NetScaler CIP analysing code seems to be incorrect

Hello,

we are trying to run several instances of HAProxy (v1.7.3) behind a NetScaler VPX (Version 11.0 64.34) and want to use the NetScaler CIP feature so that the original IP of the client can be passed through HAProxy.

The haproxy.cfg listener looks like this:

listen weblistener
    bind *:80 accept-netscaler-cip 4711
    tcp-request connection expect-netscaler-cip layer4
    mode tcp
    option tcplog
    server s1 192.168.0.123:8000 check

The NetScaler sends the CIP Packet as specified here: https://support.citrix.com/article/CTX205670 and the Packet looks as expected after taking a tcpdump and viewing it with wireshark. But the analysis in HAProxy fails with ‘CO_ER_CIP_BAD_PROTO’ at line 784. (IP Version not v4/v6).

An exemplary CIP Header arriving in HAPRoxy looks like this:

0x00 0x00 0x12 0x67 0x00 0x00 0x00 0x34 0x00 0x01 0x00 0x28 0x45 0x00 0x00 0x28
0x5c 0xef 0x40 0x00 0x3e 0x06 0x39 0x08 0xbe 0x64 0xdc 0x99 0x0a 0x70 0x01 0x6b
0xe3 0xfc 0x00 0x50 0xba 0x67 0x50 0x9e 0x9e 0xcc 0x0e 0xcd 0x50 0x10 0x72 0x10
0xf9 0xfe 0x00 0x00

where the beginning parts are:

Magic Number:    0x00 0x00 0x12 0x67
CIP Length:      0x00 0x00 0x00 0x34
Type:                      0x00 0x01
CIP Header size:           0x00 0x28
IP Version:      0x45 0x00 0x00 0x28

Based on this Header and the specificaton from citrix, the code part in HAProxy which analyses, the CIP seems to be incorrect in 2 places:

  1. Line 711
    The “IP Version” bytes start at index 12 as specified by Citrix. Hence the correct increment here would be 12 (instead of 8) in our eyes. We patched the code for testing purposes and with the increment of 12 the IP Version analysis works as expected and also the source ip retrieval worked fine.

  2. Line 788
    The line pointer is incremented by the length of the CIP, hence the pointer should be decremented by the amout used in item 1 (8 or 12, depending what is correct)

Does anyone has a deeper knowledge of NetScaler CIP and can review our findings in order to determine the cause of the problem? Maybe the version of our NetScaler is to new or old?

Best regards,
mahnkong

Can report this to the mailing list at:
haproxy@formilux.org

and CC the author of this patches please:
Bertrand Jacquin jacquinb@redacted.nowhere

This has just been reported to the mailing list.

Thanks and regards,
mahnkong