SSL Handshake Fails With SSL Alert: Decrypt Error

Article ID: CTX229517

Description

While accessing an SSL Vserver, the connection might intermittently fail. A new connection attempt is successful. A Wireshark trace shows that the client closes the connection with an SSL Alert: Decrypt Error.
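To confirm the same symptom without reading the trace by eye, the client-to-server bytes of a failed connection can be scanned for the alert record. The following is an added example, not Citrix code: it assumes the alert is sent unencrypted during the handshake (a two-byte alert record), and the sample byte strings are constructed for illustration.

```python
import struct

# Alert descriptions relevant here (values from the TLS specification).
ALERT_NAMES = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
               50: "decode_error", 51: "decrypt_error"}
LEVELS = {1: "warning", 2: "fatal"}
CONTENT_ALERT = 21


def plaintext_alerts(stream: bytes):
    """Walk the TLS records in one direction of a TCP stream and return
    (offset, level, description) for every unencrypted alert record."""
    found, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if major != 3 or not 20 <= ctype <= 24:
            break  # not a TLS record header; stop rather than guess
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) < length:
            break  # truncated capture
        # A plaintext alert is exactly two bytes; an encrypted one is longer.
        if ctype == CONTENT_ALERT and length == 2:
            level, desc = body
            found.append((pos, LEVELS.get(level, str(level)),
                          ALERT_NAMES.get(desc, f"alert_{desc}")))
        pos += 5 + length
    return found


def has_decrypt_error(stream: bytes) -> bool:
    """True if the stream contains a plaintext decrypt_error (51) alert."""
    return any(desc == "decrypt_error" for _, _, desc in plaintext_alerts(stream))


# Constructed samples (not from a real capture): a shortened ClientHello
# record followed by either a fatal decrypt_error alert or a ChangeCipherSpec.
CLIENT_HELLO = bytes.fromhex("1603010004") + bytes.fromhex("01000000")
ALERT = bytes.fromhex("1503030002") + bytes([2, 51])
SAMPLE_FAILED = CLIENT_HELLO + ALERT
SAMPLE_OK = CLIENT_HELLO + bytes.fromhex("1403030001") + b"\x01"

if __name__ == "__main__":
    for name, data in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        print(name, plaintext_alerts(data))
```

Counting how often this alert appears across client connections to the Vserver, before and after changing the OCSP stapling setting, shows whether the intermittent failures have stopped.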

Resolution

Disable OCSP stapling in the SSL profile settings.

Citrix Engineering is working on a code fix for this issue tracked under ID: 696422.


Problem Cause

Check whether OCSP stapling is enabled in the SSL profile or SSL parameters.

The SSL handshake might fail if the OCSP response for the server certificate is not found in the cache and the Vserver serves another client request before it receives the OCSP response for the server certificate from the OCSP responder.

In this condition, with OCSP stapling enabled, the NetScaler can send an incorrect Server Hello to the client, causing the client to generate the SSL alert.

Issue/Introduction

When an SSL Vserver is configured to use OCSP stapling for client connections, SSL handshake failures are seen intermittently.