Rich's blog

Citrix ADC In Service Software Upgrade

Posted on by user

With the release of the version 13 firmware for the Citrix ADC a new feature is now available that allows for In Service Software Upgrades. During the normal upgrade process, at some point, both nodes run different firmware builds. If these builds have different high availability version numbers, connection failover (even if it is enabled) for existing connections is not supported. This means that existing data connections are interrupted during the “force failover” step in the migration, which leads to down time.

The new In Service Software Upgrade capability of Citrix ADC eliminates this downtime by allowing all communications to flow to the new Primary node, but it will then forward all existing connections back to the original node utilizing a SYNC VLAN GRE tunnel. The traffic is then returned from the original ADC node to the destination. Once all existing connections have terminated normally, the failover is complete, and the second node can be upgraded. This allows for a zero downtime upgrade capability that was not there prior to the new version 13 firmware.

There are a few requirements for this feature to be able to be utilized

  • It requires the establishment of a SYNC VLAN
  • ISSU is not supported in Azure, as Microsoft Azure does not support GRE tunneling
  • High Availability config propagation and synchronization do not work during ISSU (much like they did in the normal upgrade process)
  • ISSU is not supported for IPv6 high available setups
  • ISSU is not supported for Jumbo Frames, IPv6 Sessions, and Large Scale NAT (LSN)

Once you have met these requirements, you can utilize the ISSU instead of force failover to perform the upgrade process. From the CLI you would run

start ns migration

If you run in to an issue while the migration is still occurring (found a problem with the firmware etc.) you can stop the migration similarly with

stop ns migration

You can also perform this function from the GUI utilizing the “Migration” button on the System Information page. You can stop the migration in progress from the same location. Once all existing connections are ended normally, you can proceed with the upgrade of the second node.

Image showing the Migration Button as it appears on the System Information page in the NetScaler GUI. For the In Service Software Upgrade of the ADC

Instructions on how to perform the ISSU upgrade can be found here.

Instructions on setting up the HA SYN VLAN can be found here.

My NetScalers were already at the latest build, so I am looking forward to using this method in the future.

Leave a Reply

Your email address will not be published. Required fields are marked *