Ciphers and Protocols Compatibility
Not all cipher types are supported with different protocols. For example, the AES cipher is not supported when using SSLv3. For list of NetScaler supported ciphers, see Citrix Documentation – Ciphers Supported by the NetScaler Appliance
SSL Cipher List Empty
NetScaler will send a FATAL ALERT to the back end server even if the SSL cipher list in the SERVICES Tab is empty.
But this time the FATAL ALERT will be sent even before the TCP handshake is completed.
So make sure that the Cipher list is not empty.
By default ALL the ciphers are allowed or enabled on Service/Service Group and when the virtual server is created the DEFAULT cipher group is bound by default as shown below:
So unless the cipher group or cipher is unbound explicitly, FATAL ALERT will not be sent before the TCP handshake is completed.