Ns Usage Test

This test monitors the workload on the NetScaler appliance and the usage of its CPU resources.

Target of the test : A Citrix NetScaler Appliance

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every Citrix NetScaler being monitored

Configurable parameters for the test
  1. TEST PERIOD – How often should the test be executed
  2. Host – The host for which the test is to be configured
  3. Port – Refers to the port used by the Citrix NetScaler appliance. By default, this is NULL.
  4. snmpport - The port number through which the monitored component exposes its SNMP MIB.
  5. SNMPVERSION – By default, the eG agent supports SNMP version 1. Accordingly, the default selection in the snmpversion list is v1. However, if a different SNMP framework is in use in your environment, say SNMP v2 or v3, then select the corresponding option from this list.
  6. SNMPCommunity – The SNMP community name that the test uses to communicate with the target device. This parameter is specific to SNMP v1 and v2 only. Therefore, if the snmpversion chosen is v3, then this parameter will not appear.
  7. username – This parameter appears only when v3 is selected as the snmpversion. SNMP version 3 (SNMPv3) is an extensible SNMP Framework which supplements the SNMPv2 Framework, by additionally supporting message security, access control, and remote SNMP configuration capabilities. To extract performance statistics from the MIB using the highly secure SNMP v3 protocol, the eG agent has to be configured with the required access privileges – in other words, the eG agent should connect to the MIB using the credentials of a user with access permissions to be MIB. Therefore, specify the name of such a user against the username parameter. 
  8. authpass – Specify the password that corresponds to the above-mentioned username. This parameter once again appears only if the snmpversion selected is v3.
  9. confirm password – Confirm the authpass by retyping it here.
  10. authtype – This parameter too appears only if v3 is selected as the snmpversion. From the authtype list box, choose the authentication algorithm using which SNMP v3 converts the specified username and password into a 32-bit format to ensure security of SNMP transactions. You can choose between the following options:

    • md5 – Message Digest Algorithm
    • sha – Secure Hash Algorithm
  1. encryptflag – This flag appears only when v3 is selected as the snmpversion. By default, the eG agent does not encrypt SNMP requests. Accordingly, the encryptflag is set to No by default. To ensure that SNMP requests sent by the eG agent are encrypted, select the Yes option. 
  2. encrypttype – If the encryptflag is set to Yes, then you will have to mention the encryption type by selecting an option from the encrypttype list. SNMP v3 supports the following encryption types:

    • des – Data Encryption Standard
    • AES – Advanced Encryption Standard
  1. encryptpassword – Specify the encryption password here.
  2. confirm password – Confirm the encryption password by retyping it here.
  3. timeout – Specify the duration (in seconds) beyond which the SNMP query issues by this test should time out. The default period is 10 seconds.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

New client connections

Indicates the number of new client connections to the NetScaler device in the last measurement period.



New server connections

Indicates the number of new connections established between servers and the NetScaler device in the last measurement period.



Tcp offload factor

This factor monitors the connections from the NetScaler device to servers as a factor of the connections it receives from clients.


One of the key benefits of the NetScaler device is its ability to offload TCP connection processing from the servers to the NetScaler device itself. By doing so, the NetScaler device allows the existing server infrastructure to support a larger workload. The lower the value of this metric, the greater the benefits of the NetScaler device.

Current client connections

Indicates the number of connections currently established by clients to the NetScaler device.



Current server connections

Indicates the number of connections currently established by the NetScaler device to servers.



Client connections refused

Indicates the number of connections from clients that were refused by the NetScaler device during the last measurement period.


This value should be close to 0 for ideal operation.

Cookie sequence mismatch rejects

Indicates the number of connections rejected because of syn cookie sequence number mismatch.


Normal SYN cookies contain encoded information that makes it near impossible to request a connection to a host from a forged (spoofed) originating address. In this scenario, the attacker must guess a valid TCP sequence number used by that server to connect to some other legitimate host. The cryptographic protection in the standard SYN cookie makes this attack possible with as few as one million guesses, which is not impossible for a determined attacker. NetScaler uses an enhanced SYN cookie protection scheme that is fully compatible with the TCP/IP protocol, but have rendered the “forged connection” technique obsolete. Each new connection is unrelated to previous connections, and knowing a valid sequence number used for a previous connection will not enable an attacker to forge a connection.

A large value of this measure could indicate failed attempts made to hack into a network. Further investigation is hence, necessary.

Cookie signature mismatch rejects

Indicates the number of connections rejected because of syn cookie signature mismatch.



Unacknowledged SYNs received

Indicates the number of connections dropped because of unacknowledged SYN packets.


When a client attempts to establish a TCP connection to a server, the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections (for example, Telnet, web, E-mail, and so on). The sequence for the TCP connections are:

  • The client sends a SYN message to the server.
  • The server acknowledges the SYN message by sending a SYN-ACK message to the client.
  • The client finishes establishing the connection by responding to the server with an ACK message

When the sequence is complete, the connection between the client and server is open, and service-specific data can be exchanged between the client and server. The potential for attack arises at the point when the back-end server has sent an acknowledgment (SYN-ACK) to the client but has not received the ACK message from the client; this is referred to as a half-open connection in the server.

A high value of this measure indicates that too many such half-open connections exist in the server, which could consume excessive system memory, causing the server system to crash or hang, or deny service to legitimate clients.

Open connections to servers

Indicates the number of connections established with servers.



Server connection hits

Indicates the number of client transactions in the last measurement period that used the server connection in the reuse pool.


NetScaler appliances support a 'Connection Keep-Alive' feature that is enabled for HTTP protocols, so that persistent connections are available between the system and the client over the WAN link and also between the system and the server. This is achieved by mimicking HTTP “connection-persistence” behavior to both the client and server. The server always perceives that it is communicating with a persistent client (even if the client is not persistent) and the client always thinks it is communicating with a persistent server (even if the server is configured not to do keep-alive; for example, the server is configured to do one request per connection). One of the key benefits of this feature to a server is the creation and maintenance of a pool of ready-to-go fast server connections (i.e., the reuse pool). This pool ensures that connection requests from clients are serviced by the pool itself without having to open actual connections on the server, and thus greatly reduces the connection-burden on the server.

If the value of the Server connection hits measure is very low or the Server connection misses measure is very high, it indicates that the pool is not been effectively utilized. A very low Server connection pool hit ratio is also indicative of the same. If such a situation persists, it can only result in more physical connections been opened on the server, and consequently, excessive CPU and memory erosion at the server-level. You can counter this abnormal event by ensuring that the Connection Keep-Alive feature is always enabled.

Server connection misses

Indicates the number of new connections made during the last measurement period because the server connection was unavailable in reuse pool.


Server connection pool hit ratio

This metric is a measure of the efficiency of the server reuse pool.


CPU usage

Indicates the current CPU usage of the NetScaler device.


Ideally, this value should be low.