
Synchronize the configuration in a GSLB setup

Typically, a GSLB setup has a few data centers with a GSLB site configured for each data center. On each Citrix ADC participating in GSLB, configure one GSLB site as the local site and the others as remote sites. When you add another GSLB site at a later point, you must ensure that the configuration across all GSLB sites is identical. You can use the Citrix ADC’s GSLB configuration synchronization option to synchronize the configuration across the GSLB sites.

The Citrix ADC appliance from which you use the synchronization option is referred to as the ‘main node’, and the GSLB sites to which the configuration is copied are referred to as ‘subordinate nodes’. When you synchronize a GSLB configuration, the configurations on all the GSLB sites participating in the GSLB setup are made similar to that on the main node.

Synchronization (also referred to as ‘auto sync’) is carried out in the following manner:

  • The main node finds the differences between the configuration of the main node and subordinate node, and changes the configuration of the subordinate node to make it similar to the main node.
    If you force a synchronization (use the ‘force sync’ option), the appliance deletes the GSLB configuration from the subordinate node and then configures the subordinate to make it similar to the main node.
  • During synchronization, if a command fails, synchronization is not aborted; the error messages are logged to a .err file in the /var/netscaler/gslb directory.
  • Synchronization is done only on the parent sites. The configuration of GSLB child sites is not affected by synchronization, because the parent site and child site configurations are not identical: a child site’s configuration consists only of its own details and those of its parent site. Also, GSLB services are not always required to be configured on the child sites.
  • If you disable the internal user login, GSLB auto sync uses the SSH keys to synchronize the configuration. However, to use GSLB auto sync in a partition environment, you must enable the internal user login and make sure that the partition user name on the local and remote GSLB sites is the same.
  • For enhanced security, Citrix recommends that you change the internal user account and RPC node passwords. The internal user account password is changed by changing the RPC node password. For details, see Change an RPC node password.

Note

  • On the remote GSLB site RPC node, configure the firewall to accept auto-sync connections by specifying the remote site IP (the cluster IP address for a cluster setup) and port (3010 for RPC and 3008 for secure RPC). If the default route to reach the remote sites is in a management subnet, as in most cases, the NSIP is used as the source IP address.

    To configure a different source IP address, you must have the GSLB site IP address and the SNIP in a different subnet. Also, you must have an explicit route defined to the remote site IP address through the GSLB site IP subnet.

  • The source IP address cannot be synchronized across the sites participating in GSLB because the source IP address for an RPC node is specific to each Citrix ADC appliance. Therefore, after you force a synchronization (using the sync gslb config -forceSync command or by selecting the ForceSync option in the GUI), you have to manually change the source IP addresses on the other Citrix ADC appliances.
  • Port 22 is also required for synchronizing the database files to the remote site.
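The following Citrix ADC CLI sequence is an added example, not part of the original article, showing how the RPC node entries for a two-site setup are secured and given a per-appliance source IP address as described in the note above. All names and addresses (site1, site2, 192.0.2.10, 198.51.100.10, the gateway 192.0.2.1) are constructed placeholders; replace them with your own values.

```nscli
# --- On the main node (site1; constructed GSLB site IP 192.0.2.10) ---
# Use secure RPC (port 3008) and set the RPC node password on both entries.
# Changing the RPC node password also changes the internal user account password.
set rpcNode 192.0.2.10 -password <rpc-password-placeholder> -secure YES
# The remote site's RPC node entry: -srcIP is specific to this appliance and is
# never synchronized, so it is set here and again by hand after any force sync.
set rpcNode 198.51.100.10 -password <rpc-password-placeholder> -secure YES -srcIP 192.0.2.10
# A source IP other than the NSIP requires the GSLB site IP and the SNIP to be in
# different subnets and an explicit route to the remote site through the site IP subnet.
add route 198.51.100.0 255.255.255.0 192.0.2.1

# --- On the remote site (site2; constructed GSLB site IP 198.51.100.10) ---
# Same RPC password on every appliance; the source IP is this appliance's own site IP.
set rpcNode 198.51.100.10 -password <rpc-password-placeholder> -secure YES
set rpcNode 192.0.2.10 -password <rpc-password-placeholder> -secure YES -srcIP 198.51.100.10
add route 192.0.2.0 255.255.255.0 198.51.100.1

# --- On both appliances: confirm that every RPC node entry shows Secure: YES ---
show rpcNode
```

The firewall in front of each remote site must additionally allow TCP 3008 (or 3010 for non-secure RPC) and TCP 22 from the peer site’s source IP, as the note states; that rule lives on the firewall, not on the appliance.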

If you use the saveconfig option, the sites that participate in the synchronization process automatically save their configuration, in the following way:

  1. The main node saves its configuration immediately before it initiates the process of synchronization.
  2. After the process of synchronization is complete, the subordinate nodes save their configuration. A subordinate node saves its configuration only if the configuration difference was applied successfully on it. If synchronization fails on a subordinate node, you must manually investigate the cause of the failure and take corrective action.

To improve the time taken for configuration synchronization on all GSLB sites

Configure the TCP profile settings at the command prompt as follows:


set tcpprofile nstcp_internal_apps -bufferSize 4194304 -sendBuffsize 4194304 -tcpmode ENDPOINT

Limitations of synchronization

  • On the main node, the names of the remote GSLB sites must be identical to the names of sites configured on the Citrix ADC appliances hosting those sites.
  • During the synchronization, traffic disruptions may occur.
  • Citrix ADC is tested to synchronize up to 200,000 lines of the configuration.
  • Synchronization may fail:
    • If the spillover method is changed from CONNECTION to DYNAMIC CONNECTION.
    • If you interchange the site prefix of the GSLB services bound to a GSLB virtual server on the main node and then try to synchronize.
    • If the RPC node passwords are different for NSIP and loopback IP address.
    • If you perform synchronization on GSLB sites that are configured in different partitions of the same Citrix ADC appliance.
  • If you have configured the GSLB sites as High Availability (HA) pairs, the RPC node passwords of primary and secondary nodes must be the same.
  • If you rename any GSLB entity that is part of your GSLB configuration (use the “show gslb runningConfig” command to display the GSLB configuration), you must use the force sync option to synchronize the configuration to the other GSLB sites.

Note: To overcome the limitations caused by some settings in the GSLB configuration, you can use the force sync option. However, when you use the force sync option, the GSLB entities are removed and re-added to the configuration, and the GSLB statistics are reset to zero. Hence, traffic is disrupted during the configuration change.

Points to note before starting the synchronization of a GSLB setup

Before you start the synchronization of a GSLB setup, make sure that:

  • On all the GSLB sites, including the main node, management access and SSH are enabled for the IP address of the corresponding GSLB site. The IP address of a GSLB site must be an IP address owned by the Citrix ADC appliance. For more information about adding the GSLB site IP addresses and enabling Management Access, see “Configuring a Basic GSLB Site”.
  • The GSLB configuration on the Citrix ADC appliance that is considered as the main node is complete and appropriate to be copied on all the sites.
  • If you are synchronizing the GSLB configuration for the first time, all the sites participating in GSLB must have the GSLB site entity of their respective local sites.
  • You are not synchronizing sites that, by design, do not have the same configuration.
  • The main node and the subordinate nodes run the same Citrix ADC version. Starting from release 12.1, build 50.x, the appliance checks the firmware version on the main and subordinate nodes before initiating synchronization. If the main and subordinate nodes run different versions, synchronization is aborted for that remote site to avoid pushing incompatible changes across versions. An error message that identifies the site on which synchronization was aborted is also displayed.
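The following Citrix ADC CLI sequence is an added example, not part of the original article, that walks through the pre-synchronization checks listed above and then runs the synchronization with the saveconfig option. Site names, addresses and the gslb syncStatus command used for the final check are assumptions for illustration (the syncStatus view is assumed to be available on your build); replace the placeholders with your own values.

```nscli
# --- On every site, including the main node ---
# The GSLB site IP must be an appliance-owned IP with management access and SSH enabled
# (constructed site IP 192.0.2.10 for site1; use 198.51.100.10 on site2).
set ns ip 192.0.2.10 -mgmtAccess ENABLED -ssh ENABLED
# For a first synchronization, each site must already have its own local site entity.
add gslb site site1 192.0.2.10 -siteType LOCAL
# The main and subordinate nodes must run the same version; compare this output across sites.
show ns version

# --- On the main node only ---
# Remote site names must match the names configured on the appliances hosting them.
add gslb site site2 198.51.100.10 -siteType REMOTE
# Review what the main node intends to push before touching the remote sites.
sync gslb config -preview
# Apply the differences; the main node saves its configuration first and each
# subordinate saves only if the differences were applied on it successfully.
sync gslb config -saveconfig
# Check the result per site; failed commands are also logged in /var/netscaler/gslb/*.err.
show gslb syncStatus

# Only after renaming a GSLB entity or hitting another listed limitation, and accepting
# that entities are removed and re-added and statistics reset, use the force option:
# sync gslb config -forceSync -saveconfig
```

After a force sync, revisit the RPC node source IP addresses on the other appliances, because the -srcIP setting is appliance-specific and is not carried across by synchronization.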

    The following figures display sample error messages from the CLI and the GUI.

    (Figure SyncIncompatibility1: sample CLI error message for a version mismatch.)

    (Figure SyncIncompatibility2: sample GUI error message for a version mismatch.)

Important

The following directories are synchronized as part of the GSLB configuration synchronization.

  • /var/netscaler/locdb/
  • /var/netscaler/ssl/
  • /var/netscaler/inbuilt_db/