Author Topic: Http/1.1 NS Internal Server Error 21  (Read 11004 times)

Offline vviudez

  • Contributor
  • *
  • Posts: 6
  • Karma: 0
Http/1.1 NS Internal Server Error 21
« on: April 28, 2008, 08:23:00 AM »
Hi guys,

I have a problem on a NetScaler 8.0 upgraded to Build 54.6.

I've defined two services for SSL VPN, one only for the Secure Gateway method (only ICA Proxy active and redirection to a WI Server)
and another for an SSLVPN service.

The first works great, but for the SSLVPN Service, I can log on, but the VPN homepage does not appear.
The response was an HTTP error 500, showing this message:

    "Http/1.1 NS Internal Server Error 21"


Does anybody have an idea what's happening?

Thx!


Offline jmelika

  • Administrator
  • Hero Member
  • *****
  • Posts: 341
  • Karma: 7
Re: Http/1.1 NS Internal Server Error 21
« Reply #1 on: April 28, 2008, 11:29:58 AM »
This is interesting.  I've seen it back in the 6.1 days, but not in the 8.0.  My understanding is that it was fixed.

I am trying to remember how I went about fixing it.  Can you give us more details on your setup?  As an example:
public IP address is x.x.x.1, internal IP address y.y.y.1, services created, your AAC (Application Access Controls) how they are enabled, etc.

Thanks!
JM

Offline vviudez

Re: Http/1.1 NS Internal Server Error 21
« Reply #2 on: April 29, 2008, 04:41:30 AM »
Well, I'm posting my "ns.conf" file:

Hope it helps!

------------------------------------------------------------------------------------------------------
#NS8.0 Build 54.6
# Last modified by `save config`, Mon Apr 28 15:33:10 2008
set ns config -IPAddress 1xx.2x.x.3 -netmask 255.255.0.0
set ns config -cip ENABLED CLIENT_IP
enable ns feature WL SP LB CS CMP PQ HDOSP SSLVPN SSL CF IC
enable ns mode FR L3 CKA TCPB Edge USNIP PMTUD
set lacp -sysPriority 32768
set system user nsroot 1d31300ff8a69d741b5918ae9aa6534ba014fcb76d6d0dc6d -encrypted
add system user ctxe 1d560a19b01328a2f5a09eccc13a921f435cdee7b9ab82a9f -encrypted
set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/7 -speed 1000 -duplex FULL -flowControl RXTX -autoneg ENABLED -haMonitor OFF -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/8 -speed AUTO -duplex AUTO -flowControl RXTX -autoneg ENABLED -haMonitor ON -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
add ns ip 1xx.2x.x.4 255.255.255.0 -type MIP -vServer DISABLED
add route 0.0.0.0 0.0.0.0 1xx.2x.x.1 65535
add route 1y.1y.0.0 255.255.255.0 1xx.2x.x.2
add snmp community public GET
add snmp community private ALL
set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label Organization
add server PS4WI02 1y.1y.0.19
add server PS4WI01 1y.1y.0.16
add server AD01 1y.1y.0.12
add server AD02 1y.1y.0.3
add service WI01 PS4WI01 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED CLIENT_IP -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB YES -CMP YES
add service WI02 PS4WI02 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED CLIENT_IP -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB YES -CMP YES
add authentication ldapAction AD -serverIP 1y.1y.0.12 -ldapBase DC=mydomain,DC=local -ldapBindDn CN=ldapquery,cn=Users,DC=mydomain,DC=local -ldapBindDnPassword cd201cgghhj137e48867 -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN
add vpn url Citrix Citrix http://www.citrix.es
add vpn intranetApplication route_migrate_1 ANY 1y.1y.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication route_migrate_2 ANY 1xx.2x.x.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
add vpn intranetApplication route_migrate_3 ANY 1y.1y.0.0 -netmask 255.255.255.0 -destPort 1-65535 -interception TRANSPARENT
add authentication ldapPolicy "Dominio" ns_true AD
add authorization policy "Tech-Group" ns_true ALLOW
add lb vserver vsrv-WI HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add lb vserver vsrv-redirect HTTP 1xx.2x.x.5 80 -persistenceType NONE -redirectURL https://www2.mydomain.com -cltTimeout 180

add vpn vserver ssl-vpn SSL 1xx.2x.x.5 443 -authentication OFF -maxAAAUsers 100 -downStateFlush DISABLED
add vpn vserver sslvpn-nac SSL 1xx.2x.x.6 443 -maxAAAUsers 100

set ns rpcNode 1xx.2x.x.3 -password ************** -encrypted -srcIP 1xx.2x.x.3
set responder param -undefAction NOOP
set rewrite param -undefAction NOREWRITE
bind lb vserver vsrv-WI WI01
bind lb vserver vsrv-WI -policyName ns_cmp_content_type
bind lb vserver vsrv-WI -policyName ns_cmp_msapp
bind lb vserver vsrv-WI -policyName ns_cmp_mscss
bind lb vserver vsrv-WI -policyName ns_nocmp_mozilla_47
bind lb vserver vsrv-WI -policyName ns_nocmp_xml_ie

add dns nameServer 1y.1y.0.3
add dns nameServer 1y.1y.0.12

set snmp alarm HA-STATE-CHANGE -severity Informational
set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 60 -severity Informational
set snmp alarm ENTITY-STATE -severity Informational
set snmp alarm SERVICE-MAXCLIENTS -severity Warning
set snmp alarm SSL-CERT-EXPIRY -severity Warning
set snmp alarm INTERFACE-THROUGHPUT-LOW -severity Warning
set dns parameter -nameLookupPriority DNS
add dns suffix mydomain.local
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey mydomain-ns -cert mydomain_ns.cer -key mydomain_rsa.key -inform DER

set ssl service nshttps-1xx.2x.x.4-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-1xx.2x.x.4-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-127.0.0.1-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED

set cache parameter -memLimit 512 -via "NS-CACHE-8.0:   1" -verifyUsing HOSTNAME_AND_IP -maxPostLen 0 -prefetchMaxPending 4294967294 -enableBypass YES
set cache contentGroup BASEFILE -relExpiry 86000 -maxResSize 256 -memLimit 2
set cache contentGroup DELTAJS -relExpiry 86000 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
set aaa parameter -maxAAAUsers 365


set aaa ldapParams -serverIP 1y.1y.0.12 -ldapBase DC=mydomain,DC=local -ldapBindDnPassword cd201c4446yf137e48867 -encrypted

set ssl vserver sslvpn-nac -cipherRedirect DISABLED -sslv2Redirect DISABLED

add vpn sessionAction SG -defaultAuthorizationAction ALLOW -icaProxy ON -wihome http://192.168.0.16/Citrix/NS/auth/login.aspx -ntDomain mydomain
add vpn sessionAction VPN -splitDns BOTH -sessTimeout 30 -splitTunnel ON -localLanAccess OFF -killConnections OFF -transparentInterception ON -windowsClientType AGENT -defaultAuthorizationAction ALLOW -clientCleanupPrompt ON -clientOptions all -clientConfiguration all -SSO ON -windowsAutoLogon ON -icaProxy ON -iipDnsSuffix mydomain.local -ntDomain mydomain

add vpn sessionPolicy UseSG ns_true SG
add vpn sessionPolicy UseVPN ns_true VPN

set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true
set vpn parameter -splitDns BOTH -splitTunnel ON -killConnections OFF -proxy OFF -proxyLocalBypass DISABLED -forceCleanup all -clientOptions all -clientConfiguration all -SSO ON -windowsAutoLogon ON -clientDebug OFF -homePage none -icaProxy ON -ClientChoices OFF -epaClientType PLUGIN -ntDomain ctxe

bind tunnel global ns_tunnel_cmpall_gzip


bind vpn global -intranetDomain mydomain.local
bind vpn global -staServer http://1y.1y.0.16:1020
bind vpn global -staServer http://1y.1y.0.19:1020

bind vpn vserver ssl-vpn -staServer http://1y.1y.0.16:1020
bind vpn vserver ssl-vpn -staServer http://1y.1y.0.19:1020
bind ssl vserver ssl-vpn -certkeyName ctxe-ns
bind vpn vserver ssl-vpn -policy UseSG

bind vpn vserver sslvpn-nac -intranetIP 1y.1y.0.0 255.255.255.0
bind vpn vserver sslvpn-nac -intranetIP 1xx.2x.x.0 255.255.0.0
bind vpn vserver sslvpn-nac -staServer http://1y.1y.0.19:1020
bind vpn vserver sslvpn-nac -staServer http://1y.1y.0.16:1020
bind vpn vserver sslvpn-nac -policy "Dominio"
bind vpn vserver sslvpn-nac -urlName Citrix
bind vpn vserver sslvpn-nac -intranetApplication route_migrate_1
bind vpn vserver sslvpn-nac -intranetApplication route_migrate_2
bind vpn vserver sslvpn-nac -intranetApplication route_migrate_3
bind ssl vserver sslvpn-nac -certkeyName ctxe-ns
bind vpn vserver sslvpn-nac -policy UseVPN


set lb sipParameters -addRportVip ENABLED
bind ssl service nshttps-1xx.2x.x.4-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-1xx.2x.x.4-3008 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate

set ns hostName ns
------------------------------------------------------------------------------------------------------
« Last Edit: April 29, 2008, 11:35:42 AM by jmelika »

Offline jmelika

Re: Http/1.1 NS Internal Server Error 21
« Reply #3 on: April 29, 2008, 11:52:41 AM »
I hope you don't mind but I had to edit your post to remove your IP addresses for your protection.

Now to answer your question, I see the only ns ip assigned to your netscaler is here (remember I removed the real IPs)
add ns ip 1xx.2x.x.4 255.255.255.0 -type MIP -vServer DISABLED
Now this IP does not seem to have management enabled "-mgmtAccess Enabled -gui Enabled", or "-mgmtAccess ENABLED -gui SECUREONLY" for HTTPS.

What is the URL you're trying to access which you're receiving the HTTP 1.1 error for?  Could you paste that please?  Is it an IP address on the NetScaler?  Because I don't see any IPs or subnets assigned to the NetScaler aside from the public one.  Everything else seems to be routed elsewhere.

Thanks,
JM

Offline vviudez

Re: Http/1.1 NS Internal Server Error 21
« Reply #4 on: April 30, 2008, 12:40:42 AM »
Sorry for showing the IPs, but they are internal IPs.

I only use the NSIP to access management, I don't need to use a MIP:
Quote
set ns config -IPAddress 1xx.2x.x.3 -netmask 255.255.0.0

This NS is in a DMZ, and a Firewall does the necessary NATs. The NS Gateway is the Firewall.

The question is that when I try to access the vserver SSLVPN defined like:
Quote
add vpn vserver ssl-vpn SSL 1xx.2x.x.5 443 -authentication OFF -maxAAAUsers 100 -downStateFlush DISABLED

I can connect without problems, like an old SG. It redirects to a Web Interface directly.


But when I try to connect through the vserver SSLVPN-NAC defined like:
Quote
add vpn vserver sslvpn-nac SSL 1xx.2x.x.6 443 -maxAAAUsers 100

I can't reach the internal pages of Netscaler. I want to use this vserver to test some NAC conditions.


Hope I explained it better...

Regards,
VV


Offline TheOracle

  • Hero Member
  • *****
  • Posts: 152
  • Karma: 18
Re: Http/1.1 NS Internal Server Error 21
« Reply #5 on: April 30, 2008, 12:12:33 PM »
Some features do still need a MIP--I would check to see if adding a MIP helps resolve the issue.

The Oracle

Offline vviudez

Re: Http/1.1 NS Internal Server Error 21
« Reply #6 on: May 01, 2008, 12:42:31 PM »
I have a MIP already configured:

Quote
add ns ip 1xx.2x.x.4 255.255.255.0 -type MIP -vServer DISABLED

When I connect through the vserver SSLVPN-NAC, using its IP (to test from LAN) or through the Internet (Netscaler is behind a firewall using a NAT to this vserver IP)....
Quote
add vpn vserver sslvpn-nac SSL 1xx.2x.x.6 443 -maxAAAUsers 100

I reach the logon page in both cases, and Netscaler authenticates my user using the defined connection with our Active Directory, but when the browser redirects to internal pages, it gives the error.
« Last Edit: May 01, 2008, 12:51:09 PM by vviudez »

Offline TheOracle

Re: Http/1.1 NS Internal Server Error 21
« Reply #7 on: May 02, 2008, 08:08:32 AM »
Which policy is being implemented?  I noticed:

set vpn parameter -splitDns BOTH -splitTunnel ON -killConnections OFF -proxy OFF -proxyLocalBypass DISABLED -forceCleanup all -clientOptions all -clientConfiguration all -SSO ON -windowsAutoLogon ON -clientDebug OFF -homePage none -icaProxy ON -ClientChoices OFF -epaClientType PLUGIN -ntDomain ctxe

In this case, you have ICA proxy configured, but no web interface URL, which could be causing the error.

The Oracle

Offline vviudez

Re: Http/1.1 NS Internal Server Error 21
« Reply #8 on: May 05, 2008, 07:52:48 AM »
Ok... it's true Oracle, it seems that the ICA Proxy option enabled without any Web Interface URL defined is causing this problem.

I'm reconfiguring this Netscaler and I will try this new config tonight.


I'll keep you informed.


Thanks!
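
Added example (not part of the thread and not any poster's code): a small Python check for the condition identified in Reply #7, ICA proxy ON with no Web Interface URL (-wihome), run over an ns.conf. The sample input is abridged from the config posted above; the function names are hypothetical, and the check assumes a session policy's action applies to every vserver it is bound to, without modelling policy priority or rules.

```python
import shlex

# Constructed sample: VPN-related lines abridged from the ns.conf posted in this thread.
SAMPLE_CONF = '''\
#NS8.0 Build 54.6
add vpn sessionAction SG -defaultAuthorizationAction ALLOW -icaProxy ON -wihome http://192.168.0.16/Citrix/NS/auth/login.aspx -ntDomain mydomain
add vpn sessionAction VPN -splitTunnel ON -SSO ON -icaProxy ON -ntDomain mydomain
add vpn sessionPolicy UseSG ns_true SG
add vpn sessionPolicy UseVPN ns_true VPN
set vpn parameter -splitTunnel ON -homePage none -icaProxy ON -ntDomain ctxe
bind vpn vserver ssl-vpn -policy UseSG
bind vpn vserver sslvpn-nac -policy "Dominio"
bind vpn vserver sslvpn-nac -policy UseVPN
'''

def options(tokens):
    """Map each -option (lower-cased) to the token that follows it."""
    return {t.lower(): (tokens[i + 1] if i + 1 < len(tokens) else "")
            for i, t in enumerate(tokens) if t.startswith("-")}

def ica_proxy_without_wihome(conf_text):
    """Return (settings with -icaProxy ON and no -wihome, vservers bound to them)."""
    actions, policies, binds = {}, {}, []
    for line in conf_text.splitlines():
        tok = shlex.split(line, comments=True)   # handles quotes and '#' comments
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "vpn", "sessionaction"] and len(tok) > 3:
            actions[tok[3]] = options(tok[4:])
        elif head == ["add", "vpn", "sessionpolicy"] and len(tok) > 5:
            policies[tok[3]] = tok[5]             # policy name -> action name
        elif head == ["set", "vpn", "parameter"]:
            actions["<global vpn parameter>"] = options(tok[3:])
        elif head == ["bind", "vpn", "vserver"] and len(tok) > 3:
            pol = options(tok[4:]).get("-policy")
            if pol:
                binds.append((tok[3], pol))
    bad = {name for name, opt in actions.items()
           if opt.get("-icaproxy", "").upper() == "ON" and not opt.get("-wihome")}
    # Authentication policies (e.g. "Dominio") are not session policies and are skipped.
    vservers = sorted({vs for vs, pol in binds if policies.get(pol) in bad})
    return sorted(bad), vservers

if __name__ == "__main__":
    print(ica_proxy_without_wihome(SAMPLE_CONF))
```

On the sample it reports the VPN session action and the global vpn parameter, and maps the finding to the sslvpn-nac vserver, the one that returned the error in this thread.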