Jump to content
Welcome to our new Citrix community!

NetScaler login shows HTTP 500 Internal Error

Tim Hodge

Recommended Posts

Hi Guys,


I was wondering if you could help me out.


I have a new NS device (second one) and am trying to set up an  SSL VPN using the access gateway options.


I have successfully installed and applied the SSL VPN certificate to a VServer. I have used AD authentication similar to my first device and am able to connect to AD.


When I login, I immediately get an IE error - HTTP 500 Internal Server Error. The working NS device, allows me to download and install the AG plugin. This one however, does nothing.


I have the shell window open monitoring the AD debug file.


And I see the following:


/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh


iwagent.c[1107]:main EV_DEBUG: handle time out


And the 'iwagent.c' line repears every 1 minute.


Any ideas what is going on here please and how I can resolve it?










Link to comment
Share on other sites

Hi Tim ,


receiving ' iwagent.c[1107]:main EV_DEBUG: handle time out  ' is  normal when using aaad.debug .

And based on line " /usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]:send_accept sending accept to kernel for : timhsending accept to kernel for timh "

It looks like user 'timh' is verified by Ldap server . That means the user is now provided with an auth cookie " NSC_AAAC" and the site URL on which it should return to get applications published .

Questions for you :

- What is the URL at which you get 500 server error .

- Is the Netscaler's SNIP able to communicate with backend storefront / Webinterface servers on the ports you configured ?

Link to comment
Share on other sites

If i define a session policy (that has the homepage set to our intranet homepage) - same error.


If I unbind the session policy and leave it with just the authentication policy - same error.


Is this a cert issue?


The setup:


NS has 1 cable connected from 0/1 to a port on the DMZ CORE SWITCH.


The Serup:




AD User hits FIREWALL1 (rule configure for anything from outside to communicate with Netscaler on 443)

AD User hits Netscaler that has a default route to go to DMZ-CORE-SWITCH

AD User hits FIREWALL2 (rule configured for NetScaler to speak to DC1 (domain controller) on ANY PORT.


From the AAAD.DEBUG log it seems like the AD Authentication is working fine.


The same error occurs if I try and log in with a LOCAL Netscaler user.


The URL that is showing the internal server error is https://testtgpvpn.guinness.org.uk/cgi/login which has an SSL cert applied and installed for it.

Link to comment
Share on other sites

There are no Storefront servers in the mix. We are simply trying to get the SSL VPN sorted out.


There is no ICA PROXY or WEBINTERFACE servers configured.


There is no MIP or SNIP configured on the device.


The network IPs on the device are as follows@


172.22.13 (NSIP)

172.221.14 (VIP)


The routes on the device are as follows:           (dmz core switch) UP  UP UP

Link to comment
Share on other sites

Carl  -  I have a few questions please.


1. At the moment we are using one interface on the netscaler that is connected between the port on the NS and DMZ Core Switch. Are we able to configure a SNIP on the same interface or will a separate interface be needed?


2. At the moment we have USIP (use source IP) enabled and USNIP (use subnet IP) enabled.Will this cause a problem or should we configure a pool on intranet IPs for clients?


3. If we used a SNIP as per your suggestion, we would need to create one for each Subnet - 10.1.x.x, 10.2.x.x, 10.3.x.x etc. Can we have one address to communicate to all backend networks? Is that the purpsoe of a MIP?


4. We are trying to get users/clients to communicate with servers on the 10.2.x.x network. Am I right in saying that I need to create a SNIP as follows - SNIP. Is that is all that is required or do I need to add a route on the NS?


Thank you

Link to comment
Share on other sites

Thanks Carl.


So we have one interface (0/1) in use that as previously mentioned, connects to the DMZ core switch. This one connection allows us to manage the NS device on In the config we have a VServer configured with an address of The users can hit the login page and log in but are then unable to access any of systems in the LAN over any protocol.


If i wanted to have the users be able to communicate with the 10.2.x.x network, would I simply create a SNIP of with a subnet mask of


Once the SNIP is created, does it need to be binded?

Link to comment
Share on other sites

No. The SNIP is essentially an interface IP. If your one interface is connected to the subnet then you need a SNIP address in that subnet. 


NetScaler will use the SNIP as the Source IP when connecting to machines on other subnets. This traffic will probably go through your default gateway or any other gateway (router) as configured in static routes. The other machines will then respond to the SNIP.


Here's a good blog post on NetScaler fundamentals - http://blogs.citrix.com/2014/03/31/acquiring-netscaler-skills-where-to-start-and-how-to-continue/

Link to comment
Share on other sites

Hi Tim


Might be similar issue as mentioned in release notes of 10.1 129.11 :

Issue ID 488015: If the hostname that sends an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error. As a workaround, configure an authentication profile and include the hostname.

Link to comment
Share on other sites

  • 3 years later...

Hey guys,


I know I'm late to the game here, but in our case, this turned out to be a client-side problem. We literally tried everything, sifted through multiple packet captures at both ends of the communications line, had tickets open with Citrix support; nothing.


What ultimately solved the problem: IE reset (from Internet Options>Advanced). Make sure you check the box to clear everything out. Also, the same procedure worked for Chrome.


Our environment:


Gateway: NS 12.0 56.20nc

Clients: Windows 10 1709 w/ IE 11 & Chrome 57


Problem was intermittent in nature for some users, and not existent for others. We believe that when the affected users had their Windows profiles migrated from Win7 to Win10 using USMT, it is bringing over problems.


What I'm trying to say here is don't get hung up on diagnosing the Netscaler side only... 

Link to comment
Share on other sites

  • 1 year later...

Another possible solution: 

In the Authentication LDAP Server (Which contains info like Base DN, the Bind account, etc) There is the 'Default Authentication Group' parameter. This is a free text field, so it's possible to mess up the value. In my case I had this value set to a AAA group that didn't actually exist.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...