Q: How does LB slow start work with persistence? When is the slow start exited?

A: By default a newly configured virtual server remains in a Slow Start mode for Startup RR Factor of 100.

If there are 2 services bound to the LB VIP, the LB vServer will exit the slow-start mode after 200 hits. The calculation is PE(n) X service(n) X 100 = 1 X 2 X 100 = 200 (assuming there is one PE).

When Source IP based persistency is configured, the client connections need to hit the LB VIP with different source IP's. In the above case, if 200 connections are initiated from the same source IP, the counter will only decrement by 1 (with 199 connections remaining). The rest of the 199 connections need to be from unique source IP's for the NetScaler to exit the slow-start mode and come back to the configured load balancing method

root@netscaler# nsconmsg -K newnslog -d current -s disptime=1 -g vsvr_do_next_rrreq | more
Displaying performance information
NetScaler V20 Performance Data
NetScaler NS11.1: Build 51.21.nc, Date: Dec 22 2016, 12:32:24

     14  427000            200        200       28 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:55:59 2017
     15  322000            199         -1        0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 11:01:21 2017
     16 1938995           198         -1        0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 13:15:31 2017
     17   14000             197         -1        0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 13:15:45 2017

If the persistence is set to NONE, irrespective of the Source IP's, once the number of connections reaches 200, the slow start is exited

      2  223997          200          1        0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:46:46 2017
      3   49000           199         -1        0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:47:35 2017
      4    7000            176        -23       -3 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:47:42 2017
      5    7001            163        -13       -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:47:49 2017
      6    6999            132        -31       -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:47:56 2017
      7    7000            109        -23       -3 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:03 2017
      8    7000              89        -20       -2 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:10 2017
      9    7000              57        -32       -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:17 2017
     10    7000             25        -32       -4 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:24 2017
     11    7001             23         -2        0 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:31 2017
     12   14000            13        -10       -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:45 2017
     13    6999               0        -13       -1 vsvr_do_next_rrreq vserver_lb_172.16.181.146:80(LB) Fri Jul  7 10:48:52 2017

Refer to https://support.citrix.com/article/CTX108886 to know more about Slow-Start

Q: A persistence RULE is configured with a persistence timeout of 10 minutes. When "show persistent sessions" command is run for that particular load balancing vServer, many entries with a timeout of 0 (expired) are still see in the output table. What causes this persistence table entries to show even though the timeout  has expired?

A: The "show persistence session" output only displays entry from master core and not from peer cores where persistence session is cached.
Even if the timeout value is set to 0 on the master core, the other core still has this session entry with non-zero value due to which the master core does not remove this from its table immediately after it times out.
By design, after the connection is idle and deleted and the persistence timeout has passed, in addition to remaining for 2 minutes due to the relationship between the master core and the peer core, there may be a case in which 120-330 seconds remain for synchronization between NSPPE and internal processing.

Q: LB vServer (HTTP) does not load balance the hits on the vServer correctly when LB method is Least Connection. Uneven number of hits seen on the 2 load balanced backend services.

A: In the "Least Connection" method of load balancing, the number of connections per service is the value that we take into account, not the number of hits to the service.

Q: Does the TCP profile bound on the CS VIP or the corresponding LB VIP takes precedence?

A: NetScaler will use the TCP profile bound on the Content Switch vServer for front-end/client connection
The TCP profile bound to the Load Balancing vServer will not be used if the connection is made through the Content Switching vServer
The TCP profile bound to the Load Balancing vServer will be applied only if the client establishes the connection with the Load Balancing VIP directly
If no TCP profile is bound to the Content Switch vServer, the default TCP profile will be used

Q: Can a VIP address be bound to netprofile/ ipset in Cluster?

A: This is currently not allowed. You will see the error "ERROR: Operation not permitted" while trying to do this. This is supported starting from 11.1 build 58.x and 12.0 build 33.x (Issue ID: 664024)

Q: Are active sessions dropped while disabling a service or a member of a service group?

A: Yes, the active connections are dropped if we do not do a "Graceful" disable of the service. Active connections are maintained if the "Graceful" checkbox is selected.
Traffic Management ->LB-> ServiceGroup-> Manage Member -> Select member then click disable -.> Check Graceful and click ok 

Q: What does the "Graceful" option do while disabling a service?

A: This checkbox indicates graceful shutdown of the service. System will wait for all outstanding connections to this service to be closed before disabling the service.

Gracefully disabled services will maintain all current connections until these have timed-out/gracefully closed. All new connections will be sent to the enabled services.

Just disabling the services, will migrate all existing connections to the enabled service

Q: NS 10.5: NetProfile does not work intermittently and traffic is sourced from the wrong SNIP

A: This has been identified as an issue in the build of 10.5 and is fixed in 11.1 (Issue ID: 536377)

Q: Why does SSL VIP use HTTP/1.1 despite configuring HTTP/2 in the HTTP profile bound?

A: In the SSL handshake, we see in the client hello that client supports http2 over TLS (h2), however the VIP chooses HTTP 1.1.
HTTP/2 only supports TLS version 1.2 or higher for HTTP/2 over TLS (h2). HTTP/2 doesn't support any of the ciphers suites that are listed in the following article.
https://http2.github.io/http2-spec/#BadCipherSuites
Ensure that HTTP/2 supported Ciphers are bound to the VIP

Q: Can we view SSL counters/ statistics specific to a vServer or a VIP?

A: This is currently not possible. An enhancement request with the Product management has been raised for this:
ENH0234441: Display of per vServer/service stats with "stat ssl” command
ENH0234442: SSL per vServer/service stats should be displayed with nsconmsg -s ConSSL output

Q: What does the spillover count (SO) for a vServer in the ConLb output indicate?

A: If you have spillover configured or have a backup vServer and spillover occurs, they will be sent to the backup and the counter will increment. If you do not have spillover configured or a backup vServer configured, then the connection is reset and the spillover counter will still increment. The incrementing counter is indicative of requests being reset when you have no spillover configured.

When you do have spillover configured and requests are actually being spilled over, the counter is going to increment. Thus the counter increments in either scenario. Hence, if you know you don’t have spillover configured and you see spillover hits, then you should consider setting up spillover so that requests are processed instead of being reset.

Q: What are the ways to protect a Load Balancing vServer against Failure when it goes DOWN?

A: "Disable Primary When Down":  If you want the backup virtual server to remain in control until you manually enable the primary virtual server even if the primary virtual server comes back up, select "Disable Primary When Down". For more information on "Configuring a Backup Load Balancing Virtual Server" refer docs:
http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/config-backup-vserver.html

"Connection fail over": Connection fail over helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection fail over (or connection mirroring-CM) refers to keeping active an established TCP or UDP connection when a fail over occurs. The new primary NetScaler appliance has information about the connections established before the fail over and continues to serve those connections. After failover, the client remains connected to the same physical server. Setup supported for connection failover are Service type --> ANY, UDP, TCP, FTP, SSL_BRIDGE.

For more information on "Connection failover" refer
http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/connection-failover.html

Other methods can be viewed in the following link: https://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration.html

Q: Can we integrate MFA with LB vServer?

A: Yes, this can be done by configuring AAA vserver which can be configured as SAML SP. Microsoft MFA can be configured as SAML IDP if it has access to the LDAP/Radius.