
Unable to get HA sync functioning with new netscalers

Gregory Moore


Hey guys and gals... maybe someone can help me wrap my head around this issue.


I have two Netscalers, both have been upgraded to v13.x. They are:

* NS1 -

* NS2 -


I'm trying to put the pair into HA mode with the following command from the CLI: add ha node 1 -inc enabled


When I run this command via CLI or even if I do it via GUI, I get the error of "cannot log into" and the secondary node shows as UNKNOWN.


Here's what I've already done to make sure that communication is set:

* The NSROOT password is the same for both boxes

* The RPC secure node pw is the same as the NSROOT pw

* Both boxes are on the same subnet and are literally next door neighbors so there should be no firewall issues

* The ports for traffic are open

* Secure access mode from the GUI is not enabled


Any suggestions would be helpful before I go charge the network team up and have them put in explicit firewall rules and/or call Citrix....


HARDWARE: MPX14030 devices


NOTE: the ip addresses are for conversation only; they are not real to my environment.



Checking the basics first:

Have you added the NSIP for each ADC on both NetScalers?

NSA:  add ha node 1 <nsipB> -inc enabled

NSB:  add ha node 1 <NSIPA> -inc enabled


1) Both nodes have to know they are participating in HA to exchange info. (Just to be clear in the above)

2) The rpc node passwords do not have to be the same as the nsroot password BUT the rpc node password for nsipA has to have the same password on appliance A and B (and the nsipB rpc node password has to be the same on A and B).  You will not have the "remote" rpc node until after the ha node is added on each system.


If after this, they still aren't doing the initial config... other things to check


1) When you do an ha status, does either node show as NOT UP (unhealthy), and if so, are any interfaces or channels listed as DOWN or as critical interfaces? These interfaces need to either be disabled if not in use OR fixed prior to joining the ha pair. Or mark as -hamon disabled to ignore state until later.

on each system, run:

show ha node

(both nodes should be displayed and appropriate statuses on both systems)


2) If both nodes are participating in HA AND both nodes have an rpcnode for themselves AND their partner (both rpcnodes on both systems) and still they can't communicate, you need to check if you have ACLs on the ADC or on a firewall or other network security preventing the necessary NSIP to NSIP communication.


3) If inc mode is in use, then more parts of the config will remain independent and will have to be set on both systems manually and will not be propagated/synced. But you should still see initial ha sync working.
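
The checks in the reply above, written out as one CLI sequence. This is an added example, not part of the original thread and not Citrix's own procedure. `<nsipA>` and `<nsipB>` follow the reply's placeholders; `<rpc-secret-A>`, `<rpc-secret-B>` and interface `1/4` are placeholders assumed here, and `-secure YES` is an optional hardening setting the thread does not mention.

```netscaler
# ---- On appliance A (NSIP = <nsipA>) ----
# Tell A who its partner is. The IP address argument is required.
add ha node 1 <nsipB> -inc ENABLED

# Each NSIP gets its own RPC node secret. It does not need to match nsroot,
# but the secret for a given NSIP must be identical on both appliances.
# The remote entry (<nsipB>) only exists after the "add ha node" above.
set ns rpcNode <nsipA> -password <rpc-secret-A> -secure YES
set ns rpcNode <nsipB> -password <rpc-secret-B> -secure YES

# ---- On appliance B (NSIP = <nsipB>) ----
add ha node 1 <nsipA> -inc ENABLED
set ns rpcNode <nsipA> -password <rpc-secret-A> -secure YES
set ns rpcNode <nsipB> -password <rpc-secret-B> -secure YES

# ---- On both appliances: verify ----
# Both NSIPs must be listed, with the same Secure setting on A and B.
show ns rpcNode

# Both nodes must be listed. A node that is NOT UP usually points at an
# interface that is down but still monitored.
show ha node

# Assumed example: 1/4 is cabled but not in use, so stop HA from monitoring it.
set interface 1/4 -haMonitor OFF

# If the partner still shows UNKNOWN, check ACLs and firewalls between the
# NSIPs: heartbeats use UDP 3003; sync and command propagation use
# TCP 3010/3011, or TCP 3008/3009 when -secure YES is set.

save ns config
```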



