How to maximize your virtual Citrix NetScaler Access Gateway performance

How to maximize your virtual Citrix NetScaler Access Gateway performance.

When you are reading this article you have probably been reading another article which is called NetScaler Access Gateway VPX user scalability numbers explained If you haven’t read this article I advice you to do so before continuing.

In the article mentioned above I focused on explaining why there are so many different “facts” about the amount of users you can facilitate on a virtual Citrix NetScaler Access Gateway. In this follow up article I will try to go into a bit more technical detail about CPU resource consumption and most importantly how you can make sure to get every single possible user sessions out of the virtual appliance.

CPU resource consumption

The bottleneck when we talk about concurrent user sessions on a virtual CAG is CPU. To optimize your experience we first need to know what’s using all of these CPU resources.

  1. The easiest one is normal Linux OS and application CPU cycles which we would see on any other platform
  2. On a virtual appliance we, obviously, use a virtual network card. A virtual network card doesn’t have offload possibilities like a physical network card. All of the packet handling is therefor CPU intensive.
  3. Virtual networking uses, becoming captain obvious by now, CPU resources on the hypervisor without the possibility of at least some offloading just like the virtual NIC.
  4. Last and anything but least SSL transactions. A physical CAG appliance uses special Cavium SSL Offload chips instead of the CPU which is being used by the virtual CAG. These Cavium chips are more capable of performing SSL transactions than normal CPU’s, so this is essentially what influences the amount of concurrent user sessions.

So after three articles of teasing I’m now finally going to tell you how to get the most out of your virtual Access Gateway performance!

As the CPU is our main bottleneck the first and easiest advice I can give you is to use a physical server with a recent CPU architecture. Faster is better!

My second advice is to be absolutely sure you are not over committing on CPU’s, if you decide to do so at least reserve a lot of CPU cycles for your virtual CAG! Each and every CPU wait will cause visible delays for your users so they will thank you!

Add CPU resources to your virtual appliance by adding one or more vCPUs. You should only be doing this when you don’t over commit, if you don’t you will end up with more delays! If you want to know why I’d recommend you read this article by Gabrie van Zanten.

Please do share any thoughts or ideas as a comment! I will make sure to add new tips to this article!

Tagged , , . Bookmark the permalink.

About Barry Schiffer

Barry is an IT Architect with 15 years of IT experience. He has gained both a broad and deep knowledge in the sphere of IT. Throughout the years, Barry has developed into a specialist in the field of Microsoft Windows, Server Based Computing, desktop and server virtualisation.Barry is co-founder and member of the Board of the Dutch Citrix User Group.Barry is awarded with the Citrix Technology Professional award in 2015 and received the RES Software Valued Professional award in 2012.

8 Responses to How to maximize your virtual Citrix NetScaler Access Gateway performance

  1. Martijn Hoogenbosch says:

    Okay, so adding more vCPU is a way to maximize performance and you can add memory as well. In the documents i found a VPX requires 5GB RAM. When you deploy the VPX it only has 2vCPU and 2GB RAM. If i would add more of both, would the VPX consume it all?

    • That depends on what hypervisor you are running on. If the VPX is not using the memory and hypervisor integration tools are running you theoreticaly should be able to use some sort of memory ballooning.

    • Jose Restrepo says:

      my thoughts are deeper on how the virtual device works with the hypervisor. should we install updated hypervisor tools and also add more network cards?

      also is there a bandwidth limitation in the netscalers for when doing ICA proxying?

      • Each NetScaler, VPX and MPX, is limited on bandwidth. That’s why they sell different VPX licenses 10/200/1000/3000 mbit/s.

        I wouldn’t advise on installing updated hypervisor tools and just wait for a Citrix release.

        I guess by know every hypervisor system offers at least 1 Gbit/s of throughput, if you need more than that just for ICA users …. get your self a MPX.

        • Jose Restrepo says:

          correct regarding 1gbit but depending on what type of virtual adapter you use cpu resources can be taxed. In vmware, an e1000 card will use 30% more cpu and resources than a VNX3 card. installing updated tools might also allow use of a faster disc controller, etc.

          • Jose that’s correct! Normally Citrix is pretty fast with new releases for new hypervisor versions. Like I said I would advice on waiting for a Citrix supported version rather than doing it yourself.

  2. antal says:

    KVM = Cavium, right?

Leave a Reply