NetScaler-13.1-Error "NetScaler is not licenced. You must apply license to a device to use HTTPS connection" when adding VPX to NetScaler Console

Article ID: CTX695913

Description

When adding a VPX to NetScaler Console, the error "NetScaler is not licenced. You must apply license to a device to use HTTPS connection" may appear. The VPX is eventually added to NetScaler Console, but it is displayed as "Out Of Service".

In mps_inventory.log, we can see the following errors.

10 Dec 25 18:58:51.790 [Error] [Stat[#50775]] https://<NSIP>:443/nitro/v1/config, Reason: SSL Exception: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
10 Dec 25 18:58:51.790 [Error] [Stat[#50775]] executeNITROCommand: Send HTTPMessage Failed:Exception: SSL Exception: error:0A000152:SSL routines::unsafe legacy renegotiation disabled for <NSIP>

Cause

When a VPX is added to NetScaler Console over HTTPS, NetScaler Console tries to establish an SSL connection to the NetScaler. In recent builds, the OpenSSL library version in NetScaler Console has been bumped up, and these newer OpenSSL versions require the renegotiation_info extension.

When an older NetScaler build is used, such as 13.1-33.54 in this case, the renegotiation_info extension is not included in the ServerHello message with the default NetScaler SSL parameters. As a result, NetScaler Console sends a RST after receiving the ServerHello, which ultimately causes the error to appear when adding the VPX.

Resolution

This issue can be resolved by setting "Deny SSL renegotiation" to NONSECURE under the global SSL parameters. With this change, NetScaler includes the renegotiation_info extension in the ServerHello.

set ssl parameter -denySSLReneg NONSECURE



In addition, in the latest NetScaler version, the renegotiation_info extension is present in the ServerHello sent by NetScaler even with the default setting "Deny SSL renegotiation: ALL". The issue can therefore also be resolved by upgrading NetScaler to the latest build.

Issue/Introduction

This article describes an issue encountered when adding a VPX to NetScaler Console, where the error message "NetScaler is not licensed. You must apply a license to a device to use HTTPS connection" is displayed.