I recently had to troubleshoot why around 50% of Android users could not connect successfully using Receiver for Android to a NetScaler Gateway vserver on a NetScaler that was recently updated from 10.5 to 11.0. The message the users were getting within Receiver after typing their credentials and attempting to authenticate was:
An error has occurred while connecting. Check your server address and data connection.
I had never seen behavior like this before on any other NetScalers but this particular NetScaler had a pretty good load on it so I had a very large segment of device data and traffic metrics to parse through. There was no pattern to the failures. I examined the version of Android Receiver, Android OS, and even the phone models. There was no correlation at all. The only thing I found is that it was consistent on every authentication attempt if your device was one of the unlucky 50% that was being impacted. Turns out the culprit was the “EdgeSight Monitoring (HTML Injection)” feature under the Advanced Features of your NetScaler. This feature was used by EdgeSight for NetScaler and later used by Insight Center to have the NetScaler push traffic stream details out to the monitoring server.
On this particular NetScaler it was never setup for EdgeSight but it did have Insight Center since the 1.0 days and back then when you setup AppFlow you could setup HTML Injection too. AppFlow had been disabled for other reasons but HTML Injection was still enabled. All firmware upgrades through 10.5 had no issues with Android with this feature enabled. It wasn’t until the 11.0 upgrade that I started noticing this issue with around 50% of Android devices that were connecting. You can verify this in your environment by syslogging AAA traffic and running a filter to search for failed logins with the word “Android” which is the user agent. You’ll see repeated failures from users attempting to authenticate and can’t login which is a good sign something may be wrong. Reach out to these users and verify they are using correct credentials. See if they can login via web browser or iOS device. If these work but still can’t login via Android Receiver, on your NetScaler go to:
System -> Settings -> Configure Advanced Features
EdgeSight Monitoring (HTML Injection)
Force close Receiver on the Android device and try again. You may also have to clear the application data (reset Receiver) by going to the device’s Settings > Application Manager > Receiver > Clear data. If it connects you know what the issue was now. To take it a step further you can always do a traffic capture on your NetScaler to verify what is happening as well.
I spoke with Citrix NetScaler Support who mentioned this HTML Injection feature is deprecated now but I’m still trying to follow-up and get an official statement on that.