Discovery: Citrix NetScaler SDX returns only a subset of hosted resources when shell access is blocked<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Issue When shell access is restricted on a Citrix NetScaler SDX appliance, Discovery successfully creates the parent SDX CI (after the read-only CLI workaround is applied) but only enumerates a subset of the hosted resources rather than the full set. The pattern completes without errors, yet the CMDB reflects fewer hosted instances than actually exist on the appliance. Symptoms The SDX CI is created successfully and the discovery pattern reports completion with no errors.Fewer hosted resources are visible in the CMDB than the customer's SME confirms exist on the appliance (for example, 2 discovered out of 4 expected).The discovery account has read-only CLI access only; shell access is restricted by customer policy.The pattern is running under the read-only CLI workaround (with sysctl -a replaced by show systemstatus and show hostname). Cause The Citrix NetScaler SDX discovery pattern depends on shell-level commands — specifically sysctl -a in Step 11 ("Create Interactive Shell") — to enumerate the complete set of hosted instances. When shell access is blocked, the read-only CLI workaround keeps the pattern running and successfully creates the parent SDX CI, but the read-only CLI commands do not return the same level of resource enumeration that sysctl -a provides. As a result, only the hosted resources that surface through the read-only CLI commands are discovered. Resolution Confirm the discovery account is operating under read-only CLI access and that shell access is blocked.Confirm the discovery pattern is using the read-only CLI workaround (no sysctl -a invocation).Set expectations with the customer: the gap between expected and discovered resources is a direct result of the shell-access restriction, not a pattern defect.If full enumeration is required, partner with the customer's NetScaler/security team to grant shell access to the discovery service account — even time-limited shell access during discovery cycles will close the gap.As an alternative for environments where shell will never be permitted, capture the missing resources via the read-only CLI manually and consider scripted CI creation or import for the remaining resources.Document the shell-access restriction in the customer's discovery design so future audits do not flag the partial enumeration as a discovery failure. Step 1 — Open the patternURL on <Cient instance>:$sn_pattern_designer.do?sys_id=0b021d10db54d05078a9ef92ca9619acPattern name: **Citrix Netscaler SDX**.### Step 2 — Edit step `Get Managed device data`Navigate to the first identification step `Get Managed device data` (Operation: *Parse Command Output*, Command: `show vmdevice`).In the **2. Define Parsing → Exclude Lines** field (currently empty), enter exactly the following one line:```Image Name:```Leave the **Include Lines** field unchanged (`Name:| IP Address`). Do **not** modify any other step (do not touch `Set device data in one line`, do not touch the failover regex steps).### Step 3 — Save and bundle into an update set1. Save the pattern.### Step 4 — Re-run discovery and verify Or ********* Import the Update set.sys_remote_update_set_a21e24bf2f24431485d4fe4fafa4e3d6.xml