Workspace Error "Unable to add account with the given server URL" after enabling WAF on ADC


Article ID: CTX492433


Description

After enabling WAF on ADC, the following error is seen while adding the Citrix Gateway URL in Workspace: "Unable to add account with the given server URL. Ensure that it is correct or enter your email address."


Traffic flow (brief topology):
Workspace >>>> LB SSL Virtual Server (on ADC1, WAF enabled) >>>> Citrix Gateway Virtual Server (on ADC2)

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

1. Go to "Configuration > System > Profiles".
2. Select "HTTP Profiles".
3. Clone a new HTTP profile based on "nshttp_default_profile" and check the "Drop extra data from server" option.
Note: Checking this box drops any extra data when the server sends more data than the specified Content-Length. The extra data is dropped without dropping the connection.
4. Bind the newly created HTTP profile to the LB service (on ADC1, WAF enabled).

Problem Cause

Refer to the RFC 2616 standard (https://www.ietf.org/rfc/rfc2616.txt):
"The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response."

In this case, the response to the HEAD request contains a message-body. ADC WAF treats it as an invalid HTTP response and then resets the TCP connection with reset code 9206.
Reset code 9206: "HTTP tracking failed due to invalid HTTP request/response header."


ADC1 nstrace example:
  • After receiving the 302 response to the HTTP request "HEAD /cgi/authenticate" from Citrix Gateway, the LB vserver does not forward it to the client. Instead, it sends an "RST" with reset code 9206 to the client.
  • The 302 response contains a message-body.
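
The condition described above can be confirmed on a captured response outside the ADC. The following Python sketch is an added example, not Citrix code or part of the original article: it splits a raw HTTP/1.x response and reports whether any bytes follow the headers, which RFC 2616 forbids for a response to HEAD. The function name and both sample responses are constructed for illustration, and the check assumes the capture holds a single response.

```python
# Added example: check whether a raw response to a HEAD request carries body bytes.
HEADER_END = b"\r\n\r\n"


def inspect_head_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response and report any bytes after the headers."""
    head, sep, trailing = raw.partition(HEADER_END)
    if not sep:
        raise ValueError("incomplete response: header terminator not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {
        "status": int(parts[1]),
        # Content-Length is allowed on a HEAD response; it describes what GET would return.
        "content_length": headers.get("content-length"),
        "body_bytes": len(trailing),
        # RFC 2616: a response to HEAD must end at the blank line after the headers.
        "violates_head_rule": len(trailing) > 0,
    }


# Constructed samples (not taken from the trace in this article).
BAD = (b"HTTP/1.1 302 Object Moved\r\n"
       b"Location: /example\r\n"
       b"Content-Length: 27\r\n\r\n"
       b"<html>Object Moved</html>\r\n")
GOOD = b"HTTP/1.1 302 Found\r\nLocation: /example\r\nContent-Length: 27\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("with body", BAD), ("headers only", GOOD)):
        print(label, inspect_head_response(raw))
```

A response that reports a non-zero "body_bytes" here is the kind the WAF-enabled LB virtual server rejects with reset code 9206 unless the "Drop extra data from server" option is set on the bound HTTP profile.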

Additional Information

https://www.ietf.org/rfc/rfc2616.txt