If the SSL feature does not work as expected after you have configured it, you can use some common tools to access NetScaler resources and diagnose the problem.

Resources for troubleshooting

For best results, use the following resources to troubleshoot an SSL issue on a NetScaler appliance:

  • The relevant ns.log file
  • The latest ns.conf file
  • The messages file
  • The relevant newnslog file
  • Trace files
  • A copy of the certificate files, if possible
  • A copy of the key file, if possible
  • The error message, if any

In addition to the preceding resources, you can use the Wireshark application customized for the NetScaler trace files to expedite troubleshooting.

Troubleshooting SSL issues

To troubleshoot an SSL issue, proceed as follows:

  • Verify that the NetScaler appliance is licensed for SSL Offloading and load balancing.
  • Verify that SSL Offloading and load balancing features are enabled on the appliance.
  • Verify that the status of the SSL virtual server is not displayed as DOWN.
  • Verify that the status of the service bound to the virtual server is not displayed as DOWN.
  • Verify that a valid certificate is bound to the virtual server.
  • Verify that the service is using an appropriate port, preferably port 443.
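
The configuration-side items of this checklist can be checked offline against a saved ns.conf file. The following Python script is an added example, not part of the original documentation or any Citrix tooling. It assumes the usual ns.conf command forms (`enable ns feature`, `add lb vserver`, `add service`, `bind lb vserver`, `bind ssl vserver ... -certkeyName`) and runs on a constructed excerpt.

```python
import shlex

# Constructed ns.conf excerpt: names and addresses are made up for the example.
SAMPLE_NS_CONF = """\
enable ns feature WL LB CS
add ssl certKey web_cert -cert web.pem -key web.key
add service svc_web 192.0.2.20 SSL 443
add lb vserver vs_shop SSL 192.0.2.10 443 -persistenceType NONE
add lb vserver vs_admin SSL 192.0.2.11 8443
add lb vserver vs_plain HTTP 192.0.2.12 80
bind lb vserver vs_shop svc_web
bind ssl vserver vs_shop -certkeyName web_cert
"""

def check_ssl_config(conf_text):
    """Return findings for the checklist items that ns.conf alone can answer."""
    features, vservers, svc_ports = set(), {}, {}
    bound_svcs, certs = {}, {}
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)          # honours quoted entity names
        except ValueError:
            tok = line.split()
        low = [t.lower() for t in tok]
        if low[:3] == ["enable", "ns", "feature"]:
            features.update(t.upper() for t in tok[3:])
        elif low[:3] == ["add", "lb", "vserver"] and len(tok) > 6 and low[4] == "ssl":
            vservers[tok[3]] = tok[6]        # SSL virtual server -> port
        elif low[:2] == ["add", "service"] and len(tok) > 5 and low[4] == "ssl":
            svc_ports[tok[2]] = tok[5]       # SSL service -> port
        elif low[:3] == ["bind", "lb", "vserver"] and len(tok) > 4 and not tok[4].startswith("-"):
            bound_svcs.setdefault(tok[3], []).append(tok[4])
        elif low[:3] == ["bind", "ssl", "vserver"] and "-certkeyname" in low[4:-1]:
            certs.setdefault(tok[3], []).append(tok[low.index("-certkeyname") + 1])
    findings = [f"feature {f} is not enabled" for f in ("LB", "SSL") if f not in features]
    for name in vservers:
        if name not in certs:
            findings.append(f"{name}: no certificate bound")
        if name not in bound_svcs:
            findings.append(f"{name}: no service bound")
    for name, port in list(vservers.items()) + list(svc_ports.items()):
        if port != "443":
            findings.append(f"{name}: port {port}, not 443")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_config(SAMPLE_NS_CONF):
        print(finding)
```

License status and the UP or DOWN state of virtual servers and services are not recorded in ns.conf, so those items still have to be verified on the running appliance.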

CRL refresh does not happen on the secondary node in an HA setup

The refresh does not happen because the CRL server is accessible only to the primary node through a private network.

Workaround: Add a service on the primary node with the IP address of the CRL server. This service acts as a proxy for the CRL server. When the configuration is synchronized between the nodes, CRL refresh works for both primary and secondary nodes through the service configured on the primary node.