FAQ: USIP Address Mode of NetScaler

Article ID: CTX121974

Description

Q: What happens on the NetScaler appliance when you enable the Use Source IP (USIP) address mode on the appliance?

A: When you enable the USIP address mode of a NetScaler appliance, the appliance forwards each packet to the appropriate back end server with the client IP address. In the default mode, when the USIP address mode is not enabled, the appliance changes the source IP address of the packet to the Mapped IP (MIP) or Subnet IP (SNIP) address of the appliance before forwarding the packet to the back end server.

Enabling the USIP address mode on the appliance adds flexibility to the appliance to use the client IP address, available in the IP header, when communicating to the server. By enabling this mode, the appliance opens server connections with the client IP address and also factors the client IP address in connection reuse. Therefore, this mode facilitates limited reuse per client based on client IP address.

Note: By enabling this mode, you compromise the client-to-server reuse ratio because the appliance cannot reuse the connections for other clients; it only reuses a connection for the same client. Therefore, this mode is more useful in an environment where the appliance is deployed in a non-obtrusive manner yet still provides its core benefits, such as SYN attack protection, surge protection, and WAN latency handling.

Q: What are the applications of the USIP address mode?

A: The USIP address mode of a NetScaler appliance is useful in environments where the appliance is deployed in a non-intrusive manner. The applications in such environments are sensitive to the client IP address, and the appliance deployment still provides the core benefits of the appliance, such as SYN attack protection, surge protection, and WAN latency handling.

You can also use this mode in e-Commerce applications that require the client IP address to be recorded in the logs. However, if the client IP address is required only for logging purposes, there are certain workarounds available:

  • Use the client IP address insertion in the HTTP header.

  • Use the web logging module of the NetScaler appliance.

Q: How does the NetScaler appliance work when the USIP address mode is enabled on it?

A: When you enable the USIP address mode on a NetScaler appliance, the following are the internal workings of the appliance:

  • Monitoring probes are still sent with the MIP or SNIP address as the source IP address.

  • The appliance still maintains a reuse pool of connections for each server, but the pool itself is fragmented by client IP address. In addition to other parameters, such as domain and MSS, the reuse pool lookup now factors in the client IP address.

  • An idle connection stays open until a background timer, the zombie timeout process, decides to close it. The default timeout for idle server connections is three minutes. Therefore, this mode is not recommended in an environment where clients browse a particular site infrequently.

For example, the following scenario explains the internal working of the NetScaler appliance when the USIP address mode is enabled on it:

Consider that the client C1 initiates 10 connections to the server S1. The NetScaler appliance multiplexes client requests across 10 server connections, and when C1 has finished browsing, these connections are put in the shared pool. Only client C1 can now use these shared pool connections, whenever it decides to access the site again. These connections are timed out after three minutes of inactivity. The appliance cannot reuse the connections of C1 for other clients; instead, it opens new connections to the server for them. The reuse pool is now fragmented based on the client IP address. As a result, this feature dramatically reduces the client-server total connection difference.

Q: What are the restrictions or limitations of the USIP address mode on a NetScaler appliance?

A: The following are the restrictions or limitations of the USIP address mode on a NetScaler appliance:

  • For HTTP protocols, this feature must be used with surge-protection OFF. For non-HTTP protocols, such as service type TCP, FTP, and others, this restriction is not applicable.

  • Surge protection works on the total number of server connections, and with USIP set to ON the appliance has a large number of shared pool connections for HTTP protocols. A large reuse pool therefore artificially inflates the total server connection count, so surge protection does not work as expected: it aggressively throttles the server opens per second.

  • By default, reused server connections are kept in the available server pool for three minutes, which increases the total number of server connections, and these connections cannot be reused by other clients. You can change this behavior by changing the "-svrtimeout" value on the service.

  • Restriction for HTTP protocols: Due to restrictions in NetScaler appliance port manipulation, this option only works for 64,000 simultaneous server connections. The client's source IP address is retained, but the source port is changed to one of the appliance-owned IP address so that connection reuse can be achieved. This restriction is not applicable to non-HTTP protocols.
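As an added illustration (a constructed model, not NetScaler code) of the reuse-pool fragmentation described in the C1/S1 scenario above and of the inflated server-connection count noted in the limitations list, the following Python simulates a per-server pool with USIP on and off. The 180-second idle timeout, the server name and the client IP addresses are assumed sample values.

```python
# Idle timeout of pooled server connections (the page's "-svrtimeout"), in seconds.
SVR_TIMEOUT = 180

class ReusePool:
    def __init__(self, usip):
        self.usip = usip
        self.idle = {}          # pool key -> list of idle-since timestamps
        self.server_conns = 0   # connections open to the server, busy + idle

    def _key(self, server, client_ip):
        # USIP off: one shared pool per server. USIP on: the pool is fragmented
        # by client IP (the real lookup also factors domain and MSS, omitted here).
        return (server, client_ip) if self.usip else (server,)

    def expire(self, now):
        # Zombie timeout: drop pooled connections idle for SVR_TIMEOUT or longer.
        for timestamps in self.idle.values():
            alive = [t for t in timestamps if now - t < SVR_TIMEOUT]
            self.server_conns -= len(timestamps) - len(alive)
            timestamps[:] = alive

    def acquire(self, server, client_ip, now):
        # Serve one client request; returns "reused" or "opened".
        self.expire(now)
        pooled = self.idle.setdefault(self._key(server, client_ip), [])
        if pooled:
            pooled.pop()
            return "reused"
        self.server_conns += 1
        return "opened"

    def release(self, server, client_ip, now):
        self.idle.setdefault(self._key(server, client_ip), []).append(now)

def scenario(usip):
    """C1 opens 10 connections and goes idle; C2 then sends 10 requests."""
    pool = ReusePool(usip)
    for _ in range(10):
        pool.acquire("S1", "10.0.0.1", now=0)
    for _ in range(10):
        pool.release("S1", "10.0.0.1", now=1)
    c2 = [pool.acquire("S1", "10.0.0.2", now=2) for _ in range(10)]
    peak = pool.server_conns
    for _ in range(10):
        pool.release("S1", "10.0.0.2", now=3)
    c1_back = pool.acquire("S1", "10.0.0.1", now=100)  # C1 returns before timeout
    pool.expire(now=3 + SVR_TIMEOUT)  # reaper runs; only C1's busy connection survives
    return {"c2_opened": c2.count("opened"), "peak_server_conns": peak,
            "c1_back": c1_back, "after_timeout": pool.server_conns}
```

With USIP on, C2 cannot touch C1's ten pooled connections, so the server sees 20 connections at the peak instead of 10; this is the inflated count that surge protection then reacts to.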

Q: What are the various configuration options available for the USIP address mode on a NetScaler appliance?

A: On a NetScaler appliance, two configuration options are available for the USIP address mode: one at the global level, which you configure by enabling the USIP mode on the appliance, and the other at the service level, which you configure by setting the service USIP option to Yes.

When you enable USIP address mode globally, by default, all services created after enabling the mode have USIP ON. However, all previously created services remain as they were. The same is applicable when you disable the USIP address mode on the appliance.

However, when you set this mode at the service level, the service setting takes precedence over the global setting. If USIP is disabled globally but enabled for a service, the service-level setting takes precedence and USIP mode is enabled for that service. Similarly, if USIP is enabled globally but disabled for a service, USIP mode is disabled for that service.

Q: How does the USIP address mode work with the other features of the NetScaler appliance?

A: The following is the list of the various features of the NetScaler appliance with respect to the USIP address mode:

  • The USIP address mode with Path Maximum Transmission Unit (PMTU): In the USIP address mode, when the appliance receives an Internet Control Message Protocol (ICMP) error message, it translates the message and sends it to the back end server. The back end server updates the MTU for that destination, and subsequent datagrams are sent with the lowered MTU. The MTU value for that client is also updated on the appliance, so all new connections then use the lowered MTU.

  • The USIP address mode is mandatory with the Direct Server Return (DSR) mode: You must enable the USIP address mode with the DSR mode because the return packets have to go directly to the clients from the back end server. If the source IP address is changed on the appliance from the client IP address to that of MIP or SNIP address of the appliance, the packets cannot be sent to the client directly from the back end server.

  • The USIP address mode is mandatory with Session-Less VServer: In the DSR mode or for Intrusion Detection System (IDS) load balancing, maintaining sessions is not required because the appliance only performs switching and forwarding. To avoid creating sessions, configure a Session-Less VServer on the appliance. The USIP address mode is required because in DSR mode the back end server must respond directly to the client, and in IDS load balancing the appliance works in transparent mode and the source and destination IP addresses must be retained.

  • The USIP address mode with the Use Subnet IP (USNIP) address mode: If both the USIP and USNIP address modes are enabled on the appliance, the USIP address mode takes precedence over the USNIP address mode.

  • The USIP address mode with the Reverse Network Address Translation (RNAT) mode: If both the USIP address and RNAT modes are enabled on the appliance, the RNAT mode takes precedence over the USIP address mode.

  • The USIP address mode with the Connection Mirroring or Connection Failover features: You must configure the USIP mode on the services bound to the Connection Failover VServer.

  • The Global Server Load Balancing (GSLB) Persistence using Connection Proxy: This does not work with the USIP address mode because in such a case, if a DNS query is received on the other site, a connection is initiated from one site to another.

Issue/Introduction

This article contains frequently asked questions about the Use Source IP (USIP) address mode of the NetScaler appliance.

Additional Information

CTX233036 - [NetScaler Trace Study] - How USIP Looks in a Network Trace