By default, the VPN parameter setting should be disabled. However in 14.1-25 and 14.1-29 there was a UI bug that inadvertently enabled this feature. This was fixed in 14.1-34, but if it got enabled it would not have been disabled automatically due to being unable to identify if the setting was intentionally enabled.

This setting change has compounded for many customers along with changes to code as of 14.1-60 and 14.1-66 where if the settings is enabled, it results in a partial config and causes access to Storefront to fail. Hence users will receive a "Cannot complete request" or "Internal Server Error 43531" error. In traces, it will be seen that the SNIP does not even attempt to contact Storefront servers.

Primarily we are seeing that the VPN Parameter setting is enabled. However customers should check all 3 areas. The solutions is to disable secure private access:

1. VPN Parameter: set vpn parameter -securePrivateAccess DISABLED

2. VPN Vserver: set vpn vserver [vserverName] -securePrivateAccess DISABLED

3. /nsconfig/rc.netscaler: Check the file to see if contains any of these lines, if so, remove them:

nsapimgr -ys call=ns_vpn_enable_spa_onprem
nsapimgr -ys call=toggle_vpn_enable_securebrowse_client_mode
nsapimgr -ys call=toggle_vpn_redirect_to_access_restricted_page_on_deny
nsapimgr -ys call=toggle_vpn_use_cdn_for_access_restricted_page

There is a feature called Secure Private Access that was introduced in 14.1-4 and is intended to be disabled by default. If it gets enabled and you upgrade to 14.1-60 or 14.1-66, access to Storefront will fail.

The setting can be enabled in VPN Parameters, VPN Vserver config, or using an nsapimgr command in /nsconfig/rc.netscaler