One of the methods available to make NetScalers redundant is the High Availability feature that is packed with all models and editions of NetScaler. High Availability works in an active/passive pair.
This means one NetScaler device acts as the active primary node and the second appliance sits passively waiting for the active node to go down. A maximum of two NetScalers (and a minimum for that matter) can be used for High Availability.
If you make a change on the primary appliance, the change is synchronized to the secondary node. You should not make changes on a secondary node as they will not be replicated to the primary. When you log on to a secondary node GUI you are presented with a warning as below.
Each NetScaler node monitors one another with heartbeats that are communicated through the pairs NSIP addresses. The NSIP is unique to each device, and you must make sure both devices can reach one another via their NSIP.
Your NetScaler appliances must be running the same model and build version to be supported by Citrix. If builds are different, synchronisation between both nodes is disabled. There will be times when builds are different, such as during upgrades, however this is temporary.
The following ports must be open between each NetScaler appliance in the pair:
- UDP 3003 – Heartbeat exchange communication.
- TCP 3008 – Secure high availability configuration synchronization.
- TCP 3009 – Secure command propogation and MEP (Metric Exchange Protocol).
- TCP 3010 – High availability configuration synchronization.
- TCP 3011 – Command propogation and MEP (Metric Exchange Protocol).
- SSH 22 – Used by rsync during file synchronization between primary and secondary appliance.
To set up High Availability, on your first node, navigate to System -> High Availability -> Add.
Enter the Remote Node IP Address, username and password. Keep the default options ticked as below. If your nodes are on different subnets for example differnet NSIP VLANs, tick the Turn on INC option. This ensures some networking settings are unique and maintained per node. Objects such as SNIPs, VLANs and static routes are not replicated between nodes when INC is used. Click Create.
Newer versions of NetScaler have a Secure Access checkbox which allows communication to travel over HTTPS.
Both NetScalers will now appear in the Nodes list. Any configurational setting on the primary node will synchronize across to the secondary node.
A refresh of the screen shows synchronization is a success on the secondary node.
If you click the Action button you can force synchronization and force failover between nodes.
Click on Statistics to get information on how many heartbeats have been sent and received. Also you can see the state of the current NetScaler you are currently logged on to which will either display Primary or Secondary.
Select the node you are logged on to and click Edit.
Here you can specify the node to stay primary, or disabled etc. You can also set a node to stay secondary. You will need to use these options when upgrading NetScaler’s in an HA pair.
The Hello Interval (msecs) field specifies how often a heartbeat is sent to the participating node over port UDP 3003. The default value is 200 but can be between 200 and 1000. The Dead Interval (secs) setting specifies how long heartbeat failures can occur before the NetScaler node is marked as down. The default value is 3 but can be between 3 and 60. The Default Interval must be set as a multiple of the Hello Interval.
You can also specify options such as maintaining one primary node even in the event that both nodes are unhealthy.
You can also configure and maintain high availabilty using the CLI.
show ha node shows high availability configuration information for each node.
force failover forces failover to the secondary node.
force ha sync forces a synchronization to occur. Files such as licenses and rc.conf are not synchronized between nodes. rc.conf contains the NetScaler hostname so must remain unique on each node.
set ha node -hasync disabled disables synchronization on the node you are running the command from.
Running the show ha node command confirms synchronization is disabled. We can enable synchronization again by using the set ha node -hasync enabled command.