NetScaler 14.1 | GSLB Remote Site MEP Status Down - No Response to TCP 3009 SYN

Article ID: CTX308990

Description

GSLB Remote Site MEP status is DOWN.

GSLB Remote Services are marked DOWN.

An nstrace shows the local NetScaler sending TCP SYN packets to the remote site on port 3009, but no SYN-ACK is received.

This applies to NetScaler ADC GSLB configurations that use secure MEP.

Metric Exchange Protocol (MEP) is responsible for sharing site metrics (load, persistence, etc.) between GSLB sites to make intelligent load-balancing decisions.

Cause

  • Incorrect Source IP Address (IP Spoofing/Routing): The local site is initiating the MEP 3009 request using the SNIP (Subnet IP) instead of the NSIP (NetScaler IP). The remote site is configured to listen for MEP connections specifically from the peer's NSIP; packets from any other IP are dropped by the internal security logic.

  • Internal Service Failure (SSL/TLS): Secure MEP requires an encrypted handshake. If the internal service nshttps-127.0.0.1-443 is DOWN (often due to a missing or unlinked ns-server-certificate), the NetScaler cannot successfully process the secure MEP exchange.
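One way to check the first cause against a capture, as an added example that is not part of the original article: the script below reports which local source IPs sent SYNs to port 3009 and how many never received a SYN-ACK. It assumes the nstrace has been exported to tcpdump-style text lines; the function name, IP addresses and trace lines are constructed for illustration.

```python
import re
from collections import defaultdict

MEP_PORT = 3009  # secure MEP port named in the article

# Assumed input format, tcpdump -nn style: "IP src.sport > dst.dport: Flags [S], ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Z.]+)\]"
)

# Constructed sample: the SNIP retries three times unanswered, the NSIP is answered.
SAMPLE_TRACE = """\
10:00:01.000 IP 198.51.100.20.41000 > 192.0.2.10.3009: Flags [S], seq 100, length 0
10:00:02.000 IP 198.51.100.20.41000 > 192.0.2.10.3009: Flags [S], seq 100, length 0
10:00:04.000 IP 198.51.100.20.41000 > 192.0.2.10.3009: Flags [S], seq 100, length 0
10:05:01.000 IP 198.51.100.10.52000 > 192.0.2.10.3009: Flags [S], seq 700, length 0
10:05:01.020 IP 192.0.2.10.3009 > 198.51.100.10.52000: Flags [S.], seq 900, ack 701, length 0
10:05:01.021 IP 198.51.100.10.52000 > 192.0.2.10.3009: Flags [.], ack 901, length 0
""".splitlines()


def unanswered_mep_syns(lines, local_nsip):
    """Per local source IP: SYNs sent to the MEP port and how many got no SYN-ACK."""
    pending = defaultdict(int)  # (src, sport, dst) -> SYNs still waiting for a SYN-ACK
    stats = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and int(dport) == MEP_PORT:
            pending[(src, sport, dst)] += 1
            entry = stats.setdefault(
                src, {"syns": 0, "unanswered": 0, "is_nsip": src == local_nsip})
            entry["syns"] += 1
        elif flags == "S." and int(sport) == MEP_PORT:
            # SYN-ACK from the remote site: its destination is the original source.
            pending.pop((dst, dport, src), None)
    for (src, _sport, _dst), count in pending.items():
        stats[src]["unanswered"] += count
    return stats


if __name__ == "__main__":
    for ip, s in unanswered_mep_syns(SAMPLE_TRACE, "198.51.100.10").items():
        note = "" if s["is_nsip"] else "  <- not the NSIP the peer expects"
        print(f"{ip}: {s['syns']} SYN, {s['unanswered']} unanswered{note}")
```

Unanswered SYNs from an address other than the NSIP match the first cause; unanswered SYNs from the NSIP itself point toward the second cause or a path problem instead.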

Resolution

 

Reset the MEP State

Attempt to toggle the Metric Exchange Protocol on the local site to re-initiate the handshake:

  • Command: set gslb site <siteName> -metricExchange DISABLED

  • Command: set gslb site <siteName> -metricExchange ENABLED

Verify and Fix Internal Service Status

The internal HTTPS service must be active for secure MEP to function.

  1. Check the status of the internal service: nshttps-127.0.0.1-443.

  2. If the status is DOWN, check the certificate bindings.

  3. Action: Navigate to the service > Edit > Certificates tab.

  4. Link the "ns-server-certificate" to this service.

 

Issue/Introduction

This article addresses an issue where the Global Server Load Balancing (GSLB) Metric Exchange Protocol (MEP) status shows as DOWN. In this scenario, the local site attempts to initiate a connection on port 3009, but the remote site fails to respond to the TCP SYN packets, causing GSLB services to be marked as DOWN.