[NetScaler] Service State doesn't sync to Secondary node in HA setup

Article ID: CTX561262

Description

When you build a NetScaler HA pair with VPX instances on the SDX platform, you may observe that the Primary node doesn't sync service UP/DOWN events to the Secondary node.
The issue can affect the following SDX platforms: SDX 8900, SDX 15000, SDX 15000-50G, SDX 26000, and SDX 26000-50S.

Resolution

  1. Upgrade both SVM & VPX to 13.1 Build 24.38 or higher. 
Release Note:
https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-24-38.html
After upgrading a NetScaler SDX appliance to release 13.1 build 21.50 or later, SSL decryption and MAC comparison might fail. As a result, you might see SSL handshake failures, VPX status flapping, unavailability of the VPX instance GUI, and virtual servers and application going down.
Note: This issue is observed on the SDX 8900, SDX 15000, SDX 15000-50G, SDX 26000, and SDX 26000-50S platforms.
[ NSHELP-31672 ]
 
Note:
The bug can cause many different symptoms because many modules call the Intel Coleto SSL card.

Problem Cause

Service state sync messages are carried on the SecureRPC channel (port 3009). The issue occurs because there is no valid SecureRPC channel. Every time the Primary node tries to re-establish the channel, the Secondary node resets the connection from the Primary node with reset code 9811, which is caused by the SSL module.
Reference: Citrix ADC (NetScaler) Reset Codes reference

When you check the counters, you may observe the following when the issue occurs:

  108    0     66395     1    0 ssl_err_card_process_fail_rst Thu Apr 20 10:11:37 2023
  109    0     66395     1    0 ssl_err_coleto_decmsg_auth_failures Thu Apr 20 10:11:37 2023
  110    0     66395     1    0 ssl_err_coleto_dec_msg Thu Apr 20 10:11:37 2023
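
The following is an added example, not part of the Citrix article: a small offline parser that scans saved counter output for the three counters listed above and reports the sample times at which all three incremented together. The column meanings (index, rtime, total, delta, rate/sec, name, timestamp) and the "all three in one sample" rule are assumptions of this example.

```python
import re
from datetime import datetime

# The three counters the article lists for this issue.
INDICATORS = frozenset({
    "ssl_err_card_process_fail_rst",
    "ssl_err_coleto_decmsg_auth_failures",
    "ssl_err_coleto_dec_msg",
})

# Assumed columns: index, rtime, total, delta, rate/sec, name, timestamp.
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<total>\d+)\s+(?P<delta>-?\d+)\s+-?\d+\s+"
    r"(?P<name>\S+)\s+(?P<ts>\w{3}\s+\w{3}\s+\d+\s+[\d:]{8}\s+\d{4})\s*$"
)

# Constructed input: lines 108-110 are copied from the article, the rest is made up.
SAMPLE = """\
# constructed header line, skipped by the parser
  108    0     66395     1    0 ssl_err_card_process_fail_rst Thu Apr 20 10:11:37 2023
  109    0     66395     1    0 ssl_err_coleto_decmsg_auth_failures Thu Apr 20 10:11:37 2023
  110    0     66395     1    0 ssl_err_coleto_dec_msg Thu Apr 20 10:11:37 2023
  111    0        12     0    0 example_unrelated_counter Thu Apr 20 10:11:37 2023
  112 7000     66396     1    0 ssl_err_coleto_dec_msg Thu Apr 20 10:11:44 2023
"""

def parse_counters(text):
    """Yield one dict per counter line; headers and unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # collapse padding such as "Apr  5"
        yield {
            "name": m["name"],
            "total": int(m["total"]),
            "delta": int(m["delta"]),
            "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        }

def find_signature(text):
    """Return {sample time: counter names} where all three indicators incremented."""
    seen = {}
    for c in parse_counters(text):
        if c["name"] in INDICATORS and c["delta"] > 0:
            seen.setdefault(c["time"], set()).add(c["name"])
    return {t: names for t, names in seen.items() if names == INDICATORS}

if __name__ == "__main__":
    for when, names in find_signature(SAMPLE).items():
        print(when.isoformat(), "all three SSL card counters incremented:", ", ".join(sorted(names)))
```
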