Jump to content
Welcome to our new Citrix community!

Cant upgrade adc from 13.0 90.7 to 13.0 90.11


nlffel439

Recommended Posts

I tried to update from 13.0 90.7 to 13.0 90.11 today regarding the existing security holes.

We are running a HA federation and like HA upgrade instructions, I am updating the secondary node first. 

However, this time when I start ./installns the following message appears:

"The NetScaler software is at version NS13.0, build 90.11, but /nsconfig/ns.conf is from build 90.7."

Do you want to load another configuration? y/n (N) 
I confirm this with "N" of course

After that the known installation starts normally, the secondary node is restarted again.

 

when the secondary node is restarted, the first thing I notice is that HA Sync is not disabled. So I disable it and on the primary as well. 

If I now want to make the secondary primary via "force failover".

 

The patched node freezes as soon as it tries to establish a session (gateway).

After a 5 sec. freez it responds again, but is again secondary node

Link to comment
Share on other sites

Just wondering what are you trying to achieve by manually disabling the HA sync in the first place ?

BTW,  do you have "Session Reliability on HA failover" checked in system\setting\ica parameters ? if so try uncheck it and see if the problem remains...

 

  • Like 1
Link to comment
Share on other sites

Check if you use http2 and disable it. We also have problem when updating to the latest 13.0-90.11 and/or 13.1-45.63 on an instance. As soon as I failover to the updated node it crashes. We got a note from the support now that this is related to a http2 problem. So since we disabled that the node just works! Seems to be an open and known issue with the latest version.

  • Like 1
Link to comment
Share on other sites

when the secondary node is restarted, the first thing I notice is that HA Sync is not disabled.

Correct i witness the same from 90.7 to 90.11. 

 

Normally we always see: Sync State: AUTO DISABLED

except this release 90.11 on the secondary appliance i said this time:

Sync State: Success

 

My steps to solve this: on the secondary appliance, after the install and reboot steps:

> show ha node

[ Sync State: Success ]  

> set node-hasync disable

[ Sync State: Disabled ]

>force failover

>quit and yes

 

Start now with the primary appliance

Do all the normal steps but don't forget at the last step.

> set node -hasync enable

> show ha node

[ Sync State: Enabled ] @ primary  

[ Sync State: Success ]  @ secondary 

> quit and yes.

 

Link to comment
Share on other sites

90.11 replaces 90.7 as it's stated on the download page. So I assume internally it's the same with the security fix and so the devices will not disable sync here. They basically "think" they are running the same version. Same was seen for 13.0-88.14 and 13.0-88.16 which also was a replacement of the version.

Link to comment
Share on other sites

I'm also seeing this on the upgrade from 13.0-88.14 to 13.0-90.11.  I suspect I'm hitting this bug:
https://docs.netscaler.com/en-us/citrix-adc/13/citrix-adc-release-notes/release-notes-13-0-90-11.html

 

A Citrix ADC appliance might crash when an HTTP/2 enabled virtual server generates a response for an HTTP/2 request, instead of forwarding the request to the back-end service.

Workaround: Disable HTTP2 in the HTTP profile bound to the virtual server.

[ NSBASE-18162, NSHELP-35288 ]

 

I've upgraded 10+ Netscalers and the only one that appears to be crashing is the one that has HTTP2 enabled on a VIP via http profile.

 

I've got a case created with Citrix to confirm.

 

The symptoms I'm seeing:  Failover event to 13.0-90.11.  Within 15 seconds the appliance crashes.

Link to comment
Share on other sites

14 hours ago, Josh Slaney said:

A Citrix ADC appliance might crash when an HTTP/2 enabled virtual server generates a response for an HTTP/2 request, instead of forwarding the request to the back-end service.

Workaround: Disable HTTP2 in the HTTP profile bound to the virtual server.

[ NSBASE-18162, NSHELP-35288 ]

NSHELP-35288 is the same number I got from support last week.

 

Same for 13.1-45.63
https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-45-63.html

  • Like 1
Link to comment
Share on other sites

On 5/9/2023 at 3:40 PM, nlffel439 said:

I tried to update from 13.0 90.7 to 13.0 90.11 today regarding the existing security holes.

We are running a HA federation and like HA upgrade instructions, I am updating the secondary node first. 

However, this time when I start ./installns the following message appears:

"The NetScaler software is at version NS13.0, build 90.11, but /nsconfig/ns.conf is from build 90.7."

Do you want to load another configuration? y/n (N) 
I confirm this with "N" of course

After that the known installation starts normally, the secondary node is restarted again.

 

when the secondary node is restarted, the first thing I notice is that HA Sync is not disabled. So I disable it and on the primary as well. 

If I now want to make the secondary primary via "force failover".

 

The patched node freezes as soon as it tries to establish a session (gateway).

After a 5 sec. freez it responds again, but is again secondary node

Sometimes the HA sync works with minor code upgrades. It all depends on if they HA version # with the various codes they release match or not. Most of the time when you do a code upgrades the HA versions are different, but often times with minor code upgrades they match and continue to do the config sync.  For example, I was running 13.0-88.14 a while back and had to rebuild a netscaler standby appliance. I could only find the 13.0-88.16 on the download site.  So I built the standby VPX with 13.0-88.16 and paired it up with 13.0-88.14.  The HA versions matched so the config sync worked.  I usually check this when doing upgrades to confirm the type of impact to be expected with the failover. If the HA versions correctly sync you get some benefits with that sync from a connection failover standpoint.

Link to comment
Share on other sites

On 5/17/2023 at 7:31 AM, Jens Beyer1709152176 said:

NSHELP-35288 is the same number I got from support last week.

 

Same for 13.1-45.63
https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-45-63.html

 

New updated firmwares have just been released last night for 13.0 and 13.1 to correct those http/2 issues

From Release notes =>  Build 13.0-90.12 includes the fix for NSBASE-18162 (NSHELP-35288), along with all enhancements and bug fixes available in Build 13.0-90.11.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...