Migrating a Citrix ADC /NetScaler config to an other box

I recently tried to migrate an existing configuration from one Citrix ADC (NetScaler) to the other. Both of them had been the same hardware (VPX running on KVM), used the same type of license (premium).

If you move to different hardware please continue reading from here


How to do

Basically, it’s just the /flash/nsconfig/ns.conf file to be copied. But if you do you’ll face some serious problems. This does, of course, not copy admin partitions, as their configuration is in /flash/nsconfig/partitions/<partition-name>. Same it does neither copy certificates nor SSH keys. And some more. So this won’t copy everything.


Issues

after copying /flash/nsconfig/ns.conf all your SSL vServers will be down due to missing certificate files. DNS config may be empty. Partitions are missing. There are several more things missing. So it’s not enough.


Resolution

You’ll have to copy all content from /flash/nsconfig from one Citrix ADC / NetScaler to the other. If you don’t want to loose logs behind, you’ll also have to copy /var/log and /var/nslog, both including all subdirectories.

But you’ll face an other problem: Citrx ADC’s SSH demon won’t start. That’s because you should not copy following files/ from /flash/nsconfig/ssh

  • ssh_host_dsa_key
  • ssh_host_dsa_key.pub
  • ssh_host_rsa_key
  • ssh_host_rsa_key.pub

So leave them alone!


SSH demon not starting

So we copied the whole /flash/nsconfig directory from one Citrix ADC / NetScaler to the other.

All the configuration is entirely working fine! Well, not entirely, … One small function still holds out against our migration: The SSH demon refuses to work.

What’s wrong? Reboot the box, problem isn’t gone. Reboot again? Won’t solve the problem. If you’re able to connect to the console you’ll see alert messages about ssh not running.

You see following error messages, if you’re able to connect to the console

What’s gone wrong?

Citrix tells you in CTX121565. SSH demon refuses to start due to permissions on files being wrong.

so change to BSD shell and type:

cd /flash/nsconfig/ssh
chmod 600 ssh_host_dsa_key
chmod 600 ssh_host_rsa_key

You should now be able to start the ssh demon by typing

/usr/sbin/sshd –f /etc/sshd_config


Potential problems

If you move to an other type of hardware you’ll probably run into troubles about interfaces. The type of interfaces is one of the first lines in a ns.conf file.

Interfaces on a Citrix ADC / NetScaler MPX box may be like that:

set interface 0/1 -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "Intel 8247X" -ifnum 0/1

while interfaces on a VPX will look like that:

set interface 1/1 -state DISABLED -throughput 0 -bandwidthHigh 0 -bandwidthNormal 0 -intftype "Xen Virtual" -ifnum 1/1

(funny enough, there is no difference about type of hypervisor, all network cards are XEN) You’ll have to change the interface type to the ones used in the existing ns.conf file


I hope you find this useful. Please tell me what you think

Leave a Reply

Your email address will not be published. Required fields are marked *