How to turn off/on Auto-Sync on NetScaler High Availability Node after testing safely confirms new configuration?

Pkafkas
Pkafkas used Ask the Experts™
on
How can we use the secondary Citrix NetScaler Server, in an H.A. pair to safely test out new configurations before the same changes are propagated to the other NetScaler?

We have 2 x version 12.0 Citrix NetScaler Servers in our environment.  They both are setup for auto-sync and propagation by default; but according to websites:

- https://support.citrix.com/article/CTX124439 
- https://docs.citrix.com/zh-cn/netscaler/11/system/high-availability-introduction/configuring-command-propagation-high-availability.html

There are commands to that can be executed to turn the HA Sync and HA Propagation off and then back on later.  At my company we would like to test out a 2 factor authentication option (during a planned maintenance window) and see how that works before it is available for all of the users.  I am thinking of doing the following:

1.  Enable the 2 factor authentication settings on the Authentication server.
       a.  Whatever it may be, that is a separate topic from this question.

2.  Then after the Authentication server is ready, disable auto-sync and auto-propagation on the NetScaler HA-Pair.

3.  Then configure the secondary NetScaler to work with the 2nd factor Authentication server.
        a.  Then plan a maintenance window to temporarily make the secondary NetScaler Server into the new primary NetScaler Server.
        b.  When I fail over the primary server, the secondary server will then become the new 'primary' server automatically.

4.  Then test out the 2 factor authentication, during the maintenance window, and see if it works well.
        a.  If it works well, great then keep that NetScaler server as the primary.
        b.  If it does not work well, then fail back over to the other NetScaler Server before the maintenance window is over.

My question is, if the NetScaler testing proves to work correctly, how can I propagate the changes from that NetScaler server to the other automatically?  Or must I manually make the same changes on the other NetScaler server and test again at a later time?  

Keep in mind that the HA-Sync would have been disabled before the testing is completed.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
i would create a second vServer for testing 2FA.

do you use active/passive or active/active HA?
PkafkasNetwork Engineer

Author

Commented:
We we currently have 2 x virtual NetScaler servers in an HA pair.  My questions are:

1.  If the NetScaler testing proves to work correctly, on the test HA Node, how can I propagate the changes from that NetScaler server to the other automatically?  

2.  Or must I manually make the same changes on the other NetScaler server and test again at a later time?  

I am not sure what you are asking for regarding: active/passive or active/active HA?  Maybe the blow display will help:

Node ID:      0
Node State: UP
        Master State: Secondary
        Fail-Safe Mode: OFF
        INC State: DISABLED
        Sync State: SUCCESS
        Propagation: ENABLED
        Enabled Interfaces : 0/1 1/1
        Disabled Interfaces : None
        HA MON ON Interfaces : None
        HA HEARTBEAT OFF Interfaces : None
        Interfaces on which heartbeats are not seen : None
        Interfaces causing Partial Failure: None
        SSL Card Status: NOT PRESENT
        Hello Interval: 200 msecs
        Dead Interval: 3 secs

Node ID:      1
Node State: UP
        Master State: Primary
        Fail-Safe Mode: OFF
        INC State: DISABLED
        Sync State: ENABLED
        Propagation: ENABLED
        Enabled Interfaces : 0/1 1/1
        Disabled Interfaces : None
        HA MON ON Interfaces : None
        HA HEARTBEAT OFF Interfaces : None
        Interfaces on which heartbeats are not seen : None
        Interfaces causing Partial Failure: None
Best is to disable sync first.
set HA node -haSync DISABLED | ENABLED
https://support.citrix.com/article/CTX124439
Make the device you test authentication primary.
https://support.citrix.com/article/CTX122346

after testing you may enable HA-Sync
set HA node -haSync DISABLED | ENABLED
https://support.citrix.com/article/CTX124439

you may force sync:
sync ha files <mode>
https://support.citrix.com/article/CTX138748
PkafkasNetwork Engineer

Author

Commented:
So, Mr. Dirk Kotte:

Regarding my question:  How can I propagate the changes from that NetScaler server to the other automatically?  Or must I manually make the same changes on the other NetScaler server and test again at a later time?  

Is the answer, yes there is a way to automatically propagate the changes over to the secondary node?  The process includes:

1.  Disable HA Sync.
2.  Bring the test NetScaler into primary position.
3.  Test and after you confirm, enable HA-Sync.
4.  Force Sync.
       a.  Type> sync ha files all <enter>

Then watch the magic happen?  Did I understand the process correctly?
If you don't disable HA / sync the config should be synced immediately.
If you prefer to disrupt the sync process you have to reenable them and may force the sync on time.
PkafkasNetwork Engineer

Author

Commented:
Thank you very much for verifying my understanding is correct.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial