Cisco ASA – Packet Tracer Fails VPN:Encrypt:Drop

KB ID 0001198

Problem

Sometimes when troubleshooting VPN traffic, you may choose to use the ‘packet-tracer’ command to simulate interesting traffic. I did this today and got;

[box]

Phase: {number}
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

I replicated the error on the test bench.

Solution

Below is the full packet trace;

[box]

Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.254.10/80 to 10.254.254.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.254.1/80 to 192.168.254.1/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

This is an annoying error that is difficult to solve. The reason you are seeing it is that the ACL which defines the ‘interesting traffic’ for the VPN does not have a MIRROR IMAGE ACL on the OTHER VPN endpoint. As soon as this was rectified the packet-trace ran successfully.

[box]

Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.254.10/80 to 10.254.254.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.254.1/80 to 192.168.254.1/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 359, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

[/box]
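As an added check, not code from the original article: a small Python script that tests whether the remote peer's crypto ACL is the exact mirror image of the local one, which is the condition described above. The object names, the ACL name and both remote-site ACLs are constructed samples that follow the addressing in the trace.

```python
"""Mirror-image check for the crypto ('interesting traffic') ACLs on two ASA VPN peers.
Constructed samples follow the trace above (192.168.254.x at site A, 10.254.254.x at site B).
"""
import ipaddress
import re


def parse_objects(config):
    """Map 'object network NAME' definitions (subnet or host) to ip_network values."""
    objects, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if (m := re.match(r"object network (\S+)$", s)):
            current = m.group(1)
        elif current and (m := re.match(r"subnet (\S+) (\S+)$", s)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"host (\S+)$", s)):
            objects[current] = ipaddress.ip_network(m.group(1))
    return objects


def _endpoint(tokens, i, objects):
    """Decode one ACE endpoint starting at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "object":
        return objects[tokens[i + 1]], i + 2
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2  # 'network mask' form


def parse_acl(config, acl_name):
    """Return the set of (protocol, src, dst) flows permitted by one extended ACL."""
    objects = parse_objects(config)
    flows = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", acl_name, "extended", "permit"]:
            continue
        src, i = _endpoint(tokens, 5, objects)
        dst, _ = _endpoint(tokens, i, objects)
        flows.add((tokens[4], src, dst))
    return flows


def mirror_report(local_config, local_acl, remote_config, remote_acl):
    """Compare the remote peer's crypto ACL with the mirror image of the local one.
    Returns (missing_on_remote, unexpected_on_remote) as sorted 'proto src -> dst'
    strings; two empty lists means the ACLs mirror each other exactly.
    """
    expected = {(p, d, s) for (p, s, d) in parse_acl(local_config, local_acl)}
    remote = parse_acl(remote_config, remote_acl)
    fmt = lambda f: f"{f[0]} {f[1]} -> {f[2]}"
    return sorted(map(fmt, expected - remote)), sorted(map(fmt, remote - expected))


ACL = "VPN-INTERESTING-TRAFFIC"  # assumed ACL name, used on both peers
SITE_A = """\
object network Obj-SiteA
 subnet 192.168.254.0 255.255.255.0
object network Obj-SiteB
 subnet 10.254.254.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-SiteA object Obj-SiteB
"""
# Constructed remote ACLs: the first covers a single host only, so it is not a mirror image.
SITE_B_WRONG = "access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 host 192.168.254.1\n"
SITE_B_FIXED = "access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 192.168.254.0 255.255.255.0\n"

if __name__ == "__main__":
    print("wrong:", mirror_report(SITE_A, ACL, SITE_B_WRONG, ACL))
    print("fixed:", mirror_report(SITE_A, ACL, SITE_B_FIXED, ACL))
```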

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

MAC OSX – Connecting to Cisco IPSEC VPN

KB ID 0001197 

Problem

Here we are dealing with the older IPSEC VPN method of remote VPNs, NOT AnyConnect. There is/was a VPN client for Mac OSX which you can still download, but modern versions of OSX have the Cisco IPSec VPN client built into them.

I’m assuming you have already configured the firewall, if not see the article below;

Cisco ASA5500 Client IPSEC VPN Access

Solution

Open your network preferences and add in a new connection > Interface = VPN > VPN Type = Cisco IPSec > Service Name = A sensible name you will recognise, (like connection to work, or home  etc.)

 

Server address is the public IP, (or name if you have DNS set up*) of your Cisco Firewall > Enter your VPN username > I don’t put in the password, so I will have to type it in manually > Click Authentication Settings.

*For DNS you will need a static public IP and a registered domain name. The ASA DOES NOT support DNS updates to online services like DynDNS or No-IP etc. It does support DDNS, but that means the server that leases you your public address is supposed to update your DNS for you, and unless you are your own ISP and you host your own public DNS records, this won’t work!

Here you need to supply the ‘shared secret’ for the VPN tunnel, and the Group Name. Your firewall admin should give these to you.  If they don’t know, tell them to run ‘more system:running-config’ on the firewall and give you the shared secret and ‘group-policy’/’tunnel-group’ name for this remote VPN  > OK.

Nearly every time you use DHCP, the firewall will either lease you an address from a ‘pool’ of VPN addresses, or broker the connection and use your internal DHCP server.

Now to connect the VPN, select the icon shown, and click your Cisco VPN, (in the picture I have two).

If you didn’t put your password in during setup, you will be prompted to enter it to continue.

It does not work?

With all things Cisco, if there’s a problem the easiest way to a solution is to run a ‘debug’ on the firewall. Execute the following two commands on the firewall and attempt to connect again; this should point you in the right direction.

[box]

debug crypto isakmp 127
debug crypto ipsec 127

[/box]

Related Articles, References, Credits, or External Links

iPhone and iPad – Configure the Cisco VPN Client

Cisco ASA – Converting IKEv1 VPN Tunnels to IKEv2

KB ID 0001196 

Problem

We’ve had IKEv2 support on Cisco ASA for a while, (since version 8.4). I tend to set up site to site VPN tunnels at the command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies I know a way that works, so I will keep doing it that way.

What’s the difference between IKEv1 and IKEv2?

IKE version 2 is a lot more efficient and has a smaller network overhead, because it uses fewer messages to establish secure peers. Back with IKEv1 we had main mode (9 messages) and aggressive mode (6 messages), but IKEv2 only has one mode and that has only 4 messages. With IKEv1 both ends of the tunnel needed to use the same method of authentication (usually a shared secret (PSK) or an RSA signature (digital certificate)), but with IKEv2 each end of the tunnel can use a different authentication method. NAT traversal is automatically taken care of, and DoS attacks can be mitigated by built-in anti-replay and cookie support to defend against flood attacks.

 

Solution

Migrating your tunnels from IKEv1 to IKEv2 is probably the easiest job you’ve been given, (it can be done with one command). But doing something, and understanding what’s happening, are two different things.

I usually use AES-256 and SHA for site to site VPNs so a typical config I would deploy would look like this;

[box]

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

[/box]

Assuming both sites are OK and the tunnel is up, if we look to see what’s happening with ISAKMP we see something like this.

[box]

Petes-ASA(config)# show crypto isakmp
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

[/box]

You do the entire conversion with one command, ‘migrate l2l’, or if these are client to site VPNs you can use ‘migrate remote-access’.

[box]

Petes-ASA(config)# migrate ?

configure mode commands/options:
  l2l            Migrate IKEv1 lan-to-lan configuration to IKEv2
  overwrite      Overwrite existing IKEv2 configuration
  remote-access  Migrate IKEv1 remote-access configuration to IKEv2/SSL
  
Petes-ASA(config)# migrate l2l
Petes-ASA(config)#

[/box]

Now ensure you do the same at the other end, (or ensure the other vendor supports IKEv2). BE AWARE: By default, if you configure both IKEv1 and IKEv2 the ASA will fall back to IKEv1 if it cannot negotiate IKEv2. At this point we already have a tunnel established, so we need to ‘bounce’ the tunnel to get it to re-establish.

[box]

PetesASA(config)# clear crypto isakmp
PetesASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 87787277       123.123.123.123/500      2.2.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/7 sec
Child sa: local selector  10.0.0.0/0 - 10.0.0.255/65535
          remote selector 10.0.3.0/0 - 10.0.3.255/65535
          ESP spi in/out: 0xa5034be1/0x6c5de26e

[/box]

We are now running over IKEv2. To see how that has changed the config, compare the config below with the original above; the lines the migration added were highlighted in blue on the original page.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
 protocol esp encryption aes
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
 protocol esp encryption aes-192
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
 protocol esp encryption des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
 protocol esp encryption aes-256
 protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
!

[/box]
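Added here, not part of the original article: a Python audit that reads an ASA config after ‘migrate l2l’ and reports the points raised above (whether every crypto map entry received an IKEv2 proposal, whether IKEv1 is still enabled so the fallback described in the BE AWARE note is possible, and whether each tunnel-group has both IKEv2 authentication lines), plus one extra check beyond the article: which of the migrated default proposals still rely on DES, 3DES or MD5. The sample config is constructed in the style of the box above; the second crypto map entry and peer 3.3.3.3 are invented to show an entry that was not migrated.

```python
"""Post-migration sanity check for an ASA config after 'migrate l2l'.
Constructed sample config, condensed from the style of the migrated config above;
the second crypto map entry (peer 3.3.3.3) is invented to show an unmigrated entry.
"""
import re

WEAK_ALGOS = {"des", "3des", "md5"}  # extra check: algorithms no longer considered safe


def audit_ikev2_migration(config):
    """Summarise IKEv1/IKEv2 state: enabled interfaces, map entries, proposals, tunnel-group auth."""
    ikev1_ifaces, ikev2_ifaces = set(), set()
    proposals, map_entries, tg_auth = {}, {}, {}
    proposal = tg = None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("!"):  # section separator: leave any sub-mode
            proposal = tg = None
        elif (m := re.match(r"crypto ikev([12]) enable (\S+)", s)):
            (ikev1_ifaces if m.group(1) == "1" else ikev2_ifaces).add(m.group(2))
        elif (m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", s)):
            proposal, proposals[m.group(1)] = m.group(1), {}
        elif proposal and (m := re.match(r"protocol esp (encryption|integrity) (\S+)", s)):
            proposals[proposal][m.group(1)] = m.group(2)
        elif (m := re.match(r"crypto map (\S+) (\d+) set (ikev1 transform-set|ikev2 ipsec-proposal|peer) (\S+)", s)):
            entry = map_entries.setdefault((m.group(1), int(m.group(2))), {})
            entry[m.group(3).split()[0]] = m.group(4)  # key is 'ikev1', 'ikev2' or 'peer'
        elif (m := re.match(r"tunnel-group (\S+) ipsec-attributes", s)):
            tg = m.group(1)
            tg_auth.setdefault(tg, set())
        elif tg and (m := re.match(r"ikev2 (remote|local)-authentication", s)):
            tg_auth[tg].add(m.group(1))
    referenced = {e["ikev2"] for e in map_entries.values() if "ikev2" in e}
    label = lambda key: f"{key[0]} {key[1]}"
    return {
        "ikev1_enabled_on": sorted(ikev1_ifaces),
        "ikev2_enabled_on": sorted(ikev2_ifaces),
        # entries with no IKEv2 proposal will never negotiate IKEv2
        "entries_without_ikev2": sorted(label(k) for k, e in map_entries.items() if "ikev2" not in e),
        # entries carrying both can fall back to IKEv1 while 'crypto ikev1 enable' remains
        "entries_with_ikev1_fallback": sorted(label(k) for k, e in map_entries.items()
                                              if "ikev1" in e and "ikev2" in e),
        "unreferenced_proposals": sorted(n for n in proposals if n not in referenced),
        "weak_proposals": sorted(n for n, p in proposals.items() if WEAK_ALGOS & set(p.values())),
        "tunnel_groups_missing_ikev2_auth": sorted(t for t, k in tg_auth.items() if k != {"remote", "local"}),
    }


SAMPLE_CONFIG = """\
crypto ikev2 enable outside
crypto ikev1 enable outside
!
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *****
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
 protocol esp encryption des
 protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP 2 set peer 3.3.3.3
crypto map CRYPTO-MAP 2 set ikev1 transform-set VPN-TRANSFORM
"""

if __name__ == "__main__":
    for key, value in audit_ikev2_migration(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```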

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 Site to Site VPN (From CLI)

VMware Upgrading the vSphere Virtual Center Appliance

KB ID 0001193 

Problem

I had a vCenter 6.0.0.1 appliance on my test network and wanted to update it to version 6.0.0.2. But I didn’t want to reinstall the whole thing from scratch.

Solution

Let’s assume it’s going to go wrong! Take a snapshot of the appliance first.

Go to the patch update site and get the latest patch for your version of vCenter.

Upload the ISO file into your vSphere storage, and present it to your vCenter appliance.

SSH into your appliance (you can enable this from DCUI, but mine was enabled). Issue the following commands;

[box]

shell.set --enabled True
software-packages install --iso --acceptEulas

[/box]

Go get a coffee, it takes about 15-20 minutes; when complete it should say ‘Packages upgraded successfully’. You then need to reboot the appliance to complete the upgrade.

[box]

shutdown reboot -r Updated

[/box]

Related Articles, References, Credits, or External Links

Deploying The vCenter Server 6 Appliance

Citrix NetScaler – SSL Offloading

KB ID 0001192 

Problem

What is SSL Offloading?

If you run https services (Note: I say services, this does not have to be a website), the actual security is handled by SSL/TLS, and one of the things this does is encrypt the traffic between the client and server. (This is why your online banking and shopping is done over https and not http.)

That’s great, but encrypting and decrypting all that traffic takes a lot of processing cycles; if you have http servers doing that work it will divert a lot of CPU/vCPU time away from their normal job of providing web services. If you have a very busy site, you may start to scale those servers out and load balance them, but the http servers themselves will still need the extra grunt to do the decryption/encryption work.

You can install SSL accelerators, (often referred to as Crypto Offload Cards,) into your servers to hand off that workload, but in a modern virtual datacenter that does not scale well at all.

So what if you get your ‘load-balancer’ to decrypt the traffic coming in, and re-encrypt it on its way out? The https servers no longer have to do the ‘heavy lifting’. What’s more, if you put an SSL accelerator in your load balancer, that makes it run more efficiently. That’s exactly what Citrix have done: their hardware NetScalers have a Cavium CN1620-NFBE3-2.0-G or Cavium CN1120-NFB accelerator card in them to take this job on. (Note: This does not apply to the virtual appliance, (obviously) but that can still perform SSL offloading).

Put Simply: Your forward facing services are HTTPS, your ‘back-end’ services are HTTP.

Solution

Before you start, I’m assuming you already have your back end servers set up in NetScaler, and have those servers presented as either a ‘service group’ or as individual ‘services’. If you are unsure how to do this, follow the article below, (all the way to setting up the Virtual Server.)

Citrix NetScaler – Simple HTTP Site Load Balancing

I’m also assuming you have uploaded into the NetScaler, the certificate you are going to present publicly, and the CA-Root certificate, (and any intermediate CA certificates if required).  If you are using ‘self-signed’ certificates you might want to see the following article;

Citrix NetScaler – ‘Certificate is not a server certificate’

Citrix NetScaler Deploying SSL Offload

Log into the NetScaler > Configuration > Traffic Management > Virtual Servers > Add.

Give the Virtual Server a name > Protocol will be SSL > Set the IP (VIP) > The port will be 443 > OK.

Now add in your service group (or service(s)). I have two http servers set up in a service group, (see the article above). Click ‘No Load Balancing Virtual Server Service Group (or Service) Binding’.

Click the search arrow.

Locate and tick your back end service group > Select.

Bind

Continue.

At this point you can upload the certificate and CA certificate.

Done.

It can take a little while to ‘go green’. If there is a problem, click the drop-down arrow on the left for more information. If this is a new deployment you may encounter the following problem;

NetScaler – SSL Virtual Server State: Down Effective State: Down

So now if you hit the VIP the NetScaler is presenting on https, it converts it to http and load balances across the back end servers for you.

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – ‘Certificate is not a server certificate’

KB ID 0001191 

Problem

While attempting to bind a certificate to a Virtual Server on my NetScaler this happened;

Error
Certificate is not a server certificate

 

Solution

Before you proceed, delete the problem certificate to avoid confusion!

I had generated this certificate with Microsoft Certificate Services, and I had made a wildcard certificate like so;

Certificate Services – Create a ‘Wildcard Certificate’

Remember, if you use the standard ‘Web Server’ template it does not allow you to export the private key of a certificate, so clone that template, allow the private key to be exported, and then use the cloned template to create your wildcard cert.

Open the certificate on a Windows machine  > Install Certificate.

Select ‘Local Machine’  > Next.

Manually put the certificate in the ‘Personal’ container > OK > Next.

Now open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.

Note: Make sure there is a small key icon over the cert; if not, create a new one or follow this article.

Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).

Export as PKCS 12 (PFX) > Next.

Set a password, (you will need this in a minute, so don’t forget it) > Next.

Save the exported cert with a pfx extension > Next.

OK

Now EXPORT THE CERT AGAIN, this time you DO NOT want to export the private key. This time you want to export it as Base 64 (CER) > Follow the wizard and save it in the same location as the PFX file you exported earlier.

So now you should have two exported certificates like this;

Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.

Set the Output Name file to have a .key extension and call it something sensible > Browse to your PFX file > Enter the import password > set a PEM Passphrase, (set it the same as the export password for simplicity) > OK.

Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.

 

Again, give it a sensible name that you can identify, like the FQDN; call it ‘certificate’ and you will have problems down the line when you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM password > Install.

You can now assign this certificate without error.

 

Related Articles, References, Credits, or External Links

NA

NetScaler – SSL Virtual Server State: Down Effective State: Down

KB ID 0001190

Problem

When trying to set up SSL offloading on a NetScaler Virtual Server, I was unable to get the State and Effective State to ‘go green’.

Solution

If you hit the ‘down arrow’ to the left it will give you a little more information; in this case it says ‘SSL feature disabled’.

Log directly into the appliance and issue the following command;

[box]

enable feature SSL

[/box]

Hit the ‘refresh’ button and, (providing you set it up correctly,) it should burst into life.

Related Articles, References, Credits, or External Links

NA

Firefox Error – SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY

KB ID 0001189 

Problem

Firefox is what I use when Opera does not work, so when I tried to connect to some management servers that did not support Opera this happened;

 

Secure Connection Failed
An error occurred during a connection to {FQDN}. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)

 

Solution

Navigate to ‘about:config’ > I’ll be careful, I promise!

In the search bar type ssl3.dhe_rsa_aes_128_sha > change its value to false.

In the search bar type ssl3.dhe_rsa_aes_256_sha > change its value to false.

 

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – Simple HTTP Site Load Balancing

KB ID 0001188 

Problem

Here is the simplest load balancing scenario I can think of: I’ve got two web servers, (on http port 80) and I’m presenting them through my NetScaler as an HTTP (Virtual Server).

 

Solution

First we add the ‘back-end’ servers. Connect to the management IP of your NetScaler and login > Configuration > Traffic Management  > Load Balancing > Servers > Add.

Define a name for the first server and enter its IP address > Create.

Repeat to add the second internal web server. 

Now I’m going to group these servers together in a ‘service group’, (you don’t have to, you can present them individually to the virtual server you will create in a minute if you prefer). Configuration > Traffic Management  > Load Balancing > Service Groups > Add.

Name the group and set the protocol to HTTP  > OK.

When created, you will see it says ‘No Service Group members’  > Click there.

Select ‘Server Based’ > Click the search arrow.

Tick them all > Select.

Set the port (HTTP is TCP port 80) > Create.

OK.

Now we need to add a monitor; this is what the NetScaler will use to monitor the service availability of your ‘back-end’ servers on TCP port 80 (HTTP). Click Monitors.

This confused me for a while, selecting things on the right, drops them at the bottom of the main page > Click ‘No service Group Monitor Binding’.

NetScaler has a monitor for http pre-configured, so I’m going to use that > Click the search arrow.

Click ‘http’  > Select.

Bind.

Done.

Now we tie all that together in a ‘Virtual Server’ > Configuration > Traffic Management  > Load Balancing > Virtual Servers > Add.

Give the Virtual Server a name > Protocol is HTTP > Specify the IP address (this will be the VIP the NetScaler presents to the outside world)  > Port 80 > OK.

Now we need to add the group we created earlier; click where it says ‘No load balancing Virtual Servers Service Group Binding’.

 

Click the search arrow.

Click the group you created earlier > Select.

Bind.

Continue.

Done.

Save your hard work.

You should be green across the board.

To test this I put a different web ‘welcome’ page on both of the servers, that way as I refresh the page I can see that the NetScaler is doing its job and balancing the requests across both back-end web servers.

 

Related Articles, References, Credits, or External Links

NA

NetScaler – Locate the Host ID

KB ID 0001187 

Problem

To apply a license to your NetScaler you need to supply the Host ID to the licensing portal. A quick internet search yielded the commands, but they were not working.

Solution

Note: If this is a new installation, the username and password will both be set to nsroot.

Whatever I was reading, didn’t tell me I needed to drop to shell mode!

[box]

shell
lmutil lmhostid

[/box]

As you can see, this one’s is 0050569d5a96, (which I saw listed elsewhere as the appliance’s MAC address; however, pinging the device yielded a different, (similar,) MAC address.

 

Related Articles, References, Credits, or External Links

NA