Telnet, SSH and HTTP to NSIP and VIP Fails but ICMP Ping Works on NetScaler

Article ID: CTX205292

Description

1. Management access to the NetScaler is lost from any subnet other than the NSIP or SNIP subnet.
2. Resources behind the NetScaler cannot be reached. Access to a load balancing VIP fails when the configured protocol is TCP or any application-layer protocol that uses TCP as its transport.
3. Ping to the NSIP and to the VIP works.
4. A load balancing VIP using UDP works.
5. Management access is enabled on the NetScaler.

Resolution

To resolve this issue:

  1. Redesign routing in the network so that the request path and the reply path are the same.
  2. Change the firewall settings to allow asymmetric routing.

You can also complete the following step as a workaround:

  • Enable MAC-based forwarding (MBF) on the NetScaler. With MBF enabled, the NetScaler sends the reply out of the interface on which the request was received, to the MAC address the request came from, so the reply path matches the request path regardless of the routing table. Run the following command from the CLI to enable MBF:
    enable ns mode mbf

    Note: To further confirm the issue, take an nstrace on the NetScaler while generating traffic from a browser to the VIP or NSIP. In the trace, find the SYN packet to the VIP/NSIP, note the source and destination MAC addresses in its Ethernet header, and compare them with the SYN/ACK. Asymmetric routing is confirmed when the SYN/ACK is sent with a source MAC address different from the destination MAC address seen in the SYN packet.


Problem Cause

The issue was caused by asymmetric routing in the network. The firewall received the SYN/ACK from the NetScaler on a different interface than the one on which it had sent the TCP SYN. Because the firewall by default disallows asymmetric routing, it dropped the SYN/ACK sent by the NetScaler, and the TCP connection failed. ICMP and UDP have no three-way handshake for the firewall to validate, which is why ping and the UDP VIP continued to work.

Requests from the same subnet do not pass through the firewall, hence there was no issue from within that subnet.

Issue/Introduction

Telnet, SSH and HTTP to NSIP and VIP Fails but ICMP Ping Works on NetScaler

Additional Information

Asymmetric routing is easy to spot in a trace taken on the NetScaler: the NetScaler receives the TCP SYN on one interface and sends the SYN/ACK out of another.
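The trace check described in the Note under the workaround and in this section, written out as an added example (this is not code from the Citrix article or from NetScaler): a small Python script that decodes Ethernet/IPv4/TCP frames, pairs each SYN sent to the VIP or NSIP with its SYN/ACK, and flags flows where the SYN/ACK's source MAC differs from the SYN's destination MAC, i.e. the reply left the NetScaler through a different interface than the request arrived on. The VIP, client IPs, MAC addresses and frames below are constructed for illustration; on a real appliance you would read the frames out of the capture file that nstrace writes (a pcap reader is assumed and not included here) and pass them to find_asymmetric_flows.

```python
import struct
from collections import namedtuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip src_port dst_port flags")


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a constructed Ethernet II + IPv4 + TCP frame with no payload.
    Checksums are left zero; the MAC comparison does not depend on them."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     _ip(src_ip), _ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def parse_frame(raw):
    """Decode an IPv4/TCP frame into a Frame; return None for anything else."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_IPV4:
        return None
    dst_mac = ":".join(f"{b:02x}" for b in raw[0:6])
    src_mac = ":".join(f"{b:02x}" for b in raw[6:12])
    ip = raw[14:]
    if len(ip) < 20 or ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]          # skip IP header (IHL words * 4)
    if len(tcp) < 20:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", tcp[0:4])
    return Frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, tcp[13])


def find_asymmetric_flows(raw_frames, target_ip):
    """For every SYN to target_ip that got a SYN/ACK, report whether the reply
    left via a different NetScaler MAC (interface) than the request arrived on."""
    frames = [f for f in map(parse_frame, raw_frames) if f is not None]
    handshake = TCP_SYN | TCP_ACK
    syns = {}
    for f in frames:
        if f.dst_ip == target_ip and (f.flags & handshake) == TCP_SYN:
            syns[(f.src_ip, f.src_port, f.dst_port)] = f
    results = []
    for f in frames:
        if f.src_ip == target_ip and (f.flags & handshake) == handshake:
            syn = syns.get((f.dst_ip, f.dst_port, f.src_port))
            if syn is None:
                continue
            results.append({
                "client": f"{syn.src_ip}:{syn.src_port}",
                "syn_dst_mac": syn.dst_mac,       # NetScaler ingress interface
                "synack_src_mac": f.src_mac,      # NetScaler egress interface
                "asymmetric": syn.dst_mac != f.src_mac,
                # Did the reply go to a different next hop (e.g. another
                # firewall interface) than the one the request came from?
                "next_hop_changed": syn.src_mac != f.dst_mac,
            })
    return results


# Constructed addresses (not real): two NetScaler interfaces, two firewall
# interfaces, a client behind the firewall and a client on the VIP's subnet.
VIP = "10.10.10.50"
NS_IF1, NS_IF2 = "00:e0:ed:11:11:11", "00:e0:ed:22:22:22"
FW_IN, FW_OUT = "00:1c:7f:aa:aa:aa", "00:1c:7f:bb:bb:bb"
LOCAL_CLIENT = "00:50:56:33:33:33"

SAMPLE_TRACE = [
    # Remote client: SYN arrives on NS_IF1 from the firewall, SYN/ACK leaves
    # NS_IF2 towards another firewall interface -> asymmetric.
    build_tcp_frame(FW_IN, NS_IF1, "172.16.5.20", VIP, 51000, 443, TCP_SYN),
    build_tcp_frame(NS_IF2, FW_OUT, VIP, "172.16.5.20", 443, 51000, TCP_SYN | TCP_ACK),
    # Same-subnet client: request and reply both use NS_IF1 -> symmetric.
    build_tcp_frame(LOCAL_CLIENT, NS_IF1, "10.10.10.77", VIP, 40000, 443, TCP_SYN),
    build_tcp_frame(NS_IF1, LOCAL_CLIENT, VIP, "10.10.10.77", 443, 40000, TCP_SYN | TCP_ACK),
    # Unrelated ARP frame; the parser skips it.
    _mac("ff:ff:ff:ff:ff:ff") + _mac(LOCAL_CLIENT) + struct.pack("!H", 0x0806) + b"\x00" * 28,
]


def analyse_sample():
    return find_asymmetric_flows(SAMPLE_TRACE, VIP)


if __name__ == "__main__":
    for r in analyse_sample():
        verdict = "ASYMMETRIC" if r["asymmetric"] else "ok"
        print(f"{r['client']:<20} SYN->{r['syn_dst_mac']}  SYN/ACK<-{r['synack_src_mac']}  {verdict}")
```

The flow from the firewall is reported as asymmetric because the SYN/ACK's source MAC is NS_IF2 while the SYN was addressed to NS_IF1; the same-subnet flow is not, which matches the article's observation that clients on the NSIP/SNIP subnet were unaffected. The next_hop_changed field is the firewall-side view of the same problem: the reply is addressed to a different firewall MAC than the one that sent the SYN.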