Connect with us

Hi, what are you looking for?

Citrix NetScaler

Fixing the Citrix NetScaler Gateway blank page issue when upgrading from 11.0 to 11.1

netscaler-gateway-11-1

When you upgraded a NetScaler from firmware version 10.5 to 11.0, there were many things you needed to be aware of which I covered in my “Citrix NetScaler 10.5 to 11.0 firmware upgrade issues to watch out for” article. I really love 11.1 and all the improvements over the older firmware but one of these issues is still very prominent even when upgrading 11.0 NetScaler Gateway environments to 11.1. You may still have around 10-20% of your users get a blank white page after the upgrade. Yes even if you are already on X1 on 11.0 and keep the same X1 theme on 11.1 these users can be impacted. You’ll notice that base.css and rdx.js don’t want to respond which gives you a blank page:

2a

If you try and type the the URLs for those files directly into a browser:

https://gw.yourdomain.com/vpn/js/rdx.js

Advertisement. Scroll to continue reading.

or

https://gw.yourdomain.com/logon/themes/Default/css/base.css

you’ll notice it will show a Secure Connection Failed Message like this:

Advertisement. Scroll to continue reading.

An error occurred during a connection to gw.yourdomain.com. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ

4c

you’ll hit refresh a few times and eventually the page will come up fine:
5

After a few refreshes of the login page it might work but for some users, but it can also get pretty bad where the whole page is messed up with certain elements loading and much of the .js files giving HTTP 304 codes saying they are “Not Modified”:
7

8

As I mentioned in my article before, this is being cached on the client browsers and there are some steps you can take to mitigate this. Some people think if they have a Platinum NetScaler with Integrated Caching you can go in there and flush all objects or even flush the “loginstaticobjects” Cache Content Group but this will have no effect. It’s not the NetScaler caching these objects. The easiest way to fix this is to create a no cache rule and bind it to your NetScaler Gateway vserver for a few days before and after your upgrade. The impacted 10-20% of users will hit it and this will force their browsers to flush their caches.

A default NetScaler Gateway vserver will have 6 Cache policies bound to it like this:
9

What you need to do is add an extra cache policy with the priority order of 1 so it gets hit first. You go under Optimization > Integrated Caching > Policies and create something called “cache_pol_fix_blank_page”. Set the Expression to true and the action to “NOCACHE”:
11

Now you bind that as priorty 1 on your NetScaler Gateway vserver like this:
12

and now the impacted users should be back to normal again with a regular login page! Just don’t forget to unbind this after a few days. Please do post a comment below if this helps you or if you have any questions.

Advertisement. Scroll to continue reading.
6 Comments

6 Comments

  1. ziggricky

    January 26, 2017 at 12:51 PM

    Thanks Jason. I have been dealing with cache nightmares on netscaler everytime we update a rewrite policy that modifies html on the page. I will give your suggestion a try and report back.

  2. Jake

    April 22, 2017 at 8:08 AM

    I’m planning on going from 11.0 to 11.1 soon, but I only have Enterprise licensing. Is there another way to solve this problem or should I add on Integrated Caching licensing prior to upgrading. Great article!

  3. Nathan

    November 28, 2017 at 6:08 PM

    Unfortunately even with this configuration a lot of the content delivered by the VPN vServer is still delivered with a Cache-Control header of no-cache, which doesn’t actually stop caching, it just makes the browser validate the ETag which can still result in this issue occurring in our experiences on various device upgrades in our Enterprise. You can validate it’s pulling from the cache by looking at the HTTP 304 responses you get on those calls.

    We found a more effective method, albeit far more bandwidth intensive, by using rewrite policies/actions that look something like this:

    add rewrite action CacheControl-NoCache_replace replace "HTTP.RES.HEADER(\"Cache-Control\")" "\"no-cache, no-store, must-revalidate\""
    add rewrite policy RWP-SDC-PRS-CacheControl-NoStore "HTTP.RES.HEADER(\"Cache-Control\").EQ(\"no-cache\") CacheControl-NoStore_replace

    This replaces the no-cache header and adds the no-store and must-revalidate header which will force it always to re-pull on all subsequent connections.

    You can bind this to a VPN vServer, or if you want to work on a AAA forms page you can add another bit to the policy like: &&(HTTP.REQ.HOSTNAME.EQ("asdf.com")) and then bind it globally.

    We avoided any reports of blank or white screens on an environment supporting 10K+ AAA/VPN users, compared to a year ago using other methods where we had 20%+ reports.

  4. zwhiterabbit

    December 28, 2017 at 9:50 AM

    another solution is to unbind the _cachevpnstaticoptions from the default 6 policies , it should work as a charm

  5. C. Uerel

    October 9, 2018 at 9:42 AM

    @zwhiterabbit
    I tried to unbind _cachevpnstaticoptions from the default 6 policies (FW 12.0 59.8) I get “Policy not bound to specified policy label”

  6. Ravi

    March 18, 2019 at 12:23 PM

    Hi,

    we are moving MPX to VPX. Added VPX in HA pair and synced the config. all looks good bu when i promote VPX to Primary, the gateway URL is not openining in browsers, but if we open in incognito or Private it works.

    Seems there is a cache policy, but we have this policy in place and it got synced fine as well. any thoughts. ?

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Cloud Design Architecture

The community-driven paperback book initiated by my friends Bas van Kaam and Christiaan Brinkhoff is available for sale on Amazon. If you haven’t picked...

Advertisement

JasonSamuel.com was launched in 2008 as a platform to give back to the IT community by sharing knowledge and expertise. Over the years, it has become a trusted global resource for the latest insights, how-to guides, and thought leadership on enterprise mobility, security, virtualization, cloud architecture, automation, and other cutting-edge technologies. Today, it serves as a go-to reference hub for IT professionals, attracting hundreds of thousands of unique visitors from around the world each month. Learn more on the About Me page.
Copyright © 2008-2025 JasonSamuel.com