live better.

