Citrix NetScaler

Some Android devices unable to connect using NetScaler Gateway 11 with HTML Injection

on

citrix-receiver-android-html-injection-netscaler-gateway-error

I recently had to troubleshoot why around 50% of Android users could not connect successfully using Receiver for Android to a NetScaler Gateway vserver on a NetScaler that was recently updated from 10.5 to 11.0. The message the users were getting within Receiver after typing their credentials and attempting to authenticate was:

An error has occurred while connecting. Check your server address and data connection.

3

I had never seen behavior like this before on any other NetScalers but this particular NetScaler had a pretty good load on it so I had a very large segment of device data and traffic metrics to parse through. There was no pattern to the failures. I examined the version of Android Receiver, Android OS, and even the phone models. There was no correlation at all. The only thing I found is that it was consistent on every authentication attempt if your device was one of the unlucky 50% that was being impacted. Turns out the culprit was the “EdgeSight Monitoring (HTML Injection)” feature under the Advanced Features of your NetScaler. This feature was used by EdgeSight for NetScaler and later used by Insight Center to have the NetScaler push traffic stream details out to the monitoring server.

On this particular NetScaler it was never setup for EdgeSight but it did have Insight Center since the 1.0 days and back then when you setup AppFlow you could setup HTML Injection too. AppFlow had been disabled for other reasons but HTML Injection was still enabled. All firmware upgrades through 10.5 had no issues with Android with this feature enabled. It wasn’t until the 11.0 upgrade that I started noticing this issue with around 50% of Android devices that were connecting. You can verify this in your environment by syslogging AAA traffic and running a filter to search for failed logins with the word “Android” which is the user agent. You’ll see repeated failures from users attempting to authenticate and can’t login which is a good sign something may be wrong. Reach out to these users and verify they are using correct credentials. See if they can login via web browser or iOS device. If these work but still can’t login via Android Receiver, on your NetScaler go to:

System -> Settings -> Configure Advanced Features

1

and uncheck:

EdgeSight Monitoring (HTML Injection)

2

Force close Receiver on the Android device and try again. You may also have to clear the application data (reset Receiver) by going to the device’s Settings > Application Manager > Receiver > Clear data. If it connects you know what the issue was now. To take it a step further you can always do a traffic capture on your NetScaler to verify what is happening as well.

I spoke with Citrix NetScaler Support who mentioned this HTML Injection feature is deprecated now but I’m still trying to follow-up and get an official statement on that.

About Jason Samuel

Jason Samuel is an Infrastructure Architect in Houston, TX with a primary focus on mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and information security. He is certified in several technologies and is 1 of 50 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 28 people in the world that is an Atlantis Community Expert (ACE). He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with.

Recommended for you

3 Comments

  1. Mura

    January 24, 2016 at 5:41 AM

    Its a wonderful article, unchecking the APPflow and EdgeSight Monitoring (HTML Injection) fixed the issue. now am able to configure the receiver from my Andriod phones

  2. Ryan

    May 13, 2016 at 4:49 PM

    Thanks a bunch for this, don’t think I would have ever found it! We upgraded our Netscaler from 10.5 to 11.0 a couple of months ago and I didn’t correlate the update with the Android problems since I rarely use Receiver on my phone. As the only person in my company using an Android, nobody else said anything.

  3. Nick

    May 19, 2016 at 5:26 PM

    This was wonderful! I’ve had a ticket open with the Netscaler team for nearly two weeks with little to no progress and after a quick web search and a few minutes with your article I’m in business.

Leave a Reply

Your email address will not be published. Required fields are marked *