NetScaler sporadically fails to process RNAT traffic

Article ID: CTX695512

Description

The following NetScaler counters increment when internal servers fail to reach the public internet through RNAT rules:

# nsconmsg -K /var/nslog/newnslog -d stats -g natpcb_err_pkt_drop_dupnatpcb -g mcmx_err_rssf_add_failed -g rnat_portalloc_failed
Displaying current counter value information
NetScaler V20 Performance Data
NetScaler NS13.1: Build 59.22.nc, Date: Aug 20 2025, 17:02:43   (64-bit)

reltime: milliseconds between two records Mon Sep 22 16:50:32 2025
Index reltime     counter-value symbol-name&device-no
    1       0           1485365 rnat_portalloc_failed IPAddr_(x.x.x.x)
    3       0           1595469 rnat_portalloc_failed IPAddr_(x.x.x.x)
    9       0          11043518 natpcb_err_pkt_drop_dupnatpcb
   13       0          10660139 mcmx_err_rssf_add_failed

Environment

NetScaler NS13.1 Build 59.22.nc (64-bit) in the case above. Applies to RNAT rules configured with -useproxyport DISABLED.

Cause

The affected appliance has an RNAT rule with the proxy port disabled:
add rnat [rnat_name] [acl_name] -td 0 -srcippersistency ENABLED -useproxyport DISABLED -connfailover ENABLED

When two flows that map to the same NAT IP arrive at the same time with the same source port toward the same destination, their translated tuples are identical. The NAT cannot tell the two sessions apart, so the second one cannot be created and its packets are dropped. The failures are sporadic because they depend on which ephemeral source ports the internal servers happen to pick.

The following counters confirm that the configuration is the cause:

natpcb_err_pkt_drop_dupnatpcb
mcmx_err_rssf_add_failed
rnat_portalloc_failed

With -useproxyport DISABLED, RNAT does not rewrite the source port: the internal server's source port is carried through unchanged, so any two servers that use the same port toward the same NAT IP and destination collide.
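To make the collision concrete, the following model of the RNAT translation table is added here as an illustration for this article; it is not NetScaler code. The translation key (NAT IP, NAT port, destination IP, destination port, protocol), the last-octet hash used to model -srcippersistency, the proxy-port allocator range and the traffic are all assumptions of the model.

```python
"""Model of RNAT source-port handling with -useproxyport DISABLED vs ENABLED.

Added illustration for this article, not NetScaler code. The translation
key, the persistency hash, the allocator range and the sample traffic are
assumptions made for the model."""
from dataclasses import dataclass, field

TCP = 6


@dataclass
class RnatRule:
    nat_ips: list                    # addresses from "bind rnat <rule> <ip>"
    use_proxy_port: bool             # -useproxyport ENABLED / DISABLED
    src_ip_persistency: bool = True  # -srcippersistency ENABLED
    proxy_ports: range = range(1024, 65536)   # assumed allocator range
    table: set = field(default_factory=set)   # live translated 5-tuples
    rnat_portalloc_failed: int = 0            # modelled on the article's counter

    def pick_nat_ip(self, client_ip):
        """-srcippersistency: every session from one server lands on the same
        NAT IP. Assumed hash: last octet of the server address modulo the
        number of bound IPs (NetScaler uses its own hash). Without persistency
        the model simply spreads sessions over the bound IPs."""
        if self.src_ip_persistency:
            return self.nat_ips[int(client_ip.rsplit(".", 1)[1]) % len(self.nat_ips)]
        return self.nat_ips[len(self.table) % len(self.nat_ips)]

    def translate(self, client_ip, client_port, dst_ip, dst_port, proto=TCP):
        """Return (nat_ip, nat_port) for a new session, or None if it cannot
        be created. The NAT keeps one entry per translated tuple, so two
        sessions that translate to the same tuple cannot both exist."""
        nat_ip = self.pick_nat_ip(client_ip)
        if self.use_proxy_port:
            candidates = self.proxy_ports       # NetScaler picks a free port
        else:
            candidates = (client_port,)         # server's port is kept as-is
        for port in candidates:
            key = (nat_ip, port, dst_ip, dst_port, proto)
            if key not in self.table:
                self.table.add(key)
                return nat_ip, port
        self.rnat_portalloc_failed += 1         # duplicate tuple: flow dropped
        return None


def collision_demo(use_proxy_port):
    """Two internal servers (constructed traffic) open a session to the same
    external host from the same ephemeral port while the first is still open.
    With a single NAT IP bound, the proxy-port setting decides whether both
    sessions survive."""
    rule = RnatRule(nat_ips=["198.51.100.10"], use_proxy_port=use_proxy_port)
    flows = [("10.10.12.5", 40001, "203.0.113.80", 443),
             ("10.10.13.9", 40001, "203.0.113.80", 443)]
    results = [rule.translate(*f) for f in flows]
    return results, rule.rnat_portalloc_failed


def pool_demo(clients, use_proxy_port=False):
    """Same collision across two bound NAT IPs with persistency on: only the
    servers hashed onto the same NAT IP collide, which is why the failures
    in the article are sporadic rather than constant."""
    rule = RnatRule(nat_ips=["198.51.100.10", "198.51.100.11"],
                    use_proxy_port=use_proxy_port)
    for ip in clients:
        rule.translate(ip, 40001, "203.0.113.80", 443)
    return rule.rnat_portalloc_failed


if __name__ == "__main__":
    for setting in (False, True):
        results, failed = collision_demo(setting)
        print(f"useproxyport={'ENABLED' if setting else 'DISABLED'}: "
              f"{results} rnat_portalloc_failed={failed}")
```

With the proxy port disabled the second flow translates to the tuple the first flow already owns and is dropped; with it enabled the allocator hands out the next free port and both sessions coexist.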

Resolution

Enable -useproxyport on the affected RNAT rule so that NetScaler allocates its own source port for each translated session instead of carrying the server's port through unchanged.

For example:

> set rnat [rnat_rule_name] -useproxyport ENABLED
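A practitioner usually wants to confirm that the counters are still increasing (a non-zero absolute value alone proves nothing) and then find every rule that needs the fix. The script below is added here for this article and is not a NetScaler tool: it parses two polls of the nsconmsg output shown above and the running configuration, reports the counters that grew, and emits the set rnat commands. Both snapshots and the configuration excerpt are constructed; t0 reproduces the article's values, t1 is an invented later poll, and the redacted x.x.x.x NAT addresses are replaced with documentation addresses.

```python
"""Confirm RNAT port-allocation failures from nsconmsg output and generate
the fix. Added example for this article, not a NetScaler tool. The two
snapshots and the configuration excerpt are constructed sample input."""
import re

# Counters the article names as evidence of the -useproxyport DISABLED problem.
COUNTERS = ("rnat_portalloc_failed",
            "natpcb_err_pkt_drop_dupnatpcb",
            "mcmx_err_rssf_add_failed")

# Constructed: the article's first poll, with the redacted NAT IPs replaced.
SNAPSHOT_T0 = """\
NetScaler NS13.1: Build 59.22.nc, Date: Aug 20 2025, 17:02:43   (64-bit)

reltime: milliseconds between two records Mon Sep 22 16:50:32 2025
Index reltime     counter-value symbol-name&device-no
    1       0           1485365 rnat_portalloc_failed IPAddr_(198.51.100.10)
    3       0           1595469 rnat_portalloc_failed IPAddr_(198.51.100.11)
    9       0          11043518 natpcb_err_pkt_drop_dupnatpcb
   13       0          10660139 mcmx_err_rssf_add_failed
"""

# Constructed: a later poll with invented higher values.
SNAPSHOT_T1 = """\
Index reltime     counter-value symbol-name&device-no
    1       0           1485912 rnat_portalloc_failed IPAddr_(198.51.100.10)
    3       0           1596001 rnat_portalloc_failed IPAddr_(198.51.100.11)
    9       0          11044200 natpcb_err_pkt_drop_dupnatpcb
   13       0          10660800 mcmx_err_rssf_add_failed
"""

# Constructed "show run" excerpt: the article's rule plus one healthy rule.
RUNNING_CONFIG = """\
add ns acl DYNAMIC_10.10.12.2_10.10.15.254 ALLOW -srcIP = 10.10.12.1-10.10.15.254 -priority 1510 -kernelstate SFAPPLIED61
add rnat DYNAMIC_10.10.12.2_10.10.15.254 DYNAMIC_10.10.12.2_10.10.15.254 -srcippersistency ENABLED -useproxyport DISABLED -connfailover ENABLED
add rnat RNAT_OK ACL_OK -useproxyport ENABLED
bind rnat DYNAMIC_10.10.12.2_10.10.15.254 198.51.100.10
bind rnat DYNAMIC_10.10.12.2_10.10.15.254 198.51.100.11
"""


def parse_counters(text):
    """Map 'symbol-name&device-no' -> counter-value for the counters of interest.

    nsconmsg -d stats rows are: Index reltime counter-value symbol-name [device].
    Banner and header lines do not start with three integers and are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        name = parts[3].strip()
        if name.split()[0] in COUNTERS:
            out[name] = int(parts[2])
    return out


def increments(before, after):
    """Counters that grew between the two polls, with their deltas."""
    return {n: after[n] - before[n]
            for n in after if n in before and after[n] > before[n]}


# "add rnat <name> <acl> ... -useproxyport DISABLED ..." in the running config
RNAT_RULE = re.compile(r"^add rnat (\S+)\s[^\n]*-useproxyport DISABLED", re.M)


def remediation(config):
    """'set rnat' commands for every rule whose proxy port is disabled,
    followed by 'save ns config' so the change survives a reboot."""
    fixes = [f"set rnat {name} -useproxyport ENABLED"
             for name in RNAT_RULE.findall(config)]
    if fixes:
        fixes.append("save ns config")
    return fixes


def diagnose(t0, t1, config):
    """(cause confirmed?, growing counters, fix commands)."""
    growing = increments(parse_counters(t0), parse_counters(t1))
    fixes = remediation(config)
    return bool(growing) and bool(fixes), growing, fixes


if __name__ == "__main__":
    confirmed, growing, fixes = diagnose(SNAPSHOT_T0, SNAPSHOT_T1, RUNNING_CONFIG)
    for name, delta in growing.items():
        print(f"{name}: +{delta}")
    print("cause confirmed" if confirmed else "no match")
    print("\n".join(fixes))
```

On a real appliance, run nsconmsg twice a few minutes apart, feed the two outputs and `show run` into diagnose(), and apply the emitted commands only when both the counters are moving and a rule with -useproxyport DISABLED exists.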

Issue/Introduction

Internal servers fail to reach the internet sporadically.

NetScaler Config
======================
add ns acl DYNAMIC_10.10.12.2_10.10.15.254 ALLOW -srcIP = 10.10.12.1-10.10.15.254 -priority 1510 -kernelstate SFAPPLIED61
add rnat DYNAMIC_10.10.12.2_10.10.15.254 DYNAMIC_10.10.12.2_10.10.15.254 -srcippersistency ENABLED -useproxyport DISABLED -connfailover ENABLED
bind rnat DYNAMIC_10.10.12.2_10.10.15.254 [public_ip1]
bind rnat DYNAMIC_10.10.12.2_10.10.15.254 [public_ip2]

Additional Information

NetScaler RNAT KB

https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/ip-addressing/configuring-network-address-translation/configuring-rnat