Sunday, December 16, 2012

Configure Citrix NetScaler 10.0 for High Availability

Having configured a few Citrix NetScaler 9.x appliances in high availability in the past, I noticed that I haven’t actually written a blog post about it, so this post demonstrates the steps required to configure a pair of NetScaler 10.0 appliances in HA for redundancy. The appliances I’ll be using for the demonstration are NetScaler VPX 1000s hosted on VMware vSphere hosts.

If you would like to read Citrix’s documentation on the topic, you can find it at the following URL:

Configuring High Availability
http://support.citrix.com/proddocs/topic/ns-system-10-map/ns-nw-ha-cnfgrng-ha-con.html

Preparation and Prerequisites

Prior to beginning the configuration, you’ll need to ensure you have the following:

Licenses:

As per the following blog post:

NetScaler Licensing Dissected
http://blogs.citrix.com/2011/04/12/netscaler-licensing-dissected/

… two NetScaler licenses are required for an HA configuration, so make sure you’ve allocated and downloaded 2 licenses for the NetScaler HA pair.

NetScaler IP Addresses and Names:

Decide whether you’re configuring a single-armed or two-armed configuration and configure each node’s IP addresses as required. For the purpose of this example, we’ll be using a 2-armed configuration, so the IP addresses will be as follows:

Node 1
Name – SVR-CNS-01
NetScaler IP Address – 172.16.36.65
Mapped IP Address – 172.16.36.66

Node 2
Name – SVR-CNS-02
NetScaler IP Address – 172.16.36.68
Mapped IP Address – 172.16.36.69

SSL Certificates:

If you’re publishing a Citrix Web Interface Server for remote access clients, ensure that you have requested and installed an SSL certificate onto the first node appliance.

Access Gateway Virtual Server IP and Servers:

If you’re going to be publishing a Citrix Web Interface Server for remote access clients, configure the virtual IPs you’ll be using as well as the virtual server:

Remove Unnecessary Default Routes:

As this is a 2-armed topology, a default route would be added for both the internal and external leg segments, which would cause incorrect traffic routing. Remove the default route for the internal leg’s network and add static routes for the networks in your internal network that you would like the NetScalers to access.

Configure Remote Pair

With all of the prerequisites configured, begin by logging onto your first node with the virtual server configured and navigate to System –> High Availability:

Click on the Add button:

Enter the NetScaler IP of the second node:

Then click on the OK button to allow the first node to initiate an HA pairing with the second node:

Once the pairing completes successfully, you will be presented with the following message:

High Availability pair has been setup.

For functional High Availability setup, please make sure that RPC passwords are same for both primary and secondary nodes.

You should also now see the second node listed in the GUI:

Ensure that the Synchronization State is labeled as SUCCESS to validate the second node is synchronized with the settings:

With both nodes paired in an HA configuration, you should be able to navigate to Network –> IPs and see the same NetScaler, Mapped and Virtual IP addresses:

You’ll also notice that when you log onto the secondary node’s management GUI, you’ll receive the following message:

You are connected to a secondary node; configuration changes made in this session will not be propagated to, or saved on, other nodes (primary node IP address)

With this in mind, ensure that you don’t accidentally make any changes on this node.

Now that we’ve verified that the pairing was a success, proceed with saving the configuration on the active node:

Forcing Failover

It’s important to test your HA pair once you’ve completed the configuration, and there are 2 ways to do this. The first way is to use the Force Failover button in System –> High Availability:

The second method is to actually reboot the NetScaler, and I recommend trying both because your NetScalers are most likely not in production and now is probably the best time to test this. You’ll notice that the failover is almost instantaneous when using the Force Failover button, while actually rebooting the appliance will show the Master State, Node State and others as UNKNOWN:

As soon as the rebooted node comes back online, the UNKNOWN states should revert back to normal.

Through the testing that I’ve done with several NetScalers, I’ve noticed that I would only lose 1 ping packet when performing a failover regardless of the method.  I won’t go as far as to say that everyone would experience the same but the failover is fairly quick.
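
The pairing, verification and failover test above can also be done from the NetScaler command line. This is an added example, not steps from the original post; the node IPs are the ones used above, and <shared-rpc-password> is a placeholder.

```netscaler
# Added example: NetScaler CLI equivalent of the GUI steps in this post.
# Node IPs are the ones used above; <shared-rpc-password> is a placeholder.

# --- On SVR-CNS-01 (NSIP 172.16.36.65): add the second node as the peer ---
add ha node 1 172.16.36.68

# --- On SVR-CNS-02 (NSIP 172.16.36.68): add the first node as the peer ---
add ha node 1 172.16.36.65

# --- On BOTH nodes: RPC node passwords must match, as the pairing message
# says. Set the same non-default password on each node's entry.
# -secure YES is optional: it encrypts node-to-node RPC traffic and has to
# be set identically on both nodes.
set ns rpcNode 172.16.36.65 -password <shared-rpc-password> -secure YES
set ns rpcNode 172.16.36.68 -password <shared-rpc-password> -secure YES

# --- On the primary: verify the pair ---
# Compare node state, master state and synchronization state with what the
# GUI shows under System -> High Availability.
show ha node
show ns rpcNode
# The NetScaler, Mapped and Virtual IPs should be listed on both nodes.
show ns ip

# --- On the primary: persist the configuration ---
save ns config

# --- Failover test (CLI counterpart of the Force Failover button) ---
force ha failover
show ha node
```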

Extra Items to Check

One of the first items I check at this point is that the virtual servers are still up as I’ve had a few situations where both nodes would lose the certificate I installed which leaves you with your virtual servers in a Down state:

If this is the case, you should be able to regenerate the certificate with the keys you previously used.  See the following blog post if you need more information:

Recreating SSL certificate on a Citrix NetScaler VPX 1000 with the private key and CA issued certificate crt file
http://terenceluk.blogspot.com/2012/06/recreating-ssl-certificate-on-citrix.html

4 comments:

Anonymous said...

Yah Right Like you know. YAWN

Anonymous said...

Thank you for sharing

Dani said...

Hi..

Thanks a lot for your information. Did you ever try to make an HA installation with one NS on a VMware host and the other one on a Hyper-V? Does it work? Is it supported?
Kind regards,
Dani

Shishir said...

Hey Terence ... your posts are really helpful ... I configured the HA pair using your steps but it seems that the "Host Name" field does not populate the other nodes' details. From primary I can see the primary's "Host Name" on the HA page ... and vice versa on the secondary. However I cannot see the "Host Name" of let's say secondary from the primary node. Is that normal? Is there something that can be done about this?