How to troubleshoot an issue related to TCP monitor down reported for services configured on NetScaler. 

• Check the error message shown on the monitor:

• Capture a network trace on the Netscaler, filtered by the service IP being monitored. You would notice the below mentioned behavior if you follow the TCP stream for the monitoring probe: 

a) SYN packet being sent from Netscaler SNIP but no SYN,ACK received. This means either the SYN packet never reached backend server and got dropped between Netscaler and backend server or backend server got the SYN packet and due to some issues didn't reply back.
b) SYN,ACK from backend server is received after long time.

If you look at the "Win=" attribute in the trace you will see "Win=8188" for a monitor probe. So in case if you have multiple TCP connections going to the backend server from SNIP and you want to figure out the monitor probes of it, you can do that by looking at the window size value that NS sends. 

You can use the filter "tcp.window_size_value == 8188 && ip.addr==<IP address of backend server>" to filter the monitoring traffic. 

Problem Cause