NetScaler Admin GUI Login Redirects Back to Login Page After Firmware Upgrade Due to Management GUI WAF/API Spec Protection

Article ID: CTX696623

Description

Details

Administrators may observe this issue after upgrading the NetScaler ADC firmware.

Common symptoms include the following behavior: the Admin GUI login page loads successfully, but after the administrator enters valid credentials, the browser is redirected back to the original login page without displaying an error in the GUI.

In some cases, the browser or HAR file may also show:
HTTP/1.1 307 Temporary Redirect
Location: /menu/er?error=SESSION_CORRUPTED

The login page is served successfully, but the authenticated GUI session is not created. The user is redirected back to the initial login page.

Review /var/log/ns.log for entries similar to the following:

APPFW_SCHEMA_PARAMETER_INVALID
ns-mgmt-gui-default-appfw-profile
ns-mgmt-gui-spec
POST https://<NSIP>/login/do_login
<blocked>

Example commands:

shell
grep -i ns-mgmt-gui-spec /var/log/ns.log
grep -i APPFW_SCHEMA_PARAMETER_INVALID /var/log/ns.log
grep -i ns-mgmt-gui-default-appfw-profile /var/log/ns.log

These log entries indicate that the Management GUI login request is being rejected by the Management GUI WAF/API Spec validation. This explains why the GUI login page loads and credentials can be submitted, but the session is not established.
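Each grep above matches a single token, so a hit on one of them does not by itself show that the login POST was blocked. The following sketch is an added example, not Citrix tooling: it counts only lines where the violation name, the management GUI profile, the /login/do_login URL and the <blocked> marker appear together. The function names and sample log lines are constructed, and the real ns.log line layout may differ.

```shell
#!/bin/sh
# Added example. Matches only on the tokens this article lists; the rest of
# each sample line is constructed and is not real ns.log output.

count_blocked_gui_logins() {
    # $1 = path to an ns.log-style file; prints the number of lines that
    # carry all four markers at once.
    awk '
        /APPFW_SCHEMA_PARAMETER_INVALID/ &&
        /ns-mgmt-gui-default-appfw-profile/ &&
        /\/login\/do_login/ &&
        /<blocked>/ { n++ }
        END { print n + 0 }
    ' "$1"
}

classify_gui_login_failure() {
    # Prints WAF_BLOCK when at least one blocked login POST is found,
    # otherwise NO_WAF_EVIDENCE (keep looking at other causes).
    if [ "$(count_blocked_gui_logins "$1")" -gt 0 ]; then
        echo WAF_BLOCK
    else
        echo NO_WAF_EVIDENCE
    fi
}

make_sample_log() {
    # Constructed sample: two blocked management GUI logins, one block by an
    # unrelated (hypothetical) profile, one unrelated line.
    cat > "$1" <<'EOF'
Jan 01 10:00:01 <local0.info> 192.0.2.10 ns APPFW APPFW_SCHEMA_PARAMETER_INVALID ns-mgmt-gui-default-appfw-profile ns-mgmt-gui-spec POST https://192.0.2.10/login/do_login <blocked>
Jan 01 10:00:05 <local0.info> 192.0.2.10 ns APPFW APPFW_SCHEMA_PARAMETER_INVALID ns-mgmt-gui-default-appfw-profile ns-mgmt-gui-spec POST https://192.0.2.10/login/do_login <blocked>
Jan 01 10:01:00 <local0.info> 192.0.2.10 ns APPFW APPFW_SCHEMA_PARAMETER_INVALID example-app-profile POST https://198.51.100.7/login/do_login <blocked>
Jan 01 10:02:00 <local0.info> 192.0.2.10 ns SSHD session opened for nsroot
EOF
}

# Demo on the constructed sample; on an appliance pass /var/log/ns.log instead.
sample=$(mktemp)
make_sample_log "$sample"
classify_gui_login_failure "$sample"
rm -f "$sample"
```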

Additional supporting evidence may include the following counter:

shell
nsconmsg -d current -g http_err_admin_ui_requests_dropped
nsconmsg -K /var/nslog/newnslog -d statswt0 -g http_err_admin_ui_requests_dropped

The http_err_admin_ui_requests_dropped counter may correlate with Admin UI request drops when the Management GUI request is blocked.

The following conditions may be ruled out when the evidence supports normal connectivity and service availability:

  • The GUI service is not completely down because the login page loads.

  • TCP/TLS connectivity is working because the browser reaches the GUI.

  • CLI, SSH, and SFTP access continue to work.

  • Local authentication may not be the cause if no failed authentication entries are observed.

  • Browser cache may not be the root cause if the same behavior occurs across browsers or incognito sessions.

Resolution

As a workaround, disable WAF protection for NetScaler management interface endpoints and retest the Admin GUI login.

Run the following commands from the NetScaler CLI:

set system parameter -wafprotection DISABLED
save ns config

After applying the change, test the Admin GUI login again.

Expected result:

  • The /login/do_login request should no longer be blocked by Management GUI WAF/API Spec protection.

  • The GUI session should be created successfully after valid credentials are submitted.

  • The browser should proceed past the login page instead of returning to the original login page.

If the issue persists after applying the workaround, collect a support bundle after reproducing the issue:

show techsupport

 

Issue/Introduction

After a NetScaler ADC firmware upgrade, the Admin GUI login page may load successfully, but the login does not complete after valid local credentials are submitted.

The browser may return to the initial login page without displaying an authentication error. CLI, SSH, and SFTP access may continue to work normally.

This behavior can occur when the NetScaler Management GUI login request is blocked by Management GUI WAF/API Spec protection. The affected request is typically: POST /login/do_login