NetScaler : Configuring High Availability


In NetScaler Load Balancing Exchange 2010 I covered deployment of a NetScaler device to load balance Exchange 2010. This article is an extension of that one, illustrating how to configure a second NetScaler device in a High Availability pair.

In this article I’ll illustrate how to add a secondary NetScaler device and configure High Availability to ensure you have a resilient NetScaler deployment.

Environment

Depending on how you decided to configure your NetScaler devices, either in a single-arm or two-arm topology, review the IP addressing information below as it is used in the configuration example.

 

Single Arm Topology

The following IP addresses are assigned to the primary NetScaler:

    • 192.168.0.230 – NS1
    • 192.168.0.235 – NS1 MIP
    • 192.168.0.240 – SSL and EAS vServer
    • 192.168.0.241 – RPC vServer
    • 192.168.0.245 – SMTP vServer

A second NetScaler device, “NS2,” has been deployed (as per instruction in NetScaler Deployment) with the following IP addresses:

    • 192.168.0.231 – NS2
    • 192.168.0.236 – NS2 MIP

 

Two-Arm Topology

The following IP addresses are assigned to the primary NetScaler:

    • 192.168.0.230 – NS1
    • 192.168.0.235 – NS1 MIP
    • 192.168.209.240 – SSL and EAS vServer
    • 192.168.209.241 – RPC vServer
    • 192.168.209.245 – SMTP vServer

A second NetScaler device, “NS2,” has been deployed (as per instruction in NetScaler Deployment) with the following IP addresses:

    • 192.168.0.231 – NS2
    • 192.168.0.236 – NS2 MIP 

 No additional configuration is required on the secondary NetScaler as the HA wizard will install any SSL certificates and configure the secondary NetScaler to be a carbon copy of the primary.

Pre-Reqs

To ensure that the HA pair functions as expected, confirm that:

  • The nsroot username and password match on both NetScaler devices

 

Single-Arm Differences

For single-arm deployments ONLY: disable (in the NetScaler configuration utility) any unused Interfaces. If you are using a single-arm topology, the likelihood is that you won’t be using one of the two NICs created by default.

 

HA Configuration

On the original NetScaler browse to System > High Availability, then click ‘Add…’ at the bottom of the Window to define the secondary NetScaler device:

  • Enter the IP address of NS2; 192.168.0.231
  • Ensure the “Configure Remote System to participate in High Availability Setup” option is enabled
  • Enable the “Turn off HA Monitor if interfaces/channels are down” option


When you click OK on the above window you’ll be presented with the High Availability window showing the Primary NetScaler (NS1) in an ENABLED state, and the secondary NetScaler in an “IN PROGRESS” state. This is because the secondary NetScaler is being configured as per the Primary.


Leave some time for the HA pair to synchronise; the status of NS2 should then read “SUCCESS”:


You can verify the configuration by checking that the Monitors, Service Groups and Virtual Servers now exist on the Secondary NetScaler device. Also, under Network > IPs the secondary NetScaler will list the IP addresses assigned to the Primary as “Passive”:


Note that you will be unable to configure HA Monitoring on any Interfaces; if you try, you will receive the error “Operation not permitted”. This is by design on NetScaler VPX devices.

Finally, SAVE your configuration on NS1!

Failover Testing

Initiating a Failover

Now let’s perform some failover testing; I disconnected the NIC in use on NS1 to cause a failover to NS2. The status of NS1 becomes UNKNOWN on NS2, and NS2 becomes the Primary device:


The IP Addresses also change from PASSIVE to ACTIVE on NS2:


If I run a constant ping when failing over the devices I drop around 2 packets:


 

What About Fail-back?

When NS1 is re-connected to the network it Synchronises with NS2 and will NOT automatically become the Primary device again. You can force failback by right-clicking NS1 under System > High Availability and selecting Force Failover.

Alternatively use the following command from the console to force a failover: forcefailover

Again, you’ll drop a couple of packets during the failover.
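To put a number on the packets dropped during a failover or forced failback, the following added example (not part of the original article) finds the runs of missing replies in a saved ping capture and estimates the outage. It assumes Linux iputils ping output and a one-second send interval; the sample capture is constructed.

```python
import re

# Reply and summary lines as printed by Linux iputils ping (assumed format).
REPLY = re.compile(r"bytes from \S+ icmp_seq=(\d+)")
SENT = re.compile(r"(\d+) packets transmitted")

def failover_gaps(ping_output, interval=1.0):
    """Return (first_lost_seq, lost_count, approx_outage_seconds) for each
    run of missing replies. interval is the ping send interval in seconds."""
    # A set drops duplicate replies; sorting tolerates out-of-order arrival.
    seqs = sorted({int(s) for s in REPLY.findall(ping_output)})
    sent = SENT.search(ping_output)
    # If the capture ended before replies resumed, the loss is at the tail:
    # add a sentinel one past the last transmitted sequence number.
    if sent and seqs and int(sent.group(1)) > seqs[-1]:
        seqs.append(int(sent.group(1)) + 1)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        lost = cur - prev - 1
        if lost > 0:
            gaps.append((prev + 1, lost, lost * interval))
    return gaps

# Constructed sample: ping against the single-arm SSL vServer address while
# NS1 is disconnected; replies 5 and 6 are missing.
SAMPLE = """\
PING 192.168.0.240 (192.168.0.240) 56(84) bytes of data.
64 bytes from 192.168.0.240: icmp_seq=1 ttl=255 time=0.52 ms
64 bytes from 192.168.0.240: icmp_seq=2 ttl=255 time=0.48 ms
64 bytes from 192.168.0.240: icmp_seq=3 ttl=255 time=0.50 ms
64 bytes from 192.168.0.240: icmp_seq=4 ttl=255 time=0.47 ms
64 bytes from 192.168.0.240: icmp_seq=7 ttl=255 time=0.61 ms
64 bytes from 192.168.0.240: icmp_seq=8 ttl=255 time=0.49 ms
64 bytes from 192.168.0.240: icmp_seq=9 ttl=255 time=0.51 ms
64 bytes from 192.168.0.240: icmp_seq=10 ttl=255 time=0.50 ms

--- 192.168.0.240 ping statistics ---
10 packets transmitted, 8 received, 20% packet loss, time 9013ms
"""

if __name__ == "__main__":
    for first, lost, secs in failover_gaps(SAMPLE):
        print(f"lost {lost} replies starting at icmp_seq={first} (~{secs:.0f}s outage)")
```

Running the same capture before and after a configuration change gives a like-for-like comparison of failover loss.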

 

Using VMACs with High Availability

It is also possible to utilise VMACs with HA; using VMACs ensures that there is no need to update the CAM table in any switches to which the NetScaler connects. This will, in all likelihood, mean that fewer packets are dropped during failover events.

Article to follow on configuring VMACs.

 

Troubleshooting HA

From the command line use the following command to view the HA status of each NetScaler: show ha node