HTTP Error 400 when connecting to NetScaler gateway Vserver


Article ID: CTX224895


Description

Users randomly receive the error "HTTP Error 400. The request is badly formed" when connecting to the NetScaler Gateway Vserver.

Error Message

Closing and re-opening the browser seems to restore the connection temporarily. The error is received when connecting to the Gateway Vserver; no login page is presented.

Resolution

NetScaler started updating the Host header when sending data to the backend server.
To do this, NetScaler reads the wihome URL and copies the FQDN into the Host field, from the start of the FQDN up to the first /.

If no / follows the FQDN in wihome, the device keeps checking until it finds the next /.
If there is no slash, it checks an extra 7/8 characters, and the Host header may contain extra bytes.

This issue is not seen if there is an additional path after the FQDN, as the path will include the /.
E.g.: http://www.xyz.com/Citrix/XenApp

In the case of a pure FQDN, modify the wihome in the VPN session action from:

add vpn sessionAction WIPol_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://abc.com"

to:

add vpn sessionAction WIPol_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://abc.com/"
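
A check for this condition across a saved configuration, as an added example that is not part of the original article: it flags every vpn sessionAction whose -wihome value is a pure FQDN and returns the value with the trailing / added. The sample configuration lines, the profile names SF_Profile, Port_Profile and NoWI_Profile, and the host sf.example.test are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of saved configuration lines (not from a real appliance).
SAMPLE_NS_CONF = '''\
add vpn sessionAction WIPol_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://abc.com"
add vpn sessionAction SF_Profile -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "http://www.xyz.com/Citrix/XenApp"
set vpn sessionAction Port_Profile -wihome https://sf.example.test:8443
add vpn sessionAction NoWI_Profile -defaultAuthorizationAction ALLOW
'''

def fix_wihome(url):
    """Return the URL with '/' added after the FQDN, or None if no change is needed."""
    parts = urlsplit(url)
    if not parts.netloc or parts.path:
        return None  # not an absolute URL, or a '/' already follows the host
    return urlunsplit(parts._replace(path="/"))

def audit_wihome(conf_text):
    """Return (profile, current_wihome, corrected_wihome) for each affected action."""
    findings = []
    for line in conf_text.splitlines():
        try:
            tokens = shlex.split(line)  # honours the quoting used around the URL
        except ValueError:
            continue  # unbalanced quotes: not a line this check can read
        lowered = [t.lower() for t in tokens]
        if lowered[1:3] != ["vpn", "sessionaction"] or "-wihome" not in lowered:
            continue
        idx = lowered.index("-wihome")
        if len(tokens) < 4 or idx + 1 >= len(tokens):
            continue  # no profile name, or -wihome given without a value
        fixed = fix_wihome(tokens[idx + 1])
        if fixed:
            findings.append((tokens[3], tokens[idx + 1], fixed))
    return findings

if __name__ == "__main__":
    for name, current, fixed in audit_wihome(SAMPLE_NS_CONF):
        print(f"{name}: {current} -> {fixed}")
```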

Problem Cause

The Host header contains additional random bytes in the request forwarded to the backend server:

GET / HTTP/1.1
Host: 148.106.160.5:8080..x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://abc.com/cgi/setclient?wica
Cookie: clientBrowserName=Firefox; clientBrowserVer=53; clientBrowserFullVer=53.0; clientOS=Windows 7 (64-bit); icaClientVer=Not detected; theUserName=;
Connection: keep-alive
Upgrade-Insecure-Requests: 1
X-Citrix-Via: abc.com
X-Citrix-Via-VIP: x.x.x.x
X-Forwarded-For: y.y.y.y

Additional Information