HA sync fails and HTTPS access to GUI fails due to missing ns-server-certificate binding configuration


Article ID: CTX337136


Description

  • Unable to access the NetScaler GUI over HTTPS.
  • High Availability synchronization fails on the NetScaler appliance.
  • From the GUI: under Traffic Management - Services - Internal Services, all the SSL internal services show a DOWN status.
  • From the CLI: show service -internal shows all the SSL internal services marked DOWN because the certificate binding is missing.
> show service -internal
1)      nsrpcs-127.0.0.1-3008 (192.168.100.1:3008) - SSL_TCP
        State: DOWN
        Last state change was at Thu Aug 12 09:25:30 2021
        Time since last state change: 0 days, 00:15:28.740
[Certkey not bound]     Server Name: #ns-internal-127.0.0.1#
        Server ID :     Monitor Threshold : 0
        Clear Text Port: 3010
        Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
        Use Source IP: YES              Use Proxy Port: NO
        Client Keepalive(CKA): NO
        Access Down Service: NO
        TCP Buffering(TCPB): NO
        HTTP Compression(CMP): NO
        Idle timeout: Client: 9000 sec  Server: 9000 sec
        Client IP: DISABLED
        Cacheable: NO
        SC: OFF
        SP: OFF
        Down state flush: DISABLED
        Monitor Connection Close : NONE
        Appflow logging: DISABLED
        TCP profile name: nstcp_internal_apps
        Process Local: DISABLED
        Traffic Domain: 0

 

Resolution

To resolve the issue manually, perform the following steps:

1. Run the following command to install and bind the ns-server certificate to the SSL internal services:
> add ssl certkey ns-server-certificate -cert ns-server.cert -key ns-server.key

2. Run the following command to verify that each SSL internal service is marked UP:
> show service -internal -summary
---------------------------------------------------------------------------------------------
      Name        State           IP Addr           Port  Protocol   MaxClients  MaxReqs
---------------------------------------------------------------------------------------------
1     nsrp...3008 UP              #ns-int....0.0.1# 3008  SSL_TCP    0           0
2     nsht...-443 UP              #ns-int....0.0.1# 443   SSL        0           0
3     nsrp...3008 UP              #ns-int...l-::1l# 3008  SSL_TCP    0           0
4     nsht...-443 UP              #ns-int...l-::1l# 443   SSL        0           0
5     nskr...3009 UP              #ns-int....0.0.1# 3009  RPCSVRS    0           0
6     nsrn...5061 UP              #ns-int....0.0.1# 5061  SIP_SSL    0           0
7     nsrp...3008 UP              #ns-int...8.3.20# 3008  SSL_TCP    0           0
8     nsht...-443 UP              #ns-int...8.3.20# 443   SSL        0           0

Refer to https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-certificates/bind-cert-virtual-server.html.
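
An added example (not part of the original article or any Citrix tooling): a small Python parser for saved "show service -internal" output that lists the internal services that are not UP or that show "[Certkey not bound]". The second sample entry and the function names are constructed for illustration, and the absence of the marker is assumed to mean a certificate is bound.

```python
import re

# Constructed sample: the first entry is taken from the output shown in the
# Description section; the second entry is made up for contrast.
SAMPLE = """\
1)      nsrpcs-127.0.0.1-3008 (192.168.100.1:3008) - SSL_TCP
        State: DOWN
[Certkey not bound]     Server Name: #ns-internal-127.0.0.1#
2)      constructed-svc-127.0.0.1-443 (192.168.100.1:443) - SSL
        State: UP
        Server Name: #ns-internal-127.0.0.1#
"""

# Header line of each entry: "<n>)  <name> (<ip>:<port>) - <protocol>"
HEADER = re.compile(r"^\d+\)\s+(\S+)\s+\((.+):(\d+)\)\s+-\s+(\S+)\s*$")
STATE = re.compile(r"^\s*State:\s*(\S+)")


def parse_internal_services(text):
    """Return one dict per service found in 'show service -internal' output."""
    services = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            name, ip, port, proto = header.groups()
            # Assumption: no "[Certkey not bound]" marker means a cert is bound.
            services.append({"name": name, "ip": ip, "port": int(port),
                             "protocol": proto, "state": None,
                             "certkey_bound": True})
            continue
        if not services:
            continue  # prompt or banner lines before the first entry
        state = STATE.match(line)
        if state:
            services[-1]["state"] = state.group(1)
        elif "[Certkey not bound]" in line:
            services[-1]["certkey_bound"] = False
    return services


def unhealthy(services):
    """Names of services that are not UP or have no certificate bound."""
    return [s["name"] for s in services
            if s["state"] != "UP" or not s["certkey_bound"]]


if __name__ == "__main__":
    for name in unhealthy(parse_internal_services(SAMPLE)):
        print("needs attention:", name)
```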

Problem Cause

This issue is observed on new ADC appliances after manufacturing on some platforms: the ns-server certificate binding configuration is missing from ns.conf, which causes all the SSL internal services to be marked down. That in turn prevents users from accessing the ADC over HTTPS and causes HA sync to fail. We will fix this issue in a later build.

Additional Information

https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-certificates/bind-cert-virtual-server.html