Some of you may know that I ended up buying a Citrix ADC SDX off eBay, paying USD 425 for the privilege (with FREE shipping!). Before digging into the experience and all the caveats of doing this, let me first give you my particular opinion about the Citrix ADCs in general (no matter the form, be it a VPX, a BLX, etc).
Yes, this week it was hell in the ADC world. That exploit is serious and can do quite a bit of damage, from little things like getting your AD bind account and password (which honestly I could not care less about, because if you did it right that account has no other rights AND is not used anywhere else) to being able to download your wildcard cert with the private key, which is indeed a much more serious issue. That said, we need to step back and remember this is software. Written by humans. And therefore prone to errors. No matter what it is, if humans touched it, there will be issues. Guaranteed.
Could Citrix have done a better job communicating the issue? Certainly. But almost all vendors have issues in that respect. This week, if you remember, the NSA had to assist Microsoft in disclosing another major exploit… So let’s move on and make sure we all learned our lesson here: keep a very close eye on what is happening in the wild, act FAST when big shit like this shows up AND do not leave your devices running firmware from the 80s, even though you are from the 80s and you like the 80s like I do.
With that out of the way, what do I think about the ADCs? IMHO it is the best device of its class, hands down. It is simply the Swiss Army knife of the networking world. It does pretty much every single thing you can imagine, from simple load balancing to crazy bat shit stuff that I do not even know (for that you need Thorsten Rood, not me).
Now you may be asking, with the virtual appliances available (VPX) and even the bare-metal one that runs on Linux (BLX), why did you buy a used SDX? Well, first of all, it was cheap. I like cheap. Secondly, many customers do have these in place, and being able to work on one at any time, trying whatever crazy setup/upgrade/configuration before I even show up at a customer, is a big plus. Sure, new these things run for a lot of money, like USD 70,000 for some models (more and less for others of course). But used, at USD 425, four benjies and change, I will take it. And that I did.
When I got it, the first thing I noticed was that the device did have its original SSD and HD, in the original trays in the back. All that information with diagrams is available here. Great. Once it was cabled (I just used one cable to the management port 0/1), I connected a laptop to the same switch, put an IP in the same subnet (192.168.100.X/16) and tried to reach the management VM (SVM) on 192.168.100.1, and boom, I was able to log in to the SVM. That meant my appliance was good and had everything I needed in place. Well, that is what I thought…
The problem is licensing. You still need that in place to run some virtual machines (yes, VPXs; after all, the SDX is a server running XenServer!). But that device is out of support, out of everything. So how do you fix that? Well, let me first explain what you need to look for when buying one and then how to get it going.
Before buying it:
- Check with the vendor if the appliance does come with the original SSD/Hard Disk. If it does, you should be fine. If they are not there, you will need to buy these (common hardware like Samsung SSDs) AND get an image from someone with an SDX. The reason is you will need to load this image on the SSD and once that is done, it will boot fine. Ask around, I am sure someone will have an image…
- If you plan to use the SFP+ ports (which you should, as you can then test ANYTHING on the appliance), you can indeed buy SFP+ cables from other vendors. I bought mine from Ubiquiti (as my switch is a 10Gb one from them) and paid like USD 20 per cable. They work perfectly and no warnings anywhere.
After buying it:
- The software may be severely outdated, like mine was. It was running 9.3. Yes, from the 80s. I did SDX upgrades before but on newer firmware, so this one was a bit different. The main problem I found is that the Citrix documents contradict themselves. Some say you must do it in a certain order, others in a different one. After talking to other people and trying different ways, this is what I learned:
  - First of all, you must upgrade the SVM to the latest 10.5 build. You can download it here.
  - Once the SVM is running that build, from the same link above download the NetScaler SDX Platform Image 10.5 Build 8.2 and from the SVM GUI, do a PLATFORM UPGRADE.
  - Finally, get the Single Bundle Upgrade for the latest version you want to use (e.g. 13.0, 12.1, etc) and once you upload the image to the appliance, do another SVM upgrade. This time the SVM will upgrade and reboot but then, automatically, it will start the upgrade of everything else (e.g. the XenServer hypervisor). This will take like thirty minutes or even more. Be patient. If you do need step-by-step instructions on how to perform these upgrades, Carl Stalhood has you covered.
Ok, so far so good, eh? Now, what about the licenses? Well, that is where a partner will have to step in. But, but, aren’t these devices out of everything? Yep. But the newer platforms are the same in many ways, so the trick is to get a demo license for a Citrix ADC SDX 18500 or 20500! Once that demo license is issued, you simply upload it to the appliance and you are ready to get licenses for your VPX instances (a separate license, but one that can also be issued).
That is how I got my SDX 11500 back to life, now showing up as an 18500 and with plenty of VPX licenses so I can test whatever I want and need to. After all, as I said, nothing beats a damn real physical appliance running in your living room with your wife screaming to turn it off. Which of course you cannot hear, so…
By the way, PATCH/UPGRADE the damn thing as soon as you get it and BEFORE exposing it to the wild. You have been warned.
CR