The NetScaler VPN vserver is configured with an intranet IP (IIP) range specified as a subnet, so that end users are assigned an IP address from that subnet when they launch the VPN client.
If NetScaler receives a packet destined to a broadcast IP that falls in the IIP range, it forwards this broadcast packet to the next hop (gateway) after changing the destination MAC. The next hop then sends the packet back to NetScaler, because the IIP range is configured on NetScaler. This repeats and creates a loop in the network, which eventually causes the network devices to slow down.
Add access control lists (ACLs) to drop these broadcast packets.
add ns acl IIP_broadcast_deny DENY -destIP x.x.x.255
apply ns acls
An example configuration in which this issue is seen, with IIPs configured and bound to the Gateway vserver:
bind vpn vserver xxx -intranetIP x.x.x.0 255.255.252.0
When a user connects to the Gateway vserver and launches the VPN plugin, the plugin gets an IP assigned from the IIP subnet configured as shown above. If an incoming packet to NetScaler is then destined to the broadcast IP x.x.x.255, it causes a loop in the network.
NetScaler currently does not handle the broadcast packets directed to the IIP subnet.
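Added example, not part of the original article and not Citrix code: a Python helper that reads `-intranetIP <network> <netmask>` bindings from configuration text, computes the directed-broadcast address of each IIP subnet, and builds the DENY ACL commands in the form shown above. It matters for masks such as 255.255.252.0, where the broadcast address is the last address of the whole block rather than of the first /24. The sample configuration, the vserver names and the numbered ACL-name suffix are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration lines (not taken from a real appliance).
SAMPLE_CONFIG = """\
add vpn vserver gw_vs SSL 192.0.2.10 443
bind vpn vserver gw_vs -intranetIP 10.10.4.0 255.255.252.0
bind vpn vserver gw_vs2 -intranetIP 10.20.30.0 255.255.255.0
bind vpn vserver gw_vs3 -intranetIP 10.30.0.5 255.255.255.255
"""

# Matches the "-intranetIP <network> <netmask>" argument pair on any bind line.
IIP_RE = re.compile(r"-intranetIP\s+(\S+)\s+(\S+)", re.IGNORECASE)


def iip_broadcasts(config_text):
    """Return the sorted, unique directed-broadcast addresses of all IIP subnets."""
    found = set()
    for line in config_text.splitlines():
        match = IIP_RE.search(line)
        if not match:
            continue
        # strict=False tolerates a network value that has host bits set.
        net = ipaddress.IPv4Network(f"{match.group(1)}/{match.group(2)}", strict=False)
        if net.prefixlen >= 31:
            continue  # single-address or /31 bindings have no broadcast address
        found.add(net.broadcast_address)
    return sorted(found)


def deny_acl_commands(config_text, name="IIP_broadcast_deny"):
    """Build one DENY ACL per broadcast address, followed by 'apply ns acls'."""
    cmds = [
        f"add ns acl {name}_{i} DENY -destIP {addr}"  # numbered suffix is an assumption
        for i, addr in enumerate(iip_broadcasts(config_text), start=1)
    ]
    if cmds:
        cmds.append("apply ns acls")
    return cmds


if __name__ == "__main__":
    print("\n".join(deny_acl_commands(SAMPLE_CONFIG)))
```
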