NetScaler Load Balancing Does Not Honor Persistence Under Certain Conditions

NetScaler Load Balancing Does Not Honor Persistence Under Certain Conditions

book

Article ID: CTX226583

calendar_today

Updated On:

Description

Users sessions start timing out and they face connectivity issues.
For websites with authentication, users may be asked to login again or will receive Forbidden Error message.

Persistence appears to be broken as NetScaler sends users based on Load Balancing Methods and does not honor persistence under certain conditions like:

  1. Network level congestion between the HA pair nodes.
  2. High rps on the vsever, particularly when almost each request is creating a new persistence session leading to session buildup.

In newnslog, we can see the below counters increasing:

dht_ns_tot_max_limit_exceeds dht_ns:LB_SESSION
The above counters indicate that the NetScaler has hit the total limit for persistent sessions.

dht_err_unable_to_put_replica_del_msg
The above counters indicate that the NetScaler is unable to sync/clear the session information on secondary.

lb_sess_dht_ssf_pcb_backed_up_err 
This indicates that the SSF connection between the primary and secondary NetScaler is facing issues.

Refer to the following table to find the limits of persistency:

NETSCALER VERSION10.010.1/10/511.0/11.112.0/12.1
Default Limit of PERSISTENCEnCore: 150,000/Packet
Engine
nCore:250,000/Packet EnginenCore:250,000/Packet EnginenCore:250,000/Packet Engine
Maximum Limit of PERSISTENCE1,000,000/Packet Engine*
*To set the Maximum Limit to this value, you must alter the value using this CLI command, where the number is 1000000 * Number of Packet Engines. Example for 4 PEs:

set lb parameter -sessionsThreshold 4000000

Resolution

This is a known issue. The code fix for this issue will be included from NetScaler versions 12.0.53.x, 11.1.56.x and 11.0.70.x. Upgrade to one of these versions to apply the fix for this issue. 

Workaround

Enable Nagle's algorithm and disable Window Scaling parameter on the nstcp_internal_apps profile.

Run the following command from NetScaler CLI to configure these changes:
set ns tcpProfile nstcp_internal_apps -WS DISABLED -nagle ENABLED


Problem Cause

In a high availability setup, an unusually large spike in the number of persistent connections might result in under performance of the Secure Socket Funneling channel between the primary node and the secondary node. The under performance can eventually lead to session buildup on the primary node and cause persistence to fail.

Issue/Introduction

Persistence appears to be broken as NetScaler sends users based on Load Balancing Methods and does not honor persistence under certain conditions.