High Availability Deployment
Apr 12, 2018
This topic covers the high availability (HA) deployments and configurations supported by SD-WAN appliances (Standard Edition and Enterprise Edition).
SD-WAN appliances can be deployed in high availability configuration as a pair of appliances in Active/Standby roles. There are three modes of high availability deployment:
- Parallel Inline high availability
- Fail-to-Wire high availability
- One-Arm high availability
These high availability deployment modes are similar to Virtual Router Redundancy Protocol (VRRP) and use a proprietary SD-WAN protocol. Both Client Nodes (Clients) and Master Control Nodes (MCNs) within an SD-WAN network can be deployed in a high availability configuration as long as the selected SD-WAN platform model supports high availability.
In high availability configuration, one SD-WAN appliance at the site is designated as the Active appliance and is continuously monitored by the Standby appliance. Configuration is mirrored across both appliances. When the Standby appliance loses connectivity with the Active appliance for a defined period, the Standby appliance assumes the identity of the Active appliance and takes over the traffic load. Depending on the deployment mode, this fast failover has minimal impact on the application traffic passing through the network.
In One-Arm mode, the high availability appliance pair is outside of the data path. Application traffic is redirected to the appliance pair with Policy Based Routing (PBR). One-Arm mode is implemented when a single insertion point in the network is not feasible or to counter challenges of fail-to-wire. In the following illustration, the Standby appliance can be added to the same VLAN or subnet as the Active appliance and the router.
In One-Arm mode, it is recommended that the SD-WAN appliances do not reside in the data network subnets. This way, the virtual path traffic does not have to traverse the PBR, which avoids route loops. The SD-WAN appliance and router must be directly connected through an Ethernet port or be in the same VLAN.
IP SLA Monitoring for Fall Back
The active traffic flows even if the virtual path is down, as long as one of the SD-WAN appliances is active. The SD-WAN appliance redirects traffic back to the router as Intranet traffic. However, if both active/standby SD-WAN appliances become inactive, the router still tries to redirect traffic to the appliances. IP SLA monitoring can be configured at the router to disable PBR if the next appliance is not reachable. This allows the router to fall back to performing a route lookup and forward packets appropriately.
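The following router configuration sketches the IP SLA fallback described above. It is an added example, not taken from the product documentation, and it assumes a router with Cisco IOS-style syntax. The address 192.0.2.10 (standing in for the virtual IP of the SD-WAN pair), the 10.10.0.0/16 LAN range, the interface names, and the object numbers and names are all constructed for illustration.

```cisco
! Added example: constructed addresses, names and numbers throughout.
! Probe the PBR next hop (the SD-WAN pair's virtual IP) every 5 seconds.
ip sla 10
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track object follows the probe result. The delays damp flapping:
! go down after 5 s of failed probes, come back up only after 30 s of success.
track 10 ip sla 10 reachability
 delay up 30 down 5
!
! LAN traffic that is redirected to the SD-WAN appliances.
ip access-list extended SDWAN-REDIRECT
 permit ip 10.10.0.0 0.0.255.255 any
!
! The next hop is used only while track 10 is up. When both appliances
! are unreachable, the set clause is skipped and the router performs
! a normal route lookup for the packet.
route-map SDWAN-PBR permit 10
 match ip address SDWAN-REDIRECT
 set ip next-hop verify-availability 192.0.2.10 1 track 10
!
! Apply the policy on the LAN-facing interface (hypothetical name).
interface GigabitEthernet0/0
 ip policy route-map SDWAN-PBR
```

An ICMP probe only confirms that the address answers, so traffic falling back to the routed path bypasses the SD-WAN overlay; the track state change is worth sending to monitoring as an alert.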
Parallel Inline high availability mode:
In Parallel Inline high availability mode, the SD-WAN appliances are deployed alongside each other, inline with the data path. Only one path through the Active appliance is used. It is important to note that bypass interface groups are configured to be fail-to-block and not fail-to-wire so that you don’t get bridging loops during a failover.
The high availability state can be monitored through the inline interface groups, or through a direct connection between the appliances. External Tracking can be used to monitor the reachability of the upstream or downstream network infrastructure (for example, switch port failure) to direct a high availability state change, if needed.
If both active and standby SD-WAN appliances are disabled or fail, a tertiary path can be used directly between the switch and router. This path must have a higher spanning tree cost than the SD-WAN paths so that it is not used under normal conditions. Failover in parallel inline high availability mode is very quick and nearly hitless, because no physical state change occurs. Fallback to the tertiary path is not hitless and can block traffic for 5-30 seconds depending on the spanning tree configuration. If there are out of path connections to other WAN Links, both appliances must be connected to them.
In more complex scenarios, where multiple routers might be using VRRP, non-routable VLANs are recommended to ensure the LAN side switch and routers are reachable at layer 2.
In fail-to-wire mode, the SD-WAN appliances are inline in the same data path. The bypass interface groups must be in the fail-to-wire mode, with the Standby appliance in a passthrough or bypass state. A direct connection between the two appliances on a separate port must be configured and used for the high availability interface group.
- High availability switchover in fail-to-wire mode takes longer, approximately 10–12 seconds, because of the delay for ports to recover from the Fail-to-Wire state.
- When the high availability connection between the appliances fails, both appliances go into Active state and cause a service interruption. This can be mitigated by assigning multiple high availability connections so that there is no single point of failure.
- It is imperative that in high availability Fail-to-Wire mode, a separate port be used in the hardware appliance pairs for the high availability control exchange mechanism to assist in state convergence.
- Because a physical state change occurs when the SD-WAN appliances switch over from Active to Standby, failover can cause partial loss of connectivity depending on how long the auto-negotiation takes on the Ethernet ports.
- It is recommended that Fail-to-Wire mode be used on ports that are auto‐negotiated, because this increases failover time.
The following illustration shows an example of the Fail-to-Wire deployment.
The One-Arm high availability configuration or Parallel Inline high availability configuration is recommended for data centers or Sites that forward a high volume of traffic to minimize disruption during failover.
If minimal loss of service is acceptable during a failover, then Fail-to-Wire high availability mode is a better solution. The Fail-to-Wire high availability mode protects against appliance failure and parallel inline high availability protects against all failures. In all scenarios, high availability is valuable to preserve the continuity of the SD-WAN network during a system failure.
To configure high availability:
1. In the Configuration Editor, navigate to Sites > site name > High Availability. Select Enable High Availability.
2. Type values for the following parameters:
- High availability Appliance Name: This is the name of the high availability (secondary) appliance.
- Failover Time: This specifies the wait time (in milliseconds) after contact with the primary appliance is lost, before the standby appliance becomes active.
- Shared Base MAC: This is the shared MAC address for the high availability pair appliances. If a failover occurs, the secondary appliance has the same virtual MAC addresses as the failed primary appliance.
- Swap Primary/Secondary: When this is selected, if both appliances in the high availability pair come up simultaneously, the secondary appliance becomes the primary appliance, and takes precedence.
- Primary Reclaim: If this is selected, the designated primary appliance reclaims control upon restart after a failover event.
- HA Fail-to-Wire Mode: Choose this for Fail-to-wire high availability deployment mode.
For hypervisor and cloud based platforms, an extra parameter, Disable Shared Base MAC, is available. Choose this to disable the shared virtual MAC address.
For hypervisor based platforms, ensure that promiscuous mode is enabled on the hypervisors to allow packet sourcing from the high availability shared MAC address. When promiscuous mode is not enabled, you can enable the Disable Shared Base MAC option.
3. Click + next to HA IP Interfaces to configure interface groups. Enter values for the following parameters:
- Virtual Interface – This is the Virtual Interface to be used for communication between the appliances in the high availability pair. This interface monitors the Active appliance for reachability. For One-Arm high availability mode, only one interface group is required.
- Primary – This is the unique Virtual IP address for the primary appliance. The secondary appliance uses this for communication with the primary appliance.
- Secondary – This is the unique Virtual IP address for the secondary appliance. The primary appliance uses this for communication with the secondary appliance.
For Inline high availability mode, extra interface groups are required for External Tracking to monitor the upstream or downstream network infrastructure (for example, switch port failure) and detect when a high availability state change is required.
4. Click + to the left of the new HA IP Interfaces entry. In the External Tracking IP Address field, enter the IP Address of the external device that responds to ARP requests to determine the state of the primary appliance.
5. Choose Apply.
To monitor high availability configuration:
Log in to the SD-WAN web management interface for the Active and Standby appliances for which high availability is implemented. View high availability status under the Dashboard tab.
For Network Adapter details of Active and Standby high availability appliances, navigate to Configuration > Appliance Settings > Network Adapters > Ethernet tab.