SSL handshake failure when client hello contains cipher suit "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"

Article ID: CTX478505

Description

The packet trace of the SSL handshake shows the following sequence:

  1. The client sends a "Client Hello" that contains the cipher suite "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" to NetScaler. NetScaler replies with "Server Hello", "Certificate", "Server Key Exchange" and "Server Hello Done". Refer to Pic.1.
  2. The client replies with "Alert (Level: Fatal, Description: Handshake Failure)" to NetScaler, followed by a TCP RST. Refer to Pic.2.

Pic.1: (packet trace screenshot: Client Hello through Server Hello Done)
Pic.2: (packet trace screenshot: fatal Handshake Failure alert followed by RST)

 

Environment

NetScaler
Resolution

  1. Log in to the NetScaler GUI.
  2. Navigate to Traffic Management -> SSL -> Change Advanced SSL Settings.
  3. Change the value of the parameter "Deny SSL Renegotiation" from "All" to "NONSECURE" and save the change. The same change can be made from the NetScaler CLI with "set ssl parameter -denySSLReneg NONSECURE", and "show ssl parameter" confirms the current value.

With "NONSECURE", NetScaler advertises the "renegotiation_info" extension and still rejects renegotiation from clients that do not support RFC 5746; only "All" also blocks secure renegotiation. Note that this re-enables client-initiated renegotiation for RFC 5746 clients, which has a CPU cost on the server side, so it is a deliberate trade-off rather than a free change.

Problem Cause

  • RFC 5746 (section 3.3) defines the cipher suite "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" (0x00FF) as a signal with the same meaning as an empty "renegotiation_info" extension in the Client Hello. A server that supports secure renegotiation must then include the "renegotiation_info" extension in its Server Hello. If the extension is absent, the client treats the server as not supporting secure renegotiation, and the RFC (section 3.4) allows the client to terminate the handshake instead of continuing, which is what this client does.

https://www.ietf.org/rfc/rfc5746.txt

  • However, the default value of the parameter "Deny SSL Renegotiation" on NetScaler is "All", and with that setting the Server Hello from NetScaler does not contain the "renegotiation_info" extension.
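To see the behaviour described in Problem Cause on the wire, and to verify the Resolution before and after the change, the following probe is added here as an example; it is not part of this article and is not NetScaler code. It sends a TLS 1.2 Client Hello that, like the client in the trace, signals secure renegotiation only through TLS_EMPTY_RENEGOTIATION_INFO_SCSV (no renegotiation_info extension), then reports whether the Server Hello carries renegotiation_info or whether the server answered with an alert. The host and port are command-line arguments, the cipher suite list is an arbitrary choice, and sample_server_hello builds a constructed record for offline checks rather than a capture from a NetScaler.

```python
import os
import socket
import struct

SCSV = 0x00FF                    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, section 3.3)
EXT_RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746, section 3.2)
CIPHER_SUITES = [                # arbitrary selection for the probe
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    SCSV,    # signals secure renegotiation without a renegotiation_info extension
]

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def _record(content_type, version, payload):
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload

def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def build_client_hello(server_name):
    """TLS 1.2 ClientHello with SNI and ECDHE parameters; the SCSV is its only RFC 5746 signal."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    name = server_name.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name                # host_name entry
    extensions = b"".join([
        _ext(0x0000, struct.pack("!H", len(sni)) + sni),                # server_name
        _ext(0x000A, b"\x00\x04\x00\x1d\x00\x17"),                      # supported_groups: x25519, secp256r1
        _ext(0x000B, b"\x01\x00"),                                      # ec_point_formats: uncompressed
        _ext(0x000D, b"\x00\x06\x04\x01\x05\x01\x06\x01"),              # signature_algorithms: rsa_pkcs1 sha256/384/512
    ])
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                      # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                               # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    return _record(22, b"\x03\x01", _handshake(1, body))

def parse_server_hello(body):
    """Parse a ServerHello body (after the 4-byte handshake header) into a verdict."""
    pos = 2 + 32 + 1 + body[34]                                         # skip version, random, session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                                            # cipher_suite, compression_method
    exts = {}
    if pos + 2 <= len(body):                                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    return {"cipher_suite": cipher_suite, "extensions": exts,
            "secure_renegotiation": EXT_RENEGOTIATION_INFO in exts}

def analyse_response(data):
    """Walk received TLS records; return the ServerHello verdict, the alert, or None."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, rec_len = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload = data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if ctype == 21 and len(payload) >= 2:                           # alert: (level, description)
            return {"alert": (payload[0], payload[1])}
        if ctype != 22:
            continue
        hpos = 0                                                        # one record may carry several messages
        while hpos + 4 <= len(payload):
            hlen = int.from_bytes(payload[hpos + 1:hpos + 4], "big")
            if payload[hpos] == 2:                                      # handshake type server_hello
                return parse_server_hello(payload[hpos + 4:hpos + 4 + hlen])
            hpos += 4 + hlen
    return None

def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello, and read until a ServerHello or an alert arrives."""
    data, verdict = b"", None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        while verdict is None:
            try:
                chunk = sock.recv(16384)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            verdict = analyse_response(data)
    return verdict

def sample_server_hello(secure):
    """Constructed ServerHello record for offline checks; not a capture from a NetScaler."""
    exts = _ext(EXT_RENEGOTIATION_INFO, b"\x00") if secure else b""     # empty renegotiated_connection
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"     # TLS 1.2, random, no session, suite, null
    return _record(22, b"\x03\x03", _handshake(2, body + struct.pack("!H", len(exts)) + exts))

if __name__ == "__main__":
    import sys
    v = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("alert level=%d description=%d" % v["alert"] if v and "alert" in v
          else "renegotiation_info present" if v and v["secure_renegotiation"]
          else "renegotiation_info absent (or no ServerHello)")
```

Run it against the SSL virtual server once with "Deny SSL Renegotiation" set to "All" and again after changing it to "NONSECURE"; according to the Problem Cause above, the first run should report the extension absent and the second present. For a quick cross-check without this script, "openssl s_client -connect host:443" prints "Secure Renegotiation IS supported" or "IS NOT supported" after the handshake. The parser assumes the Server Hello fits in the first handshake record, which holds for an initial Server Hello in practice.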