Hi Bertrand,

Sounds good! If I can assist with testing, please let me know.

Best regards,
Andreas

On Tue, Apr 4, 2017 at 5:38 PM, Bertrand Jacquin <[email protected]>
wrote:

> Hi Andreas,
>
> Sorry for the long delay, I was out for a while and missed this email.
>
> To be honest with you, I was expecting to get some weirdness like this.
> I'm reaching out to Citrix on a side channel to see if different specs for
> the protocol exist so I may do the appropriate changes in haproxy to
> support both (or more) versions of the protocol.
>
> Cheers,
> Bertrand
>
> On 03/03/17 16:57, Andreas Mahnke wrote:
> > Hello,
> >
> > as requested at discourse.haproxy.org
> > (http://discourse.haproxy.org/t/netscaler-cip-analysing-code-seems-to-be-incorrect/1043)
> > I hereby report the issue below to the HAProxy mailing list cc-ing the
> > author of the netscaler-cip patch.
> >
> > we are trying to run several instances of HAProxy (v1.7.3) behind a
> > NetScaler VPX (Version 11.0 64.34) and want to use the NetScaler CIP
> > feature so that the original IP of the client can be passed through
> > HAProxy.
> >
> > The haproxy.cfg listener looks like this:
> >
> >     listen weblistener
> >         bind *:80 accept-netscaler-cip 4711
> >         tcp-request connection expect-netscaler-cip layer4
> >         mode tcp
> >         option tcplog
> >         server s1 192.168.0.123:8000 check
> >
> > The NetScaler sends the CIP Packet as specified here:
> > https://support.citrix.com/article/CTX205670 and the Packet looks as
> > expected after taking a tcpdump and viewing it with wireshark. But the
> > analysis in HAProxy fails with 'CO_ER_CIP_BAD_PROTO' at line 784. (IP
> > Version not v4/v6).
> >
> > An exemplary CIP Header arriving in HAProxy looks like this:
> >
> >     0x00 0x00 0x12 0x67 0x00 0x00 0x00 0x34 0x00 0x01 0x00 0x28 0x45 0x00 0x00 0x28
> >     0x5c 0xef 0x40 0x00 0x3e 0x06 0x39 0x08 0xbe 0x64 0xdc 0x99 0x0a 0x70 0x01 0x6b
> >     0xe3 0xfc 0x00 0x50 0xba 0x67 0x50 0x9e 0x9e 0xcc 0x0e 0xcd 0x50 0x10 0x72 0x10
> >     0xf9 0xfe 0x00 0x00
> >
> > where the beginning parts are:
> >
> >     Magic Number:    0x00 0x00 0x12 0x67
> >     CIP Length:      0x00 0x00 0x00 0x34
> >     Type:                      0x00 0x01
> >     CIP Header size:           0x00 0x28
> >     IP Version:      0x45 0x00 0x00 0x28
> >
> > Based on this header and the specification from Citrix, the code part in
> > HAProxy which analyses the CIP seems to be incorrect in 2 places:
> >
> >   - Line 711
> >     The "IP Version" bytes start at index 12 as specified by Citrix.
> > Hence the correct increment here would be 12 (instead of 8) in our eyes.
> >     We patched the code for testing purposes and with the increment of
> > 12 the IP Version analysis works as expected and also the source ip
> > retrieval worked fine.
> >
> >   - Line 788
> >     The line pointer is incremented by the length of the CIP, hence the
> > pointer should be decremented by the amount used in item 1 (8 or 12,
> > depending what is correct)
> >
> > Does anyone have a deeper knowledge of NetScaler CIP and can review our
> > findings in order to determine the cause of the problem? Maybe the
> > version of our NetScaler is too new or old?
> >
> > Best regards,
> > mahnkong
>
> --
> Bertrand
> Payments Infrastructure Engineering, Amazon
>
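
Added example (not part of the original thread and not HAProxy's code): a C parser for the header bytes quoted in the report, accepting the IP header at offset 12 as observed there and at offset 8 as the report says the 1.7.3 code expects. `cip_parse`, `struct cip_info` and the return codes are hypothetical names, and the example is narrowed to IPv4 carrying TCP.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CIP_MAGIC 0x1267u /* 4711, the accept-netscaler-cip value in the reported config */

/* Header bytes copied from the report in this thread. */
static const uint8_t cip_sample[52] = {
    0x00, 0x00, 0x12, 0x67, 0x00, 0x00, 0x00, 0x34, 0x00, 0x01, 0x00, 0x28, 0x45, 0x00, 0x00, 0x28,
    0x5c, 0xef, 0x40, 0x00, 0x3e, 0x06, 0x39, 0x08, 0xbe, 0x64, 0xdc, 0x99, 0x0a, 0x70, 0x01, 0x6b,
    0xe3, 0xfc, 0x00, 0x50, 0xba, 0x67, 0x50, 0x9e, 0x9e, 0xcc, 0x0e, 0xcd, 0x50, 0x10, 0x72, 0x10,
    0xf9, 0xfe, 0x00, 0x00
};

struct cip_info {      /* hypothetical result type for this example */
    size_t   ip_off;   /* offset of the IP header inside the CIP: 12 or 8 */
    uint8_t  src[4];   /* client IPv4 address, network byte order */
    uint16_t sport;    /* client TCP source port */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 = ok, -1 = truncated, -2 = bad magic, -3 = no IPv4/TCP header found. */
int cip_parse(const uint8_t *buf, size_t len, struct cip_info *out)
{
    size_t off, avail, ihl;
    if (len < 12) return -1;
    if (be32(buf) != CIP_MAGIC) return -2;
    if ((buf[8] >> 4) == 4) {     /* IP header directly after magic + length */
        off = 8;
        avail = len - off;
    } else {                      /* reported layout: Type and CIP Header size come first */
        off = 12;
        avail = be16(buf + 10);   /* "CIP Header size" field (0x0028 in the sample) */
        if (avail > len - off) return -1;
    }
    if (avail < 20) return -1;                     /* minimal IPv4 header must fit */
    if ((buf[off] >> 4) != 4) return -3;           /* IP version nibble */
    ihl = (size_t)(buf[off] & 0x0f) * 4;
    if (ihl < 20 || buf[off + 9] != 6) return -3;  /* sane IHL, protocol 6 = TCP */
    if (ihl + 4 > avail) return -1;                /* TCP port fields must fit */
    out->ip_off = off;
    memcpy(out->src, buf + off + 12, 4);
    out->sport = be16(buf + off + ihl);
    return 0;
}
```

On the reported sample this finds the IP header at offset 12 and yields client 190.100.220.153, source port 58364.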
