Rapidly migrate your NetScalers in under an hour using ADM

Rapidly migrate your NetScalers in under an hour using ADM Service

NetScaler migration

Have you bought a new NetScaler with more throughput or is it time to refresh? Are you migrating from old NetScalers to new ones? Sounds difficult? Then you've stumbled across the right article. Installing new NetScalers into production and migrating services may seem like a complicated process, but once you know how to do it, it's much easier than you might think. This blog post will walk you through the steps needed.

In this article, we will assume that you have an existing source NetScaler that's running in production and a new target NetScaler that you want to prepare in a non-production environment and migrate to under a change control process.

Prepare for the migration (existing NetScaler)

ADM Service's migration feature requires NetScaler firmware version 13.1.17 or above. To prepare for the upcoming migration, upgrade your existing NetScalers to 13.1.17 firmware so that both the source and target NetScaler have the same firmware version and support for ADM Service's migration feature.

NetScaler recommends upgrading to the same firmware on the source and target NetScalers to minimize the number of changes during the migration and, in the unlikely event of any issues, to identify the cause more easily.

You can upgrade your existing NetScaler to 13.1 firmware using the instructions here.

Prepare for the migration (target NetScaler)

First, install your new target NetScaler into a non-production environment without a connection to the production network. Ensuring the non-production and production networks are isolated from each other will prevent unintended interactions such as IP address conflicts.

Once you have installed the new NetScaler, connect it to ADM Service. To do this, you need to add an ADM Agent into the non-production environment. You can install a new ADM Agent using the instructions here and add you can connect the new NetScaler to ADM Service using these instructions.

Next, install a license onto your new NetScaler. You can apply a pooled license to your new NetScaler using the instructions here.

Replicate the configuration

After ensuring that the new NetScaler is not connected to any production networks, follow these steps to replicate the configuration.

1. Select Infrastructure, Instances, NetScaler, and NetScaler form factor

In the screenshot, we have selected the "VPX" form factor and can see two NetScalers, "192.168.6.30" and "192.168.1.230".

In this article, we will use "192.168.6.30" as the source NetScaler and will replicate its configuration onto the target NetScaler on "192.168.1.230".

2. Tick the source NetScaler, click "Select Action", and then choose "Replicate Configuration"

3. Move the target NetScaler instance from the "Available" to "Configured" window using the arrow button and click "Create"

ADM Service will now replicate the configuration from your source to target NetScaler.

Note: Any existing configuration on the target instance will be erased and replaced with the configuration of the source NetScaler. The source and target NetScalers should be on separate networks to prevent IP conflicts.

Validate the network configuration on the target NetScaler

Although the source and target NetScalers will now have the same configuration, the management NSIP and network interface layout may differ.

If you installed your new NetScaler into the non-production environment using a network interface layout that you don't want to use in production, you should change they layout now.

To change the network configuration, log into the target NetScaler and ensure:

1. That all unused interfaces are disabled
2. That you have created LACP channels as you require
3. That a SNIP is bound to each VLAN
4. That each VLAN is bound to an interface or channel using your intended network layout

You can find instructions detailing how to disable unused interfaces, create LACP channels, and how to bind SNIPs and VLANs here.

Replace the NSIP on the target NetScaler

If you installed your new NetScaler into the non-production environment using an NSIP that differs from production and would prefer it was the same at the point of migration, you should change the NSIP now.

You can change the NSIP using the following steps.

Note: If you are migrating an HA pair, you must perform the commands below on both nodes at the same time and shutdown both nodes at the same time.

1. Select the target NetScaler within the "Infrastructure, Instances, NetScaler" menu of ADM, choose "SNMP" from "Select Action", then disable SNMP.

Note: We are disabling these services to ensure they are not configured to communicate with the pre-production ADM Agent, we will re-enable them after the migration is complete.

