When you set up NSA (CSA) with load balancer and have two servers, it's not possible to login, it does not authenticate

All Supported Clarity Releases 

• From what we see the load balancer isn’t maintaining session affinity, causing requests to bounce between NSA servers. The application's sessionId cookie is either being stripped or corrupted by the LB.
• This approach bypasses the problem with the application's sessionId cookie by using a separate, clean cookie (BALANCEID) that contains only alphanumeric characters for session affinity.

To complete the setup of NSA with Load Balancer, we need the LB to be :

1. Set up with Sticky Sessions
2. Add a Custom Cookie

Here is suggested solution with Apache mod_proxy_balancer

Suggested Steps for Citrix ADC Netscaler:

Configure the Custom Cookie Persistence:

• On the Virtual Server configuration page, look to the right-hand menu (Advanced Settings) and click Persistence.
• A new Persistence section will appear in the main window.
• Under Persistence, select COOKIEINSERT from the dropdown menu.
• In the Cookie Name field, type exactly: BALANCEID
• Set the Time-out (minutes) to 0 (this ensures it acts as a session cookie).
• Click OK and then Done.

Changes on Apache as example: 

<VirtualHost *:80>
ServerName lb.example.com
ProxyPreserveHost Off
Header add Set-Cookie "BALANCEID=balancer.%{BALANCER_WORKER_ROUTE}e; path=/;" env=BALANCER_ROUTE_CHANGED
<Proxy "balancer://nsacl">
BalancerMember "https://xxxxx:8090" route=node1
BalancerMember "https://xxxxx:8090" route=node2
ProxySet lbmethod=byrequests stickysession=BALANCEID
</Proxy>

ProxyPass "/" "balancer://nsacl/"
ProxyPassReverse "/" "balancer://nsacl/"
</VirtualHost>

1. Exact config:
   
   Header add Set-Cookie "BALANCEID=balancer.%{BALANCER_WORKER_ROUTE}e; path=/;" env=BALANCER_ROUTE_CHANGED
   
   stickysession=BALANCEID