
Can ADC HA pair connect through direct cable??? (MPX5901)


Jessica Kang Jie


Hi Experts,

 

Does anyone have field experience with whether an ADC HA pair (A/P) can connect directly through a cable, not via a switch? And then configure the heartbeat traffic to go through the specific interface that directly connects to the other ADC.

I've asked a couple of Citrix guys; someone advised that connecting directly must not be done.

And someone figured it's OK, no problem.

I'm so confused. I hope I get lucky and there's someone who has really had the experience and will share the truth....

(Background: The customer is going to place an ADC HA pair in the DMZ, connecting to the inline IPS and then the firewall. They don't want heartbeat traffic to go to the firewall and the inline IPS.)


It should NOT be done. The connection is expected to travel the network.

If you do crossover them together, rebooting one causes an interface "DOWN" state on the other side as non-terminated and they both go down.

Also, it can result in a bridge loop.

There is at least one note saying not to do this here: https://support.citrix.com/article/CTX109013


Thanks for the reply.

I agree with you that this may cause a bridge loop, but I'm not sure whether:

  1. The bridge loop can be avoided by binding a VLAN to a specific interface?
  2. And one interface going down forcing the other crossover-connected interface down can be avoided by HA Fail-safe Mode configuration?

It's like:

 

+---------------------------------------------+
|   NSVLAN10        VLAN20         VLAN30     |  ADC Primary
|      |              |              |        |
|bind to 1/1 x      1/2 x          1/3 x      |
+---------------------------------------------+
       |              |              |
vlan10 |       vlan20 |       vlan30 |
       |              |              |
+---------------------------------------------+
|     1/1..x         1/2..x         1/3..x    |  Switch/Firewall
|                                             |
|     1/4..x         1/5..x         1/6..x    |
+---------------------------------------------+
       |              |              |
vlan10 |       vlan20 |       vlan30 |
       |              |              |
+---------------------------------------------+
|bind to 1/1 x      1/2 x          1/3 x      |  ADC Secondary
|      |              |              |        |
|   NSVLAN10        VLAN20         VLAN30     |
+---------------------------------------------+

 

I don't have a physical ADC that can be tested; this gives me a headache..

 

Please help


To reiterate, in the past this was definitely NOT SUPPORTED. However, the only doc I can cite is the one I did (look for "crossover" in that article and you'll find the reference).

My understanding is the config is still UNSUPPORTED and a BAD IDEA. Whether anything has changed regarding support of this config is another matter.

Your other issue is the HA pair is NSIP to NSIP communication and you would not want to restrict the NSIP to the direct link only, which would probably be required to achieve this.

I'm also not sure HA failsafe mode is going to solve your problems if they both think the other is the problem (while split brain per se shouldn't be possible, you could still end up in a very weird/unexpected network flow.)

 

Hopefully, someone else can confirm.

 