2. Using the same process as "step 1" (above), disable Syslog and Analytics on the target NetScaler.

3. Select the source NetScaler and repeat steps one and two (above) to disable SNMP, Syslog, and Analytics.

4. Log into the target NetScaler's command line interface using SSH. You can find details of how to use SSH here.

5. Change the NSIP of the target NetScaler using the commands shown in red.

1. shell
2. cd /nsconfig
3. cp ns.conf ns.old
4. sed -i -e 's/192.168.1.230/192.168.6.30/g' ns.conf

6. Change references to the NSIP of the other HA node if applicable

1. sed -i -e 's/192.168.1.231/192.168.6.31/g' ns.conf

7. Shutdown the NetScaler

1. shutdown now

The output will look like the text below.

Note: In this example, we have included an example HA node with an NSIP of 192.168.1.231 that needs to be replaced with 192.168.6.31 - the replacement needs to be executed on both HA nodes.

###############################################################################

#                                                                             #

#        WARNING: Access to this system is for authorized users only          #

#         Disconnect IMMEDIATELY if you are not an authorized user!           #

#                                                                             #

###############################################################################

Password:

Last login: Mon Dec  6 14:26:05 2021 from 192.168.6.20

Done

nsroot@-Primary> shell

Copyright © 1992-2013 The FreeBSD Project.

Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994

       The Regents of the University of California. All rights reserved.

root@ns# cd /nsconfig

root@ns# cp ns.conf ns.old

root@ns# sed -i -e 's/192.168.1.230/192.168.6.30/g' ns.conf

root@ns# sed -i -e 's/192.168.1.231/192.168.6.31/g' ns.conf

root@ns# shutdown now

Shutdown NOW!

shutdown: [pid 8140]

root@ns#                                                                               

*** FINAL System shutdown message from root@ns ***                          

System going down IMMEDIATELY                                                 

System shutdown time has arrived

Connection to 192.168.6.30 closed by remote host.

Replace the NetScaler under change control

With the existing source and target NetScalers now having identical configurations, you can replace them in compliance with your change control procedures.

Many customers achieve that change using a two-stage replacement process.

In the first stage, they work with their network teams to connect the new NetScalers to network switch ports that are administratively disabled or offline.

In the second stage, during a change control window, the network team places the switch ports to the old NetScalers into a disabled or offline state, brings the interfaces connecting the new NetScalers online, and flushes the ARP cache on their router.

The effect is that all hardware installation and readiness activities can be completed in-advance and the change control window to move from the old to new appliances is completed in minutes. This approach also provides an excellent rollback strategy as the network could disable the interfaces connecting the new NetScaler and reenable those for the old, which are still powered on and running without modification.

Re-establish connectivity to ADM Service

You have now replaced the source NetScaler with the target. ADM will show the source as online (as the target is using the source NetScaler's NSIP) and the target's old NSIP as offline.

You should now complete the following steps to ensure the migrated NetScaler is correctly communicating with ADM Service.

1. To ensure ADM is communicating with the new NetScaler that has taken over the NSIPs of the source, select the source NetScaler within "Infrastructure, Instances, NetScaler" menu of ADM and, choose "Rediscover" from "Select Action".

2. After the rediscovery completes, re-enable the SNMP, Analytics, or Syslog capabilities that you disabled at step one of "Replace the NSIP on the target NetScaler". To enable each, select the NSIP of the source NetScaler and the capability under "Select Action".

3. If you are using pooled licensing on the new NetScaler, you must also ensure it is using the production ADM Agent as its license server. To do this, log into the new NetScaler using SSH and enter the following commands:

sh nslicenseserver

4. If the new NetScaler is not using the production ADM Agent as its license server, you can correct the license server to production ADM using the following commands:

add nslicenseserver <prod_agent_ip> -port 27000 -forceUpdateIP

5. Remove the target NetScaler's old NSIP from ADM by ticking the old NSIP within the "Infrastructure, Instances, NetScaler" menu of ADM and pressing "Remove".

Next steps

You have now finished migrating from your old to new NetScalers and can begin using them in production.