Cipher is not supported on this platform

[Matthew Riddler]

Hello,

I have a strange thing that I cannot figure out.

I have 2 netscaler VPX's running on 2 different SDX's. All vpx's are running 12.0 60.10nc. The SDX's are both running 12.0 60.9

 

I am trying to add the cipher 'TLS1.2-ECDHE-RSA-CHACHA20-POLY1305' into a user defined SSL group.

 

On one of the VPX's I get the error below. I can see that the cipher is available in a few of the system groups. But cannot add this to any user defined groups.

 

The other VPX I am able to add it without any issues. Again they are running the same code.

 

Both VPX's were re-built when we moved them to the SDX platform. An import of the config was applied the same on both SDX's

I have looked at all of the settings relating to SSL & cannot see any difference between them.

 

Is there something I need to enable to allow me to put this cipher into a user defined group?

 

Thanks

Matt

[Gregor Blaj]

Have you tried using the CLI? Wouldn’t be the first time I’ve seen the GUI do odd things. 

[Jens Ostkamp]

On 27.6.2019 at 2:16 PM, Gregor Blaj said:

Have you tried using the CLI? Wouldn’t be the first time I’ve seen the GUI do odd things. 

 

I would go with this too. Adding Ciphers to a user defined group has always been a struggle and contained various GUI bugs. 

 

When you did the config re-import - did you just copy paste the config into the NetScaler (or just copied the ns.conf into the netscaler directory)? I've had various problems when I tried to just copy paste the cli commands into NetScaler, I think the backup/restore function is better for these cases, as you usually have to alter the old ns.conf quite a bit to not run into weird issues after executing the old ns.conf on a new NetScaler

[Matthew Riddler]

Hello,

 

I tried adding via the cli but get exactly the same response. Not supported on this platform.

 

I have asked my colleague who did the migration to the SDX. This was done using the import wizard. The same as all of the other instances.

 

I will log this with citrix to see what they have.

 

Thanks

Matt

[Richard Bazovsky]

Hi,

Did citrix told you something?

 

Thanks.

Richard

[Dennis Aston1709152728]

As an FYI CHACHA20 ciphers are not well supported on many devices other than the VPX series virtual appliances.  If you remove them from your list of ciphers you will probably succeed, like I did.  To increase your chances make sure you are running 13.x code.

Reference this article for Cipher support from Citrix:

https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances.html