ADC

CloudBridge Connector tunnel diagnostics and troubleshooting

If you have problems with a CloudBridge Connector tunnel configuration, make sure that all prerequisites were observed before the tunnel was set up. If they were, the problem might be with the tunnel end-point IP addresses, a NAT configuration, the way the tunnel was set up, or with the data traffic.

Troubleshooting a CloudBridge Connector tunnel

If your CloudBridge Connector tunnel does not function properly, the issue could be with tunnel establishment or with the data traffic. If you are unsure which type of problem you have, look for an error message in the log file and see if the error message is in the list of tunnel-establishment issues. If you do not find your error message, check the list of possible issues related to data traffic.

After the requirements for configuring the IPSec tunnel are met and the CloudBridge Connector tunnel is configured, if the status of the tunnel is not UP, look for debugging information in the iked.log file on one or both Citrix ADC appliances configured as the tunnel end points.

On either appliance, type the following command at the Citrix ADC shell prompt:

`cat /tmp/iked.debug tee /var/iked.log’

The Troubleshooting pdf lists some common errors and their solutions.

If the data in the CloudBridge Connector tunnel are not exchanged properly between the tunnel end points, do the following.

  • For a CloudBridge Connector tunnel that uses GRE and IPSec protocols:
    • Make sure that L2 mode is enabled on both of the CloudBridge Connector tunnel end points. To enable L2 mode, type the following command at the Citrix ADC command line interface:

      enable mode L2

      • If one of the CloudBridge Connector tunnel end points is a CloudBridge virtual appliance (VPX) and is provisioned on a VMware ESXi hypervisor, make sure that Promiscuous mode is set to Accept for the vSwitch associated with the CloudBridge VPX appliance.
    • If  a VLAN is extended through a CloudBridge Connector tunnel, verify one-to-one mapping on the extended VLAN entity on each of the tunnel end points
    • Make sure that the IP tunnel entity is bound to the correct netbridge entity in each of the tunnel end points.
    • Verify that the ARP entry for the peer CloudBridge Connector tunnel end point exists on the local tunnel end point, by typing the following command at the Citrix ADC command line interface:

      `show arp’

    • If the output shows an incomplete ARP entry, bidirectional traffic is not flowing through the tunnel. If bidirectional traffic is flowing, the ARP entry shows the name of tunnel interface for the devices on the other side of the tunnel.
    • Remove the IP tunnel entities from both tunnel end points and add them again with the same parameters, but with the IPSec profile set to NONE, so that the tunnel uses only the GRE protocol.

      After verifying the following in the IP tunnel (that uses GRE protocol), configure the tunnel with IPSec parameters by specifying a valid IPSec profile to the respective IP tunnel entities on each of the tunnel end points.

      Proper PING or TCP flow through the tunnel. Proper flow of data traffic through the tunnel.

      After the configured tunnel (that uses GRE and IPSec protocols) is in UP state, if the data traffic does not flow properly through the tunnel, and if a NAT device was deployed in front of any or both of the tunnel end points, analyze the ingress and egress packets on the NAT devices.

  • If a Citrix ADC appliance is used as Router or Gateway.
    • Make sure that L3 mode is enabled on the Citrix ADC appliance. To enable L3 mode, run the following command in the CloudBridge command line.
    • enable mode L3
    • If subnets are bound to a netbridge entity, make sure that correct IP tunnel entity is also bound to the netbridge.
    • Run the following command in the Citrix ADC command line to see where the packets (Input and Output)are getting dropped:

      stat ipsec counters

    • Make sure that the correct routes are configured on both the tunnel end points.
    • If no NAT device is deployed in front of the Citrix ADC appliance, make sure that the firewalls are configured to allow any ESP (IP protocol number 50) packets and any UDP packets for port 4500.

If none of the above measures result in successful exchange of traffic between the tunnel end points, contact Citrix Technical Support.

Checklist before contacting Citrix technical Support

For a speedy resolution, make sure that you have the following items ready before contacting Citrix Technical Support.

  • Details of the deployment and network topology.
  • Log file collected by typing the following command at the Citrix ADC shell prompt.
    cat /tmp/iked.debug | tee /var/log/iked.log

  • Tech support bundle captured by typing the following command at the Citrix ADC command line.
    show techsupport
  • Packet traces captured on both CloudBridge Connector tunnel end points. To start a packet trace, type the following command at the Citrix ADC command line.
    start nstrace -size 0

    To stop packet trace, type the following command at the Citrix ADC command line. stop nstrace

  • Output of the following command typed at the Citrix ADC command prompt.
    show arp
CloudBridge Connector tunnel diagnostics and troubleshooting