24
running on it to be stopped. The other servers will detect that the VMs are no longer running and the VMs
will be restarted according to the restart priorities assign to them. The fenced server will enter a reboot
sequence, and when it has restarted it will try to re-join the resource pool.
Configuration RequirementsTo use the HA feature, you need:
• Shared storage, including at least one iSCSI or Fibre Channel LUN of size 356MB or greater - the
heartbeat SR. The HA mechanism creates two volumes on the heartbeat SR:
4MB heartbeat volume
Used for heartbeating.
256MB metadata volume
Stores pool master metadata to be used in the case of master failover.
If you are using a NetApp or EqualLogic SR, manually provision an iSCSI LUN on the array to use as
the heartbeat SR.
• A XenServer pool (this feature provides high availability at the server level within a single resource pool).
• Enterprise licenses on all hosts.
• Static IP addresses for all hosts.
Warning:
Should the IP address of a server change while HA is enabled, HA will assume that the host's network has
failed, and will probably fence the host and leave it in an unbootable state. To remedy this situation, disable
HA using the host-emergency-ha-disable command, reset the pool master using pool-emergency-reset-
master, and then re-enable HA.
For a VM to be protected by the HA feature, it must be agile. This means that:
• it must have its virtual disks on shared storage (any type of shared storage may be used; the iSCSI or
Fibre Channel LUN is only required for the storage heartbeat and can be used for virtual disk storage if
you prefer, but this is not necessary)
• it must not have a connection to a local DVD drive configured
• it should have its virtual network interfaces on pool-wide networks.
Citrix strongly recommends the use of a bonded management interface on the servers in the pool if HA is
enabled, and multipathed storage for the heartbeat SR.
If you create VLANs and bonded interfaces from the CLI, then they may not be plugged in and active despite
being created. In this situation, a VM can appear to be not agile, and cannot be protected by HA. If this
occurs, use the CLI pif-plug command to bring the VLAN and bond PIFs up so that the VM can become
agile. You can also determine precisely why a VM is not agile by using the xe diagnostic-vm-status CLI
command to analyze its placement constraints, and take remedial action if required.
Restart prioritiesVirtual machines are assigned a restart priority and a flag that indicates whether they should be protected
by HA or not. When HA is enabled, every effort is made to keep protected virtual machines live. If a restart
priority is specified, any protected VM that is halted will be started automatically. If a server fails then the
VMs on it will be started on another server.
The possible restart priorities are: