CTX208179
2016-03-18

Symptoms or Error

Recently, we made changes to certain virtual servers to only use TLS v1.2 & the ~12 ciphers available. This was to ensure we no longer used insecure ciphers.

See below for state of CS Vserver:

> show ssl vserver cpa_corp_web_prod_INTERNAL_https_csvip

Advanced SSL configuration for VServer cpa_corp_web_prod_INTERNAL_https_csvip:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED
Push Encryption Trigger: Always
Send Close-Notify: YES

1) CertKey Name: CPA-Wildcard-sha256 Server Certificate

1) Cipher Name: TLS1.2-AES128-GCM-SHA256
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256

2) Cipher Name: TLS1.2-AES256-GCM-SHA384
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384

3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256

4) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384

5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256

6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384

7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256

8) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384

9) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256

10) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256
Done
>

Problem is, since making that change, we noticed that some browsers were not able to connect to our website securely. Firefox error is below:

An error occurred during a connection to www.example.com.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

We have since reversed the change so that users are no longer affected, but we can troubleshoot/test this with other virtual servers in our environment.

I need to know why this was happening and find a fix please.

We are running NS10.5 57.7.nc

Solution

Asked the customer to bind the ECC curves to the SSL virtual servers in question:

bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_256
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_384
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_224
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_521

bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_256
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_384
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_224
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_521

Problem Cause

Mozilla is sending ECDHE cipher suites in the Client Hello.
ECDHE cipher suites use elliptic curve cryptography (ECC);
however, the CS VIP does not have any ECC curves bound to it, so none of the ECDHE suites can be negotiated and the client sees no cipher overlap.

This issue was seen because the NetScaler was upgraded from a release prior to 10.1.
If any SSL virtual servers existed in the configuration before the upgrade, the NetScaler cannot automatically bind ECC curves to them after the upgrade.
In that case one must explicitly bind the ECC curves to the existing SSL virtual servers or front-end services.
The curves are bound by default to any virtual servers or front-end services created after the upgrade, but not to the ones that already existed.
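To make the cause concrete, the following is an added example written for this article (it is not NetScaler code and does not reproduce the appliance's real handshake logic). It models the rule the Problem Cause describes: a suite whose description reads Kx=ECC-DHE can only complete a handshake when at least one curve bound on the virtual server is also supported by the client, while Kx=RSA and Kx=DH suites need no curve. The cipher list is copied from the show ssl vserver output above; the client offer, the client's curve list and the function names are constructed for the example.

```python
"""Simulate cipher negotiation against the virtual server above, with and
without ECC curves bound.  Added example for this KB article; the negotiation
logic is a simplified model, not the NetScaler implementation."""
import re

# Cipher names and descriptions exactly as listed by 'show ssl vserver'.
VSERVER_CIPHERS = [
    ("TLS1.2-AES128-GCM-SHA256", "TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256"),
    ("TLS1.2-AES256-GCM-SHA384", "TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384"),
    ("TLS1.2-DHE-RSA-AES128-GCM-SHA256", "TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256"),
    ("TLS1.2-DHE-RSA-AES256-GCM-SHA384", "TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384"),
    ("TLS1.2-ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256"),
    ("TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384"),
    ("TLS1.2-ECDHE-RSA-AES-128-SHA256", "TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256"),
    ("TLS1.2-ECDHE-RSA-AES-256-SHA384", "TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384"),
    ("TLS1.2-DHE-RSA-AES-128-SHA256", "TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256"),
    ("TLS1.2-DHE-RSA-AES-256-SHA256", "TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256"),
]

# Constructed client: offers only ECDHE suites from the server's list, as the
# Problem Cause describes for the browser, and supports the NIST curves below.
CLIENT_OFFER = [
    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    "TLS1.2-ECDHE-RSA-AES-128-SHA256",
]
CLIENT_CURVES = ["P_256", "P_384", "P_521"]

# Curves bound by the commands in the Solution section.
SOLUTION_CURVES = ["P_256", "P_384", "P_224", "P_521"]


def key_exchange(description):
    """Return the Kx= value from a NetScaler cipher description line."""
    match = re.search(r"Kx=(\S+)", description)
    if match is None:
        raise ValueError("no Kx field in: " + description)
    return match.group(1)


def usable_ciphers(server_ciphers, bound_curves, client_curves):
    """Server ciphers that can actually finish a handshake.

    An ECC-DHE suite requires a curve that is both bound on the vserver and
    supported by the client; RSA and DH key exchange need no curve at all."""
    shared_curve = bool(set(bound_curves) & set(client_curves))
    usable = []
    for name, description in server_ciphers:
        if key_exchange(description) == "ECC-DHE" and not shared_curve:
            continue  # suite is configured but unusable: no curve to run it on
        usable.append(name)
    return usable


def negotiate(client_offer, server_ciphers, bound_curves, client_curves):
    """Pick the first usable cipher in server order that the client offered.

    Returns None when nothing overlaps, which is what the browser reports as
    ssl_error_no_cypher_overlap."""
    offered = set(client_offer)
    for name in usable_ciphers(server_ciphers, bound_curves, client_curves):
        if name in offered:
            return name
    return None


def before_fix():
    """Vserver migrated from pre-10.1 code: no ECC curves bound."""
    return negotiate(CLIENT_OFFER, VSERVER_CIPHERS, [], CLIENT_CURVES)


def after_fix():
    """Same vserver after the 'bind ssl vserver ... -eccCurveName' commands."""
    return negotiate(CLIENT_OFFER, VSERVER_CIPHERS, SOLUTION_CURVES, CLIENT_CURVES)


if __name__ == "__main__":
    print("no curves bound:", before_fix())
    print("curves bound:   ", after_fix())
```

Running the script prints None for the pre-fix state and TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 once the curves are bound. The same model also shows why a client that includes an RSA or DHE suite in its offer kept working throughout: those suites never depended on the curve binding, which is why the outage only hit browsers whose offer, for this server's cipher list, was ECDHE-only.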
