
Best practice HA settings


tohadlock


So we started out getting a ton of alerts because the NIC types between the nodes were different and we were on an older version of NS.

Both nodes now have the VMXNET 3 NIC and the latest version of NS.

 

Even after those changes and upgrades we still continue to get emails from the ADM.

Is there anything you see that we should look at or change? (attached)

 

 

NS Alerts.gif

NetScaler Node Info.gif

Link to comment
Share on other sites

You really have 5 virtual NICs in use?

Ensure that only used interfaces are enabled.
 

HAMon is not enabled on any interface?

Enable monitoring for the interfaces whose failure should cause a failover.

 

But I think your problem is that no interface is configured to send HAHeartBeats.

 

show interface <ID>

set interface <ID> [-HAHeartBeat ( ON | OFF )]

 

If a node does not receive the heartbeat messages on an enabled interface, it sends critical alerts to the specified Command Center and SNMP managers. These critical alerts give false alarms and draw unnecessary attention from the administrators for interfaces that are not configured as part of the connections to the peer node.

 

Link to comment
Share on other sites

33 minutes ago, Martin Meier said:

You really have 5 virtual NICs in use?

Ensure that only used interfaces are enabled.
 

HAMon is not enabled on any interface?

Enable monitoring for the interfaces whose failure should cause a failover.

 

But I think your problem is that no interface is configured to send HAHeartBeats.

 

show interface <ID>

set interface <ID> [-HAHeartBeat ( ON | OFF )]

 

If a node does not receive the heartbeat messages on an enabled interface, it sends critical alerts to the specified Command Center and SNMP managers. These critical alerts give false alarms and draw unnecessary attention from the administrators for interfaces that are not configured as part of the connections to the peer node.

 

 

Well, I'm certainly not an expert but I was thinking "HA HEARTBEAT OFF Interfaces: NONE" means there are no interfaces without a heartbeat.

However, the attached image below is showing that "HA monitoring" is disabled on all interfaces.

 

 

NetScaler GUI Interfaces.gif

Link to comment
Share on other sites

Look at your show int properties specifically for interface 1/4 on appliance 2 and 1/1 on appliance 1.

 

Are all 5 of your interfaces in use and connected (assuming vpx) to an appropriate hypervisor network?

Are all 5 of your interfaces on appropriate separate virtual switch/vlans and any aggregation in use is done by hypervisor and not the VPX?

 

If any interfaces are not in use they need to be disabled or set to -hamon off.

 

Check nslog for specific networking issues that might indicate if you have a misconfiguration somewhere such as a bridge loop or something else. Again, it's possible there's something wrong with the networking, which is exacerbating the problem.

shell

cd /var/nslog

nsconmsg -K newnslog -d 

 

Quick explanations:

HAMon: on/off determines whether that interface is included in ha monitoring. If hamon is OFF, changes in that interface from UP to DOWN do NOT trigger failover as the interface is non-critical. If it's ON, then any failure of the interface will trigger HA failover.

 

HAHeartbeat: ON | OFF: This is an indication if any of the interfaces have had ha heartbeat messages disabled.

By default ha heartbeats are sent on all interfaces. If heartbeats are not observed, then alerts are generated. However, you typically only should see heartbeats on the interface(s)/vlan(s) involved in NSIP to NSIP communication. So you can turn off haheartbeat participation on interfaces/channels that are not used in the nsip to nsip communication.

The summary HA Heartbeats Off: none (indicates that no interface has been disabled from heartbeat participation). But you are getting alerts for interfaces when this traffic is NOT observed. This setting can be used to limit which interfaces send ha heartbeats. (Interface/channel properties are per appliance and not synced).

 

Determine which interfaces are involved in NSIP to NSIP communication and adjust the HA heartbeat to just the required interfaces. 

If the network is requiring all traffic to be tagged or if you need to force nsvlan traffic to use a vlan other than vlan 1, you may have to take other steps.

(and/or adjust the NSVLAN and interface bindings - though you would have to break and reconfigure ha to change this...so proceed cautiously). IF this is the problem, you need to be sure you understand the fix before implementing (and how to back up config to restore).

 

See notes here about the heartbeat message:

https://docs.citrix.com/en-us/citrix-adc/current-release/system/high-availability-introduction/managing-ha-heartbeat-messages.html

 

Here for notes on changing nsvlan (though see admin guide too):  https://support.citrix.com/article/CTX201788

 

As Martin suggested, check your vlan and interface properties:

show int

show int <intnum>

show vlan

 

or

show ns runningconfig | grep vlan -i

show ns runningconfig | grep "set int" -i

 

 

 

 

Link to comment
Share on other sites
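An added example, not part of any post in this thread and not Citrix code: a small Python audit that reads the `set interface` lines returned by `show ns runningconfig | grep "set int" -i` on one node and lists the `set interface` changes needed so that heartbeats are sent only on the NSIP-to-NSIP interfaces and HA monitoring is on only for failover-critical interfaces. The sample config lines, the function names and the two interface sets passed in are assumptions made for the example; because interface properties are per appliance and not synced, run it against each node's output separately.

```python
import shlex

# Constructed sample of `show ns runningconfig | grep "set int" -i` output
# from one node (not taken from the thread's screenshots).
SAMPLE = '''\
set interface 1/1 -haMonitor OFF -throughput 0 -intftype "VMXNET3 Interface" -ifnum 1/1
set interface 1/2 -haMonitor OFF -throughput 0 -intftype "VMXNET3 Interface" -ifnum 1/2
set interface 1/3 -haMonitor OFF -haHeartbeat OFF -intftype "VMXNET3 Interface" -ifnum 1/3
set interface LO/1 -haMonitor OFF -haHeartbeat OFF -intftype Loopback -ifnum LO/1
'''

def parse_interfaces(config_text):
    """Return {interface_id: {'hamonitor': ..., 'haheartbeat': ...}}."""
    result = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # keeps quoted values such as the type string whole
        if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["set", "interface"]:
            continue
        # An option missing from the line is treated as being at its default.
        # Heartbeat default ON is stated in the thread; haMonitor default ON
        # is an assumption of this example.
        opts = {"hamonitor": "ON", "haheartbeat": "ON"}
        # Assumes every option on the line takes exactly one value.
        for key, value in zip(tokens[3::2], tokens[4::2]):
            name = key.lstrip("-").lower()
            if name in opts:
                opts[name] = value.upper()
        result[tokens[2]] = opts
    return result

def plan_changes(interfaces, nsip_path, failover_critical):
    """List the set interface commands needed to reach the intended state.

    nsip_path: interface IDs that carry NSIP-to-NSIP traffic (heartbeat ON).
    failover_critical: interface IDs whose failure should cause a failover.
    Both sets are supplied by the operator; the script cannot infer them.
    """
    commands = []
    for ifid, opts in sorted(interfaces.items()):
        if ifid.upper().startswith("LO/"):
            continue  # loopback is left alone
        want_hb = "ON" if ifid in nsip_path else "OFF"
        want_mon = "ON" if ifid in failover_critical else "OFF"
        if opts["haheartbeat"] != want_hb:
            commands.append(f"set interface {ifid} -haHeartbeat {want_hb}")
        if opts["hamonitor"] != want_mon:
            commands.append(f"set interface {ifid} -haMonitor {want_mon}")
    return commands

if __name__ == "__main__":
    for cmd in plan_changes(parse_interfaces(SAMPLE), {"1/1"}, {"1/1", "1/2"}):
        print(cmd)
```
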
