Having configured a few Citrix NetScaler 9.x appliances in high availability in the past, I noticed that I haven’t actually written a blog post about it, so this post serves to demonstrate the steps required to configure a pair of NetScaler 10.0 appliances in HA for redundancy. The appliances I’ll be using for the demonstration are NetScaler VPX 1000s hosted on VMware vSphere hosts.
Note that if you would like to read Citrix’s documentation on the topic, you can find it at the following URL:
Configuring High Availability
Preparation and Prerequisites
Prior to beginning the configuration, you’ll need to ensure you have the following:
As per the following blog post:
NetScaler Licensing Dissected
… two NetScaler licenses are required for an HA configuration, so make sure you’ve allocated and downloaded 2 licenses for the NetScaler HA pair.
NetScaler IP Addresses and Names:
Decide whether you’re configuring a single-armed or two-armed configuration and configure each node’s IP addresses as required. For the purpose of this example, we’ll be using a 2-armed configuration, so the IP addresses will be as follows:
Name – SVR-CNS-01
NetScaler IP Address – 172.16.36.65
Mapped IP Address – 172.16.36.66
Name – SVR-CNS-02
NetScaler IP Address – 172.16.36.68
Mapped IP Address – 172.16.36.69
If you’re publishing a Citrix Web Interface Server for remote access clients, ensure that you have requested and installed an SSL certificate onto the first node appliance.
Access Gateway Virtual Server IP and Servers:
If you’re going to be publishing a Citrix Web Interface Server for remote access clients, configure the virtual IPs you’ll be using as well as the virtual server:
Remove Unnecessary Default Routes:
As this is a 2-armed topology, a default route would be added for both the internal and external leg segments, which would cause incorrect traffic routing. Remove the default route for the internal leg’s network and add static routes for the networks in your internal network that you would like the NetScalers to access.
Configure Remote Pair
With all of the prerequisites configured, begin by logging onto your first node with the virtual server configured and navigate to System –> High Availability:
Click on the Add button:
Enter the NetScaler IP of the second node:
Then click on the OK button to allow the first node to initiate an HA pairing with the second node:
Once the pairing completes successfully, you will be presented with the following message:
High Availability pair has been setup.
For functional High Availability setup, please make sure that RPC passwords are same for both primary and secondary nodes.
You should also now see the second node listed in the GUI:
Ensure that the Synchronization State is labeled as SUCCESS to validate the second node is synchronized with the settings:
With both nodes paired in an HA configuration, you should be able to navigate to Network –> IPs and see the same NetScaler, Mapped and Virtual IP addresses on each node:
You’ll also notice that when you log onto the secondary node’s management GUI, you’ll receive the following message:
You are connected to a secondary node; configuration changes made in this session will not be propagated to, or saved on, other nodes (primary node IP address)
With this in mind, ensure that you don’t accidentally make any changes on this node.
Now that we’ve verified that the pairing was a success, proceed with saving the configuration on the active node:
It’s always important to test your HA pair now that you’ve completed the configuration and there are 2 ways to do this. The first way is to use the Force Failover button in System –> High Availability:
The second method is to actually reboot the NetScaler, and I recommend trying both because your NetScalers are most likely not in production and now is probably the best time to test this. You’ll notice that the failover is almost instantaneous when using the Force Failover button, while actually rebooting the appliance will show the Master State, Node State and other fields as UNKNOWN:
As soon as the rebooted node comes back online, the UNKNOWN states should revert back to normal.
Through the testing that I’ve done with several NetScalers, I’ve noticed that I would only lose 1 ping packet when performing a failover regardless of the method. I won’t go as far as to say that everyone would experience the same but the failover is fairly quick.
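The same pairing, verification and failover test can also be run from the NetScaler command line, which makes the RPC password step from the pairing message explicit. The listing below is an added example and not part of the original walkthrough. It uses the node addresses from this post, assumes node ID 1 for the remote peer, treats `<rpc-password>` as a placeholder, and the lines starting with `#` are annotations.

```netscaler
# --- On SVR-CNS-01 (172.16.36.65), the node that holds the configuration ---
# Register the peer. ID 0 is always the local node; 1 is chosen here
# for the remote node (assumption, any free ID works).
add ha node 1 172.16.36.68

# --- On SVR-CNS-02 (172.16.36.68) ---
# Register the first node as the peer.
add ha node 1 172.16.36.65

# --- On both nodes ---
# The pairing message asks for identical RPC passwords on primary and
# secondary. Set the same non-default password on the RPC entry of each
# node and turn on encryption for node-to-node traffic.
set ns rpcNode 172.16.36.65 -password <rpc-password> -secure YES
set ns rpcNode 172.16.36.68 -password <rpc-password> -secure YES

# --- Verify, on SVR-CNS-01 ---
# Review Node State, Master State and the synchronization status
# reported for the local and the remote entry.
show ha node
# Confirm both RPC entries exist and are marked secure.
show ns rpcNode
# NetScaler, Mapped and Virtual IPs should be identical on both nodes.
show ns ip

# Persist the configuration on the active node.
save ns config

# --- Test ---
# Trigger a failover, then confirm the roles have swapped.
force ha failover
show ha node
```

Passing the password on the command line leaves it in the session history, so run these from a trusted management session.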
Extra Items to Check
One of the first items I check at this point is that the virtual servers are still up as I’ve had a few situations where both nodes would lose the certificate I installed which leaves you with your virtual servers in a Down state:
If this is the case, you should be able to regenerate the certificate with the keys you previously used. See the following blog post if you need more information:
Recreating SSL certificate on a Citrix NetScaler VPX 1000 with the private key and CA issued certificate crt file