Sharing an authentication profile between AAA and NetScaler Gateway with parent domain as authentication domain causes HTTP 404 error

Article ID: CTX236463

Description

There is a load-balancing (LB) VIP with AAA enabled. The AAA virtual server uses an authentication profile whose authentication domain is set to the top-level (parent) domain, repro.lab.
There is also a NetScaler Gateway VIP configured for nFactor authentication through an authentication profile whose authentication domain is likewise set to the top-level domain.

The client first logs on to the LB VIP and authenticates against AAA. The client receives the NSC_TMAS cookie with the domain "repro.lab".

If the same client then accesses the NetScaler Gateway VIP while presenting this cookie, the page shows only "Http/1.1 Object Not Found".

Logging on to the Gateway site first and then to the LB VIP with AAA does not cause the same problem.

Resolution

Upgrade the NetScaler firmware to one of the following versions, which include the fix:

11.1-59.10 and above
12.0-59.8 and above
12.1-49.23 and above

Workaround:

Move to a Unified Gateway setup, or remove the domain-wide authentication domain on the AAA virtual server.

Note: Removing the domain-wide authentication domain may break SSO across other LB VIPs. To avoid this, ensure that all LB VIPs that require SSO use the same authentication profile.

Alternatively, access the Gateway VIP first.

Problem Cause

If a Gateway virtual server and an LB virtual server that uses an AAA virtual server are deployed on the same NetScaler in the same domain, but outside of Unified Gateway, accessing the Gateway after an LB logon that sets domain-wide cookies results in a 404. The Gateway should ignore these cookies when it is not deployed in Unified Gateway and process the logon normally.
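The following Python script is an added illustration of the cookie-scoping mechanism behind the description and problem cause above; it is not part of this article or of any NetScaler code. It uses the standard-library cookie jar as a stand-in for browser behaviour and assumes two constructed host names under the parent domain, lb.repro.lab (LB VIP) and gw.repro.lab (Gateway VIP), plus a placeholder session token. It shows that an NSC_TMAS cookie issued with Domain=repro.lab is presented to the Gateway host, which is why the Gateway receives a cookie it was never meant to process, whereas a cookie without the domain-wide attribute (the effect of the "remove the domain-wide authentication domain" workaround) stays with the LB host.

```python
import http.cookiejar
from email.message import Message
from urllib.request import Request

# Constructed sample hosts: an LB VIP and a Gateway VIP under one parent
# domain, mirroring the article's repro.lab scenario (not real systems).
LB_VIP_URL = "https://lb.repro.lab/"
GATEWAY_VIP_URL = "https://gw.repro.lab/"

# Constructed Set-Cookie headers; the token value is a placeholder.
# Domain-wide: what AAA issues when the authentication domain is repro.lab.
DOMAIN_WIDE_COOKIE = "NSC_TMAS=placeholder-session-token; Domain=repro.lab; Path=/; Secure"
# Host-only: no Domain attribute, so the cookie is scoped to the issuing host.
HOST_ONLY_COOKIE = "NSC_TMAS=placeholder-session-token; Path=/; Secure"


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs info()."""

    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def jar_after_login(login_url: str, set_cookie: str) -> http.cookiejar.CookieJar:
    """Store the cookie a client receives after authenticating at login_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie), Request(login_url))
    return jar


def cookie_names_sent_to(jar: http.cookiejar.CookieJar, url: str) -> list:
    """Names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if header is None:
        return []
    return [pair.split("=", 1)[0] for pair in header.split("; ")]


def gateway_receives_aaa_cookie(set_cookie: str) -> bool:
    """True if a cookie issued by the LB VIP would reach the Gateway VIP."""
    jar = jar_after_login(LB_VIP_URL, set_cookie)
    return "NSC_TMAS" in cookie_names_sent_to(jar, GATEWAY_VIP_URL)


if __name__ == "__main__":
    for label, hdr in (("domain-wide", DOMAIN_WIDE_COOKIE), ("host-only", HOST_ONLY_COOKIE)):
        print(f"{label}: Gateway sees NSC_TMAS = {gateway_receives_aaa_cookie(hdr)}")
```

Run it to see the domain-wide cookie reach gw.repro.lab while the host-only cookie does not; the host-only case still reaches lb.repro.lab, which is the SSO trade-off the workaround note describes.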