Error code: ssl_error_no_cypher_overlap on Mozilla Firefox when connecting to CS VIP with only TLSv1.2 enabled

Article ID: CTX208179

Description

Recently, we made changes to certain virtual servers to only use TLS v1.2 & the ~12 ciphers available. This was to ensure we no longer used insecure ciphers.
Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

See below for the state of the CS vserver:
> show ssl vserver cpa_corp_web_prod_INTERNAL_https_csvip

Advanced SSL configuration for VServer cpa_corp_web_prod_INTERNAL_https_csvip: 
DH: DISABLED 
Ephemeral RSA: ENABLED Refresh Count: 0 
Session Reuse: ENABLED Timeout: 120 seconds 
Cipher Redirect: DISABLED 
SSLv2 Redirect: DISABLED 
ClearText Port: 0 
Client Auth: DISABLED 
SSL Redirect: DISABLED 
Non FIPS Ciphers: DISABLED 
SNI: DISABLED 
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED 
Push Encryption Trigger: Always 
Send Close-Notify: YES 

1) CertKey Name: CPA-Wildcard-sha256 Server Certificate 

1) Cipher Name: TLS1.2-AES128-GCM-SHA256 
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256 

2) Cipher Name: TLS1.2-AES256-GCM-SHA384 
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384 

3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256 
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256 

4) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384 
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384 

5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256 

6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384 

7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256 
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256 

8) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384 
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384 

9) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256 
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256 

10) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256 
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256 
Done 


Problem is, since making that change, we noticed that some browsers were not able to connect to our website securely. The Firefox error is below:

An error occurred during a connection to www.example.com.
Cannot communicate securely with peer: no common encryption algorithm(s). 
(Error code: ssl_error_no_cypher_overlap) 

We have since reversed the change so that users are no longer affected, but we can troubleshoot/test this with other virtual servers in our environment. 

I need to know why this was happening and find a fix please. 

We are running NS10.5 57.7.nc 

Resolution

Asked the customer to bind the ECC curves to the SSL virtual servers in question:

bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_256 
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_384 
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_224 
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_521 

bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_256 
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_384 
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_224 
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_521 

Problem Cause

Firefox advertises ECDHE cipher suites in its Client Hello.
ECDHE cipher suites use elliptic curve cryptography (ECC), so the server can only complete an ECDHE key exchange if it has at least one ECC curve available to offer.
However, no ECC curves were bound to the CS VIP, so none of the ECDHE suites could be negotiated and Firefox reported ssl_error_no_cypher_overlap.

This issue was seen because the NetScaler was upgraded from a release earlier than 10.1.
Any SSL virtual server that already existed in the configuration before the upgrade does not get ECC curves bound automatically after the upgrade.
In that case you must explicitly bind the ECC curves to the existing SSL virtual servers or front-end services.
The curves are bound by default to virtual servers and front-end services created after the upgrade, but not to those that existed before it.
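As an added example (not part of the original article and not Citrix's own tooling), the following Python script serves both the Resolution and the Problem Cause above: it parses `show ssl vserver` output of the kind shown in the Description, flags a vserver that has ECDHE cipher suites bound but no ECC curves bound (the state that produces ssl_error_no_cypher_overlap), and emits the `bind ssl vserver ... -eccCurveName` commands from the Resolution for it. The sample input is constructed by trimming the article's output; the `n) ECC Curve: <name>` line format used to detect bound curves, and the helper names `parse_show_ssl_vserver`, `ecdhe_ciphers_without_curves`, `fix_commands` and `lint`, are assumptions of this example.

```python
"""Lint NetScaler `show ssl vserver` output for ECDHE suites bound without ECC curves."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four curves bound in the Resolution section, in the same order.
DEFAULT_CURVES = ("P_256", "P_384", "P_224", "P_521")

# Constructed sample, trimmed from the article's `show ssl vserver` output:
# TLSv1.2 only, ECDHE suites bound, no ECC curves bound.
SAMPLE_NO_CURVES = """\
Advanced SSL configuration for VServer cpa_corp_web_prod_INTERNAL_https_csvip:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
SSLv2 Redirect: DISABLED
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED

1) CertKey Name: CPA-Wildcard-sha256 Server Certificate

1) Cipher Name: TLS1.2-AES128-GCM-SHA256
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256

3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256

5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256

6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384
Done
"""

# Same vserver after two curves are bound. The "n) ECC Curve: <name>" line
# format is an assumption about how `show ssl vserver` lists bound curves.
SAMPLE_WITH_CURVES = SAMPLE_NO_CURVES.replace(
    "Done\n", "1) ECC Curve: P_256\n2) ECC Curve: P_384\nDone\n")


@dataclass
class SslVserver:
    name: str
    protocols: Dict[str, str] = field(default_factory=dict)       # {"TLSv1.2": "ENABLED", ...}
    ciphers: List[Tuple[str, str]] = field(default_factory=list)  # (cipher name, Kx)
    curves: List[str] = field(default_factory=list)


_NAME_RE = re.compile(r"for VServer (\S+):")
_PROTO_RE = re.compile(r"(SSLv2|SSLv3|TLSv1\.[0-3]): (ENABLED|DISABLED)")
_CIPHER_RE = re.compile(r"Cipher Name: (\S+)")
_KX_RE = re.compile(r"Kx=(\S+)")
_CURVE_RE = re.compile(r"ECC Curve: (\S+)")   # assumed format, see above


def parse_show_ssl_vserver(text: str) -> SslVserver:
    """Extract name, protocol flags, bound ciphers (with key exchange) and bound curves."""
    vs = SslVserver(name="")
    pending_cipher = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _NAME_RE.search(line)
        if m:
            vs.name = m.group(1)
            continue
        for proto, state in _PROTO_RE.findall(line):
            vs.protocols[proto] = state
        m = _CIPHER_RE.search(line)
        if m:
            pending_cipher = m.group(1)   # Kx is on the following Description line
            continue
        if pending_cipher and line.startswith("Description:"):
            kx = _KX_RE.search(line)
            vs.ciphers.append((pending_cipher, kx.group(1) if kx else "?"))
            pending_cipher = None
            continue
        m = _CURVE_RE.search(line)
        if m:
            vs.curves.append(m.group(1))
    return vs


def ecdhe_ciphers_without_curves(vs: SslVserver) -> List[str]:
    """ECDHE suites that can never be negotiated because no ECC curve is bound."""
    if vs.curves:
        return []
    return [name for name, kx in vs.ciphers if kx == "ECC-DHE" or "ECDHE" in name]


def fix_commands(vs: SslVserver, curves=DEFAULT_CURVES) -> List[str]:
    """The bind commands from the Resolution, omitting curves already bound."""
    return [f"bind ssl vserver {vs.name} -eccCurveName {c}" for c in curves if c not in vs.curves]


def lint(text: str) -> dict:
    vs = parse_show_ssl_vserver(text)
    tls12_only = vs.protocols.get("TLSv1.2") == "ENABLED" and all(
        s == "DISABLED" for p, s in vs.protocols.items() if p != "TLSv1.2")
    unusable = ecdhe_ciphers_without_curves(vs)
    return {"vserver": vs.name, "tls12_only": tls12_only, "curves": vs.curves,
            "unusable_ecdhe": unusable, "fix": fix_commands(vs) if unusable else []}


if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_NO_CURVES), ("after fix", SAMPLE_WITH_CURVES)):
        print(label, lint(sample))
```

Run it against the saved output of `show ssl vserver <name>` for every vserver that predates the upgrade; a non-empty `unusable_ecdhe` list with `tls12_only` set is exactly the state in the Description, and `fix` lists the binds still missing. A TLSv1.0/1.1-enabled vserver in the same state would still be worth fixing, since the ECDHE suites are dead weight there too.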