Education
CNS-218-3I Citrix ADC 12.x Essentials

Lab Manual
Version 3.01


PUBLISHED BY
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, Florida 33309 USA
http://www.citrix.com

Copyright © 2019 by Citrix Systems, Inc.

All rights reserved. Citrix, the Citrix logo are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries,
and may be registered with the U.S. Patent and Trademark Office and in other countries. [Citrix ADC.] All other marks
appearing herein are the property of their respective owners.

Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this
publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any
particular purpose. Citrix reserves the right to make any changes in specifications and other information contained
in this publication without prior notice and without obligation to notify any person or entity of such revisions or
changes.

No part of the publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording or information storage and retrieval systems, for any purpose other than the
purchaser’s personal use, without express written permission of.


Credits Page
Title                             Name
Architect                         Jesse Wilson
Product Managers                  Lissette Jimenez
Technical Solutions Developers    Aman Sharma
                                  Anton Mayers
                                  Shruti V. Dhamale
                                  Ravindra G Hunashimarad
                                  Uma Upraity
Offering Manager                  Amit Ben-Chanoch
Instructional Designer            Jayshree Nair
Graphics Designer                 Ryan Flowers
Publication Services              Nicole Tacher
Special Thanks                    Layer8 Training


Contents
Credits Page
Lab Manual Overview
Lab Environment Overview
Module 4: High Availability
    Exercise 4-1: Configuring an HA Pair (GUI)
    Exercise 4-2: Managing an HA Pair (GUI)
    Exercise 4-1: Configuring an HA Pair (CLI)
    Exercise 4-2: Managing an HA Pair (CLI)


Lab Manual Overview


In this Lab Manual, you will get valuable hands-on experience with Citrix ADC and its features. This Lab Manual
will enable you to work with product components and perform the required steps for initial configuration,
High Availability, Load Balancing, and SSL Offload.

Lab exercises are provided for both the Citrix ADC Configuration Utility (GUI) and the Citrix ADC CLI.
Students only need to perform one set of labs, either all GUI or all CLI for a given module. The other set of
exercises may be used for reference. Identify how to connect to the Citrix ADCs for each set of lab exercises.

We recommend that you use Chrome to connect to the Citrix ADC Configuration Utility when using the GUI to
perform labs.

When testing web content, any browser may be used. However, you may find it simpler to make management
connections in one browser, such as Chrome, and perform application testing in another browser, such as
Firefox.

When performing lab exercises from the CLI, you will need to connect to the Citrix ADC Management IPs
(above) using SSH. The lab environment uses PuTTY as the SSH client and WinSCP as the SFTP/SCP client.

Before starting exercises in each module, determine if you will be working in the GUI or CLI for that module.
You are encouraged to explore both versions of the lab exercises, but the exercises are written so that only
one set of exercises (GUI or CLI) can be performed at any one time, not both.

Each exercise will identify which Citrix ADC or Management IP to connect to and which account to use for
logon if not the default account (nsroot/nsroot). We also recommend that you save the configuration at the
end of each exercise unless the exercise states otherwise.


Lab Environment Overview


LAB DIAGRAM

SERVER LIST

Virtual Machine Name   Domain FQDN                       IP Address       Description
NYC-ADS-001            NYC-ADS-001.workspacelab.com      192.168.30.11    Domain Controller (Workspacelab.com)
NYC-ADS-002            NYC-ADS-002.workspacelab.com      192.168.30.12    Domain Controller 2 (Workspacelab.com)
NYC-LMP-001            NYC-LMP-001.workspacelab.com      192.168.30.61    MYSQL Database Server
NYC-LMP-002            NYC-LMP-002.workspacelab.com      192.168.30.62    MYSQL Database Server
NYC-WEB-RED            NYC-WEB-RED.workspacelab.com      192.168.30.51    Web Server
NYC-WEB-BLU            NYC-WEB-BLU.workspacelab.com      192.168.30.52    Web Server
NYC-WEB-GRN            NYC-WEB-GRN.workspacelab.com      192.168.30.53    Web Server
NYC-WEB-REMOTE         NYC-WEB-REMOTE.workspacelab.com   172.22.15.41     Web Server
Student Desktop        -                                 192.168.10.254   Hyper-V host and landing desktop. All labs performed from this system.

Citrix ADC List

Virtual Machine Name    NSIP Address        Subnet IP (SNIP) Address          Description
NYC-ADC-001 (Initial)   192.168.100.1 /16   N/A                               Citrix ADC initial configuration starts as an "out-of-box" MPX appliance
                                                                              with the default NSIP address specified. This will be changed in the
                                                                              first exercise.
NYC-ADC-001             192.168.10.101      SNIP1: 192.168.10.111 (traffic)   NYC-ADC-001 is the principal Citrix ADC for most exercises. It will be in
                                            SNIP2: 192.168.10.103 (mgmt)      an HA Pair with NYC-ADC-002, and they will be managed using the
                                                                              shared SNIP 192.168.10.103.
NYC-ADC-002             192.168.10.102                                        Secondary member of HA Pair with NYC-ADC-001.

CREDENTIALS LIST: Training Domain Users and Groups

User Name             Groups                 Password    Description
administrator         Domain Admins          Password1   Domain administrator account which can be used to access domain
                                                         controllers. Otherwise, not needed in class.
trainNSAdmin          Training_NSAdmins      Password1   Domain account used in Citrix ADC delegated administration exercise.
trainNSOperator       Training_NSOperators   Password1   Domain account used in Citrix ADC delegated administration exercise.
trainADUser           Domain Users           Password1   Domain account used as LDAP BindDN service account.
training\Contractor   Contractors            Password1   Domain account available for Citrix ADC demonstrations.


CREDENTIALS LIST: Citrix ADC Local Accounts

User Name   Delegated Admin Role   Password    Description
nsroot      superuser              nsroot      Built-in Citrix ADC account that will be used for all exercises.
testuser    custom                 Password1   Test account for delegated administration.
padmin1     Partition Admin        Password1   Test account for Admin Partitions exercise.
padmin2     Partition Admin        Password1   Test account for Admin partitions exercise.


Module 4: High Availability

Introduction:
Now that NYC-ADC-001 has an NSIP address and licensing and is fully configured on the
network, your job is to configure NYC-ADC-001 and NYC-ADC-002 in a High-Availability
pair with NYC-ADC-001 as the primary Citrix ADC.
In this module, you will perform hands-on exercises to create a High-Availability pair.

Requirements for this scenario:

• Configure an HA Pair using NYC-ADC-001 (192.168.10.101) and NYC-ADC-002
  (192.168.10.102).
• Use NYC-ADC-001 as the authoritative Citrix ADC during the initial creation of the HA
  pair so that its settings are used as the primary configuration.
• Configure a management SNIP for the HA pair which can be used to administer the
  current primary Citrix ADC in the pair. Restrict this SNIP to management access only.

The purpose of the High-Availability exercise is to allow students not just to configure the
HA Pair but also to continue working with and administering the HA pair throughout the rest
of the course. Both members will be kept as active members of the HA pair during upcoming
exercises (except during the troubleshooting exercise). You will not need to break the HA
Pair during the course.

After completing this lab module, you will be able to:

• Configure an HA pair and manage which Citrix ADC is primary.
• Adjust HA settings to control failover, synchronization, and propagation.
• Manage an HA pair using a shared SNIP address.

The module contains the following exercises using the Citrix ADC Configuration Utility GUI
and the Citrix ADC CLI:

• Exercise: Configuring an HA Pair
• Exercise: Managing an HA Pair

Before you Begin:

Estimated time to complete this lab: 30 minutes
Virtual Machines required for this module
For Module 4, connect to your assigned Hyper-V Manager console and verify that the
following virtual machines are running. If any of the virtual machines are not running, use
Hyper-V Manager to turn them on. Otherwise, Hyper-V Manager will not be needed for the
rest of the module.

• NYC-ADC-001
• NYC-ADC-002


Exercise 4-1: Configuring an HA Pair (GUI)

Introduction:
In this exercise, you will learn to configure an HA Pair. NYC-ADC-001 has initial
configurations related to networking that need to be preserved. The procedure in this
exercise will demonstrate how to create the HA Pair and control which system is identified
as Primary in the initial configuration. You will use the Citrix ADC Configuration Utility GUI to
perform this exercise.
In this exercise, you will perform the following tasks to configure the HA pair:

• Preparation: Ensure that both Citrix ADCs have an NSIP address configured and are
  properly licensed. Also ensure that each Citrix ADC is of the same platform (VPX,
  MPX, or SDX instance), model, and Citrix ADC firmware version.
• Set the intended secondary Citrix ADC to StaySecondary prior to creating the HA
  Pair.
• On the intended primary Citrix ADC, configure the HA Pair and point to the
  secondary Citrix ADC's NSIP. Through the GUI, the secondary Citrix ADC is also
  configured to join the pair.
• Verify that both Citrix ADCs are in the HA pair and that HA synchronization is
  successful.
• Perform firmware upgrade of the HA pair.
• Remove the StaySecondary option from the secondary Citrix ADC and restore it to
  normal HA participation (HA Status is enabled).
• Test failover to confirm HA operation.
• Save the configuration.

At the end of this exercise, both members will be ongoing, participatory members in the HA
pair and failover could occur freely. For the next couple of exercises, take note of whether
you are connected to the Primary or Secondary member of the HA pair. A Citrix ADC device in
the Secondary state will always display the following pop-up whenever the user logs in:


During this exercise, configuration commands will be issued to two different Citrix ADCs. Pay
attention to which system each lab step or group of steps refers to. For best results, open
two different browser windows and arrange them side-by-side or so that you can easily
switch back and forth between the Citrix ADCs.
Step Action
1. Open two different web browser windows:
   ▪ In the first browser, connect to the Citrix ADC NYC-ADC-001 Configuration Utility at
     http://192.168.10.101.
     Log on as nsroot / nsroot.
   ▪ In the second browser, connect to the Citrix ADC NYC-ADC-002 Configuration Utility at
     http://192.168.10.102.
     Log on as nsroot / nsroot.

   Note: If you get a pop-up to save the password in Google Chrome, click Save.
2. NYC-ADC-002 - Click Skip to exit the Citrix User Experience Improvement Program.
3. NYC-ADC-002 - The Initial Configuration Wizard is displayed since some essential settings are
   not yet configured. Bypass the wizard:
   ▪ Click Continue.
4. NYC-ADC-001 - Prepare for HA by viewing initial settings:

   Identify current Citrix ADC-owned IP addresses:
   ▪ Browse to System > Network > IPs.
   ▪ Take note of the NSIP, SNIP, and VIP already configured.

   View the current node state for a standalone Citrix ADC:
   ▪ Browse to System > High Availability > Nodes.
   ▪ Confirm that only one node is listed (Node 0) and this is assigned the NSIP of
     NYC-ADC-001 (192.168.10.101).
5. NYC-ADC-002 - Prepare for HA by viewing initial settings:

   Identify current Citrix ADC-owned IP addresses:
   ▪ Browse to System > Network > IPs.
   ▪ Take note that the NSIP is the only configured IP address.

   View the current node state for a standalone Citrix ADC:
   ▪ Browse to System > High Availability > Nodes.
   ▪ Confirm that only one node is listed (Node 0) and this is assigned the NSIP of
     NYC-ADC-002 (192.168.10.102).
6. NYC-ADC-002 - Configure Citrix ADC NYC-ADC-002 to StaySecondary:
   ▪ Browse to System > High Availability > Nodes.
   ▪ Select Node 0 (192.168.10.102) and click Edit.
   ▪ Select STAY SECONDARY (Remain in Listen Mode) in the High Availability Status
     drop-down list box.
   ▪ Click OK.
   Node State displays Staysecondary.

   The StaySecondary setting is used before joining the HA pair to ensure that this system will not
   become the authoritative member of the configuration and overwrite settings from
   NYC-ADC-001. If an interface fails on the intended primary, the wrong Citrix ADC could take over and an
   unexpected configuration could result. With StaySecondary configured, if the intended primary
   does not take over in the Primary role, then no Citrix ADC does until the issue is resolved.
   Alternatively, an administrator can choose to configure the High Availability Status of
   NYC-ADC-001 as STAY PRIMARY.


7. NYC-ADC-001 - Configure the HA Pair by adding NYC-ADC-002 to the NYC-ADC-001
   configurations.
   ▪ Browse to System > High Availability > Nodes.
   ▪ Click Add.

   Create HA Node:
   ▪ Type 192.168.10.102 in the Remote Node IP Address field. (This is the NSIP of
     NYC-ADC-002).
   ▪ Select the Configure remote system to participate in High Availability setup
     checkbox.
   ▪ Select the Turn off HA Monitor interface/channels that are down checkbox.
   ▪ Clear the Turn on INC (Independent Network Configuration) mode on self-node
     checkbox.
   ▪ Type nsroot in the User Name field (under Remote System Login Credential).
   ▪ Type nsroot in the Password field.
   ▪ Click Create.

   In the GUI, the Create HA Node wizard can configure the partner system in one step when the
   "Configure remote system to participate" setting is enabled. From the CLI, this requires an
   "add ha node" command to be issued on each Citrix ADC separately.
8. Verify initial HA status.

   The High-Availability summary page initially displays Node 1 (192.168.10.102) as Unknown.

   Click Refresh to update the display.

   Verify that NYC-ADC-002 (192.168.10.102) is listed as:
   ▪ Master State: Secondary.
   ▪ Node State: Staysecondary.
9. NYC-ADC-002 - Verify partner system.

   Refresh the display of the System > High Availability screen. Verify the following:
   ▪ Both nodes in the HA pair are listed.
   ▪ Node 0: 192.168.10.102 (NYC-ADC-002) is listed as Staysecondary.
   ▪ Node 1: 192.168.10.101 (NYC-ADC-001) is listed as Primary.
10. NYC-ADC-002 - Verify that HA settings are synchronized:

   View Features:
   ▪ Browse to System > Settings.
   ▪ Click Configure Basic Features.
   ▪ Verify that all features from the earlier configuration on NYC-ADC-001 are enabled.
   ▪ Click OK.

   View Modes:
   ▪ Click Configure Modes.
   ▪ Verify that MAC-based forwarding mode is enabled; if it is not, enable it now.
   ▪ Click OK.

   View Routes:
   ▪ Browse to System > Network > Routes.
   ▪ Verify that the default route is present: 0.0.0.0 0.0.0.0 192.168.10.254

   View Citrix ADC-owned IP addresses:
   ▪ Browse to System > Network > IPs.
   ▪ Verify that the NSIP is still unique: 192.168.10.102.
   ▪ Verify that NYC-ADC-002 has the VIP and SNIP from NYC-ADC-001.


11. NYC-ADC-001 - Test Failover (Attempt 1)
   ▪ Browse to System > High Availability > Nodes.
   ▪ Select Node 0 192.168.10.101.
   ▪ Click Action > Force Failover.
   ▪ Click Yes to confirm.

   Confirm: An error was received saying, "Operation is not possible due to invalid peer state."
   Reason: A node set to StaySecondary cannot take over as a Primary Citrix ADC, even with the
   force failover command. Therefore, the current Primary will not voluntarily fail over.
12. NYC-ADC-002 - Disable STAYSECONDARY and enable normal HA participation.
   ▪ Browse to System > High Availability > Nodes.
   ▪ Select Node 0 (192.168.10.102) and click Edit.
   ▪ Select Enabled (Actively Participate in HA) in the High Availability Status drop-down
     list box.
   ▪ Click OK.
13. NYC-ADC-002 - Test Failover (Attempt 2)
   ▪ Select Node 0 (192.168.10.102).
   ▪ Click Action > Force Failover.
   ▪ Click YES to confirm failover.
   ▪ Click OK in the Failover started successfully message.

   Note: The Force Failover command can be issued from either Citrix ADC regardless of its
   current role as Primary or Secondary. The command will always make the current Secondary
   the new Primary unless the node state or node health prevents the failover.
14. Verify failover:
   ▪ Refresh the Citrix ADC Configuration Utility on both Citrix ADCs to verify failover state.
   ▪ Either Citrix ADC will list 192.168.10.102 (NYC-ADC-002) as the current Primary
     member of the HA pair.
15. NYC-ADC-001 - Perform failover again to restore NYC-ADC-001 to the Primary role:
   ▪ Browse to System > High Availability > Nodes.
   ▪ Select Node 0 (192.168.10.102) and click Edit.
   ▪ Click Action > Force Failover.
   ▪ Click Yes to confirm failover.
   ▪ Click OK in the Failover started successfully message.
   Verify that 192.168.10.101 (NYC-ADC-001) is restored as the Primary Citrix ADC in the HA pair.
16. NYC-ADC-001 - Save the Citrix ADC configuration and confirm.

   Right-click the Save icon in the right-hand corner of the Citrix ADC GUI.

   Click Yes when prompted.

   Note: The save configuration command will propagate to the secondary system, saving
   configurations on both Citrix ADCs.


Key Takeaways:
• Configuring an HA Pair will result in two Citrix ADCs with a shared configuration that
  can be managed as a single entity from the Primary Citrix ADC.
• Using StaySecondary when creating the HA Pair can help administrators guarantee
  which member is authoritative in the pair and prevent unexpected failovers due to
  unforeseen issues during the initial setup phase.
• Once in an HA Pair, configuration changes will propagate from Primary to Secondary,
  including commands like save ns config. As a result, administrators must pay
  attention to which Citrix ADC is primary when performing administration using the
  NSIP addresses.

Exercise 4-2: Managing an HA Pair (GUI)

Introduction:
In this exercise, you will learn to add a SNIP to the Citrix ADC HA Pair and restrict the SNIP to
management communication only. This is useful because the Management SNIP is a shared
IP address in the HA Pair and always connects to the current Primary node. You will use the
Citrix ADC Configuration Utility GUI to perform this exercise.

In this exercise, you will perform the following tasks:

• Create a SNIP in the HA pair for management traffic (192.168.10.103/24).
• Enable management communication on this SNIP. Allow HTTP, HTTPS, and SSH.
• Manage the HA Pair using this SNIP going forward to ensure connectivity to the
  primary Citrix ADC.

Step Action
1. Keep both browsers open to the Citrix ADC Configuration Utilities of both Citrix ADCs.
   ▪ NYC-ADC-001: http://192.168.10.101
   ▪ NYC-ADC-002: http://192.168.10.102


2. NYC-ADC-001 (Primary) - Add a second SNIP enabled for Management Access.
   ▪ Browse to System > Network > IPs.
   ▪ Click Add.
   Create an IP address:
   ▪ Type 192.168.10.103 in the IP Address field.
   ▪ Type 255.255.255.0 in the Netmask field.
   ▪ Verify that Subnet IP is selected in the IP Type field.
   Under Application Access Controls (at the bottom):
   ▪ Select Enable Management Access to support the applications listed below.
   ▪ Disable Telnet. Disable FTP.
   ▪ Enable SSH.
   ▪ Enable SNMP.
   ▪ Enable GUI.
   ▪ Enable Allow access only to management applications.
   ▪ Click Create.
   Save the configuration and confirm.
3. Connect to the Citrix ADC HA Pair Configuration Utility using the management SNIP
   (ADC-MGMT SNIP) at http://192.168.10.103.

   Log on to the utility using the following credentials:

   User Name: nsroot
   Password: nsroot

   If you receive a pop-up asking "Do you want Google Chrome to save the password for this
   site?", click Save.
4. Determine which Citrix ADC the management SNIP is active on:
   Method 1:
   ▪ Go to the System page, System Information section.
   ▪ Check the NetScaler IP Address.

   Method 2:
   ▪ Navigate to System > High Availability > Nodes.
   ▪ Identify which Citrix ADC is Node 0 (self-node).

   The NSMGMT SNIP is always active on the current Primary member of the HA pair. Currently,
   this is NYC-ADC-001 (192.168.10.101).
5. Force failover:
   ▪ Navigate to System > High Availability > Nodes.
   ▪ Click Action > Force Failover.
   ▪ Click Yes to confirm.
   ▪ Click OK.
6. Click the Refresh icon next to the Save icon.
   Click OK on the error.


7. The NSMGMT SNIP (192.168.10.103) is now active on the NEW Primary (NYC-ADC-002). As a
   result, your existing management session has expired and you must log on to the new
   console.

   Reconnect to the Citrix ADC Configuration Utility using the NSMGMT SNIP:
   http://192.168.10.103.

   Log on to the utility using the following credentials:

   User Name: nsroot
   Password: nsroot

   If you receive a pop-up asking "Do you want Google Chrome to save password for this site?",
   click Save.
8. Determine which Citrix ADC the management SNIP is active on:
   ▪ Navigate to System > High Availability > Nodes.
   ▪ Identify which Citrix ADC is Node 0 (self-node).
   Method 2:
   ▪ Navigate to the System node (root node).
   ▪ Observe that the Citrix ADC IP Address is 192.168.10.102.

   The ADC-MGMT SNIP is now active on NYC-ADC-002 (192.168.10.102).
9. Perform a final HA failover to restore NYC-ADC-001 (192.168.10.101) as the primary Citrix
   ADC.
   ▪ Navigate to System > High Availability > Nodes (if not already done).
   ▪ Click Action > Force Failover.
   ▪ Click Yes to confirm.
   ▪ Click OK.
10. Reconnect to the Citrix ADC Configuration Utility using the ADC-MGMT SNIP:
   http://192.168.10.103.

   Log on to the utility using the following credentials:

   User Name: nsroot
   Password: nsroot
11. Save the Citrix ADC configuration and confirm.

IMPORTANT: The Citrix ADCs NYC-ADC-001 and NYC-ADC-002 will remain in an HA pair for the
rest of this course. The reason is to allow students to administer an HA Pair as they would in
production. While NYC-ADC-001 should be the primary Citrix ADC for the rest of the course,
this cannot be guaranteed. As a result, you will need to use the shared management SNIP
(NSMGMT SNIP: 192.168.10.103) when connecting to the Citrix ADC GUI or CLI for the rest
of the exercises, unless instructed otherwise.

Key Takeaways:
• SNIPs can be set up for management communication in addition to application
  traffic, or they can be restricted to management access only.
• If a management SNIP is configured and restricted to management communication
  only, then an additional SNIP or SNIPs for application traffic must be configured as
  well.
• SNIPs are shared IP addresses in an HA configuration and therefore are always active
  on the Primary Citrix ADC. As a result, a dedicated management SNIP is a preferred
  method for making configuration changes while in an HA Pair, as it guarantees an
  administrator is always connected to the current Primary Citrix ADC.
• Node-specific settings should still be applied by connecting to the specific NSIP
  address.
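
Added example (not part of the Citrix lab manual): a Python audit of `add ns ip` configuration lines that checks the settings chosen for the management SNIP in this exercise, namely management access restricted to management applications with Telnet and FTP disabled, and that a SNIP remains for application traffic. The sample configuration is constructed, 192.168.10.120 is a hypothetical address, and the option values assumed when a flag is omitted should be confirmed against the documentation for your firmware.

```python
import shlex

# Assumed value of each option when it is omitted from the command line.
# Confirm these against the documentation for your firmware build.
ASSUMED_DEFAULTS = {
    "type": "SNIP",
    "mgmtaccess": "DISABLED",
    "restrictaccess": "DISABLED",
    "telnet": "ENABLED",
    "ftp": "ENABLED",
}

# Constructed sample. 192.168.10.111 and 192.168.10.103 are the lab's traffic
# and management SNIPs; 192.168.10.120 is a hypothetical weak entry.
SAMPLE_CONFIG = """\
add ns ip 192.168.10.111 255.255.255.0 -type SNIP
add ns ip 192.168.10.103 255.255.255.0 -type SNIP -mgmtAccess enabled -restrictAccess enabled -telnet disabled -ftp disabled
add ns ip 192.168.10.120 255.255.255.0 -type SNIP -mgmtAccess ENABLED
"""


def parse_ns_ip(line):
    """Return the options of one `add ns ip` line as a dict, or None."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a line we can audit
        return None
    if len(tokens) < 5 or [t.lower() for t in tokens[:3]] != ["add", "ns", "ip"]:
        return None
    entry = dict(ASSUMED_DEFAULTS, ip=tokens[3], netmask=tokens[4])
    options = tokens[5:]
    # Options come as "-name value" pairs; names are case-insensitive.
    for name, value in zip(options[::2], options[1::2]):
        if name.startswith("-"):
            entry[name[1:].lower()] = value.upper()
    return entry


def parse_config(text):
    """Parse every `add ns ip` line found in a configuration dump."""
    entries = (parse_ns_ip(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def audit_management_ips(entries):
    """Map each management-enabled address to the list of its findings."""
    report = {}
    for e in entries:
        if e["mgmtaccess"] != "ENABLED":
            continue
        findings = []
        if e["restrictaccess"] != "ENABLED":
            findings.append("not restricted to management applications")
        for service in ("telnet", "ftp"):
            if e[service] != "DISABLED":
                findings.append(f"{service} is allowed")
        report[e["ip"]] = findings
    return report


def has_traffic_snip(entries):
    """True if at least one SNIP is left unrestricted for application traffic."""
    return any(e["type"] == "SNIP" and e["restrictaccess"] != "ENABLED"
               for e in entries)


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for ip, findings in audit_management_ips(parsed).items():
        print(ip, "OK" if not findings else "; ".join(findings))
    print("SNIP available for application traffic:", has_traffic_snip(parsed))
```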


Exercise 4-1: Configuring an HA Pair (CLI)

Introduction:
In this exercise, you will learn to configure an HA Pair. NYC-ADC-001 has initial
configurations related to networking that need to be preserved. The procedure in this
exercise will demonstrate how to create the HA Pair and control which system is identified
as Primary in the initial configuration. You will use the command-line interface to perform
this exercise.
In this exercise, you will perform the following tasks to configure the HA pair:

• Preparation: Ensure both Citrix ADCs have an NSIP address configured and are properly
  licensed. Also ensure that each Citrix ADC is of the same platform (VPX, MPX, or SDX
  instance), model, and Citrix ADC firmware version.
• Set the intended secondary Citrix ADC to StaySecondary prior to creating the HA
  Pair.
• On the intended primary Citrix ADC, configure the HA Pair and point to the NSIP of
  the secondary Citrix ADC. Through the GUI, the secondary Citrix ADC is also
  configured to join the pair.
• Verify that both Citrix ADCs are in the HA pair and that HA synchronization is
  successful.
• Remove the StaySecondary option from the Secondary Citrix ADC and restore it to
  normal HA participation (HA Status is enabled).
• Test failover to confirm HA operation.
• Save the configuration.

At the end of this exercise, both members will be ongoing, participating members in the HA
pair and failover could occur freely. For the next couple of exercises, take note of whether
you are connected to the Primary or Secondary member of the HA pair.

Note: A Citrix ADC in the Secondary HA state will always display the following pop-up
whenever the user logs in, to indicate that it is a secondary device in the HA pair and that
configuration changes should not be performed on this device.

During this exercise, configuration commands will be issued to two different Citrix ADCs. Pay
attention to which system each lab step or group of steps refers to. For best results, open
two SSH sessions using PuTTY and arrange them side-by-side or so that you can easily switch
back and forth between the Citrix ADCs.
Step Action
1. Open two SSH sessions using PuTTY:
   ▪ Connect to Citrix ADC NYC-ADC-001 (192.168.10.101) using SSH (PuTTY). Log on as
     nsroot/nsroot.
   ▪ Connect to Citrix ADC NYC-ADC-002 (192.168.10.102) using SSH (PuTTY). Log on as
     nsroot/nsroot.
   For best results in this exercise, arrange the PuTTY windows side-by-side so you can switch back
   and forth easily between sessions and compare settings as needed.
2. NYC-ADC-001 - Prepare for HA by viewing initial HA settings:
       show ha node

   Verify that NYC-ADC-001 is in a standalone configuration since it is the only node identified (by
   NSIP).

   Identify which interfaces are present on the Citrix ADC and which ones are critical interfaces.

   Notice that the current Node State and Master State are UP and Primary.
3. NYC-ADC-001 - Prepare for HA by viewing initial Citrix ADC-owned IP addresses:
       show ns ip

   Identify the current configuration for:
   ▪ NSIP
   ▪ SNIP(s) if any
   ▪ VIP(s) if any
4. NYC-ADC-001 - Prepare for HA by verifying version:
       show ns version
5. NYC-ADC-002 - Prepare for HA by viewing initial HA settings:
       show ha node

   Verify that NYC-ADC-002 is in a standalone configuration since it is the only node identified (by
   NSIP).

   Identify which interfaces are present on the Citrix ADC and which ones are critical interfaces.

   Notice that the current Node State and Master State are UP and Primary.
6. NYC-ADC-002 - Prepare for HA by viewing initial Citrix ADC-owned IP addresses:
       show ns ip

   Identify the current configuration for:
   ▪ NSIP
   ▪ SNIP(s) if any
   ▪ VIP(s) if any
7. NYC-ADC-002 - Prepare for HA by verifying version:
       show ns version

   Verify that the version is the same as NYC-ADC-001.


8. NYC-ADC-002 - Set node to STAYSECONDARY:
       set ha node -haStatus STAYSECONDARY

   Verify node state:
       show ha node

   The StaySecondary setting is used before joining the HA pair to ensure that this system will not
   become the authoritative member of the configuration and overwrite settings from NYC-ADC-001.
   If an interface fails on the intended primary, the wrong Citrix ADC could take over and an
   unexpected configuration could result. With StaySecondary configured, if the intended primary
   does not take over in the Primary role, then no Citrix ADC will until the issue is resolved.
9. NYC-ADC-001 - Configure the primary member of the HA pair and identify its partner system:
       add ha node 1 192.168.10.102

   View HA Status:
       show ha node

   Verify node status:
   ▪ Verify Node ID 0 (192.168.10.101) is indicated as Primary.
   ▪ Notice that Node ID 1 (192.168.10.102) is still unknown. This will not change status until
     NYC-ADC-002 is also configured to participate in the HA pair.
10. NYC-ADC-002 - Join the HA Pair as a secondary member:
       add ha node 1 192.168.10.101

   View HA status:
       show ha node

   Verify that status is received for both nodes (self-node, node 0) and partner node (node 1):
   ▪ NS_VPX_0 (192.168.10.101) is listed as Primary.
   ▪ NS_VPX_1 (192.168.10.102) is listed as Secondary with a Node State set to
     STAYSECONDARY.
   Sync State may be listed as "In Progress" until it successfully completes, in which case it then
   displays success.
11. NYC-ADC-001 - Confirm HA configuration was successful:
       show ha node
12. Verify HA Settings are synchronized.

   NYC-ADC-001 - Run the following commands to view configuration details:
       show ns ip

   NYC-ADC-002 - Run the following commands to verify configuration details are in sync:
       show ns ip

   Confirm that NYC-ADC-002 retains its unique NSIP address (192.168.10.102), but all other SNIPs
   and VIPs are inherited from the NYC-ADC-001 configuration.

   NYC-ADC-001 - Run the following commands to view features:
       show ns feature

   NYC-ADC-002 - Run the following commands to verify that features are in sync:
       show ns feature
   Confirm that NYC-ADC-002 has the same list of enabled features as NYC-ADC-001.


13. Test HA Failover.

   Currently, NYC-ADC-001 is Primary. NYC-ADC-002 is StaySecondary.

   NYC-ADC-001 - Attempt to force a failover:
       force ha failover -force

   Confirm - The following error is received

14. NYC-ADC-002 - Remove the StaySecondary setting and return the node to normal HA participation:
       set ha node -haStatus ENABLED

   Confirm settings:
       show ha node

   Verify that NYC-ADC-002 (192.168.10.102) is now identified with Node State UP and Master State
   Secondary.
15. Test HA Failover (2).

   This time, NYC-ADC-001 is still Primary. NYC-ADC-002 is Secondary.

   NYC-ADC-001 - Attempt to force a failover:
       force ha failover -force

   Confirm - Failover occurs successfully without error.

   Verify HA State:
       show ha node

   NYC-ADC-001 (192.168.10.101) is now Secondary; synchronization may be in progress.
   NYC-ADC-002 (192.168.10.102) is now Primary.
16. Repeat failover to return NYC-ADC-001 to Primary role:

   NYC-ADC-001 - Force a failover:
       force ha failover -force

   Confirm - Failover occurs successfully without error.

   Verify HA State:
       show ha node
   NYC-ADC-001 (192.168.10.101) is now Primary.
   NYC-ADC-002 (192.168.10.102) is now Secondary.


17. Save the Citrix ADC configuration.

   NYC-ADC-001 (192.168.10.101) as Primary:
       save ns config

   Note: The save configuration command will propagate to the secondary system, saving
   configurations on both Citrix ADCs.

Key Takeaways:
• Configuring an HA Pair will result in two Citrix ADCs with a shared configuration that
  can be managed as a single entity from the Primary Citrix ADC.
• Using the Staysecondary setting when creating the HA Pair can help administrators
  guarantee which member is authoritative in the pair and prevent unexpected
  failovers due to unforeseen issues during the initial setup phase.
• Once in an HA Pair, configuration changes will propagate from Primary to Secondary,
  including commands like save ns config. As a result, administrators must pay
  attention to which Citrix ADC is primary when performing administration using the
  NSIP addresses.

Exercise 4-2: Managing an HA Pair (CLI)

Introduction:
In this exercise, you will learn to add a SNIP to the Citrix ADC HA Pair and restrict the SNIP to
management communication only. This is useful because the Management SNIP is a shared
IP address in the HA Pair and always connects to the current primary node. You will use the
command-line interface to perform this exercise.
In this exercise, you will perform the following tasks:

• Create a SNIP in the HA pair for management traffic (192.168.10.103/24).
• Enable Management communication on this SNIP. Allow HTTP, HTTPS, and SSH.
• Manage the HA Pair using this SNIP going forward to ensure connectivity to the
primary Citrix ADC.
Step Action
1. Open two separate SSH sessions using PuTTY:
• Connect to Citrix ADC NYC-ADC-001 (192.168.10.101) using SSH (PuTTY). Log on as
nsroot/nsroot.
• Connect to Citrix ADC NYC-ADC-002 (192.168.10.102) using SSH (PuTTY). Log on as
nsroot/nsroot.

For best results in this exercise, arrange the PuTTY windows side-by-side so you can switch
back and forth easily between sessions and compare settings as needed.
2. Identify which Citrix ADC is Primary.
show ha node

Confirm it is NYC-ADC-001.


3. NYC-ADC-001 (Primary) - Add a second SNIP that will be enabled for management access:
add ns ip 192.168.10.103 255.255.255.0 -type SNIP -mgmtAccess enabled -restrictAccess enabled -telnet disabled -ftp disabled
4. Connect to the Citrix ADC HA Pair using the management SNIP (ADC-MGMT SNIP) at
192.168.10.103 using SSH (PuTTY).

Log on to the utility using the following credentials:

User Name: nsroot


Password: nsroot
5. Determine which Citrix ADC the session is connected to:
show ha node

The session is connected to the current primary member of the HA Pair
(NYC-ADC-001:192.168.10.101).
6. Force HA failover:
force ha failover -force
7. Reconnect to the Citrix ADC HA Pair using the ADC-MGMT SNIP (192.168.10.103) using SSH
(PuTTY).

Log on to the utility using the following credentials:

User Name: nsroot


Password: nsroot
8. Verify that you are connected to the NEW Primary Citrix ADC (NYC-ADC-002:192.168.10.102):
show ha node
9. Perform a final HA failover to return NYC-ADC-001 to the Primary role:
force ha failover -force
After forcing failover, you need to reconnect.
10. From the ADC-MGMT SNIP, save the config:
save ns config

IMPORTANT: The Citrix ADCs NYC-ADC-001 and NYC-ADC-002 will remain in an HA pair for the
rest of this course in order to allow students to administer an HA Pair as they would in
production. While NYC-ADC-001 should be the primary Citrix ADC for the rest of the course,
this cannot be guaranteed. As a result, you will need to use the shared management SNIP
(ADC-MGMT SNIP: 192.168.10.103) when connecting to the Citrix ADC GUI or CLI for the
rest of the exercises, unless instructed otherwise.
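
The management SNIP settings from step 3 can be checked after the fact. The following is an added example, not part of the Citrix lab manual: a Python audit of `add ns ip` lines, as they would appear in a saved configuration, that flags any management-enabled address lacking `-restrictAccess` or leaving Telnet/FTP on. The 192.0.2.x lines are constructed sample input, and the option defaults are assumptions taken from the Citrix ADC command reference.

```python
import shlex

# Assumed defaults for options omitted from an "add ns ip" line
# (per the Citrix ADC command reference; verify on your build).
DEFAULTS = {"type": "SNIP", "mgmtaccess": "DISABLED",
            "restrictaccess": "DISABLED", "telnet": "ENABLED", "ftp": "ENABLED"}

def parse_add_ns_ip(line):
    """Return (ip, options) for an 'add ns ip' line, or None for other lines."""
    tokens = shlex.split(line)
    if len(tokens) < 5 or [t.lower() for t in tokens[:3]] != ["add", "ns", "ip"]:
        return None
    opts = dict(DEFAULTS)
    rest = tokens[5:]  # everything after the IP address and netmask
    for i, tok in enumerate(rest[:-1]):
        if tok.startswith("-"):
            opts[tok[1:].lower()] = rest[i + 1].upper()
    return tokens[3], opts

def audit_mgmt_ips(config_text):
    """List (ip, finding) pairs for every IP with management access enabled."""
    findings = []
    for line in config_text.splitlines():
        parsed = parse_add_ns_ip(line.strip())
        if parsed is None:
            continue
        ip, opts = parsed
        if opts["mgmtaccess"] != "ENABLED":
            continue  # not a management address, nothing to check
        if opts["restrictaccess"] != "ENABLED":
            findings.append((ip, "restrictAccess not enabled"))
        for proto in ("telnet", "ftp"):
            if opts[proto] != "DISABLED":
                findings.append((ip, f"{proto} not disabled"))
    return findings

# First line is the lab's step 3 command; the other two are constructed.
SAMPLE = """\
add ns ip 192.168.10.103 255.255.255.0 -type SNIP -mgmtAccess enabled -restrictAccess enabled -telnet disabled -ftp disabled
add ns ip 192.0.2.50 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 192.0.2.60 255.255.255.0 -type SNIP
"""

if __name__ == "__main__":
    for ip, finding in audit_mgmt_ips(SAMPLE):
        print(f"{ip}: {finding}")
```

The lab's own SNIP (192.168.10.103) produces no findings; the constructed 192.0.2.50 entry is reported three times because it enables management access and leaves the other options at their assumed defaults.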

Key Takeaways:
• SNIPs can be set up for management communication in addition to application
traffic, or they can be restricted to management access only.
• If a management SNIP is configured and restricted to management communication
only, then an additional SNIP or SNIPs for application traffic must be configured as
well.
• SNIPs are shared IP addresses in an HA configuration and therefore are always active
on the Primary Citrix ADC. As a result, a dedicated management SNIP is a preferred
method for making configuration changes while in an HA Pair as it guarantees an
administrator is always connected to the current Primary Citrix ADC.
• Node-specific settings should still be applied by connecting to the specific NSIP
address.
