Citrix NetScaler

Fixing the Citrix NetScaler Gateway blank page issue when upgrading from 11.0 to 11.1

on

netscaler-gateway-11-1

When you upgraded a NetScaler from firmware version 10.5 to 11.0, there were many things you needed to be aware of which I covered in my “Citrix NetScaler 10.5 to 11.0 firmware upgrade issues to watch out for” article. I really love 11.1 and all the improvements over the older firmware but one of these issues is still very prominent even when upgrading 11.0 NetScaler Gateway environments to 11.1. You may still have around 10-20% of your users get a blank white page after the upgrade. Yes even if you are already on X1 on 11.0 and keep the same X1 theme on 11.1 these users can be impacted. You’ll notice that base.css and rdx.js don’t want to respond which gives you a blank page:

2a

If you try and type the the URLs for those files directly into a browser:

https://gw.yourdomain.com/vpn/js/rdx.js

or

https://gw.yourdomain.com/logon/themes/Default/css/base.css

you’ll notice it will show a Secure Connection Failed Message like this:

An error occurred during a connection to gw.yourdomain.com. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ

4c

you’ll hit refresh a few times and eventually the page will come up fine:
5

After a few refreshes of the login page it might work but for some users, but it can also get pretty bad where the whole page is messed up with certain elements loading and much of the .js files giving HTTP 304 codes saying they are “Not Modified”:
7

8

As I mentioned in my article before, this is being cached on the client browsers and there are some steps you can take to mitigate this. Some people think if they have a Platinum NetScaler with Integrated Caching you can go in there and flush all objects or even flush the “loginstaticobjects” Cache Content Group but this will have no effect. It’s not the NetScaler caching these objects. The easiest way to fix this is to create a no cache rule and bind it to your NetScaler Gateway vserver for a few days before and after your upgrade. The impacted 10-20% of users will hit it and this will force their browsers to flush their caches.

A default NetScaler Gateway vserver will have 6 Cache policies bound to it like this:
9

What you need to do is add an extra cache policy with the priority order of 1 so it gets hit first. You go under Optimization > Integrated Caching > Policies and create something called “cache_pol_fix_blank_page”. Set the Expression to true and the action to “NOCACHE”:
11

Now you bind that as priorty 1 on your NetScaler Gateway vserver like this:
12

and now the impacted users should be back to normal again with a regular login page! Just don’t forget to unbind this after a few days. Please do post a comment below if this helps you or if you have any questions.

About Jason Samuel

Jason Samuel is an Infrastructure Architect in Houston, TX with a primary focus on mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and information security. He is certified in several technologies and is 1 of 50 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 28 people in the world that is an Atlantis Community Expert (ACE). He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with.

Recommended for you

Leave a Reply

Your email address will not be published. Required fields are marked *