
Need help/guidance to setup full VPN with 2 Netscalers in a cluster


Hello All,

We are planning to put two NetScalers in a cluster and use them for a full VPN solution.

I referred to the document below:

https://docs.citrix.com/en-us/legacy-archive/downloads/netscaler-12-0.pdf

It is mentioned that NetScaler Gateway (SSL VPN / full VPN and clientless VPN) and DHCP RA are configured at node level (page 1835).

So does this mean that we cannot deploy a VPN solution with a cluster setup? Just curious to know if my understanding is right or not; could you please help me?

If I am wrong and we can use a NetScaler cluster for a full VPN solution, can we use a single DHCP scope for leasing IP addresses to end users?


If you only have two appliances, then an HA pair is probably preferred: 2 appliances only, active/passive config, relatively simple to set up and maintain, and all features are supported.

A cluster (multi-active) config is usually best done at 3 or more nodes so you can have an N+1 plan for fault tolerance and allow scale-out. While it can be done with only 2 appliances, you aren't doubling your capacity, as you need to plan for an N+1 scenario where one appliance fails. If you need to scale out in the future, that is a consideration. But as you noted, NOT all features are supported in a cluster (some are fully supported and will scale out, some are node-only and will not scale, and a few features are not supported at all) AND it is a more complicated config regarding cluster networking to set up.

IF you plan to use the gateway in full VPN mode, then it will be node-only and will not scale in a cluster as a multi-node feature. As a node-only config it can be deployed in a cluster, but it will not scale to multiple nodes and will basically be an active/passive/passive failover instead. So same scale as HA but more complications. So a VPN vserver in full VPN mode is supported in the cluster, but node-level only, and will not be multi-node in the cluster. Features listed as "NO" are not supported at all.

Also note that you can create an HA pair on an existing appliance without losing configuration (if you do it properly). Any time you switch an appliance from standalone to cluster, the entire config is wiped out and the appliance is reset to function as a cluster member. You lose any existing configuration.

Also, you should look at the 13.0 version of the cluster support admin guide for the full feature list and latest config: https://docs.citrix.com/en-us/citrix-adc/current-release/clustering.html

So, are you sure you need a cluster for this or an HA pair?
Hi Rhonda,

Thank you so much for responding!

Actually, we are just checking if we can use the VPN service with a cluster setup. But it seems there is no use, as VPN can be applied at node level only.

If we go ahead with an active/passive setup, we can use the same DHCP scope (to lease IP addresses to VPN users) as both active and passive nodes will have the same configuration. Correct?

Now let's say we are using the 10.10.0.0/19 subnet for VPN users, and a VPN user wants to communicate with one of our servers:

Incoming traffic:

VPN user --> Active Citrix Gateway --> Distribution layer --> Spine switch --> Leaf switch --> Server

Return traffic:

Server --> Leaf switch --> Spine switch --> Distribution layer --> Active Citrix Gateway --> VPN user

To pass the return traffic, our distribution layer should know that, to reach the 10.10.0.0/19 network, it should forward traffic to the active box.

To exchange routes we should run OSPF on the NetScaler and distribution switches, right? Static routes are not a good option because the next hop IP address (the active NetScaler IP) changes based on the availability of the NetScaler.


If you are using the VPN vserver in ICA Proxy mode only, then it can be used in a cluster (multi-active node config). If you are using the other VPN features (full VPN vserver or clientless connections), then it is node-only in a multi-node cluster.

HA info is here: https://docs.citrix.com/en-us/citrix-adc/current-release/system/high-availability-introduction.html

When you configure High Availability (listed under the System section of the admin guide), your two appliances share a single configuration. One system is primary (active) and the other system (same location) is secondary (passive). They retain unique NSIP addresses and HA node settings, but most other settings are shared: features/modes/routes/vservers/services/policies, for example. All config is made once on the primary system and pushed to the secondary.

So you will have only one VIP per VPN vserver regardless of which system is "primary". You will have only one DHCP scope, etc. If you deploy two VPN vservers, they will both be hosted on the primary ADC. During failover the secondary system will take ownership of the shared IPs previously owned by the primary.

20 minutes ago, Sharath Babu1709162854 said:

To pass the return traffic, our distribution layer should know that, to reach the 10.10.0.0/19 network, it should forward traffic to the active box.

This should be addressed by my previous statements, but just to restate.

In an HA pair, NSA and NSB retain their NSIP (ADC IP) as a unique IP address.

All other IPs such as SNIPs and VIPs are shared. Only the primary system takes ownership of (GARPs) these IPs with its MAC addresses (it owns its own NSIP and any SNIPs/VIPs and other shared IPs). The secondary system takes ownership of its NSIP (NSIP B in this case) only. It has the config of the other IPs (and all other entities) but doesn't take ownership in passive mode, so as to avoid IP conflicts.

IF the primary fails, the secondary now takes active ownership of the SNIPs/VIPs too by sending out GARPs with these IPs and its MAC addresses.

Return traffic will always be owned by the current primary, as these VIPs and SNIPs are only owned/active on a single node at one time.

You then made this statement:

24 minutes ago, Sharath Babu1709162854 said:

To pass the return traffic, our distribution layer should know that, to reach the 10.10.0.0/19 network, it should forward traffic to the active box.

To exchange routes we should run OSPF on the NetScaler and distribution switches, right? Static routes are not a good option because the next hop IP address (the active NetScaler IP) changes based on the availability of the NetScaler.

The IPs DO NOT change unless you've deployed the ADC/NS HA pair in INC mode (independent network configuration mode). But there's no indication in the description so far that this is necessary. I'm assuming this is off and that you are deploying a standard HA pair. The only unique IPs are the respective NSIP addresses, AND THESE are not used in traffic flow like VIPs and SNIPs are, which are shared IPs.

While OSPF can be used in some cases, unless INC mode is in use, you DO NOT need it for traffic failover with an HA pair under normal operations.
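The failover behaviour described in the reply above, as an added example that is not code from the thread, from Citrix, or from any NetScaler API: a small Python model in which NSA and NSB keep unique NSIPs, the shared SNIP and VIP are owned only by the current primary and re-announced with gratuitous ARP (GARP) on failover, and an upstream distribution switch with a static route for 10.10.0.0/19 via the shared SNIP keeps delivering return traffic without any OSPF. The INC-mode branch (per-node SNIPs, with the static route pinned to one node's SNIP) is my assumption about how the case the reply rules out would behave, not something the thread states. All addresses other than the 10.10.0.0/19 VPN pool are constructed sample values.

```python
"""HA-pair failover model (added example; not code from the thread or from Citrix).

Two nodes keep unique NSIPs. The shared SNIP and VIP are owned only by the
current primary, which announces them with GARP. An upstream switch keeps an
ARP cache and a static route for the VPN pool whose next hop is the shared
SNIP, so the route survives failover. With INC mode (modelled here as
per-node SNIPs, an assumption) the same static route points at a dead node.
All addresses except the 10.10.0.0/19 pool are constructed sample values.
"""
from dataclasses import dataclass
import ipaddress

VPN_POOL = ipaddress.ip_network("10.10.0.0/19")          # VPN user pool from the thread
SHARED_VIP = "198.51.100.10"                             # gateway VIP (constructed)
SHARED_SNIP = "192.0.2.10"                               # shared SNIP (constructed)
NSIP = {"NSA": "192.0.2.2", "NSB": "192.0.2.3"}           # unique per node (constructed)
NODE_SNIP = {"NSA": "192.0.2.12", "NSB": "192.0.2.13"}    # per-node SNIPs, INC mode only (assumed)
MAC = {"NSA": "00:00:5e:00:53:0a", "NSB": "00:00:5e:00:53:0b"}


@dataclass(frozen=True)
class Garp:
    ip: str
    mac: str


class HAPair:
    def __init__(self, primary="NSA", inc_mode=False):
        self.primary = primary
        self.inc_mode = inc_mode

    def owned_ips(self, node):
        """IPs a node answers ARP for: its NSIP always, shared IPs only while primary."""
        ips = {NSIP[node]}
        if self.inc_mode:
            ips.add(NODE_SNIP[node])          # INC mode: each node keeps its own SNIP
        if node == self.primary:
            ips.add(SHARED_VIP)
            if not self.inc_mode:
                ips.add(SHARED_SNIP)          # standard HA: the SNIP floats with the primary role
        return ips

    def announce(self):
        """GARPs both nodes send; only the primary announces the shared IPs."""
        return [Garp(ip, MAC[n]) for n in ("NSA", "NSB") for ip in sorted(self.owned_ips(n))]

    def failover(self):
        """Swap roles and return the GARPs the new primary sends."""
        self.primary = "NSB" if self.primary == "NSA" else "NSA"
        return self.announce()

    def forwards(self, node):
        return node == self.primary           # the secondary holds the config but forwards nothing


class DistributionSwitch:
    def __init__(self, vpn_next_hop):
        self.arp = {}                         # ip -> mac learned from GARPs
        self.routes = {VPN_POOL: vpn_next_hop}  # static route, as configured on day one
        self.ip_moves = []                    # (ip, old_mac, new_mac): failover evidence

    def learn(self, garps):
        for g in garps:
            old = self.arp.get(g.ip)
            if old is not None and old != g.mac:
                self.ip_moves.append((g.ip, old, g.mac))
            self.arp[g.ip] = g.mac

    def next_hop_mac(self, dst):
        """Resolve the MAC a return packet for dst is framed to, or None if unroutable."""
        addr = ipaddress.ip_address(dst)
        for net, nh in self.routes.items():
            if addr in net:
                return self.arp.get(nh)
        return None


def return_path_after_failover(inc_mode=False):
    """Send a return packet for a VPN user before and after failover.
    Returns (mac_before, mac_after, delivered_after, ip_moves)."""
    ha = HAPair(primary="NSA", inc_mode=inc_mode)
    next_hop = NODE_SNIP["NSA"] if inc_mode else SHARED_SNIP
    sw = DistributionSwitch(next_hop)
    sw.learn(ha.announce())
    before = sw.next_hop_mac("10.10.5.7")     # constructed VPN user address in the pool
    sw.learn(ha.failover())
    after = sw.next_hop_mac("10.10.5.7")
    mac_to_node = {m: n for n, m in MAC.items()}
    delivered = ha.forwards(mac_to_node[after]) if after else False
    return before, after, delivered, sw.ip_moves


if __name__ == "__main__":
    for mode in (False, True):
        before, after, ok, moves = return_path_after_failover(inc_mode=mode)
        print(f"inc_mode={mode}: next hop {before} -> {after}, delivered={ok}, moves={moves}")
```

In the standard HA run the static route's next hop never changes; only the ARP entry for the shared SNIP and VIP moves from NSA's MAC to NSB's, which is exactly the GARP behaviour the reply describes. The `ip_moves` list doubles as a monitoring hook: a shared IP moving between the two known node MACs is a failover worth logging, while a move to any other MAC is a sign of misconfiguration or ARP spoofing and should alert.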

 

 

