When using two-factor challenge/response authentication through RADIUS, the NetScaler Gateway imposes a session timeout for the RADIUS challenge/response dialogue.

In case of SMS token code delivery, there might be long delays between the challenge displayed to the user and the actual submission of the token code through the NetScaler logon form.

It has been observed that NetScaler Gateway keeps the challenge/response session open between 2 and 4 minutes, this is often too short if the user is in an area with poor internet reception. When the user is too slow to submit the token code, after submitting the token code the following internal http error is displayed by NetScaler Gateway:
Http/1.1 Internal Server Error 43549

The RADIUS server will accept the submitted token code, that is verified, too.

Currently there is no option to modify the RADIUS challenge/response timeout through NetScaler configuration and the session time limit are hardcoded inside aaad.