
ADC - Gateway takes too much time after failover


Prakash V

We have two VPX appliances in an HA pair hosted on VMware. The problem is that the gateway URL takes more than 2 hours to resume after a forced failover. The HA node shows up, it fails over from the GUI and everything is green, but checking the upstream network device's ARP table for the gateway VIP shows the MAC of the former primary device. If we leave the device as it is for 2 to 3 hrs, the gateway URL is accessible again. (The ARP table shows the correct MAC when the site is accessible.)

Changed the default GARP response to reply, but no luck:

set network L2Param -garpReply enabled

The network team analysed the packets and informed us that no ARP or GARP packet is triggered for the gateway VIP IP.

Analysing the ns trace files in Wireshark also confirms that no ARP request for the gateway VIP was observed; however, I do see ARP packets for other load-balanced VIPs like StoreFront and other websites.

(I'm really not sure if the gateway VIP IP will have ARP or GARP packets after switchover.)

VMAC is not possible in our environment, as the security team rejected enabling the promiscuous-mode prerequisite in VMware.

Any thoughts?

Normally, VMAC is how you solve that problem, but I see you can't use it.

Do other LB vservers GARP appropriately after failover, and just the VPN vserver is delayed in sending out the new GARP request (which might be a product bug)?

If other apps do work, can you configure an LB vserver on the HTTP:VIP of the gateway VPN vserver? Its purpose is just to listen to port 80 requests and perform redirects to HTTPS. But if the VPN vserver doesn't GARP, does the LB vserver on the same address solve the problem? (I wouldn't expect this to be a problem, because the IP setting would usually affect all vservers.)

Did you check the IP address settings? Network > IPs > <specific IP>.

Is ARP disabled in the IP settings for the IP assigned as the VIP? This may be preventing the Gateway specifically, instead of other applications. I would check the per-IP setting before changing the global behavior.

show ip <IPaddress>

Look for the -arp setting.

https://support.citrix.com/article/CTX208384/behavior-of-address-resolution-protocol-arp-and-gratuitous-arp-on-the-netscaler-device

https://support.citrix.com/article/CTX112701/faq-the-firewall-does-not-update-the-address-resolution-protocol-table

Also note in this article that the command must be set manually on both PRIMARY and SECONDARY appliances and saved to go into effect on the secondary. (This is one of the network settings that is per appliance.) When you made the change above, did you apply it to both appliances or to the primary only?

Finally, do you use VLANs to limit IPs to interfaces or channels at all?

  • Like 1

Thanks a lot Rhonda. GARP is not working only for the gateway VIP; for the other VIP IPs I can see ARP packets sent from the former secondary device after failover.

ARP is enabled for the gateway IP.

We are already using the gateway IP as a virtual server to redirect HTTP to HTTPS, but no luck.

I can see ARP packets sent out for the other VIPs using the same MAC address.

We even have a GSLB virtual server IP configured in the same subnet as the gateway VIP, and could see ARP packets for the GSLB IP.

We use only the default VLAN.

If you are using GSLB, you might be affected by cached lookups between the client and the new location. It shouldn't affect ownership of the IP by the current appliance through HA failover, though.

If Gateway VIPs are not providing GARPs, then it may be a bug that needs to be logged with support. VMACs would solve the problem, but again, I recognize your limitation there.

----

The only other thing I can think of from a config standpoint, and not a bug, would be the following:

On the IP Address properties, what are the following values:

Drop-down list: ARP Response: None, One, or All?

Because, if you have the VIP assigned to both the gateway VPN vserver AND the "down" LB vserver for the HTTP to HTTPS redirects, then the value needs to be either None (not controlled by vservers at all) or One (responds if at least one vserver using the VIP is UP). If it's set to "ALL VSERVERS", then every vserver using the VIP must be UP, and your LB vserver for the HTTP to HTTPS redirect would have to be UP with responder policies and not DOWN with the "redirect URL" protection method.

In addition to the ARP check box under "options".

  • 2 months later...

Really sorry for getting back on this very late; my mobile crashed and I lost my access to the Citrix support forum due to MFA authentication. The issue with the HA failure is resolved. It was caused by an incorrect subnet mask configured for different VIP IPs, and changing it resolved the problem for us. I learned a lot during troubleshooting and would like to thank everyone who tried helping me during this issue. Posting this solution so it will be helpful to someone.

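The two configuration checks this thread turns on (the per-IP ARP and ARP-response settings Rhonda points to, and the VIP subnet mask that turned out to be the actual cause) can be validated offline against an inventory export before the next failover test. The script below is an added example, not part of the original thread or of any Citrix tool. The inventory it runs over is constructed from documentation addresses, and the record fields, setting values and vserver names are hypothetical approximations of a `show ns ip` listing, not its real output format.

```python
import ipaddress

# Constructed sample inventory (hypothetical, not the poster's configuration).
# Fields loosely mirror what a NetScaler `show ns ip` listing exposes per address.
INVENTORY = [
    {"ip": "192.0.2.10", "netmask": "255.255.255.0", "type": "SNIP",
     "arp": "ENABLED", "arp_response": "NONE", "vservers": []},
    # Gateway VIP carrying a /16 mask while the SNIP subnet is a /24
    {"ip": "192.0.2.20", "netmask": "255.255.0.0", "type": "VIP",
     "arp": "ENABLED", "arp_response": "ALL_VSERVERS",
     "vservers": [("vpn_gw", "UP"), ("lb_http_redirect", "DOWN")]},
    # StoreFront VIP, correctly masked, single UP vserver
    {"ip": "192.0.2.30", "netmask": "255.255.255.0", "type": "VIP",
     "arp": "ENABLED", "arp_response": "ONE_VSERVER",
     "vservers": [("lb_storefront", "UP")]},
    # GSLB site VIP with ARP switched off on the address itself
    {"ip": "192.0.2.40", "netmask": "255.255.255.0", "type": "VIP",
     "arp": "DISABLED", "arp_response": "NONE",
     "vservers": [("gslb_site", "UP")]},
]


def _network(rec):
    """Subnet implied by an address record's own ip/netmask pair."""
    return ipaddress.IPv4Network((rec["ip"], rec["netmask"]), strict=False)


def subnet_mismatches(records):
    """VIPs that fall inside a SNIP's subnet but carry a different netmask.

    Returns (vip, mask_of_snip_subnet, configured_mask) tuples. This is the
    misconfiguration the thread ends on: the VIP is owned, but its mask does
    not agree with the subnet the appliance actually ARPs on.
    """
    snip_nets = [_network(r) for r in records if r["type"] == "SNIP"]
    found = []
    for r in records:
        if r["type"] != "VIP":
            continue
        addr = ipaddress.IPv4Address(r["ip"])
        for net in snip_nets:
            if addr in net and str(net.netmask) != r["netmask"]:
                found.append((r["ip"], str(net.netmask), r["netmask"]))
    return found


def arp_risks(records):
    """Per-IP settings that stop a VIP answering ARP / sending GARP after failover.

    Two conditions are flagged: ARP disabled on the IP itself, and an ARP
    response mode of ALL_VSERVERS while at least one vserver bound to the VIP
    is not UP (e.g. a redirect-only LB vserver left DOWN).
    """
    found = []
    for r in records:
        if r["type"] != "VIP":
            continue
        if r["arp"] != "ENABLED":
            found.append((r["ip"], "ARP disabled on the IP"))
        if r["arp_response"] == "ALL_VSERVERS":
            down = [name for name, state in r["vservers"] if state != "UP"]
            if down:
                found.append((r["ip"], "ALL_VSERVERS but DOWN: " + ", ".join(down)))
    return found


if __name__ == "__main__":
    for vip, expected, actual in subnet_mismatches(INVENTORY):
        print(f"{vip}: netmask {actual} differs from SNIP subnet mask {expected}")
    for vip, reason in arp_risks(INVENTORY):
        print(f"{vip}: {reason}")
```

Run against the sample, the first check reports only the gateway VIP (mask 255.255.0.0 against the SNIP's 255.255.255.0), and the second reports the gateway VIP for the DOWN redirect vserver under ALL_VSERVERS and the GSLB VIP for ARP being disabled. Feeding it the real per-IP values from both HA nodes, as Rhonda notes these settings are per appliance, gives a quick diff of what each node will actually ARP for after a failover.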