In NetScaler Load Balancing Exchange 2010 I covered the deployment of a NetScaler device to load balance Exchange 2010. This article is an extension of that one, illustrating how to configure a second NetScaler device in a High Availability pair.
In this article I’ll illustrate how to add a secondary NetScaler device and configure High Availability to ensure you have a resilient NetScaler deployment.
Environment
Depending on how you decided to configure your NetScaler devices, either in a single-arm or two-arm topology, review the IP addressing information below as it is used in the configuration example.
Single Arm Topology
The following IP addresses are assigned to the primary NetScaler:
- 192.168.0.230 – NS1
- 192.168.0.235 – NS1 MIP
- 192.168.0.240 – SSL and EAS vServer
- 192.168.0.241 – RPC vServer
- 192.168.0.245 – SMTP vServer
A second NetScaler device, “NS2,” has been deployed (as per the instructions in NetScaler Deployment) with the following IP addresses:
- 192.168.0.231 – NS2
- 192.168.0.236 – NS2 MIP
Two-Arm Topology
The following IP addresses are assigned to the primary NetScaler:
- 192.168.0.230 – NS1
- 192.168.0.235 – NS1 MIP
- 192.168.209.240 – SSL and EAS vServer
- 192.168.209.241 – RPC vServer
- 192.168.209.245 – SMTP vServer
A second NetScaler device, “NS2,” has been deployed (as per the instructions in NetScaler Deployment) with the following IP addresses:
- 192.168.0.231 – NS2
- 192.168.0.236 – NS2 MIP
No additional configuration is required on the secondary NetScaler as the HA wizard will install any SSL certificates and configure the secondary NetScaler to be a carbon copy of the primary.
Pre-Reqs
To ensure that the HA pair functions as expected, confirm that:
- The nsroot username and password match on both NetScaler devices
Single-Arm Differences
For single-arm deployments ONLY: disable (in the NetScaler configuration utility) any unused interfaces. If you are using a single-arm topology, the likelihood is that you won’t be using one of the two NICs created by default.
HA Configuration
On the original NetScaler browse to System > High Availability, then click ‘Add…’ at the bottom of the window to define the secondary NetScaler device:
- Enter the IP address of NS2: 192.168.0.231
- Ensure the “Configure Remote System to participate in High Availability Setup” option is enabled
- Enable the “Turn off HA Monitor if interfaces/channels are down” option
When you click OK on the above window you’ll be presented with the High Availability window showing the Primary NetScaler (NS1) in an ENABLED state, and the secondary NetScaler in an “IN PROGRESS” state. This is because the secondary NetScaler is being configured as per the Primary.
Leave some time for the HA pair to synchronise; the status of NS2 should then read “SUCCESS”.
You can verify the configuration by checking that the Monitors, Service Groups and Virtual Servers now exist on the Secondary NetScaler device. Also, under Network > IPs the secondary NetScaler will list the IP addresses assigned to the Primary as “Passive”.
Note that you will be unable to configure HA Monitoring on any interfaces; if you try, you will receive the error “Operation not permitted”. This is by design on NetScaler VPX devices.
Finally, SAVE your configuration on NS1!
Failover Testing
Initiating a Failover
Now let’s perform some failover testing; I disconnected the NIC in use on NS1 to cause a failover to NS2. The status of NS1 becomes UNKNOWN on NS2, and NS2 becomes the Primary device.
The IP addresses also change from PASSIVE to ACTIVE on NS2.
If I run a constant ping when failing over the devices I drop around 2 packets.
What About Fail-back?
When NS1 is re-connected to the network it Synchronises with NS2 and will NOT automatically become the Primary device again. You can force failback by right-clicking NS1 under System > High Availability and selecting Force Failover.
Alternatively use the following command from the console to force a failover: forcefailover
Again, you’ll drop a couple of packets during the failover.
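The failover and fail-back tests above can also be timed at the service level. The following is an added example, not part of the original article: it probes the SSL vServer address from the single-arm addressing with TCP connects instead of ICMP ping and reports each outage window. Port 443, the probe interval and all function names are assumptions.

```python
import socket
import time

# SSL and EAS vServer from the single-arm addressing; port 443 is an assumption.
VIP = ("192.168.0.240", 443)


def tcp_probe(addr, timeout=0.5):
    """Return True if a TCP handshake with addr completes within timeout."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def outage_windows(samples):
    """Collapse (timestamp, ok) samples into (start, end, missed) windows.

    start is the first failed probe, end is the first successful probe after
    it, or None if the service never answered again within the samples.
    """
    windows, start, missed = [], None, 0
    for ts, ok in samples:
        if not ok:
            if start is None:
                start = ts
            missed += 1
        elif start is not None:
            windows.append((start, ts, missed))
            start, missed = None, 0
    if start is not None:
        windows.append((start, None, missed))
    return windows


def watch(addr=VIP, interval=0.5, duration=120, probe=tcp_probe):
    """Probe addr for duration seconds and return the outage windows seen."""
    samples = []
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        samples.append((time.monotonic(), probe(addr)))
        time.sleep(interval)
    return outage_windows(samples)


if __name__ == "__main__":
    for start, end, missed in watch():
        length = "still down" if end is None else f"{end - start:.1f}s"
        print(f"outage: {missed} missed probes, {length}")
```

Start it from a client on the same network before pulling the NIC or forcing the failover; an outage reported as "still down" means the vServer address never moved to the surviving node within the watch period.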
Using VMACs with High Availability
It is also possible to utilise VMACs with HA; using VMACs ensures that there is no need to update the CAM table in any switches to which the NetScaler connects. This will, in all likelihood, mean that fewer packets are dropped during failover events.
Article to follow on configuring VMACs.
Troubleshooting HA
From the command line use the following command to view the HA status of each NetScaler: show ha node