1.1 NetScaler High Availability Overview
In high-availability environments it is common to need two devices of the same model to build the HA setup. Building an HA environment ensures that the NetScaler does not become a single point of failure and that the backend services remain reachable without interruption. When an HA pair is built between two NetScaler devices, the two devices detect each other's heartbeat over UDP. An HA pair consists of a primary node and a secondary node: the primary node takes all traffic and owns all of the NetScaler's shared IP addresses, while the secondary node monitors the health of the primary node to make sure its services are up and running. If the primary node fails, the secondary node takes over all traffic and all of the shared NetScaler IP addresses, so access to the backend services is not interrupted.
1.2 NetScaler HA System Structure
A generic NetScaler HA architecture (diagram in the original post):
All NetScaler IP addresses are floating addresses shared between the HA members; the only address not shared in HA is each device's NSIP, the NetScaler management IP. Packets for a front-end request are forwarded to the requested backend server via a SNIP or a MIP.
Only the primary NetScaler (NetScaler 1 in the figure) serves traffic. NetScaler 2 stays in standby mode and waits for the primary node to fail. The two nodes exchange packets (HA synchronization) to monitor each other's health.
1.3 ARP/GARP/VMAC
Like other network devices, NetScalers use ARP (Address Resolution Protocol) to find the MAC addresses of other devices on the LAN. For example, suppose a virtual IP address (VIP) is configured on the NetScaler. All request packets for that VIP arrive at the vserver on the NetScaler that serves the VIP. To deliver them, the gateway checks its ARP cache for the MAC address that corresponds to the (previously resolved) IP address. If there is no cache entry, the gateway sends an ARP broadcast on the LAN. The device that owns the IP address replies to the gateway with a packet containing its MAC address, and the gateway then stores this IP-to-MAC mapping in its own ARP cache.
The ARP table can be viewed on the NetScaler with the CLI command `show arp` (output shown in the original post).
In an HA environment, especially at failover time, the gateway's ARP cache still holds the MAC address of the previous primary NetScaler, which causes problems. To resolve this, the new primary sends GARP (Gratuitous ARP) broadcast packets for all IP addresses owned by the NetScaler HA pair (VIPs, NSIPs, etc.). The gateway receives these packets and updates its ARP cache.
Listed below are several conditions under which GARP packets are sent:
Note that some firewalls do not support GARP traffic, in which case VMAC must be configured for the deployment. With VMAC, the MAC address is shared between the two nodes, so GARP is not needed to update the MAC table.
If the primary node goes down or stops responding to requests, the secondary node takes over so that requests continue to be served. The primary and secondary nodes monitor each other with a heartbeat sent from each node's IP address.
By default, the following ports must be opened in the firewall rules to allow HA communication between the NetScaler nodes:
- UDP port 3003: heartbeat exchange (node up or down)
- TCP port 3008: secure high availability configuration synchronization
- TCP port 3009: secure command propagation and Metric Exchange Protocol (MEP)
- TCP port 3010: high availability configuration synchronization
- TCP port 3011: command propagation and MEP
NetScaler high availability requires two devices of the same model running the same system version. Running HA across mismatched models, for example an MPX5550 and a VPX, can cause problems, and Citrix does not provide technical support for problems with such a configuration.
1.4 NetScaler HA Setup Options
Node state
- STAYPRIMARY: forces the NetScaler device to stay in primary node mode.
- STAYSECONDARY: forces the NetScaler device to remain in secondary node mode.
- ENABLED: the default option. HA fails over between the NetScaler devices based on HA events.
- DISABLED: disables the HA engine.
Fail-safe mode
Fail-safe mode checks the health of both nodes to ensure that one node is always primary. It also ensures that when the primary node is only partially available, the backup node can handle as much of the traffic as possible. HA fail-safe mode must be configured on each node.
The tables in the original post show the resulting HA behavior for each node state.
Default configuration
- The primary node handles all traffic.
- The two nodes have their own NSIPs but share most of the configuration, including VIPs, SNIPs and MIPs.
- Changes on the primary node are replicated to the secondary node (enabled by default).
- The heartbeat (hello interval) is 200 ms, sent as UDP packets on port 3003.
- The dead interval is 3 seconds: a failover occurs when heartbeat packets have been lost for 3 seconds.
- Fail-safe mode is off by default and must be configured on each node.
By default, HA communication is not encrypted and does not use the secure channels and protocols:
- HA sync occurs on port 3010 (TCP).
- Secure HA sync occurs on port 3008 (TCP).
- Command propagation occurs on port 3011 (TCP).
- Secure command propagation occurs on port 3009 (TCP).
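As an added example (not from the original post), the following Python function checks observed flow records against the HA port table above: it reports HA ports reached by any host other than the two NSIPs, and sync or command-propagation traffic still using the unencrypted ports 3010/3011 rather than the secure 3008/3009. The two NSIPs and the flow records are constructed sample data.

```python
# HA port table from this page: (protocol, port) -> (purpose, encrypted?).
# The UDP 3003 heartbeat carries no configuration, so it is not flagged as plaintext.
HA_PORTS = {
    ("udp", 3003): ("heartbeat", True),
    ("tcp", 3008): ("secure HA config sync", True),
    ("tcp", 3009): ("secure command propagation / MEP", True),
    ("tcp", 3010): ("HA config sync", False),
    ("tcp", 3011): ("command propagation / MEP", False),
}


def audit_ha_flows(flows, nsips):
    """Classify (src, dst, proto, dport) records against the HA port table.

    'foreign'   - an HA port touched by a host that is not one of the two NSIPs
    'plaintext' - sync/propagation between the nodes on an unencrypted port
    'secure'    - heartbeat or secure-channel traffic between the nodes
    'other'     - flows that do not involve an HA port at all
    """
    nsips = set(nsips)
    report = {"foreign": [], "plaintext": [], "secure": [], "other": []}
    for src, dst, proto, dport in flows:
        entry = HA_PORTS.get((proto.lower(), dport))
        if entry is None:
            report["other"].append((src, dst, proto, dport))
            continue
        purpose, encrypted = entry
        if src not in nsips or dst not in nsips:
            # HA ports should only ever be reachable between the two NSIPs.
            report["foreign"].append((src, dst, proto, dport, purpose))
        elif not encrypted:
            report["plaintext"].append((src, dst, proto, dport, purpose))
        else:
            report["secure"].append((src, dst, proto, dport, purpose))
    return report


# Constructed sample data: two hypothetical NSIPs and a few observed flows.
NSIPS = ["192.0.2.11", "192.0.2.12"]
SAMPLE_FLOWS = [
    ("192.0.2.11", "192.0.2.12", "udp", 3003),    # heartbeat
    ("192.0.2.11", "192.0.2.12", "tcp", 3010),    # unencrypted config sync
    ("192.0.2.11", "192.0.2.12", "tcp", 3011),    # unencrypted command propagation
    ("192.0.2.12", "192.0.2.11", "tcp", 3009),    # secure command propagation
    ("198.51.100.7", "192.0.2.11", "tcp", 3011),  # third host reaching an HA port
    ("198.51.100.7", "192.0.2.11", "tcp", 443),   # ordinary management traffic
]

if __name__ == "__main__":
    for category, entries in audit_ha_flows(SAMPLE_FLOWS, NSIPS).items():
        print(f"{category:9s} {len(entries)} {entries}")
```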
1.5 NetScaler HA Configuration
To build an HA primary/secondary pair we need each node's IP address and the default system username and password. Both nodes must use the same RPC node username and password; by default these are the same on all NetScalers. To establish the HA pair, go to System | High Availability | Nodes on one of the nodes and click Add. The following options are presented:
- Remote IP address (the NSIP of the other node)
- Configure the remote system to participate in the high availability setup
- Turn off the HA monitor on interfaces
- Turn on INC (Independent Network Configuration) mode on the self node
- Credentials for the remote system
All we need to do is enter the remote IP address, select the option to configure the remote NetScaler system, turn off the HA monitor on the interfaces, and enter the NetScaler username and password.
Turning off the HA monitor on an interface means that the NetScaler does not use HA probes sent from one node to the other on that interface.
The last option is INC: if the devices are on different subnets, an independent network configuration is required, because regular HA uses the same network configuration on both nodes. After we fill in the information and click OK, the primary node begins to propagate its information and configuration to the secondary node and the HA pair is set up (screenshot in the original post).
It also starts synchronizing files such as SSL certificates and application firewall XML files. Which files are synchronized, and how the file synchronization process works, is described in Citrix KB article CTX138748: http://support.citrix.com/article/CTX138748.
Note that several items are not synchronized: the license files, ns.conf and rc.conf. SSL synchronization can be verified from the CLI (command output shown in the original post).
Because an HA pair has been built, operations and configuration changes made on the primary node are propagated to the secondary node.
The HA nodes can be viewed in the GUI or with the CLI command `show ha node` (output shown in the original post).
The command output shows each node's state; a node shown as active is the primary (active) node.
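As an added example (not from the original post), a small Python parser for `show ha node` output that checks the states this section and the default configuration above describe: two nodes, exactly one Primary, both UP, fail-safe set on each node, the 200 ms hello and 3 s dead intervals, and a healthy sync state on the secondary. The sample output is constructed and abbreviated; the field labels are assumed to follow the CLI's format, and the healthy sync values SUCCESS/ENABLED are an assumption.

```python
import re

# Constructed, abbreviated `show ha node` output as seen on one node. Field labels
# are assumed to follow the CLI's format; the addresses and values are made up.
SAMPLE_SHOW_HA_NODE = """\
1)      Node ID:      0
        IP:   192.0.2.11
        Node State: UP
        Master State: Primary
        Fail-Safe Mode: OFF
        Sync State: ENABLED
        Hello Interval: 200 msecs
        Dead Interval: 3 secs
2)      Node ID:      1
        IP:   192.0.2.12
        Node State: UP
        Master State: Secondary
        Fail-Safe Mode: OFF
        Sync State: SUCCESS
        Hello Interval: 200 msecs
        Dead Interval: 3 secs
"""

def parse_ha_nodes(text):
    """Split the output into one {'Label': 'value'} dict per numbered node."""
    nodes = []
    for line in text.splitlines():
        if line[:1].isdigit():                 # "1)" starts a new node block
            nodes.append({})
        m = re.match(r"^(?:\d+\))?\s*([A-Za-z][A-Za-z -]*?):\s*(\S.*)", line)
        if m and nodes:
            nodes[-1][m.group(1)] = m.group(2).strip()
    return nodes

def check_ha_pair(nodes):
    """Return findings where the pair deviates from the states described on this page."""
    findings = []
    primaries = [n for n in nodes if n.get("Master State") == "Primary"]
    if len(nodes) != 2 or len(primaries) != 1:
        findings.append(f"{len(nodes)} nodes, {len(primaries)} primary (expected 2 and 1)")
    for n in nodes:
        ip = n.get("IP", "?")
        if n.get("Node State") != "UP":
            findings.append(f"{ip}: node state is {n.get('Node State')}")
        if n.get("Fail-Safe Mode") != "ON":    # page: fail-safe must be set on each node
            findings.append(f"{ip}: fail-safe mode is {n.get('Fail-Safe Mode')}")
        if n.get("Hello Interval") != "200 msecs" or n.get("Dead Interval") != "3 secs":
            findings.append(f"{ip}: non-default hello/dead interval")
        if n.get("Master State") == "Secondary" and n.get("Sync State") not in ("SUCCESS", "ENABLED"):
            findings.append(f"{ip}: sync state is {n.get('Sync State')}")  # assumed healthy values
    return findings
```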
We can also use failover interfaces: a NetScaler has multiple network interfaces connected to different switches, so it can fail over to another interface.
For example, if our NetScaler uses two interfaces, with interface 1 connected to switch 1 and interface 2 connected to switch 2, we can use a failover interface set to fail over from NIC 1 to NIC 2 when, for example, switch 1 goes down. In large environments there are often links spanning multiple switches that handle this failover automatically.
In the GUI we can right-click each node and perform actions such as synchronize or force failover. Force failover lets us perform a manual failover, which is typically done when we need to upgrade.
By default, when the primary node fails, the secondary node takes over and automatically becomes the primary, and when the original primary comes back online it is demoted to secondary. If there is a problem with HA synchronization in our environment, so that the secondary node has not received the latest changes, and we have to upgrade, then to be safe we can set the secondary node to STAYSECONDARY before upgrading it, which forces that NetScaler device to remain in secondary node mode. This ensures that the primary stays primary and the secondary stays secondary after the upgrade and restart.
If problems occur while using the HA function, we can use nsconmsg. Running the command `nsconmsg -d event` gives information about the events that have occurred on the console.
NetScaler uses Gratuitous ARP (GARP) to announce its addresses. Some vendors such as Cisco, and some older firewalls from vendors such as Juniper Networks, do not accept GARP packets of the request type. So if your environment contains network devices that the NetScaler's packets must traverse and that do not support GARP, you need to either use VMAC or, from the NetScaler CLI, run `set L2Param -garpReply ENABLED`.
If our firewall or router does not support GARP, we can configure the NetScaler to use VMAC. VMAC gives the NetScaler a floating MAC address, which bypasses the GARP problem. It is configured under System | Network | VMAC.
Here we define a virtual router ID, for example 100, and bind it to an interface, so that VIP requests come from that address. The virtual router ID is only used as an identifier in VMAC. After this, the HA nodes replicate the virtual address, and the MAC used between the HA nodes is the same shared one. Under Network | Interfaces, the VMAC panel shows the virtual MAC used by HA.
This article is from the "I take fleeting chaos" blog; please keep this source: http://tasnrh.blog.51cto.com/4141731/1739809
Citrix NetScaler HA (High Availability) Explained