Hi Andreas,

Sorry for the long delay, I was out for a while and missed this email.

To be honest with you, I was expecting to get some weirdness like this. I'm reaching out to Citrix on a side channel to see if different specs for the protocol exist so I may do the appropriate changes in haproxy to support both (or more) versions of the protocol.

Cheers,
Bertrand

On 03/03/17 16:57, Andreas Mahnke wrote:
> Hello,
>
> as requested at discourse.haproxy.org
> (http://discourse.haproxy.org/t/netscaler-cip-analysing-code-seems-to-be-incorrect/1043)
> I hereby report the issue below to the HAProxy mailing list cc-ing the
> author of the netscaler-cip patch.
>
> we are trying to run several instances of HAProxy (v1.7.3) behind a
> NetScaler VPX (Version 11.0 64.34) and want to use the NetScaler CIP
> feature so that the original IP of the client can be passed through HAProxy.
>
> The haproxy.cfg listener looks like this:
>
>     listen weblistener
>         bind *:80 accept-netscaler-cip 4711
>         tcp-request connection expect-netscaler-cip layer4
>         mode tcp
>         option tcplog
>         server s1 192.168.0.123:8000 check
>
> The NetScaler sends the CIP Packet as specified here:
> https://support.citrix.com/article/CTX205670 and the Packet looks as
> expected after taking a tcpdump and viewing it with wireshark. But the
> analysis in HAProxy fails with 'CO_ER_CIP_BAD_PROTO' at line 784. (IP
> Version not v4/v6).
>
> An exemplary CIP Header arriving in HAProxy looks like this:
>
>     0x00 0x00 0x12 0x67 0x00 0x00 0x00 0x34 0x00 0x01 0x00 0x28 0x45 0x00 0x00 0x28
>     0x5c 0xef 0x40 0x00 0x3e 0x06 0x39 0x08 0xbe 0x64 0xdc 0x99 0x0a 0x70 0x01 0x6b
>     0xe3 0xfc 0x00 0x50 0xba 0x67 0x50 0x9e 0x9e 0xcc 0x0e 0xcd 0x50 0x10 0x72 0x10
>     0xf9 0xfe 0x00 0x00
>
> where the beginning parts are:
>
>     Magic Number:    0x00 0x00 0x12 0x67
>     CIP Length:      0x00 0x00 0x00 0x34
>     Type:            0x00 0x01
>     CIP Header size: 0x00 0x28
>     IP Version:      0x45 0x00 0x00 0x28
>
> Based on this Header and the specification from citrix, the code part in
> HAProxy which analyses the CIP seems to be incorrect in 2 places:
>
> - Line 711
>   The "IP Version" bytes start at index 12 as specified by Citrix.
>   Hence the correct increment here would be 12 (instead of 8) in our eyes.
>   We patched the code for testing purposes and with the increment of
>   12 the IP Version analysis works as expected and also the source ip
>   retrieval worked fine.
>
> - Line 788
>   The line pointer is incremented by the length of the CIP, hence the
>   pointer should be decremented by the amount used in item 1 (8 or 12,
>   depending what is correct)
>
> Does anyone have a deeper knowledge of NetScaler CIP and can review our
> findings in order to determine the cause of the problem? Maybe the
> version of our NetScaler is too new or old?
>
> Best regards,
> mahnkong

-- 
Bertrand
Payments Infrastructure Engineering, Amazon
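An added example, not part of the original thread and not HAProxy's code: a bounds-checked C parser for the header layout listed in the report (magic, CIP length, type, header size, IP header at byte offset 12), run over the quoted sample bytes. `cip_parse`, `struct cip_info` and the return codes are hypothetical names; it assumes the CIP length field counts the whole 52-byte block, as the sample suggests, and handles IPv4 only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the 52 header bytes quoted in the report above. */
static const uint8_t sample[52] = {
    0x00,0x00,0x12,0x67, 0x00,0x00,0x00,0x34, 0x00,0x01, 0x00,0x28,
    0x45,0x00,0x00,0x28, 0x5c,0xef,0x40,0x00, 0x3e,0x06,0x39,0x08,
    0xbe,0x64,0xdc,0x99, 0x0a,0x70,0x01,0x6b, 0xe3,0xfc,0x00,0x50,
    0xba,0x67,0x50,0x9e, 0x9e,0xcc,0x0e,0xcd, 0x50,0x10,0x72,0x10,
    0xf9,0xfe,0x00,0x00,
};

#define CIP_FIXED 12 /* magic(4) + CIP length(4) + type(2) + header size(2) */

struct cip_info { uint32_t cip_len, src; uint16_t hdr_size, sport; uint8_t ip_ver; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Hypothetical helper: 0 on success, negative when the input is rejected. */
int cip_parse(const uint8_t *b, size_t n, uint32_t magic, struct cip_info *o)
{
    if (n < CIP_FIXED) return -1;            /* fixed fields incomplete */
    if (be32(b) != magic) return -2;         /* not the configured magic number */
    o->cip_len = be32(b + 4);
    o->hdr_size = be16(b + 10);
    /* Both lengths are sender-controlled: bound them before reading further.
     * Assumption from the sample: CIP length counts the whole 52-byte block. */
    if (o->cip_len < CIP_FIXED || o->cip_len > n) return -3;
    if (o->hdr_size < 20 || o->hdr_size > o->cip_len - CIP_FIXED) return -3;
    const uint8_t *ip = b + CIP_FIXED;       /* byte 8 is the type field, not IP */
    o->ip_ver = ip[0] >> 4;
    if (o->ip_ver != 4) return -4;           /* IPv6 left out of this example */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 4 > o->hdr_size) return -5;
    o->src = be32(ip + 12);                  /* IPv4 source address */
    o->sport = be16(ip + ihl);               /* TCP source port */
    return 0;
}

int main(void)
{
    struct cip_info c = {0};
    int rc = cip_parse(sample, sizeof sample, 4711, &c);
    printf("rc=%d src=%u.%u.%u.%u sport=%u\n", rc, (unsigned)(c.src >> 24),
           (unsigned)(c.src >> 16 & 255), (unsigned)(c.src >> 8 & 255),
           (unsigned)(c.src & 255), (unsigned)c.sport);
    return rc != 0;
}
```

The magic 0x1267 equals the 4711 given to `accept-netscaler-cip` in the listener, and the high nibble of byte 8 in the sample is 0, which is neither 4 nor 6.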

