Points to Consider before Configuring LSN

Consider the following points before configuring LSN on a Citrix ADC appliance:

  • Make sure that you understand the different components of Large Scale NAT, described in RFCs 6888, 5382, 5508, and 4787.
  • Endpoint independent mapping (EIM) and endpoint independent filtering (EIF) are disabled by default. These options must be enabled for proper functioning of VoIP and peer-to-peer (P2P) applications.
  • Logging LSN: Following are the consideration points for logging LSN information:
    • Citrix recommends logging the LSN information on external log servers instead of on the Citrix ADC appliance. Logging on external servers facilitates optimal performance when the appliance creates large numbers of LSN log entries (in order of millions).
    • Citrix recommends using SYSLOG over TCP, or NSLOG. By default SYSLOG uses UDP, and NSLOG uses only TCP to transfer log information to the log servers. TCP is more reliable than UDP for transferring complete data.
    • The following limitations apply to SYSLOG over TCP:
      • The Syslog over TCP solution does not provide authentication, integrity check, and privacy.
      • The Citrix ADC appliance relies on the TCP protocol to provide confirmation of SYSLOG message delivery to external log servers.
  • High Availability: Following are the consideration points for high availability of Citrix ADC appliances for LSN:
    • Citrix recommends configuring the LSN feature in a high availability deployment of two Citrix ADC appliances for uninterrupted and seamless operation of all LSN sessions.
    • In a high availability deployment, Citrix recommends:
      • Setting the SYNC VLAN parameter for dedicating a VLAN for all HA related communication.
      • Synchronizing the symmetric RSS key of the primary node to the secondary node for stateful synchronization of a large number of LSN mappings and sessions.
      • Binding the subnet of LSN IP addresses to a VLAN to avoid flooding of GARP broadcasts on all VLANs after a failover.
    • In a high availability deployment of Citrix ADC appliances, ALG-related sessions are not mirrored to the secondary appliance.
  • Application Layer Gateways (ALGs): Following are the consideration points related to ALGs on a Citrix ADC appliance:
    • The following are not supported for SIP ALG:
      • Multicast IP addresses
      • Encrypted SDP
      • SIP messages over TLS
      • FQDN translation in SIP messages
      • Authentication of SIP messages
      • Traffic domains, admin partitions, and Citrix ADC clusters
      • SIP messages with multipart bodies
    • The following are not supported for RTSP ALG:
      • Multicast RTSP sessions
      • RTSP session over UDP
      • Citrix ADC traffic domains, admin partitions, and Citrix ADC clusters
    • The Citrix ADC appliance does not support ALG for the IPSec protocol.
  • If you disable the LSN feature when some LSN sessions exist on the Citrix ADC appliance, these sessions continue to exist for the duration of the configured timeout interval.
  • LSN takes precedence over RNAT. If a packet from a specified LSN subscriber also matches a RNAT rule, the packet is translated according to the LSN configuration.
  • Forwarding of packets related only to the LSN sessions is based on the Citrix ADC appliance’s routing table.
  • Unlike with subnet IP addresses, selection of an LSN NAT IP address for a subscriber’s connection is not based on the routing entry for the destination IP address.
  • For inbound packets, static LSN mappings take precedence over dynamic LSN mappings.
  • For outbound packets, LSN application profiles take precedence over static mapping.
  • When a large number of LSN sessions (> 1 million) exist on the Citrix ADC appliance, Citrix recommends displaying selected LSN sessions instead of all of them. In the command line interface or the configuration utility, use the selection parameters of the show LSN session operation to filter the sessions displayed.
  • To reduce the amount of active memory allocated to the LSN feature, you must warm restart the Citrix ADC appliance after changing the configured-memory setting. Without a warm restart, you can only increase the amount of active memory.
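
The logging, EIM/EIF and high-availability recommendations above, collected into one Citrix ADC command-line fragment. This is an added example and is not part of the original page; the command forms follow the standard ADC CLI, and the log server address, VLAN IDs, LSN subnet and profile names are placeholder values.

```text
# Added example (not from the original page). Addresses, VLAN IDs and names are placeholders.

# --- Logging: send LSN log entries to an external syslog server over TCP rather than UDP ---
add audit syslogAction lsn_syslog_act 192.0.2.50 -serverPort 514 -transport TCP -logLevel ALL -lsn ENABLED
add audit syslogPolicy lsn_syslog_pol true lsn_syslog_act
bind system global lsn_syslog_pol -priority 100

# --- EIM/EIF: both are disabled by default; VoIP and P2P applications need them enabled ---
add lsn appsprofile lsn_voip_udp UDP -mapping ENDPOINT-INDEPENDENT -filtering ENDPOINT-INDEPENDENT

# --- High availability ---
# Dedicate a VLAN (placeholder ID 10) to all HA-related communication
set HA node -syncvlan 10
# Symmetric RSS key type is required for stateful synchronization of LSN mappings and sessions
set rsskeytype -rsstype SYMMETRIC
# Bind the LSN NAT IP subnet (placeholder 198.51.100.0/24) to its own VLAN so GARP
# broadcasts after a failover are confined to that VLAN instead of flooding all VLANs
add vlan 20
bind vlan 20 -IPAddress 198.51.100.1 255.255.255.0
```

Apply the HA settings on the primary node; the RSS key type change takes effect only after the appliance is restarted.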