Citrix NetScaler

Some Android devices unable to connect using NetScaler Gateway 11 with HTML Injection

I recently had to troubleshoot why around 50% of Android users could not connect successfully using Receiver for Android to a NetScaler Gateway vserver on a NetScaler that was recently updated from 10.5 to 11.0. The message the users were getting within Receiver after typing their credentials and attempting to authenticate was:

An error has occurred while connecting. Check your server address and data connection.

I had never seen behavior like this before on any other NetScalers but this particular NetScaler had a pretty good load on it so I had a very large segment of device data and traffic metrics to parse through. There was no pattern to the failures. I examined the version of Android Receiver, Android OS, and even the phone models. There was no correlation at all. The only thing I found is that it was consistent on every authentication attempt if your device was one of the unlucky 50% that was being impacted. Turns out the culprit was the “EdgeSight Monitoring (HTML Injection)” feature under the Advanced Features of your NetScaler. This feature was used by EdgeSight for NetScaler and later used by Insight Center to have the NetScaler push traffic stream details out to the monitoring server.

On this particular NetScaler it was never setup for EdgeSight but it did have Insight Center since the 1.0 days and back then when you setup AppFlow you could setup HTML Injection too. AppFlow had been disabled for other reasons but HTML Injection was still enabled. All firmware upgrades through 10.5 had no issues with Android with this feature enabled. It wasn’t until the 11.0 upgrade that I started noticing this issue with around 50% of Android devices that were connecting. You can verify this in your environment by syslogging AAA traffic and running a filter to search for failed logins with the word “Android” which is the user agent. You’ll see repeated failures from users attempting to authenticate and can’t login which is a good sign something may be wrong. Reach out to these users and verify they are using correct credentials. See if they can login via web browser or iOS device. If these work but still can’t login via Android Receiver, on your NetScaler go to:

System -> Settings -> Configure Advanced Features

and uncheck:

EdgeSight Monitoring (HTML Injection)

Force close Receiver on the Android device and try again. You may also have to clear the application data (reset Receiver) by going to the device’s Settings > Application Manager > Receiver > Clear data. If it connects you know what the issue was now. To take it a step further you can always do a traffic capture on your NetScaler to verify what is happening as well.

I spoke with Citrix NetScaler Support who mentioned this HTML Injection feature is deprecated now but I’m still trying to follow-up and get an official statement on that.

3 Comments

  1. Mura

    January 24, 2016 at 5:41 AM

    Its a wonderful article, unchecking the APPflow and EdgeSight Monitoring (HTML Injection) fixed the issue. now am able to configure the receiver from my Andriod phones

  2. Ryan

    May 13, 2016 at 4:49 PM

    Thanks a bunch for this, don’t think I would have ever found it! We upgraded our Netscaler from 10.5 to 11.0 a couple of months ago and I didn’t correlate the update with the Android problems since I rarely use Receiver on my phone. As the only person in my company using an Android, nobody else said anything.

  3. Nick

    May 19, 2016 at 5:26 PM

    This was wonderful! I’ve had a ticket open with the Netscaler team for nearly two weeks with little to no progress and after a quick web search and a few minutes with your article I’m in business.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Cloud Design Architecture

The community-driven paperback book initiated by my friends Bas van Kaam and Christiaan Brinkhoff is available for sale on Amazon. If you haven’t picked...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com

Exit mobile version