Configuration Sync\Propagation and GSLB Metrics Exchange Might Fail After Upgrade to 13.0 64.x\12.1 61.x


Article ID: CTX292743


Description

Citrix ADC software version 13.0 build 64.x and later, and version 12.1 build 61.x and later have Secure RPC enabled by default. After upgrading to one of these versions from an older version, you may experience issues with configuration synchronization and propagation and/or GSLB metrics exchange (MEP) between ADC appliances which are configured to use HA, Clustering, or GSLB.

The two issues that may occur are:

Issue #1: Configuration synchronization and/or GSLB metrics exchange fail due to being blocked by firewalls:

  • Non-secure configuration synchronization and propagation for HA, clustering and GSLB communicate on TCP port 3010. In secure mode, this changes to TCP port 3008.

  • Non-secure GSLB Metrics Exchange Protocol (MEP) communicates on TCP port 3011. In secure mode, this changes to TCP port 3009.

Issue #2: Configuration synchronization and/or GSLB metrics exchange fail due to difference in RPC mode configuration on different ADCs:

  • All appliances participating in an HA, Clustered, or GSLB configuration must use the same RPC method (secure or non-secure). Synchronization failures and GSLB MEP failures will occur if some ADCs are configured with secure RPC and other ADCs are configured with non-secure RPC.

  • ADCs running software versions older than 13.0 build 64.x or 12.1 build 61.x may still be configured to use non-secure RPC.

Note that both issues may occur simultaneously, and if so, multiple steps may be required to resolve both issues.
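
The following is an added example, not part of the original article or Citrix tooling: a Python check that reports both issues for a set of RPC peers, using the port numbers given above. The function names, the inventory format, and the 192.0.2.x addresses are assumptions made for illustration; it assumes each node is probed on the ports for its own configured mode, from a host whose firewall path matches the path between the ADCs.

```python
import socket

# Ports as stated in the article, keyed by "secure RPC enabled?".
PORTS = {
    False: {"sync": 3010, "mep": 3011},  # non-secure RPC
    True: {"sync": 3008, "mep": 3009},   # secure RPC
}

def probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(nodes, uses_mep, reachable=probe):
    """nodes maps address -> secure RPC enabled (hypothetical inventory format).

    reachable(host, port) is injectable so the logic can be exercised offline.
    Returns a list of findings; an empty list means neither issue was seen.
    """
    findings = []
    # Issue #2: every peer must use the same RPC method.
    if len(set(nodes.values())) > 1:
        secure = sorted(a for a, s in nodes.items() if s)
        plain = sorted(a for a, s in nodes.items() if not s)
        findings.append(
            f"Issue #2: mixed RPC modes (secure={secure}, non-secure={plain})")
    # Issue #1: the ports for each node's configured mode must be allowed.
    services = ["sync"] + (["mep"] if uses_mep else [])
    for addr, secure in sorted(nodes.items()):
        for svc in services:
            port = PORTS[secure][svc]
            if not reachable(addr, port):
                findings.append(
                    f"Issue #1: {addr} tcp/{port} ({svc}) not reachable")
    return findings

if __name__ == "__main__":
    # Constructed sample: one upgraded peer (secure), one older peer, and a
    # simulated firewall that still only permits the pre-upgrade ports.
    sample = {"192.0.2.10": True, "192.0.2.11": False}
    legacy_firewall = lambda host, port: port in (3010, 3011)
    for line in diagnose(sample, uses_mep=True, reachable=legacy_firewall):
        print(line)
```

Calling `diagnose` without the `reachable` argument performs real TCP connection attempts; a port reported as not reachable can mean either a firewall block or a peer that is not listening in that mode.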

Resolution

If you wish to use Secure RPC (preferred)

  1. Modify firewall policies to allow TCP ports 3008 and/or 3009 as appropriate between ADCs which will now be using secure RPC to communicate.
  2. Configure all ADCs which must communicate using RPC to use secure RPC.

If you wish to use non-Secure RPC

Configure all ADCs which must communicate using RPC to use non-secure RPC. No firewall changes are necessary in this case as RPC communication will continue using the same TCP ports as before the upgrade.

Please note that disabling secure RPC to resolve either issue removes the security benefits of secure RPC.
For details on configuring the security mode of RPC nodes, please see CTX114087.


Problem Cause

Secure RPC is enabled by default in ADC software version 13.0 build 64.x and later, and version 12.1 build 61.x and later.