Whenever a force sync happens on a NetScaler appliance, the secondary appliance shows the default ciphers, whereas the primary appliance shows the custom ciphers.
In certain scenarios, the ciphers configured on an SSL vserver are not the same across the peer nodes (cluster/HA).
Investigation of these issues shows that the variance can happen in any one of the following scenarios:
In a one- or two-node cluster, an SSL custom cipher group is configured on the vserver. When a new node is added to the cluster, as part of the config sync operation the add lb vs command is executed on the new node with the default cipher bound to it. Thereafter, the SSL custom cipher group config is synced in addition to the default cipher (it is appended to the existing DEFAULT cipher), so the expanded cipher list (DEFAULT + SSL custom ciphers) is seen in show ssl vserver on the newly added node.
When HA sync is forced on the secondary appliance, the config is cleared and then reapplied.
As part of reapplying config on secondary:
For the preceding reasons, the vserver on the secondary will have both the default and the custom cipher bindings. If the custom cipher is a subset of the default cipher, only the default cipher will be seen.
Unbinding cipher ALL and binding the custom cipher produces the required, correct config in the preceding scenarios.
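
A drift check for the scenarios above, as an added example that is not part of the original article or any Citrix tooling: it compares the cipher bindings of each SSL vserver on two nodes and flags where DEFAULT has been appended to, or is seen instead of, the custom group. The input is assumed to be each node's bind ssl vserver ... -cipherName lines as collected by the administrator; the vserver names and the CUSTOM_TLS12 group are constructed.

```python
import re
from collections import defaultdict

# Matches the CLI form: bind ssl vserver <name> -cipherName <cipher or group>
BIND_RE = re.compile(r"^bind ssl vserver (\S+) -cipherName (\S+)", re.IGNORECASE)

def cipher_bindings(config_text):
    """Map each SSL vserver to the set of cipher names/groups bound to it."""
    bound = defaultdict(set)
    for line in config_text.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            bound[m.group(1)].add(m.group(2))
    return dict(bound)

def cipher_drift(primary_text, peer_text, default_name="DEFAULT"):
    """Return {vserver: finding} for vservers whose bindings differ between nodes."""
    primary, peer = cipher_bindings(primary_text), cipher_bindings(peer_text)
    findings = {}
    for vs in sorted(set(primary) | set(peer)):
        want, got = primary.get(vs, set()), peer.get(vs, set())
        if want == got:
            continue
        extra, missing = got - want, want - got
        if extra == {default_name} and not missing:
            findings[vs] = "default appended to custom binding"
        elif got == {default_name}:
            findings[vs] = "default only, custom binding missing"
        else:
            findings[vs] = f"mismatch: extra={sorted(extra)} missing={sorted(missing)}"
    return findings

# Constructed sample input (assumption: not captured from a real appliance).
PRIMARY = """\
bind ssl vserver vs_web -cipherName CUSTOM_TLS12
bind ssl vserver vs_api -cipherName CUSTOM_TLS12
bind ssl vserver vs_ok -cipherName CUSTOM_TLS12
"""
SECONDARY = """\
bind ssl vserver vs_web -cipherName DEFAULT
bind ssl vserver vs_web -cipherName CUSTOM_TLS12
bind ssl vserver vs_api -cipherName DEFAULT
bind ssl vserver vs_ok -cipherName CUSTOM_TLS12
"""

if __name__ == "__main__":
    for vs, finding in cipher_drift(PRIMARY, SECONDARY).items():
        print(f"{vs}: {finding}")
```

Running the check after a node is added or a force sync completes shows which vservers need their cipher bindings corrected before the peer takes traffic.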