How to Troubleshoot NetScaler AppFirewall aslearn Issues

Article ID: CTX223403

Description

This article describes how to troubleshoot NetScaler AppFirewall aslearn issues.

Background

In some cases AppFirewall learning stops, or works only intermittently. The troubleshooting steps in this article help diagnose and resolve such issues.

Instructions

Complete the following steps to troubleshoot NetScaler AppFirewall aslearn issues:

  1. Verify that the aslearn process is running.
    root@ns# ps -aux | grep aslearn
    root       1412  0.0  0.2 24428  3312  ??  Ss   20Mar17   0:08.84 /netscaler/aslearn -start -f /netscaler/aslearn.conf

  2. Examine the aslearn.log file, located in the /var/nslog folder. Any problem with the aslearn process is recorded in this log file.
    root@ns# cd /var/nslog

    root@ns# ls -lth | grep learn
    -rw-r--r--    1 root       wheel    19k Mar 20 14:28 aslearn.log

    root@ns# more aslearn.log
    @(#)Netscaler Learning Server (aslearn) NS11.0: Build 66.11, Date: May  7 2016, 20:21:20 (release) [FreeBSD]


  3. Isolate the profile for which the issue occurs and check the size of that profile's learn database (the database file carries the same name as the profile). The database must not exceed 20 MB; above that size learning stops.


  4. Verify the Violation ID of the rules that are not learnt: open the profile's learn database with sqlite3 and run a query that matches the expression.

    Run the query to match the expression and check the violation ID:
    sqlite> select * from t1 where url="https://abc.com" and count_value > 0 and field="_test_";
    id violation_id url field field_type value_expr value_type min_value max_value count_value
    262 https://abc.com test_ 4 6 2087
  5. Verify the number of learn items for that violation ID. If 2000 learn items (per protection) are reached, aslearn stops learning further for it.
    sqlite> select count(*) from t1 where violation_id=262;
    176


  6. If learning is intermittent, check whether the following counter is incrementing:
    root@ns# nsconmsg -K newnslog -d current -g as_num_learn_dropped_msgs -s time=06Apr2017:10:05:00 -s disptime=1 | more
    Display start time set to Thu Apr  6 10:05:00 2017
    Displaying performance information
    NetScaler V20 Performance Data
    NetScaler NS11.0: Build 68.12.nc, Date: Oct  5 2016, 19:59:03
     
    reltime:mili second between two records Thu Apr  6 10:05:10 2017
      Index   rtime totalcount-val      delta rate/sec symbol-name&device-no&time
          0 1015015      350995411         27        3 as_num_learn_dropped_msgs  Thu Apr  6 10:05:10 2017
          1   21000      350995883        472       67 as_num_learn_dropped_msgs  Thu Apr  6 10:05:31 2017
          2    7000      350995968         85       12 as_num_learn_dropped_msgs  Thu Apr  6 10:05:38 2017
          3   14000      350995977          9        1 as_num_learn_dropped_msgs  Thu Apr  6 10:05:52 2017
          4   21001      350996165        188       26 as_num_learn_dropped_msgs  Thu Apr  6 10:06:13 2017

          5   28000      350996236         71       10 as_num_learn_dropped_msgs  Thu Apr  6 10:06:41 2017
          6   21001      350996284         48        6 as_num_learn_dropped_msgs  Thu Apr  6 10:07:02 2017
          7    7000      350996297         13        1 as_num_learn_dropped_msgs  Thu Apr  6 10:07:09 2017
          8    7000      350996309         12        1 as_num_learn_dropped_msgs  Thu Apr  6 10:07:16 2017

  7. If the preceding counter is incrementing, check the LearnRateLimit setting and increase its value if required.
    Primary> show appfw settings
            DefaultProfile:  APPFW_BYPASS UndefAction:  APPFW_BLOCK SessionTimeout:  900     LearnRateLimit:  400  
            SessionLifetime:  0      SessionCookieName:  cni  ImportSizeLimit:  134217728 SignatureAutoUpdate:  ON
            SignatureUrl:  "https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml" CookiePostEncryptPrefix:  ENC
            LogMalformedReq:  ON     GeoLocationLogging:  OFF CEFLogging:  ON          EntityDecoding:  OFF   
            UseConfigurableSecretKey:  OFF

    Note that LearnRateLimit is a global limit, not a per-profile one. If increasing it even to the highest value does not help, deploy the currently learnt rules.
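The checks in steps 3, 5 and 6 lend themselves to a small script that can be run against a copy of a profile's learn database and a saved nsconmsg dump. The following is an added example and is not part of the Citrix article or of NetScaler itself. It assumes that the learn database is a SQLite file containing a table t1 with the columns shown in the step 4 output, and it uses the 20 MB and 2000-item limits stated in the article; the database it builds and the nsconmsg records it parses are constructed sample data (the records are copied from the step 6 output).

```python
# Added example, not part of the Citrix article: automates the checks from
# steps 3 to 7 so they can be run against a copy of a profile's learn database
# and a saved nsconmsg dump. Assumptions: the learn database is a SQLite file
# with a table t1 whose columns match the header shown in step 4, and the
# 20 MB / 2000-item limits are those stated in the article. The database and
# the nsconmsg output below are constructed sample data.
import os
import re
import sqlite3
import tempfile

DB_SIZE_LIMIT = 20 * 1024 * 1024   # step 3: learning stops above 20 MB
LEARN_ITEM_LIMIT = 2000            # step 5: per-violation-ID learn item cap

# nsconmsg record: Index rtime totalcount-val delta rate/sec symbol-name ...
NSCONMSG_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+as_num_learn_dropped_msgs\b"
)

# Four records copied from the step 6 output in the article (sample data).
SAMPLE_NSCONMSG = """\
  Index   rtime totalcount-val      delta rate/sec symbol-name&device-no&time
      0 1015015      350995411         27        3 as_num_learn_dropped_msgs  Thu Apr  6 10:05:10 2017
      1   21000      350995883        472       67 as_num_learn_dropped_msgs  Thu Apr  6 10:05:31 2017
      2    7000      350995968         85       12 as_num_learn_dropped_msgs  Thu Apr  6 10:05:38 2017
      3   14000      350995977          9        1 as_num_learn_dropped_msgs  Thu Apr  6 10:05:52 2017
"""


def check_db_size(path):
    """Step 3: return (size_in_bytes, within_limit) for the profile database."""
    size = os.path.getsize(path)
    return size, size <= DB_SIZE_LIMIT


def learn_counts(path):
    """Step 5: return {violation_id: rows} and the IDs that have hit the cap."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute(
            "SELECT violation_id, COUNT(*) FROM t1 GROUP BY violation_id"
        ).fetchall()
    finally:
        con.close()
    counts = {vid: n for vid, n in rows}
    saturated = sorted(vid for vid, n in counts.items() if n >= LEARN_ITEM_LIMIT)
    return counts, saturated


def dropped_deltas(nsconmsg_output):
    """Step 6: per-record delta of as_num_learn_dropped_msgs from an nsconmsg dump."""
    deltas = []
    for line in nsconmsg_output.splitlines():
        m = NSCONMSG_RE.match(line)
        if m:
            deltas.append(int(m.group(4)))
    return deltas


def build_sample_db(path):
    """Create a constructed learn database: 176 items for ID 262, 2000 for ID 300."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE t1 (id INTEGER PRIMARY KEY, violation_id INTEGER, url TEXT,"
        " field TEXT, field_type INTEGER, value_expr TEXT, value_type INTEGER,"
        " min_value INTEGER, max_value INTEGER, count_value INTEGER)"
    )
    rows = [(262, "https://abc.com", "_test_") for _ in range(176)]
    rows += [(300, "https://abc.com", "param%d" % i) for i in range(2000)]
    con.executemany(
        "INSERT INTO t1 (violation_id, url, field, count_value) VALUES (?, ?, ?, 1)",
        rows,
    )
    con.commit()
    con.close()


def run_sample_checks():
    """Run every check on the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sample_profile.db")
        build_sample_db(db)
        size, size_ok = check_db_size(db)
        counts, saturated = learn_counts(db)
    deltas = dropped_deltas(SAMPLE_NSCONMSG)
    return {
        "db_size_ok": size_ok,
        "count_262": counts[262],
        "saturated_ids": saturated,
        "dropped_total": sum(deltas),
        # Step 7 only applies when dropped learn messages keep increasing.
        "review_learn_rate_limit": any(d > 0 for d in deltas),
    }


if __name__ == "__main__":
    for key, value in run_sample_checks().items():
        print("%-25s %s" % (key, value))
```

To use it against real data, point check_db_size and learn_counts at a copy of the profile's database file and feed dropped_deltas the text saved from the nsconmsg command in step 6; a violation ID listed under saturated_ids has reached the 2000-item cap, and a non-zero dropped total is the cue to review LearnRateLimit as described in step 7.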
