How do I Generate a Trace for a Specific NetScaler Admin Partition?

This article describes how to generate a trace for a specific NetScaler admin partition.

Use Case

Kevin is a super administrator who wishes to be able to grant finer granularity of administrative control of applications to sub administrators. Using his NetScaler Application Delivery Controller (ADC) he creates admin partitions so that he can restrict a sub admin’s rights to perform operations, such as view/modify/create/delete objects, to a specific partition only.

While managing the application, for troubleshooting the admin would need to take packet trace on NetScaler. Because Admin Partition provides isolation, it is important the trace can be taken within Partition and it should not capture any packets which do not belong to the Partition.

Introduction to admin partitions on NetScaler

Admin Partitions help you create a ‘logical ADC’ where you can isolate ADC services, entities, configuration, network path etc. without getting into the hardware level details. It becomes very easy for administrators to manage their application deployment through partitions. Each application administrator gets his own login UI and can manage his app without knowing about the co-existence of other apps or administrators on same appliance.?? Configuration isolation is also taken care of as every Partition maintains its own configuration file (ns.conf). ?? Partitions can be created only by NetScaler super users. During creation they also need to specify the users for that partition. Only super users and users associated with a partition can access that admin partition. A maximum of 512 admin partitions can be configured on a NetScaler Appliance.

The nstrace operation can be performed on individual admin partitions of a NetScaler appliance if the firmware version is 11.0 or higher.

For firmware versions lower than 11.0, the nstrace operation is not partition specific. You can capture a trace on the default partition and then use a VLAN-ID based filter on the captured trace to view partition specific trace.

Taking a trace on a NetScaler partition is supported only via CLI.

The steps to capture a trace for a partition on NetScaler versions 11.0 and higher are listed below.

A user ‘sany’ exists with access to 2 NetScaler partitions: Partition1 and Partition2

Step 1: ?? Login to NetScaler and check if you are in the correct partition

On CLI: The prompt will indicate the partition you are in.

Step 2: ?? Switch to the correct partition if you are in a different partition currently

On CLI:
show system user <username>
switch ns partition <partitionName>

Example: ??
show system user sany

switch ns partition partition1

Step 3:?? Start a trace (just as you would do on a non-partitioned NetScaler)

On CLI:
start nstrace

Step 4:?? Locate the trace

The partition specific trace files can be found in the?? /var/partitions/<partitionName>/nstrace/ directory.

Please note that for isolation and security reasons, the trace files is stored into respective partition specific directory structure which can only be accessed by the partition admin or the super user.