Source IP/rule based persistency does not work after upgrading to NetScaler 10.1 in DSR setup and Load Balancing (LB) group with source IP persistence configuration.

Background

Tools Used: nsconmsg
Feature: LB Persistence
Description: Show persistentsessions returns no sessions
Relevent Config:

set lb group custSSL-ADMIN_persistGroup -persistenceType SOURCEIP -persistenceBackup NONE -backupPersistenceTimeout 2 -persistMask 255.255.255.255 -v6persistmasklen 128 -timeout 10
add serviceGroup custSSL_80-DSR_ADMIN ANY -td 0 -maxClient 0 -maxReq 0 -cacheable NO -cip DISABLED -usip YES -pathMonitor NO -pathMonitorIndv NO -useproxyport NO -healthMonitor YES -sc OFF -sp OFF -rtspSessionidRemap OFF -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -maxBandwidth 0 -monThreshold 0 -state ENABLED -downStateFlush ENABLED -appflowLog ENABLED
ConLb output shows 0 persistence hits.
current time is Thu Dec 19 15:41:41 2013
-------------------------------------------------------
VIP(91.235.132.128:443:UP:LEASTCONNS): Hits(969) Pers(GROUP_SOURCEIP) PersHits(0:0%) Err(0:0%) Ovrride(0:0%)
S(10.203.4.20:443:UP) Hits(57:5%) PHits(0:0%) LbHits(57:100%)
S(10.203.4.19:443:UP) Hits(52:5%) PHits(0:0%) LbHits(52:100%)
S(10.203.4.18:443:UP) Hits(55:5%) PHits(0:0%) LbHits(55:100%)
S(10.203.4.17:443:UP) Hits(54:5%) PHits(0:0%) LbHits(54:100%)
S(10.203.4.16:443:UP) Hits(51:5%) PHits(0:0%) LbHits(51:100%)
S(10.203.4.15:443:UP) Hits(45:4%) PHits(0:0%) LbHits(45:100%)
S(10.203.4.14:443:UP) Hits(51:5%) PHits(0:0%) LbHits(51:100%)
S(10.203.4.13:443:UP) Hits(53:5%) PHits(0:0%) LbHits(53:100%)
S(10.203.4.12:443:UP) Hits(49:5%) PHits(0:0%) LbHits(49:100%)
S(10.203.4.11:443:UP) Hits(51:5%) PHits(0:0%) LbHits(51:100%)
S(10.203.4.10:443:UP) Hits(51:5%) PHits(0:0%) LbHits(51:100%)
S(10.203.4.9:443:UP) Hits(47:4%) PHits(0:0%) LbHits(47:100%)
S(10.203.4.8:443:UP) Hits(43:4%) PHits(0:0%) LbHits(43:100%)
S(10.203.4.7:443:UP) Hits(56:5%) PHits(0:0%) LbHits(56:100%)
S(10.203.4.6:443:UP) Hits(43:4%) PHits(0:0%) LbHits(43:100%)
S(10.203.4.5:443:UP) Hits(42:4%) PHits(0:0%) LbHits(42:100%)
S(10.203.4.4:443:UP) Hits(41:4%) PHits(0:0%) LbHits(41:100%)
S(10.203.4.3:443:UP) Hits(39:4%) PHits(0:0%) LbHits(39:100%)
S(10.203.4.2:443:UP) Hits(42:4%) PHits(0:0%) LbHits(42:100%)
S(10.203.4.1:443:UP) Hits(47:4%) PHits(0:0%) LbHits(47:100%)
VIP(91.235.132.128:0:Deviation(5.5:11.275%))
-------------------------------------------------------

Complete the following to resolve the issue:

• Run clear persistentsessions command and then check whether sessions are cleared, and the counter dht_ns_cur_entries is reduced (suggest to stop the traffic in case the persistence sessions are not seen).

  Or

• Check other VPX instances to add more cores based on customer requirements. This SDX box supports 12 cores. Currently, only six cores are used for this NetScaler VPX instance.

After trying the preceding options, change persistence timeout value to the default value. In the preceding case, persistent timeout value was 10 minutes. So, sessions are not cleared for 10 minutes, which also can build the session limit. Hence, use the default timeout value that is 2 minutes because of a large number of services.

set lb group custSSL-ADMIN_persistGroup -persistenceType SOURCEIP -timeout 10

If more sessions are required, set as follows: currently, 1 million owned session entries per Packet Engine (PE) are supported.

set lb parameter -sessionsthreshold <1000000*number of PE>

For a three PE system, it is as follows:

set lb parameter -sessionsthreshold 3000000

Problem Cause

This is an expected behavior. The maximum persistence session limit per packet engine is reached and the system limit is 250K Persistence Sessions for a single packet engine. If a box is running 5 packet engines, a maximum of 250K*5 is supported, that is 1250K persistence sessions. After reaching this limit, no other persistence is honored.