Channel: Serverphorums.com - HAProxy

NetScaler CIP analysing code seems to be incorrect (no replies)

Hello,

As requested at discourse.haproxy.org (
http://discourse.haproxy.org/t/netscaler-cip-analysing-code-seems-to-be-incorrect/1043)
I hereby report the issue below to the HAProxy mailing list, cc-ing the
author of the netscaler-cip patch.

We are trying to run several instances of HAProxy (v1.7.3) behind a
NetScaler VPX (Version 11.0 64.34) and want to use the NetScaler CIP
feature so that the original IP of the client can be passed through HAProxy.

The haproxy.cfg listener looks like this:

listen weblistener
    bind *:80 accept-netscaler-cip 4711
    tcp-request connection expect-netscaler-cip layer4
    mode tcp
    option tcplog
    server s1 192.168.0.123:8000 check

The NetScaler sends the CIP Packet as specified here:
https://support.citrix.com/article/CTX205670 and the Packet looks as
expected after taking a tcpdump and viewing it with wireshark. But the
analysis in HAProxy fails with 'CO_ER_CIP_BAD_PROTO' at line 784. (IP
Version not v4/v6).

An exemplary CIP Header arriving in HAProxy looks like this:

0x00 0x00 0x12 0x67 0x00 0x00 0x00 0x34 0x00 0x01 0x00 0x28 0x45 0x00 0x00 0x28
0x5c 0xef 0x40 0x00 0x3e 0x06 0x39 0x08 0xbe 0x64 0xdc 0x99 0x0a 0x70 0x01 0x6b
0xe3 0xfc 0x00 0x50 0xba 0x67 0x50 0x9e 0x9e 0xcc 0x0e 0xcd 0x50 0x10 0x72 0x10
0xf9 0xfe 0x00 0x00

where the beginning parts are:

Magic Number: 0x00 0x00 0x12 0x67
CIP Length: 0x00 0x00 0x00 0x34
Type: 0x00 0x01
CIP Header size: 0x00 0x28
IP Version: 0x45 0x00 0x00 0x28

Based on this Header and the specification from Citrix, the code part in
HAProxy which analyses the CIP seems to be incorrect in 2 places:

- Line 711
The "IP Version" bytes start at index 12 as specified by Citrix. Hence
the correct increment here would be 12 (instead of 8) in our eyes.
We patched the code for testing purposes and with the increment of 12
the IP Version analysis works as expected and also the source ip retrieval
worked fine.

- Line 788
The line pointer is incremented by the length of the CIP, hence the
pointer should be decremented by the amount used in item 1 (8 or 12,
depending what is correct).

Does anyone have a deeper knowledge of NetScaler CIP and can review our
findings in order to determine the cause of the problem? Maybe the version
of our NetScaler is too new or old?

Best regards,
mahnkong
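
The header quoted in the post can be decoded with a bounds-checked parser that follows the field layout the post lists (magic, CIP length, type, CIP header size, then the embedded IP header at offset 12). This is an added example, not part of the original post and not HAProxy's code; `cip_parse`, `cip_ip_version_at` and `struct cip_info` are hypothetical names, the magic 4711 comes from the `bind` line, and handling only IPv4 with TCP is an assumption of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the 52 header bytes quoted in the post. */
static const uint8_t sample_cip[52] = {
    0x00,0x00,0x12,0x67, 0x00,0x00,0x00,0x34, 0x00,0x01,0x00,0x28, 0x45,0x00,0x00,0x28,
    0x5c,0xef,0x40,0x00, 0x3e,0x06,0x39,0x08, 0xbe,0x64,0xdc,0x99, 0x0a,0x70,0x01,0x6b,
    0xe3,0xfc,0x00,0x50, 0xba,0x67,0x50,0x9e, 0x9e,0xcc,0x0e,0xcd, 0x50,0x10,0x72,0x10,
    0xf9,0xfe,0x00,0x00 };

/* Hypothetical result type for this example. */
struct cip_info { uint32_t cip_len; uint16_t type, hdr_len; uint8_t src[4]; uint16_t src_port; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* IP version nibble found at a given offset, or -1 if the offset is out of range. */
int cip_ip_version_at(const uint8_t *buf, size_t len, size_t off)
{
    return off < len ? buf[off] >> 4 : -1;
}

/* Parse the layout described in the post (IPv4 + TCP only). Returns 0 or a negative error. */
int cip_parse(const uint8_t *buf, size_t len, uint32_t magic, struct cip_info *out)
{
    if (len < 12 || be32(buf) != magic) return -1;           /* truncated or wrong magic */
    out->cip_len = be32(buf + 4);
    out->type    = be16(buf + 8);
    out->hdr_len = be16(buf + 10);
    if (out->cip_len > len || 12u + out->hdr_len > out->cip_len) return -2; /* lengths overrun */
    const uint8_t *ip = buf + 12;                            /* embedded IP header */
    if (out->hdr_len < 20 || (ip[0] >> 4) != 4) return -3;   /* not IPv4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 2 > out->hdr_len || ip[9] != 6) return -4; /* bad IHL or not TCP */
    for (int i = 0; i < 4; i++) out->src[i] = ip[12 + i];    /* IPv4 source address */
    out->src_port = be16(ip + ihl);                          /* TCP source port */
    return 0;
}

int main(void)
{
    struct cip_info ci;
    int rc = cip_parse(sample_cip, sizeof sample_cip, 4711, &ci);
    printf("rc=%d version@8=%d version@12=%d\n", rc,
           cip_ip_version_at(sample_cip, sizeof sample_cip, 8),
           cip_ip_version_at(sample_cip, sizeof sample_cip, 12));
    if (rc == 0)
        printf("src=%u.%u.%u.%u:%u\n", ci.src[0], ci.src[1], ci.src[2], ci.src[3], ci.src_port);
    return 0;
}
```

On the quoted bytes, the version nibble read at offset 8 is 0, while at offset 12 it is 4, which matches the behaviour the post reports for the two increments.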
