This article describes how to set up a High Availability pair on ADC appliances.
Disable any unused ports when one network adapter is configured within an ADC high availability configuration. Refer to CTX101810 - Communication Ports Used by Citrix Technologies for a detailed list of communication ports used between the secondary and primary ADC appliances.
The primary and secondary appliances of the high availability setup use the NSIP address to communicate with each other. The NSIP addresses of the appliances are used to configure ADC HA in the following procedures.
When configuring HA, the configured appliances must have the same password for the nsroot account.
For a detailed list of points to consider for a high availability setup, refer to Citrix Documentation - Points to Consider for a High Availability Setup.
To complete this procedure from the ADC Gateway GUI, refer to Citrix Documentation - Configuring Settings for High Availability.
Note: A Secure Shell (SSH) connection is used to run the commands in this article.
Complete the following procedure to set up a High Availability pair on ADC appliances:
Log in to the primary ADC appliance and run the following command from the CLI:
set ha node -hastatus STAYPRIMARY
Log in to the secondary ADC appliance and run the following command from the CLI:
set ha node -hastatus STAYSECONDARY
Run the following command on both the primary and secondary ADC appliances to disable any network interface that is not connected to the network:
disable interface <interface_num>
From the primary ADC appliance, run the following command from the CLI to specify the ID and the NSIP address of the secondary appliance:
add HA node <id> <ipAddress>
Note: The maximum node ID for appliances in a high availability setup is 64. It can be any number. For example, you can use the number 2 for the secondary appliance. The number 64 does not indicate that you can have 64 nodes in a high availability setup. It is just a variable value. The high availability setup is always created from two appliances.
Log in to the secondary ADC appliance and run the following command from the CLI to specify the ID and the NSIP address of the primary appliance:
add HA node <id> <ipAddress>
The RpcNode password must be set on both the appliances. The passwords must be the same on each appliance. The primary appliance must be aware of the secondary RpcNode password and the secondary appliance must be aware of the primary RpcNode password.
Note: The ADC nsroot password must also be the same on each node. The RpcNode password does not have to be the same as the nsroot password.
On the primary ADC Gateway appliance, run the following command from the command line interface:
set ns rpcnode <ipAddress> -password <string>
The IP address must be the IP address of the primary appliance. For more information on the ns rpcNode command, refer to Citrix Documentation.
Run the same command and specify the IP address of the secondary appliance. Use the same password.
Repeat the action on the secondary ADC Gateway appliance, specifying both RpcNode passwords with the same commands.
After you specify the RpcNode password on the primary and the secondary appliances, run the following command to check the setting:
show ns rpcnode
After the node and RpcNode password are set up correctly on both appliances, verify the node status with the following command:
show ha node
If the RpcNode password is set correctly on both appliances, the status of the second appliance appears correctly. Otherwise, the remote node can be reported with an UNKNOWN status.
a. Node ID: 0
IP: x.x.x.x.x (ns)
Node State: UP
Master State: Primary
INC State: DISABLED
Sync State: ENABLED
Propagation: ENABLED
Enabled Interfaces : 1/1
Disabled Interfaces : 0/1 1/3 1/2 1/4
HA MON ON Interfaces : 1/1
Interfaces on which heartbeats are not seen :
SSL Card Status: UP
Hello Interval: 200 msecs
Dead Interval: 3 secs
b. Node ID: 2
IP: x.x.x.x.x
Node State: UP
Master State: Secondary
INC State: DISABLED
Sync State: SUCCESS
Propagation: ENABLED
Enabled Interfaces : 1/1
Disabled Interfaces : 0/1 1/3 1/2 1/4
HA MON ON Interfaces : 1/1
Interfaces on which heartbeats are not seen :
SSL Card Status: UP
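The status check above can be scripted against captured show ha node output. The following Python code is an added example, not part of the original article or any Citrix tooling; the sample text, addresses, and function names are constructed for illustration, and it assumes the field labels shown in the output above.

```python
import re

# Constructed sample in the layout of the "show ha node" output above.
# Addresses are documentation values (RFC 5737), not taken from the article.
TEMPLATE = """\
Node ID: 0
IP: 192.0.2.10 (ns)
Node State: UP
Master State: Primary
Sync State: ENABLED
Node ID: 2
IP: 192.0.2.11
Node State: {state}
Master State: {master}
Sync State: {sync}
"""
SAMPLE_OK = TEMPLATE.format(state="UP", master="Secondary", sync="SUCCESS")
SAMPLE_BAD = TEMPLATE.format(state="UNKNOWN", master="UNKNOWN", sync="UNKNOWN")
FIELDS = ("Node State", "Master State", "Sync State")

def parse_ha_nodes(text):
    """Split the output at each 'Node ID:' and pull out the fields in FIELDS."""
    nodes = []
    for block in re.split(r"(?=Node ID:\s*\d+)", text):
        m = re.match(r"Node ID:\s*(\d+)", block)
        if not m:
            continue  # text before the first node, e.g. a list label
        node = {"id": int(m.group(1))}
        for label in FIELDS:
            found = re.search(rf"{label}:\s*(\S+)", block)
            node[label] = found.group(1) if found else None
        nodes.append(node)
    return nodes

def ha_findings(text):
    """Return a list of problems; an empty list means the pair looks healthy."""
    nodes = parse_ha_nodes(text)
    findings = [] if len(nodes) == 2 else [f"expected 2 nodes, found {len(nodes)}"]
    for n in nodes:
        if n["Node State"] != "UP":
            findings.append(f"node {n['id']}: Node State is {n['Node State']}")
        # ENABLED and SUCCESS are the healthy values shown in the article's output
        if n["Sync State"] not in ("ENABLED", "SUCCESS"):
            findings.append(f"node {n['id']}: Sync State is {n['Sync State']}")
    if sorted(n["Master State"] or "" for n in nodes) != ["Primary", "Secondary"]:
        findings.append("expected exactly one Primary and one Secondary")
    if any(n["Node State"] == "UNKNOWN" for n in nodes):
        findings.append("remote node UNKNOWN: compare RpcNode passwords on both nodes")
    return findings
```

Running the same check again after a forced failover confirms that the two appliances have swapped roles and that synchronization still reports a healthy state.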
Use the sync HA files command on the Primary appliance to force file synchronization from the primary appliance to the secondary appliance. This command synchronizes all the SSL Certificates, SSL CRL lists, and VPN bookmarks. The primary appliance is considered authoritative and files are copied from the primary to the secondary appliance overwriting all differences.
sync ha files all
To enable the HA setup, run the following command on both the primary and secondary ADC appliances:
set ha node -hastatus ENABLED
If you added a new appliance to an already existing appliance to form an HA pair, go to the new appliance and remove the duplicate default route (0.0.0.0/0). Pairing adds the default route defined on the already existing appliance, but does not remove the default route configured on the new appliance.
After all files are synchronized and the communication between the secondary and primary appliance is working properly, test the failover scenario. The following command fully simulates a failover: the primary and secondary appliances switch roles, and the secondary appliance takes full control of all dedicated traffic and becomes the primary appliance.
force HA failover
When the high availability failover works successfully and you would like to return the primary appliance to its original state, use the command again to force the failover back.
The secondary appliance automatically becomes the primary appliance when the primary appliance is restarted and the connection between them is interrupted, because the heartbeat fails. You can configure the secondary node to remain the secondary appliance even when the primary appliance is not accessible.
This can be very helpful in specific maintenance scenarios, such as when the secondary appliance fails and must be replaced. For example, suppose the secondary appliance is replaced and the high availability setup is configured, but the configuration cannot be synchronized and the primary appliance fails or becomes inaccessible for any reason. The secondary appliance then becomes active without the proper configuration and causes problems in the infrastructure. In some scenarios, it could overwrite the configuration of the previous primary appliance if the communication between the secondary and primary appliances is established again.
Run the following command from the command line interface on the secondary appliance to keep it as the secondary:
set ha node -hastatus STAYSECONDARY
To remove the STAYSECONDARY setting, run the following command:
set ha node -hastatus ENABLED