Netscaler VPX 10.1.121.10 load balancing of LDAPS broken
Situation: After upgrading our VPX devices to firmware 10.1.121.10, intermittent authentication failures appeared for Access Gateway users. The LDAP bind would simply fail, yet every monitor stayed green and all services showed as up. Our RADIUS and LDAP authentication goes internally through a load-balancing VIP on the NetScaler before reaching the individual servers.
Solution: At this stage Citrix support are still investigating the issue. They have recognised it as a bug, and their workaround was either to bypass the NetScaler load balancer for LDAPS and point directly at a specific server, or to downgrade to 10.1.120.13. The downgrade was not an option for us, as we had already had issues with the previous version around the VPX network and LACP negotiation.
Once we removed the internal LDAPS load balancer the Netscalers started authenticating immediately.
We then added a secondary authentication policy and server so that we did not introduce a single point of failure.
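As an added check, not part of the original post: a small stdlib-only probe that performs a real LDAPS simple bind repeatedly, so that bind failures through the VIP can be counted against binds made directly to each backend even while the NetScaler monitors report the service as UP. Host names, the bind DN and the password are parameters you supply; the BER encoding follows RFC 4511.

```python
import socket
import ssl

# Added example (not from the original post): probe LDAPS binds via the LB VIP and direct to backends.

def ber_len(n):  # BER length: short form below 128, long form otherwise
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def simple_bind_request(dn, password, msg_id=1):
    # LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, dn, [0] simple } }
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def parse_tlv(buf, pos):  # -> (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_result(resp):
    # Returns (resultCode, diagnosticMessage); resultCode 0 is success.
    _, msg, _ = parse_tlv(resp, 0)         # outer LDAPMessage SEQUENCE
    _, _, pos = parse_tlv(msg, 0)          # messageID
    tag, body, _ = parse_tlv(msg, pos)
    if tag != 0x61: raise ValueError("not a BindResponse")  # [APPLICATION 1]
    _, code, pos = parse_tlv(body, 0)      # resultCode ENUMERATED
    _, _, pos = parse_tlv(body, pos)       # matchedDN
    _, diag, _ = parse_tlv(body, pos)      # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def bind_once(host, dn, password, port=636, timeout=5):
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(simple_bind_request(dn, password))
        return parse_bind_result(tls.recv(4096))  # bind responses are small

def count_bind_failures(host, dn, password, attempts=20):
    failed = 0  # socket/TLS errors count as failures, as do non-zero result codes
    for _ in range(attempts):
        try:
            failed += bind_once(host, dn, password)[0] != 0
        except (OSError, ValueError):
            failed += 1
    return failed
```

Run `count_bind_failures` once against the VIP and once against each LDAPS server behind it with the same service account; a non-zero count on the VIP alongside zero counts on the backends isolates the problem to the load balancer rather than the directory servers.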