After Update from 10.5 to 11 Login Page does not work any more. First time if you put the Gateway URL in browser, it will ...

Symptoms or Error

After Update from 10.5 to 11 Login Page does not work any more. First time if you put the Gateway URL in browser, it will display the Gateway login page. If you open a new tab in same browser and access the Gateway URL it will show the White page. If you hit Ctrl + F5 or delete cache from browser and try again, it will display the login page again.


  • ??The issue is caused when you have URL transformation policies bound globally or at vserver level. URL transform invokes the AppFw code to carry out the validation of http packet information and drops the connection if the validation fails. In this case as well we see the counter appfwreq_tot_drop_connection incrementing in newnslog files during the issue time indicating some issue with the transform policy.
  • ??The issue is already known and is fixed in??11.0-64+ release.
  • But if customer doesn't want to upgrade to 11.0-64.x build and wants the fix in their current builds, we??can look for any URL transformation policies bound globally in ns.conf. If yes, then unbind those and that should fix the issue. To confirm if any URL transformation policies are bound globally run the below command in shell prompt:
cd /nsconfig
cat ns.conf | grep "bind transform"

To further confirm if the issue is similar to what described above, please do below:
  • Take fiddler capture on client machine or nstrace on netscaler. From fiddler capture on client side or netscaler trace if we??see following headers in GET requests for loading the logon page,??then the user will hit the issue:
?? ?? ?? ?? If-Modified-Since:
?? ?? ?? ?? If-None-Match:??
  • Then the response will be??HTTP/1.1 504 from netscaler.
  • In the trace,you will see NetScaler is RESETTING the .css and .js requests with Netscaler REST code : 9856.
  • To further confirm in Fiddler you can Compose the traffic to same non-working URL without these headers as mentioned above and that should work??and you will see 200 OK in response in fiddler.

Problem Cause

The issue is??Caused when URL transformation policies bound globally.

It is important to note that this issue occurs irrespective of whether the client is licensed for App Firewall feature or not. Also even if the feature is enabled the issue occurs.

Features such as URL transform, CVPN, Rewrite use the Appfw code path and covertly use a dummy appfw profile.

Applicable Products


Join the conversation

Citrix Discussions

Open a case

Citrix Support