How to use Subnet IP (SNIP) for GSLB Configuration SYNC on NetScaler


Article ID: CTX237364


Description

This article describes how to use a Subnet IP (SNIP) for GSLB Config SYNC between the Local and Remote sites.


Instructions

** Please note that I have used private IP addresses in my lab setup **

Create a Subnet IP (SNIP) in a different subnet from the NetScaler IP (NSIP). Make this SNIP the local GSLB Site IP.

> show ip
      Ipaddress        Traffic Domain  Type             Mode     Arp      Icmp     Vserver  State
      ---------        --------------  ----             ----     ---      ----     -------  ------
1)    10.107.100.131   0               NetScaler IP     Active   Enabled  Enabled  NA       Enabled
2)    10.232.252.39    0               SNIP             Active   Enabled  Enabled  NA       Enabled
3)    10.232.9.10      0               SNIP             Active   Enabled  Enabled  NA       Enabled
8)    172.16.98.10     0               SNIP|GSLB        Active   Enabled  Enabled  NA       Enabled
9)    10.107.100.143   0               ADNS             Active   Enabled  Enabled  NA       Enabled
19)    10.107.100.132   0               SNIP             Active   Enabled  Enabled  NA       Enabled



> show gslb site
1)    GSLB Local (172.16.98.10)    Site Type: LOCAL
    Metric exchange: ENABLED    Public IP: 172.16.98.10
    Network metric exchange: ENABLED    Persistence session exchange: ENABLED
    Trigger Monitors: ALWAYS
2)    GSLB Remote (192.168.10.10)    Site Type: REMOTE
    Metric exchange: ENABLED    Site Metric MEP Status: ACTIVE    Public IP: 192.168.10.10
    Network metric exchange: ENABLED    Persistence session exchange: ENABLED
    Network Metric/persistence MEP status: ACTIVE
    Trigger Monitors: ALWAYS



Now the Remote Site IP must be reachable through this new SNIP. This means adding a route to the Remote Site IP that uses the gateway IP of the Local Site IP subnet:

> show route
    Network          Netmask          Gateway/OwnedIP  State   Traffic Domain  Type
    -------          -------          ---------------  -----   --------------  ----
1)    0.0.0.0          0.0.0.0          10.107.100.129   UP      0              STATIC
2)    127.0.0.0        255.0.0.0        127.0.0.1        UP      0              PERMANENT
3)    10.107.100.128   255.255.255.192  10.107.100.131   UP      0              DIRECT
4)    10.232.9.0       255.255.255.0    10.232.9.10      UP      0              DIRECT
5)    10.232.252.0     255.255.255.0    10.232.252.39    UP      0              DIRECT
6)    172.16.0.0       255.255.0.0      172.16.98.10     UP      0              DIRECT
7)    10.232.0.0       255.255.0.0      10.232.9.1       UP      0              STATIC
8)    10.107.198.0     255.255.255.0    172.16.98.11     UP      0              STATIC
9)    192.168.10.10    255.255.255.255  172.16.98.11     UP      0              STATIC


Make sure there is connectivity to the gateway by checking your ARP table:

> show arp
    IP               MAC                Iface VLAN  Origin     TTL     Traffic Domain
    --               ---                ----- ----  ------     ---     --------------
1)    127.0.0.1        7e:57:xx:f3:20:xx  LO/1  1     PERMANENT  N/A    0     
2)    172.16.98.11     a6:fc:xx:cb:d6:xx  1/1   1     DYNAMIC    357    0     
3)    172.16.98.10     7e:xx:xx:f3:20:xx  LO/1  1     PERMANENT  N/A    0     
4)    10.232.252.39    7e:xx:xx:f3:20:cb  LO/1  1     PERMANENT  N/A    0     
5)    10.107.100.145   ca:73:xx:d0:b5:xx  1/1   1     DYNAMIC    624    0     
6)    10.107.100.131   7e:57:xx:f3:20:xx  LO/1  1     PERMANENT  N/A    0     
7)    10.107.100.129   00:1d:xx:99:91:xx  1/1   1     DYNAMIC    855    0     
8)    10.107.100.140   02:0d:xx:24:3e:xx  1/1   1     DYNAMIC    622    0 



If this configuration is in place, we should see SYNC packets on port 3010 or 3008 using this SNIP as the source:

09:43:33.099660 IP 172.16.98.10.9740 > 192.168.10.10.3010: Flags [S], seq 47246822, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 349507918 ecr 0], length 0
09:43:33.100040 IP 192.168.10.10.3010 > 172.16.98.10.9740: Flags [S.], seq 133784141, ack 47246823, win 8190, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
09:43:33.100096 IP 172.16.98.10.9740 > 192.168.10.10.3010: Flags [.], ack 1, win 8212, length 0
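
A check of such a capture can be scripted. The following is an added example, not part of the original article or of NetScaler: it reads tcpdump text output and reports, per sync port, whether the connection came from an expected SNIP and whether the remote site answered. The function name `audit_sync`, its parameters and the fourth sample line are assumptions made for illustration.

```python
import re

# Constructed sample: lines 1-3 are the article's handshake (TCP options trimmed),
# line 4 is a made-up SYN sourced from the NSIP instead of the SNIP.
SAMPLE = """\
09:43:33.099660 IP 172.16.98.10.9740 > 192.168.10.10.3010: Flags [S], seq 47246822, win 65535, length 0
09:43:33.100040 IP 192.168.10.10.3010 > 172.16.98.10.9740: Flags [S.], seq 133784141, ack 47246823, win 8190, length 0
09:43:33.100096 IP 172.16.98.10.9740 > 192.168.10.10.3010: Flags [.], ack 1, win 8212, length 0
09:44:10.000000 IP 10.107.100.131.20311 > 192.168.10.10.3008: Flags [S], seq 1, win 65535, length 0
"""

SYNC_PORTS = {3008, 3010}  # ports named in the article
LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]"
)

def audit_sync(capture, remote_site_ip, allowed_snips):
    """Group sync connections toward remote_site_ip by source IP and SYN-ACK status."""
    flows = {}  # (local_ip, local_port, sync_port) -> True once a SYN-ACK came back
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.group(1), m.group(3), m.group(5)
        sport, dport = int(m.group(2)), int(m.group(4))
        if dst == remote_site_ip and dport in SYNC_PORTS and flags == "S":
            flows.setdefault((src, sport, dport), False)
        elif src == remote_site_ip and sport in SYNC_PORTS and flags == "S.":
            flows[(dst, dport, sport)] = True
    report = {"ok": [], "unanswered": [], "wrong_source": []}
    for (local_ip, _port, sync_port), answered in sorted(flows.items()):
        if local_ip not in allowed_snips:
            bucket = "wrong_source"   # source is not an expected SNIP (for example the NSIP)
        elif answered:
            bucket = "ok"
        else:
            bucket = "unanswered"     # SYN left the SNIP but no SYN-ACK returned: check firewall
        report[bucket].append((local_ip, sync_port))
    return report

if __name__ == "__main__":
    print(audit_sync(SAMPLE, "192.168.10.10", {"172.16.98.10"}))
```

Pass every SNIP in the routed subnet in `allowed_snips`, since any of them may be chosen as the source address.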



Important Note:
1) I have considered the Remote Site IP above as a Public IP, so appropriate firewall rules need to be configured to allow this traffic. Ports 3008 and 3010 need to be opened on the firewall from the Local Site SNIP to the Remote Public Site IP. Similar changes need to be made on the remote site too.
2) If multiple SNIPs are configured on the local site in the same subnet for the configured route, any one of those SNIPs can be used as the source IP for SYNC communication. Firewall rules need to be configured accordingly at both sites.
 

Issue/Introduction

By default, NetScaler uses the SNIP for MEP communication between the Local and Remote sites and the NSIP for Config SYNC between the two devices. However, in some implementations the NSIP does not have internet access, and hence the Auto-Sync feature cannot be used.

Additional Information

To manually start the config sync, refer to https://docs.citrix.com/en-us/netscaler/12/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/manual-synchronization.html