Citrix NetScaler

How to update your Citrix NetScaler firmware

I’m doing some firmware updates on Citrix Netscaler appliances today and thought I would give you guys a quick guide on how to do this. This applies to all legacy appliances, MPX appliances, and VPX appliances. You use the same procedure for both Classic and nCore firmware packages. It is very easy to do. 🙂

1. Login to MyCitrix at http://citrix.com/English/mycitrix/index.asp and download the firmware .tgz package. Make sure to check compatability with your appliance before downloading.

2. Use WinSCP to transfer the package to the /var/nsinstall directory on your appliance.

3. SSH into your appliance using Putty and type “shell” to enter the shell

4. Type cd /var/nsinstall

5. Type ls to list the contents of the directory and verify your newly uploaded firmware package is there

6. Now type “tar -zxvf build-xxxxxxxx.tgz” to unzip the package

7. Then type “installns” to begin the install. Should take about 30 seconds to copy to flash and install.

8. Reboot the appliance once prompted for it (just type Y).

9. Login via the web GUI and verify the firmware version in the top right corner is the same as the package you were trying to apply.

14 Comments

  1. Scott

    July 20, 2010 at 12:03 PM

    Hello,

    What is the correct process for upgrading an HA cluster?

  2. Jason Samuel

    July 20, 2010 at 5:55 PM

    @Scott

    Hi Scott,

    Here is what I do when I update Netscaler firmware in an HA cluster. This is all from memory so please let me know if something needs clarification:

    1. First thing is read the release notes and see what all changes are happening with the update. You always want to be aware of what kind of impact an update will have on features you might be dependent on. You will also know what to test after the update and verify if it’s all still working or not.

    2. Test the firmware update on your Test environment if you have one. VPX Express edition is a FREE download from Citrix and is perfect for testing on. Set them up in an HA pair and practice if this is your first time updating an HA environment. They work on both XenServer and VMware ESX/vSphere just fine.

    3. Schedule a maintenance window for your Production environment. Firmware updates have been pretty seamless for me but I always like to make sure I have a scheduled maintenance window incase anything goes wrong. The less traffic through the Netscaler, the better.

    4. Go to your secondary Netscaler (passive node that is not handling traffic). Go to System > High Availability > then click on your Secondary node to bring up the Properties dialog box. Click “STAY SECONDARY (Remain in Listen mode)”. I also like to uncheck HA Synchronization and HA Propagation. Then press OK and hit Save. What this does is prevent your Secondary node you are going to be working on from becoming primary by accident during the firmware update.

    5. Go to your primary Netscaler (active node that is handling traffic). Go to System > High Availability > and select “STAY PRIMARY”. This is just a precaution I always do. The likelihood of working on the passive node causing a failover from the active node to the passive node is pretty slim but I always like to be careful.

    6. Now that your HA failover and synchronization is effectively “paused”, we can begin the update on the passive node. I just want to point out to you that in an HA pair, if you have 2 different firmware versions running, it will detect an HA version mismatch and the node with the most current firmware will automatically become secondary (listen mode). So we always want to make sure and update the secondary node first before moving onto the active node with live traffic on it. Just as a precaution, open command prompt and start a continuous ping on one of your VIP IPs and leave it minimized. This way you will know if you have an outage. You shouldn’t, but just do it to be cautious and keep an eye on things during the update process.

    7. Now begin your firmware update on the passive node as described in my article. Make sure to verify the firmware version in the top right corner reflects the update and the system is still secondary after the reboot. Once you have verified everything, turn HA, synch, and propagation back on. In my experience, I have come across firmware updates where I couldn’t failover via the GUI and had to do it via command line. Here are these commands you’ll need to control HA just incase:

    To put the node in STAY SECONDARY
    set node -hastatus STAYSECONDARY

    To put the node in STAY PRIMARY:
    set node -hastatus STAYPRIMARY

    To put the node back in HA
    set node -hastatus ENABLE

    8. Now go back to your primary node and enable HA that you had disabled in step 5 above.

    9. Now you have an option. The first option is that you can update the primary node next. Most people do this step next. I prefer to do it later once I have passed some traffic through the newly updated Netscaler and verify everything is good. This is because I want to have the option of failing back to the old firmware immediately if I have an issue. If you want to go with option 1, just skip to step 11 below. If you want to go the route I take and test it first, move onto step 10 below.

    10. Do a forced failover making your newly updated Netscaler the primary node. Traffic will immediately begin passing through it. Watch your traffic and do testing! Verify all your services are up, all your VIPs are up, all your apps are responding normally, your traffic looks good, etc. This is the only chance you have to failback to the node with the old firmware so it is critical you test everything. I have gone as long as a week running new firmware on a primary node without updating the passive node just so I have a safety net and give application owners time to test their apps.

    11. When you are finally ready to update the primary node, perform the same steps as above you did on the passive node. Yes you can do the update while there is traffic on your node. Nothing will happen to the traffic until you tell it to reboot. When you reboot, it will automatically failover to the passive node (just make sure you don’t disable HA like you did above earlier). There should be no outage (verify this in the command prompt where you are still pinging your VIP). Once the node is back up, verify everything looks good and do a manual failback. Now both your nodes should be updated and the node that was originally primary when you began the update process is back to being primary again.

    That’s it! Let me know if you have any questions. I urge you to setup 2 VPX Express appliances in an HA pair and test this before doing it on your production Netscalers just to make sure you have the process down and don’t have any surprises. Also don’t forget to take a backup of your ns.conf before beginning any firmware updates just incase. Let me know how it goes for you.

    Jason

  3. Ron

    September 21, 2010 at 1:32 AM

    nice info, thx

    i would suggest you also download the documentation tar file what belongs to the release you just downloaded. put it in the same folder on the cag and don’t unpack it.
    when you run the installer to update the cag, it will also do the install of the documantation so that is updated too

    Ron

  4. trey

    November 5, 2010 at 7:51 AM

    Thanks for the post! I was struggling but your article hooked me up! Thanks man.

  5. Scott Barnwell

    February 21, 2012 at 5:10 AM

    Just used this to upgrade a HA pair from 9.2 to 9.3 and worked perfectly. Thanks.

  6. Prabhu

    December 5, 2012 at 5:04 AM

    Thanks Jason. This worked absolutely fine for me. Good Work!!

  7. senthilkumar

    October 8, 2014 at 12:58 PM

    I am plan to upgrade MPX 7500 9.2 build52.8 cl and mpx 7500 9.5 build 50.4 to 10.5 is it supported upgrade path ?

  8. Adityakumar Pagadala

    August 1, 2015 at 9:58 PM

    Hi Jason, thank you somuch for your blog.
    Today I have upgraded firmware on MPX 7500 HA Pairs ( Total 4 devices) from Version 10.1 Build 120.13 to 10.1.132.8. It went successfully.Your blog helped me alot to perform my task successfully.
    Here I am briefing how I was completed my task.

    1. Take backup of necessary files, in my case ns.conf, Licenses and SSL folder after saving configuration
    • /nsconfig/ns.conf
    • /nsconfig/license/*
    • /nsconfig/ssl/*
    • /var/nslog/*
    Incase if you have customized something take those backup also, for example
    • /nsconfig/monitors/*.pl
    • /nsconfig/htmlinjection/*
    • /nsconfig/rc.netscaler

    2. Create a folder in /var/nsinstall path via WinSCP and Upload firmware software to that folder
    3. Login to NetScalers (both Primary and Secondary) and disable HA propagation and Synchronization
    4. Type ls to list the contents of the directory and verify your newly uploaded firmware package is there
    5. Now type “tar -zxvf build-xxxxxxxx.tgz” to unzip the package (refer exact package name)
    6. Then type “./installns” to begin the install. Should take about 30 seconds to copy to flash and install
    7. Reboot the appliance once prompted for it (just type Y).
    Login via the web GUI and verify the firmware version in the top right corner is the same as the package you were trying to apply
    8. Now use force HA failover command to make secondary as primary and test the traffic, if testing successful the repeat the installation on Primary (pending one)
    9. After rebooting the second one ( it was primary before upgradation) make that one as primary using force HA failover command
    10. Enable synchronization and propagation
    11. Done

  9. def

    January 19, 2016 at 3:24 AM

    Hi Jason, thank you very much for the upgrade procedure. I do have a question though, I did the the upgrade on an HA pair and the upgrade was successful, all configurations are still there, but there is a problem. All the load balancing vServers appear as down on the secondary node. Is this normal? HA is disabled, primary node is set to STAY PRIMARY, secondary to STAY SECONDARY and sync is disabled. It was my first upgrade so any suggestion is helpful :). Load balacing is licensed and enabled on the node.

    Cheers!

  10. Andreas Molsen

    March 9, 2017 at 10:20 AM

    Hi Jason,
    how i do a Upgrade from my Netscaler Gateway 11.0 63.16 to 11.1 52.13? In my Citrix Account i have only virt. Appliances to Download like .mf, ovf,.vmdk Files, no tgz-Files for Firmware-Updates! And i can not find any BestPractis in Citrix eDocs. Wich way i must use to Upgrade my Netscaler Gateway? I have no Netscaler Enterprise!
    Thanks for your Answer.
    Best Regards
    Andreas

  11. Eric

    April 8, 2017 at 8:46 PM

    Can you direct me to legacy 9.3 firmware versions?

  12. abrar

    July 16, 2020 at 10:19 AM

    hi sam,

    How do i upgrade the VPx instance on the SDX appliance? which firmware too use..?I m aware about upgrading the HA apair NS(in MPX)…any specific thinhgs for VPXs upgrades on SDX appliance?where to download teh Firmware for VPX NS on SDX appliance?

  13. Sagar Chhabria

    May 3, 2021 at 8:36 AM

    Hi Jason,

    Thanks for the wonderful post. I want to upgrade from 12.1 to 13.0, shall I still follow the similar steps or are there any additional steps for such major upgrades.

  14. Kurushi

    January 27, 2022 at 10:47 AM

    Hi Sagar,

    Have you upgraded your Netscaler on 13.0 ?
    Have you still support on it for doing upgrade ?

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Cloud Design Architecture

The community-driven paperback book initiated by my friends Bas van Kaam and Christiaan Brinkhoff is available for sale on Amazon. If you haven’t picked...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com

Exit mobile version