Netscaler Bad performance

Today I looked into a Netscaler VPX Gateway with network issues.

Response was slow and users reported this error when connecting to Citrix backend servers:

“Failed with status 1110″ When Launching Desktops or Apps Through NetScaler Gateway”

I checked the eventlog on the vpx with: shell nsconmsg -K /var/nslog/newnslog -d event  and found a log full of these errors:

2546 245 PPE-0 UP; Last response: Success – Probe to STA server succeeded. Tue Oct 25 06:53:13 2016
2547 484 PPE-0 DOWN; Last response: Failure – TCP connection successful, but application timed out Tue Oct 25 07:01:19 2016

After looking around in the Systems menu I disabled Mac Based Forwarding and enabled TCP Window Scaling  as per CTX121149.

The network issued were gone and no more application time-out failures in the eventlog…

More about Mac Based Forwarding  here.



Hits: 301

Watchguard tcp dump options

About TCP Dump Argumentlogo-small

When you run the TCP dump task, you must specify the interface on which to run the task. You an also include expressions in the task arguments to filter for specific traffic.

To specify the interface, you include the -i argument and the interface name and number.

For example:

– i eth1 — Physical interface #1

-i ath1 — Wireless interface #1

-i br1 — Bridge interface #1

-i la1 — Link aggregation interface #1

To build an expression to filter the traffic from the interface you specify, you can use any of the standard TCP dump keywords and operators. Some of the common keywords and operators are:

host — Only include traffic to or from the specified host IP address.

net — Only show traffic to or from the IP addresses in the specified subnet. For example, for, type 10.0.1.

port — Only show traffic with either a source or destination of the specified port.

portrange — Only show traffic from the specified range of ports.

ip proto — Only show traffic from the specified protocol. For example, for ESP packets, type 50.

src or dst — Use with the keywords host or port to specify the source or destination.

tcp or udp — Use with the keywords port or portrange to specify the protocol.

and / or — Use to combine expressions.

For a complete list of the available keywords, see the PCAP-Filter manpage at

Examples of TCP dump arguments:

-i eth1 host and dst port 80
Show only traffic on interface eth1, to or from with destination port 80.

-i eth0 tcp port 25
Show only traffic on interface eth0, to or from TCP port 25.

-i vlan1024
Show only traffic tagged with VLAN 1024.

-i eth0 udp port 500 or ip proto 50
Show all UDP port 500 or ESP packets for the eth0 interface.

-i eth2 src and dst
Show all traffic from to on the eth2 interface.

Hits: 3407

HP A-Series comware cli

enter config mode:

show running-config:
disp cur

set ntp:
ntp-service enable
ntp-service unicast-peer

check ntp:
disp ntp-service stat

Clock status: synchronized
Clock stratum: 5
System peer:
Local mode: sym_active
Reference clock ID:
Leap indicator: 00
Clock jitter: 0.000198 s
Stability: 0.000 pps
Clock precision: 2^-17
Root delay: 6.37817 ms
Root dispersion: 6.54602 ms
Reference time: db84e749.fba8a28a Thu, Sep 15 2016 9:24:25.983

save config:
s s f (save safely force)

show saved-config:
disp sav

exit terminal:


more examples here

Hits: 242

Factory Reset M-series

To reset a Firebox M200 or M300 to factory-default settings:Openlogo-small

Hits: 1652

Recommended Watchguard Firecluster IP addresses

logo-smallSelect IP Addresses for Cluster Interfaces

We recommend you make a table with the network addresses you plan to use for the cluster interfaces and interface for management IP address. To avoid conflict with routeable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface, or use link-local IP addresses that begin with 169.254. If you use link-local IP addresses, you might find it useful to define your cluster interface IP addresses like this:

169.254.<interface number>.<member number>/24 

The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, your table could look something like this:

Interface # and IP addresses for a FireCluster
Interface # IP address for Member 1 IP address for Member 2
Primary cluster interface 5
Backup cluster interface 6
Management interface 1

Hits: 315

Watchguard XTM HTTPS Deep Inspection with Active Directory

On the XTM:

Create FW CSR via Firebox Sytem Manager, use type Proxy Authority

On the Domain Controller:

– Upgrade DC Cert authority to issue sha-256 certs link

– Export root and intermediate certs type Base64

– Import FW CSR via http://DC-ip/certsrv, type subordinate ca

– Export FW Cert type Base64

On the XTM:

– First import root then intermediate certs type IPSEC, Web Server, Other

– Then import FW Cert type Proxy Authority


Create https proxy policy in Policy Manager

Content Inspection: Enable deep inspection, do not Allow SSLv3, action inspect

Domain Names: None matched: Inspect

Test to find out if the firewall issues the right certs in your browser:















Hits: 233